updates based on feedback

This commit is contained in:
Paolo Matarazzo 2023-09-01 14:53:14 -04:00
parent aa3da66ed5
commit b3f0c3d052
8 changed files with 32 additions and 46 deletions

View File

@ -86,7 +86,7 @@ productDirectory:
- url: /windows/security/identity-protection/hello-for-business - url: /windows/security/identity-protection/hello-for-business
text: Windows Hello for Business text: Windows Hello for Business
- url: /windows/security/identity-protection/credential-guard - url: /windows/security/identity-protection/credential-guard
text: Windows Defender Credential Guard text: Credential Guard
- url: /windows-server/identity/laps/laps-overview - url: /windows-server/identity/laps/laps-overview
text: Windows LAPS (Local Administrator Password Solution) text: Windows LAPS (Local Administrator Password Solution)
- url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection

View File

@ -105,7 +105,7 @@ Restart the device to apply the change.
### Verify if Credential Guard is enabled ### Verify if Credential Guard is enabled
Checking the task list or Task Manager if `LsaIso.exe` is running is not a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods: Checking Task Manager if `LsaIso.exe` is running isn't a recommended method for determining whether Credential Guard is running. Instead, use one of the following methods:
- System Information - System Information
- PowerShell - PowerShell
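Review bot: The rewrite narrows the caveat from "the task list or Task Manager" to "Task Manager" only, so the command-line check (`tasklist`) is no longer covered even though it is the same unreliable signal, and neither version says why the signal is unreliable. Suggest wording that covers both and gives the reason, e.g. "Checking whether `LsaIso.exe` is running, in Task Manager or from the command line, isn't a reliable way to determine whether Credential Guard is enabled; use one of the following methods instead:".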
@ -157,7 +157,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="1"::: :::column span="1":::
14 (Information) `14` (Information)
:::column-end::: :::column-end:::
:::column span="3"::: :::column span="3":::
```logging ```logging
@ -169,7 +169,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="1"::: :::column span="1":::
15 (Warning) `15` (Warning)
:::column-end::: :::column-end:::
:::column span="3"::: :::column span="3":::
```logging ```logging
@ -180,7 +180,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="1"::: :::column span="1":::
16 (Warning) `16` (Warning)
:::column-end::: :::column-end:::
:::column span="3"::: :::column span="3":::
```logging ```logging
@ -190,7 +190,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
:::row-end::: :::row-end:::
:::row::: :::row:::
:::column span="1"::: :::column span="1":::
17 `17`
:::column-end::: :::column-end:::
:::column span="3"::: :::column span="3":::
```logging ```logging
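Review bot: Event `17` is the only row in this table without a level label; the rows for `14`, `15` and `16` carry "(Information)" or "(Warning)". If the level is known, add it here so the column stays consistent across the four events.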
@ -199,7 +199,7 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
The following event indicates wether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot` The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot`
:::row::: :::row:::
:::column span="1"::: :::column span="1":::
@ -220,7 +220,7 @@ The following event indicates wether TPM is used for key protection. Path: `Appl
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
If you're running with a TPM, the TPM PCR mask value will be something other than 0. If you're running with a TPM, the TPM PCR mask value is something other than 0.
## Disable Credential Guard ## Disable Credential Guard
@ -239,7 +239,7 @@ There are different options to disable Credential Guard. The option you choose d
### Disable Credential Guard with Intune ### Disable Credential Guard with Intune
If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting will disable Credential Guard. If Credential Guard is enabled via Intune and without UEFI Lock, disabling the same policy setting disables Credential Guard.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@ -261,7 +261,7 @@ Once the policy is applied, restart the device.
### Disable Credential Guard with group policy ### Disable Credential Guard with group policy
If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting will disable Credential Guard. If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting disables Credential Guard.
[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] [!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)]
@ -277,7 +277,7 @@ Once the policy is applied, restart the device.
### Disable Credential Guard with registry settings ### Disable Credential Guard with registry settings
If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys as described below to disable Credential Guard. If Credential Guard is enabled without UEFI Lock and without Group Policy, it's sufficient to edit the registry keys to disable it.
| Setting | | Setting |
|-| |-|
@ -314,7 +314,7 @@ If Credential Guard is enabled with UEFI lock, follow this procedure since the s
mountvol X: /d mountvol X: /d
``` ```
1. Restart the device. Before the OS boots, a prompt will appear notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist. 1. Restart the device. Before the OS boots, a prompt appears notifying that UEFI was modified, and asking for confirmation. The prompt must be confirmed for the changes to persist.
### Disable Credential Guard for a virtual machine ### Disable Credential Guard for a virtual machine
@ -343,7 +343,7 @@ Use one of the following options to disable VBS:
### Disable VBS with Intune ### Disable VBS with Intune
If VBS is enabled via Intune and without UEFI Lock, disabling the same policy setting will disable VBS. If VBS is enabled via Intune and without UEFI Lock, disabling the same policy setting disables VBS.
[!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)] [!INCLUDE [intune-settings-catalog-1](../../../../includes/configure/intune-settings-catalog-1.md)]
@ -404,7 +404,7 @@ bcdedit /set vsmlaunchtype off
## Next steps ## Next steps
- Review the advices and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article - Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md) - Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
<!--links--> <!--links-->

View File

@ -211,13 +211,11 @@ When Credential Guard is enabled on Windows, the Java GSS API doesn't authentica
The following issue affects McAfee Application and Change Control (MACC): The following issue affects McAfee Application and Change Control (MACC):
- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) <sup>[Note 1](#bkmk_note1)</sup> - [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869)
The following issue affects Citrix applications: The following issue affects Citrix applications:
- Windows machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. <sup>[Note 1](#bkmk_note1)</sup> - Windows machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
<a name="bkmk_note1"></a>
> [!NOTE] > [!NOTE]
> Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage). > Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled devices to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
@ -228,7 +226,6 @@ The following issue affects Citrix applications:
The following products and services don't support Credential Guard: The following products and services don't support Credential Guard:
- [Support for Hypervisor-Protected Code Integrity and Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009)
- [Check Point Endpoint Security Client support for Microsoft Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912) - [Check Point Endpoint Security Client support for Microsoft Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361) - [*VMware Workstation and Device/Credential Guard aren't compatible* error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
- [ThinkPad support for Hypervisor-Protected Code Integrity and Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039) - [ThinkPad support for Hypervisor-Protected Code Integrity and Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
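Review bot: The removed bullet had a malformed URL (`id=KB86009KB86009`, the KB ID duplicated), which is a reason to fix the link, not necessarily to drop the entry. If McAfee encryption products are still unsupported with Credential Guard, the better change is `id=KB86009`; if the entry is being removed because the product is no longer relevant, say so in the commit message so the deletion isn't read as an accidental casualty of the broken link.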

View File

@ -1,7 +1,7 @@
--- ---
title: Remote Desktop title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.date: 02/24/2021 ms.date: 09/01/2023
ms.topic: conceptual ms.topic: conceptual
ms.collection: ms.collection:
- tier1 - tier1
@ -32,11 +32,11 @@ The ability for users to authenticate to a remote desktop session using their Wi
Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key). A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP. Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) stores the key storage provider used to create the key (remember the certificate contains the public key).
This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). The same concept applies to Windows Hello for Business, except that the keys are created using the Microsoft Passport KSP. The user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide the complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers direct the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN. Windows Hello for Business emulates a smart card for application compatibility, and the Microsoft Passport KSP prompts the user for their biometric gesture or PIN.
### Compatibility ### Compatibility
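Review bot: The rewritten paragraph still carries "your enterprises issuing certificate authority" (missing possessive, should be "enterprise's"), and "The key storage providers direct the certificate APIs on which provider they use" is awkward; suggest "The saved key storage provider tells the certificate APIs where to find the private key associated with the certificate." Dropping the pre-1809 redirect-to-Smart-Card-KSP history is reasonable now that those builds are out of support, but the new last sentence no longer explains why the emulated smart card exists; consider "emulates a smart card for application compatibility, while the Microsoft Passport KSP handles private key access and prompts the user for their biometric gesture or PIN".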
@ -47,14 +47,3 @@ Users appreciate convenience of biometrics and administrators value the security
> [!IMPORTANT] > [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. > The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)

View File

@ -26,11 +26,11 @@ Administrator credentials are highly privileged and must be protected. By using
The following diagram helps you to understand how a standard Remote Desktop session to a server without Remote Credential Guard works: The following diagram helps you to understand how a standard Remote Desktop session to a server without Remote Credential Guard works:
![RDP connection to a server without Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png) ![Screenshot of RDP connection to a server without Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
The following diagram helps you to understand how Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option: The following diagram helps you to understand how Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
![Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png) ![Screenshot of remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
As illustrated, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection. As illustrated, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
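Review bot: Both images in this hunk are flow diagrams, not screenshots, so "Screenshot of ..." is inaccurate alt text for screen-reader users; the first alt text also keeps the stray ".png." from the original. Suggest "Diagram of an RDP connection to a server without Remote Credential Guard." and "Diagram comparing Remote Credential Guard with Restricted Admin mode.", which also matches the surrounding sentence that says the diagram "compares it with" Restricted Admin mode.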
@ -118,7 +118,7 @@ Beginning with Windows 10 version 1703, you can enable Remote Credential Guard o
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation** 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**
1. Double-click **Restrict delegation of credentials to remote servers** 1. Double-click **Restrict delegation of credentials to remote servers**
![Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png) ![Screenshot of Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)
1. Under **Use the following restricted mode**: 1. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used
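Review bot: The context line under the changed alt text still reads "it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used", which is the future-tense/contraction style the rest of this commit is removing ("will disable" to "disables", "is not" to "isn't"); while you are in this hunk, "it uses Restricted Admin mode (if supported) when Remote Credential Guard can't be used" keeps the page consistent. Also note the two Restricted Admin mode links on this page point to different TechNet wiki slugs (`32905.how-to-enable-restricted-admin-mode-for-remote-desktop` above and `32905.remote-desktop-services-enable-restricted-admin-mode` here); pick one.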

View File

@ -1,7 +1,7 @@
--- ---
title: Introduction to Windows security title: Introduction to Windows security
description: System security book. description: System security book.
ms.date: 08/01/2023 ms.date: 09/01/2023
ms.topic: tutorial ms.topic: tutorial
ms.author: paoloma ms.author: paoloma
content_well_notification: content_well_notification:
@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
1. When verified, give people and devices access to only necessary resources for the necessary amount of time 1. When verified, give people and devices access to only necessary resources for the necessary amount of time
1. Use continuous analytics to drive threat detection and improve defenses 1. Use continuous analytics to drive threat detection and improve defenses
For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more. For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
### Security, by default ### Security, by default
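Review bot: Changing "which enable" to "which enables" is only correct if the relative clause refers to the whole fact that Windows 11 works out of the box; read literally, "which" attaches to "Microsoft Intune and Azure Active Directory", a plural antecedent, so the original "enable" was defensible and the new form reads as a number-agreement error. Reword to remove the ambiguity, e.g. "Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, enabling timely and seamless access decisions."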

View File

@ -74,7 +74,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
### Virus and threat protection ### Virus and threat protection
[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses. [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URLs and IP addresses.
[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform. - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform.
- [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.

View File

@ -135,7 +135,7 @@ In most cases, the Windows Pro edition comes pre-installed on a business-class d
- A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers - A developer that is developing applications that must be tested and certified on Pro, as that is how it will be delivered to customers
- A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only - A Windows Pro device that was pre-configured for a specific purpose and is certified on Pro only
In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscriptions does not block these scenarios. In these cases, you want the PC to be configured, secured, monitored, and updated with the enterprise management and security tools that come with the Windows Enterprise user subscription. Your Windows Enterprise E3 subscription doesn't block these scenarios.
The following table lists the Windows 11 Enterprise features and their Windows edition requirements: The following table lists the Windows 11 Enterprise features and their Windows edition requirements: