Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into tempctrl-sept-8092554

windows/deployment/do/delivery-optimization-endpoints.md

@@ -28,7 +28,7 @@ Use the table below to reference any particular content types or services endpoi
 
 |Domain Name  |Protocol/Port(s)  | Content Type | Additional Information | Microsoft Connected Cache Version |
 |---------|---------|---------------|-------------------|-----------------|
-| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
+| *.b1.download.windowsupdate.com, *.dl.delivery.mp.microsoft.com, *.download.windowsupdate.com, *.au.download.windowsupdate.com, *.au.b1.download.windowsupdate.com, *.tlu.dl.delivery.mp.microsoft.com, *.emdl.ws.microsoft.com, *.ctldl.windowsupdate.com   |  HTTP / 80  | Windows Update </br> Windows Defender </br> Windows Drivers </br> Windows Store | [Complete list](/windows/privacy/manage-windows-2004-endpoints) of endpoints for Windows Update services and payload. | Both |
 | *.delivery.mp.microsoft.com  |  HTTP / 80  | Edge Browser | [Complete list](/deployedge/microsoft-edge-security-endpoints) of endpoints for Edge Browser. | Both |
 | *.officecdn.microsoft.com.edgesuite.net, *.officecdn.microsoft.com, *.cdn.office.net |  HTTP / 80  | Office CDN updates | [Complete list](/office365/enterprise/office-365-endpoints) of endpoints for Office CDN updates. | Both |
 | *.manage.microsoft.com, *.swda01.manage.microsoft.com, *.swda02.manage.microsoft.com, *.swdb01.manage.microsoft.com, *.swdb02.manage.microsoft.com, *.swdc01.manage.microsoft.com, *.swdc02.manage.microsoft.com, *.swdd01.manage.microsoft.com, *.swdd02.manage.microsoft.com, *.swda01-mscdn.manage.microsoft.com, *.swda02-mscdn.manage.microsoft.com, *.swdb01-mscdn.manage.microsoft.com, *.swdb02-mscdn.manage.microsoft.com, *.swdc01-mscdn.manage.microsoft.com, *.swdc02-mscdn.manage.microsoft.com, *.swdd01-mscdn.manage.microsoft.com, *.swdd02-mscdn.manage.microsoft.com |  HTTP / 80 </br> HTTPs / 443  | Intune Win32 Apps | [Complete list](/mem/intune/fundamentals/intune-endpoints) of endpoints for Intune Win32 Apps updates. | Both |

windows/security/application-security/application-control/user-account-control/settings-and-configuration.md

@@ -1,7 +1,7 @@
 ---
 title: User Account Control settings and configuration
 description: Learn about the User Account Control settings and how to configure them via Intune, CSP, group policy and registry.
-ms.date: 05/26/2023
+ms.date: 07/31/2023
 ms.topic: how-to
 ---
 
@@ -9,11 +9,11 @@ ms.topic: how-to
 
 ## User Account Control settings list
 
-The following table lists the available settings to configure the UAC behavior, and their default values.  
+The following table lists the available settings to configure the UAC behavior, and their default values.
 
 |Setting name| Description|
 |-|-|
-|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Windows Security app notifies you that the overall security of the operating system has been reduced.|
+|Run all administrators in Admin Approval Mode|Controls the behavior of all UAC policy settings.<br><br>**Enabled (default)**: Admin Approval Mode is enabled. This policy must be enabled and related UAC settings configured. The policy allows the built-in Administrator account and members of the Administrators group to run in Admin Approval Mode.<br>**Disabled**: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, **Windows Security** notifies you that the overall security of the operating system has been reduced.|
 |Admin Approval Mode for the Built-in Administrator account|Controls the behavior of Admin Approval Mode for the built-in Administrator account.<br><br>**Enabled**: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege prompts the user to approve the operation.<br>**Disabled (default)** : The built-in Administrator account runs all applications with full administrative privilege.|
 |Switch to the secure desktop when prompting for elevation|This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.<br><br>**Enabled (default)**: All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.<br>**Disabled**: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.|
 |Behavior of the elevation prompt for administrators in Admin Approval Mode|Controls the behavior of the elevation prompt for administrators.<br><br>**Elevate without prompting**: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. **Use this option only in the most constrained environments**.<br>**Prompt for credentials on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.<br>**Prompt for consent on the secure desktop**: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for credentials**: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.<br>**Prompt for consent**: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.<br>**Prompt for consent for non-Windows binaries (default)**: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.|
@@ -82,7 +82,7 @@ The policy settings are located under: `Computer Configuration\Windows Settings\
 
 #### [:::image type="icon" source="../../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg)
 
-The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.  
+The registry keys are found under the key: `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.
 
 | Setting name | Registry key name | Value |
 | - | - | - |

windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md

@@ -33,9 +33,9 @@ With Windows 11 2022 update, the vulnerable driver blocklist  is enabled by defa
 
 > [!NOTE]
 >
-> - The Windows Security app is updated separately from the OS and ships out of box. The version with the vulnerable driver blocklist toggle is in the final validation ring and will ship to all customers very soon. Initially, you will be able to view the configuration state only and the toggle will appear grayed out. The ability to turn the toggle on or off will come with a future Windows update.
+> - **Windows Security** is updated separately from the OS and ships out of box. The version with the vulnerable driver blocklist toggle is in the final validation ring and will ship to all customers very soon. Initially, you will be able to view the configuration state only and the toggle will appear grayed out. The ability to turn the toggle on or off will come with a future Windows update.
 >
-> - For Windows Insiders, the option to turn Microsoft's vulnerable driver blocklist on or off using the Windows Security app is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
+> - For Windows Insiders, the option to turn Microsoft's vulnerable driver blocklist on or off using **Windows Security** settings is grayed out when HVCI, Smart App Control, or S mode is enabled. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can turn off the Microsoft vulnerable driver blocklist.
 
 The blocklist is updated with each new major release of Windows, typically 1-2 times per year, including most recently with the Windows 11 2022 update released in September 2022. The most current blocklist is now also available for Windows 10 20H2 and Windows 11 21H2 users as an optional update from Windows Update. Microsoft will occasionally publish future updates through regular Windows servicing.
 

windows/security/docfx.json

@@ -134,10 +134,20 @@
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
         ],
-        "hardware-security//**/*.md": [
+        "hardware-security/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
         ],
+        "hardware-security/pluton/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
+        ],
+        "hardware-security/tpm/**/*.md": [
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
+          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
+        ],
         "identity-protection/**/*.md": [
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
           "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"

windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md

@@ -37,17 +37,17 @@ appliesto:
 
 To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
 
-- [Windows Security app](#windows-security-app)
+- [Windows Security settings](#windows-security)
 - [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
 - [Group Policy](#enable-memory-integrity-using-group-policy)
 - [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
 - [Registry](#use-registry-keys-to-enable-memory-integrity)
 
-### Windows Security app
+### Windows Security
 
-**Memory integrity** can be turned on in the Windows Security app and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
+**Memory integrity** can be turned on in **Windows Security** settings and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
 
-Beginning with Windows 11 22H2, the Windows Security app shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within the Windows Security app.
+Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
 
 To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
 

windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md

@@ -5,7 +5,7 @@ ms.collection:
   - highpri
   - tier1
 ms.topic: conceptual
-ms.date: 03/30/2023
+ms.date: 07/31/2023
 ---
 
 # Kernel DMA Protection
@@ -49,9 +49,9 @@ Kernel DMA Protection isn't compatible with other BitLocker DMA attacks counterm
 
 Systems that support Kernel DMA Protection will enable the feature automatically, with no user or IT admin configuration required.
 
-You can use the Windows Security app to check if Kernel DMA Protection is enabled:
+You can use the Windows Security settings to check if Kernel DMA Protection is enabled:
 
-1. Open Windows Security app
+1. Open **Windows Security**.
 1. Select **Device security > Core isolation details > Memory access protection**
 
 :::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::

windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md

@@ -2,9 +2,7 @@
 title: Microsoft Pluton security processor
 description: Learn more about Microsoft Pluton security processor
 ms.topic: conceptual
-ms.date: 09/15/2022
-appliesto: 
-  - ✅ <b>Windows 11, version 22H2</b>
+ms.date: 07/31/2023
 ---
 
 # Microsoft Pluton security processor

windows/security/hardware-security/pluton/pluton-as-tpm.md

@@ -2,9 +2,7 @@
 title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
 description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
 ms.topic: conceptual
-ms.date: 09/15/2022
-appliesto: 
-  - ✅ <b>Windows 11, version 22H2</b>
+ms.date: 07/31/2023
 ---
 
 # Microsoft Pluton as Trusted Platform Module

windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md

@@ -2,7 +2,7 @@
 title: System Guard Secure Launch and SMM protection
 description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
 ms.localizationpriority: medium
-ms.date: 11/30/2021
+ms.date: 07/31/2023
 ms.topic: conceptual
 ---
 
@@ -19,7 +19,7 @@ You can enable System Guard Secure Launch by using any of these options:
 
 - [Mobile Device Management (MDM)](#mobile-device-management)
 - [Group Policy](#group-policy)
-- [Windows Security app](#windows-security-app)
+- [Windows Security settings](#windows-security)
 - [Registry](#registry)
 
 ### Mobile Device Management
@@ -34,11 +34,11 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
 
     ![Secure Launch Configuration.](images/secure-launch-group-policy.png)
 
-### Windows Security app
+### Windows Security
 
 Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
 
-  ![Windows Security app.](images/secure-launch-security-app.png)
+  ![Windows Security settings.](images/secure-launch-security-app.png)
 
 ### Registry
 
@@ -58,7 +58,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
 
-![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
+![Verifying Secure Launch is running in the Windows Security settings.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
 > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).

windows/security/hardware-security/toc.yml

@@ -6,36 +6,36 @@ items:
       - name: Windows Defender System Guard
         href: how-hardware-based-root-of-trust-helps-protect-windows.md
       - name: Trusted Platform Module
-        href: ../information-protection/tpm/trusted-platform-module-top-node.md
+        href: tpm/trusted-platform-module-top-node.md
         items:
           - name: Trusted Platform Module overview
-            href: ../information-protection/tpm/trusted-platform-module-overview.md
+            href: tpm/trusted-platform-module-overview.md
           - name: TPM fundamentals
-            href: ../information-protection/tpm/tpm-fundamentals.md
+            href: tpm/tpm-fundamentals.md
           - name: How Windows uses the TPM
-            href: ../information-protection/tpm/how-windows-uses-the-tpm.md
+            href: tpm/how-windows-uses-the-tpm.md
           - name: Manage TPM commands
-            href: ../information-protection/tpm/manage-tpm-commands.md
-          - name: Manager TPM Lockout
-            href: ../information-protection/tpm/manage-tpm-lockout.md
+            href: tpm/manage-tpm-commands.md
+          - name: Manage TPM Lockout
+            href: tpm/manage-tpm-lockout.md
           - name: Change the TPM password
-            href: ../information-protection/tpm/change-the-tpm-owner-password.md
+            href: tpm/change-the-tpm-owner-password.md
           - name: TPM Group Policy settings
-            href: ../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+            href: tpm/trusted-platform-module-services-group-policy-settings.md
           - name: Back up the TPM recovery information to AD DS
-            href: ../information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+            href: tpm/backup-tpm-recovery-information-to-ad-ds.md
           - name: View status, clear, or troubleshoot the TPM
-            href: ../information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+            href: tpm/initialize-and-configure-ownership-of-the-tpm.md
           - name: Understanding PCR banks on TPM 2.0 devices
-            href: ../information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+            href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md
           - name: TPM recommendations
-            href: ../information-protection/tpm/tpm-recommendations.md
+            href: tpm/tpm-recommendations.md
       - name: Microsoft Pluton security processor
         items:
           - name: Microsoft Pluton overview
-            href: ../information-protection/pluton/microsoft-pluton-security-processor.md
+            href: pluton/microsoft-pluton-security-processor.md
           - name: Microsoft Pluton as TPM
-            href: ../information-protection/pluton/pluton-as-tpm.md
+            href: pluton/pluton-as-tpm.md
   - name: Silicon assisted security
     items:
       - name: Virtualization-based security (VBS) 🔗
@@ -53,4 +53,4 @@ items:
       - name: Kernel Direct Memory Access (DMA) protection
         href: kernel-dma-protection-for-thunderbolt.md
       - name: System Guard Secure Launch
-        href: system-guard-secure-launch-and-smm-protection.md
+        href: system-guard-secure-launch-and-smm-protection.md

windows/security/hardware-security/tpm/backup-tpm-recovery-information-to-ad-ds.md

@@ -3,9 +3,6 @@ title: Back up TPM recovery information to Active Directory
 description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # Back up the TPM recovery information to AD DS

windows/security/hardware-security/tpm/change-the-tpm-owner-password.md

@@ -1,14 +1,8 @@
 ---
-title: Change the TPM owner password 
+title: Change the TPM owner password
 description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Change the TPM owner password

windows/security/hardware-security/tpm/how-windows-uses-the-tpm.md

@@ -3,9 +3,6 @@ title: How Windows uses the TPM
 description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # How Windows uses the Trusted Platform Module
@@ -22,11 +19,11 @@ TPMs are passive: they receive commands and return responses. To realize the ful
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*.
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't.
 
-Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+Certification programs for TPMs-and technology in general-continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
 
 ## TPM in Windows
 
@@ -64,7 +61,7 @@ The adoption of new authentication technology requires that identity providers a
 
 Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
 
-- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
+- **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM).
 
 - **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
@@ -77,7 +74,7 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
 
 BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
 
-In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
+In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however-for example, a different operating system is booted from a USB device-the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
 
 - **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
 

windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md

@@ -3,9 +3,6 @@ title: Troubleshoot the TPM
 description: Learn how to view and troubleshoot the Trusted Platform Module (TPM).
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ms.collection:
 - highpri
 - tier1

windows/security/hardware-security/tpm/manage-tpm-commands.md

@@ -1,14 +1,8 @@
 ---
-title: Manage TPM commands 
+title: Manage TPM commands
 description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
 
 # Manage TPM commands

windows/security/hardware-security/tpm/manage-tpm-lockout.md

@@ -1,15 +1,10 @@
 ---
-title: Manage TPM lockout 
+title: Manage TPM lockout
 description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
 ms.topic: conceptual
 ms.date: 04/26/2023
-appliesto:
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2022</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2019</a>
-  - ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016</a>
 ---
+
 # Manage TPM lockout
 
 This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.

windows/security/hardware-security/tpm/switch-pcr-banks-on-tpm-2-0-devices.md

@@ -3,9 +3,6 @@ title: UnderstandPCR banks on TPM 2.0 devices
 description: Learn about what happens when you switch PCR banks on TPM 2.0 devices.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # PCR banks on TPM 2.0 devices

windows/security/hardware-security/tpm/tpm-fundamentals.md

@@ -3,9 +3,6 @@ title: Trusted Platform Module (TPM) fundamentals
 description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks.
 ms.topic: conceptual
 ms.date: 03/09/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
 ---
 
 # TPM fundamentals
@@ -116,4 +113,4 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
 - Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered.
   With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors
 - Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements
-- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password
+- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password

windows/security/hardware-security/tpm/tpm-recommendations.md

@@ -1,14 +1,11 @@
 ---
-title: TPM recommendations 
+title: TPM recommendations
 description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.collection: 
-  - highpri
-  - tier1
+ms.collection:
+- highpri
+- tier1
 ---
 
 # TPM recommendations
@@ -25,7 +22,7 @@ TPMs are passive: they receive commands and return responses. To realize the ful
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
-OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
+OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust-that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not.
 
@@ -90,7 +87,7 @@ For end consumers, TPM is behind the scenes but is still relevant. TPM is used f
 
 - TPM is optional on IoT Core.
 
-### Windows Server 2016
+### Windows Server 2016
 
 - TPM is optional for Windows Server SKUs unless the SKU meets the other qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
 

windows/security/hardware-security/tpm/trusted-platform-module-overview.md

@@ -3,12 +3,9 @@ title: Trusted Platform Module Technology Overview
 description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
 ms.date: 02/22/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.collection: 
-  - highpri
-  - tier1
+ms.collection:
+- highpri
+- tier1
 ---
 
 # Trusted Platform Module Technology Overview

windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md

@@ -1,16 +1,12 @@
 ---
-title: TPM Group Policy settings 
+title: TPM Group Policy settings
 description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 ms.topic: conceptual
-ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
+ms.date: 07/31/2023
 ---
 
 # TPM Group Policy settings
 
-
 This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
 
 The Group Policy settings for TPM services are located at:
@@ -34,11 +30,11 @@ This policy setting configured which TPM authorization values are stored in the
 
 There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.
 
--   **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
+-   **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0.
 
--   **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
+-   **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703.
 
--   **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
+-   **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications.
 
 > [!NOTE]
 > If the operating system managed TPM authentication setting is changed from **Full** to **Delegated**, the full TPM owner authorization value will be regenerated, and any copies of the previously set TPM owner authorization value will be invalid.
@@ -57,7 +53,6 @@ The following table shows the TPM owner authorization values in the registry.
 | 2          | Delegated |
 | 4          | Full      |
 
-
 If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
 
 On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
@@ -73,9 +68,9 @@ This setting helps administrators prevent the TPM hardware from entering a locko
 
 For each standard user, two thresholds apply. Exceeding either threshold prevents the user from sending a command that requires authorization to the TPM. Use the following policy settings to set the lockout duration:
 
--   [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
+-   [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold)   This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM.
 
--   [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
+-   [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM.
 
 An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally.
 
@@ -107,32 +102,36 @@ If you do not configure this policy setting, a default value of 9 is used. A val
 
 ## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
 
-Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. 
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below.
 
 > [!IMPORTANT]
-> Setting this policy will take effect only if:  
-> -   The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
-> -   The system has a TPM 2.0. 
-> 
+> Setting this policy will take effect only if:
+>
+> - The TPM was originally prepared using a version of Windows after Windows 10 Version 1607
+> - The system has a TPM 2.0.
+
 > [!NOTE]
 > Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either:
+>
 > -  Disable it from group policy
 > -  Clear the TPM on the system
 
-## TPM Group Policy settings in the Windows Security app
+## TPM Group Policy settings in Windows Security
 
-You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at:
+You can change what users see about TPM in **Windows Security**. The Group Policy settings for the TPM area in **Windows Security** are located at:
 
-**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security** 
+**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**
 
 ### Disable the Clear TPM button
-If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
+
+If you don't want users to be able to click the **Clear TPM** button in **Windows Security**, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.
 
 ### Hide the TPM Firmware Update recommendation
+
 If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected.
 
 ## Related topics
 
-- [Trusted Platform Module](trusted-platform-module-top-node.md) 
+- [Trusted Platform Module](trusted-platform-module-top-node.md)
 - [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
 - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)

windows/security/hardware-security/tpm/trusted-platform-module-top-node.md

@@ -1,14 +1,11 @@
 ---
-title: Trusted Platform Module 
+title: Trusted Platform Module
 description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
 ms.topic: conceptual
 ms.date: 02/02/2023
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
-ms.collection: 
-  - highpri
-  - tier1
+ms.collection:
+- highpri
+- tier1
 ---
 
 # Trusted Platform Module

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -85,7 +85,7 @@ The following tables describe baseline protections, plus protections for improve
 |---|---|---|
 |Hardware: **64-bit CPU**        |A 64-bit computer is required for the Windows hypervisor to provide VBS.|
 |Hardware: **CPU virtualization extensions**, plus **extended page tables**|**Requirements**: </br> - These hardware features are required for VBS: One of the following virtualization extensions: - VT-x (Intel) or - AMD-V And: - Extended page tables, also called Second Level Address Translation (SLAT).|VBS provides isolation of secure kernel from normal operating system. </br></br> Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation.|
-|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
+|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../hardware-security/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
 |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
 |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
 |Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|

windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md

@@ -359,7 +359,7 @@ A TPM implements controls that meet the specification described by the Trusted C
 - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
 - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
 
-Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
+Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../hardware-security/tpm/tpm-recommendations.md).
 
 Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
 

windows/security/includes/sections/operating-system.md

@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 07/31/2023
 ms.topic: include
 ---
 
@@ -21,7 +21,7 @@ ms.topic: include
 | **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
 | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
 | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
-| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the Windows Security app. |
+| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the **Windows Security** settings. |
 | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
 | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
 | **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |

windows/security/index.yml

@@ -39,7 +39,7 @@ landingContent:
       - linkListType: concept
         links:
         - text: Trusted Platform Module
-          url: information-protection/tpm/trusted-platform-module-top-node.md
+          url: hardware-security/tpm/trusted-platform-module-top-node.md
         - text: Windows Defender System Guard firmware protection
           url: hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
         - text: System Guard Secure Launch and SMM protection enablement

windows/security/introduction.md

@@ -1,7 +1,7 @@
 ---
 title: Introduction to Windows security
 description: System security book.
-ms.date: 04/24/2023
+ms.date: 08/01/2023
 ms.topic: tutorial
 ms.author: paoloma
 content_well_notification: 
@@ -15,7 +15,7 @@ appliesto:
 
 The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
 
-Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
+Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud.
 
 ## How Windows 11 enables Zero Trust protection
 
@@ -25,7 +25,7 @@ A Zero Trust security model gives the right people the right access at the right
 1. When verified, give people and devices access to only necessary resources for the necessary amount of time
 1. Use continuous analytics to drive threat detection and improve defenses
 
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](../identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
+For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Azure Active Directory, which enable timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
 
 ### Security, by default
 
@@ -35,7 +35,7 @@ Windows 11 is a natural evolution of its predecessor, Windows 10. We have collab
 
 With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
 
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](../operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
+In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
 
 ### Robust application security and privacy controls
 
@@ -45,7 +45,7 @@ In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/d
 
 ### Secured identities
 
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](../information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](../identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](../identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
+Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication.
 
 ### Connecting to cloud services
 

windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md

@@ -15,7 +15,7 @@ This article for IT professionals describes the function, location, and effect o
 Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
 
 > [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md).
+> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md).
 
 BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
 
@@ -219,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must
 
 Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
 
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
 
 The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
 

windows/security/operating-system-security/data-protection/bitlocker/index.md

@@ -48,7 +48,8 @@ The hard disk must be partitioned with at least two drives:
 
 When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
 
-A partition subject to encryption can't be marked as an active partition. This requirement applies to the operating system drives, fixed data drives, and removable data drives.
+> [!IMPORTANT]
+> An encrypted partition can't be marked as active.
 
 When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
 

windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md

@@ -755,4 +755,4 @@ Health attestation is a key feature of Windows 10 that includes client and cloud
 
 - [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard)
 - [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide)
-- [Trusted Platform Module technology overview](../../information-protection/tpm/trusted-platform-module-overview.md)
+- [Trusted Platform Module technology overview](../../hardware-security/tpm/trusted-platform-module-overview.md)

windows/security/operating-system-security/system-security/toc.yml

@@ -9,7 +9,7 @@ items:
   href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
 - name: Cryptography and certificate management
   href: cryptography-certificate-mgmt.md
-- name: Windows Security app
+- name: Windows Security settings
   href: windows-defender-security-center/windows-defender-security-center.md
   items:
   - name: Virus & threat protection
@@ -25,4 +25,8 @@ items:
   - name: Device performance & health
     href: windows-defender-security-center\wdsc-device-performance-health.md
   - name: Family options
-    href: windows-defender-security-center\wdsc-family-options.md
+    href: windows-defender-security-center\wdsc-family-options.md
+  - name: Customize contact information
+    href: windows-defender-security-center\wdsc-customize-contact-information.md
+  - name: Hide notifications
+    href: windows-defender-security-center\wdsc-hide-notifications.md

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-account-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Account protection in the Windows Security app
+title: Account protection in Windows Security
 description: Use the Account protection section to manage security for your account and sign in to Microsoft.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -18,7 +18,7 @@ You can also choose to hide the section from users of the device. This is useful
 
 ## Hide the Account protection section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 You can only configure these settings by using Group Policy.
 
@@ -32,6 +32,6 @@ You can only configure these settings by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-app-browser-control.md

@@ -1,7 +1,7 @@
 ---
-title: App & browser control in the Windows Security app
+title: App & browser control in Windows Security
 description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -30,7 +30,7 @@ You can only prevent users from modifying Exploit protection settings by using G
 
 ## Hide the App & browser control section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -44,6 +44,6 @@ This section can be hidden only by using Group Policy.
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-customize-contact-information.md

@@ -1,13 +1,13 @@
 ---
-title: Customize Windows Security contact information
+title: Customize Windows Security contact information in Windows Security
 description: Provide information to your employees on how to contact your IT department when a security issue occurs
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
-# Customize the Windows Security app for your organization
+# Customize the Windows Security settings for your organization
 
-You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
+You can add information about your organization in a contact card in **Windows Security**. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
 
 ![The Windows Security custom fly-out.](images/security-center-custom-flyout.png)
 
@@ -16,7 +16,7 @@ This information will also be shown in some enterprise-specific notifications (i
 Users can select the displayed information to initiate a support request:
 
 - Select **Call** or the phone number to open Skype to start a call to the displayed number.
-- Select  **Email** or the email address to create a new email in the machine's default email app address to the displayed email.
+- Select **Email** or the email address to create a new email in the machine's default email app addressed to the displayed email.
 - Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address.
 
 ## Requirements

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-performance-health.md

@@ -1,7 +1,7 @@
 ---
-title: Device & performance health in the Windows Security app
+title: Device & performance health in Windows Security
 description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -12,11 +12,11 @@ The **Device performance & health** section contains information about hardware,
 
 The [Windows 10 IT pro troubleshooting topic](/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](/windows/windows-10/) can also be helpful for resolving issues.
 
-In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+This section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 
 ## Hide the Device performance & health section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -30,6 +30,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-device-security.md

@@ -1,7 +1,7 @@
 ---
-title: Device security in the Windows Security app
+title: Device security in Windows Security
 description: Use the Device security section to manage security built into your device, including virtualization-based security.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -13,7 +13,7 @@ You can choose to hide the section from users of the machine. This option can be
 
 ## Hide the Device security section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. You can hide the device security section by using Group Policy only.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side. You can hide the device security section by using Group Policy only.
 
 > [!IMPORTANT]
 > You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.
@@ -25,13 +25,13 @@ You can choose to hide the entire section by using Group Policy. The section won
 5. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Disable the Clear TPM button
 
-If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
+If you don't want users to be able to click the **Clear TPM** button in **Windows Security**, you can disable it.
 
 > [!IMPORTANT]
 > You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings.

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-family-options.md

@@ -1,22 +1,22 @@
 ---
-title: Family options in the Windows Security app
+title: Family options in Windows Security
 description: Learn how to hide the Family options section of Windows Security for enterprise environments. Family options aren't intended for business environments.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
 
 # Family options
 
-The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It isn't intended for enterprise or business environments.
+The **Family options** section contains links to settings and further information for parents of a Windows PC. It isn't intended for enterprise or business environments.
 
 Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender)
 
-In Windows 10, version 1709, the section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
+This section can be hidden from users of the machine. This option can be useful if you don't want employees in your organization to see or have access to this section.
 
 ## Hide the Family options section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -30,6 +30,6 @@ This section can be hidden only by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-firewall-network-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Firewall and network protection in the Windows Security app
+title: Firewall and network protection in Windows Security
 description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine.
-ms.date: 12/31/2018
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -9,11 +9,11 @@ ms.topic: article
 
 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
 
-In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
 
 ## Hide the Firewall & network protection section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -27,6 +27,6 @@ This section can be hidden only by using Group Policy.
 1. Deploy the updated GPO as you normally do.
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-hide-notifications.md

@@ -1,13 +1,13 @@
 ---
-title: Hide notifications from the Windows Security app
-description: Prevent Windows Security app notifications from appearing on user endpoints
-ms.date: 12/31/2018
+title: Hide notifications from Windows Security
+description: Prevent Windows Security notifications from appearing on user endpoints
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
-# Hide Windows Security app notifications
+# Hide Windows Security notifications
 
-The Windows Security app is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
+**Windows Security** is used by many Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others.
 
 In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization.
 
@@ -38,7 +38,7 @@ These notifications can be hidden only by using Group Policy.
 
 ## Use Group Policy to hide all notifications
 
-You can hide all notifications that are sourced from the Windows Security app. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
+You can hide all notifications that are sourced from **Windows Security**. This option may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input.
 
 These notifications can be hidden only by using Group Policy.
 
@@ -57,11 +57,18 @@ These notifications can be hidden only by using Group Policy.
 
 > [!NOTE]
 > You can use the following registry key and DWORD value to **Hide all notifications**.
-> **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
-    **"DisableNotifications"=dword:00000001**
+>
+> ```text
+> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
+>   "DisableNotifications"=dword:00000001
+> ```
+>
 > You can use the following registry key and DWORD value to **Hide not-critical notifications**.
->**[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]**
-     **"DisableEnhancedNotifications"=dword:00000001**
+>
+> ```text
+> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
+>   "DisableEnhancedNotifications"=dword:00000001
+> ```
 
 ## Notifications
 
@@ -79,7 +86,7 @@ These notifications can be hidden only by using Group Policy.
 | Follow-up action (restart) | Microsoft Defender Antivirus found _threat_ in _file_. Restart your device. | WDAV_REBOOT | Yes |Virus & threat protection notification|
 | Follow-up action (Full scan) | Microsoft Defender Antivirus found _threat_ in _file_. Run a full scan of your device. | FULLSCAN_REQUIRED | Yes |Virus & threat protection notification|
 | Sample submission prompt | Review files that Windows Defender will send to Microsoft. Sending this information can improve how Microsoft Defender Antivirus helps protect your device. | SAMPLE_SUBMISSION_REQUIRED | Yes |Virus & threat protection notification|
-| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won’t be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
+| OS support ending warning | Support for your version of Windows is ending. When this support ends, Microsoft Defender Antivirus won't be supported, and your device might be at risk. | SUPPORT_ENDING | Yes |Virus & threat protection notification|
 | OS support ended, device at risk | Support for your version of Windows has ended. Microsoft Defender Antivirus is no longer supported, and your device might be at risk. | SUPPORT_ENDED _and_ SUPPORT_ENDED_NO_DEFENDER | Yes |Virus & threat protection notification|
 | Summary notification, items found | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. Your device was scanned _n_ times. | RECAP_FOUND_THREATS_SCANNED | No |Virus & threat protection notification|
 | Summary notification, items found, no scan count | Microsoft Defender Antivirus successfully took action on _n_ threats since your last summary. | RECAP_FOUND_THREATS | No |Virus & threat protection notification|

windows/security/operating-system-security/system-security/windows-defender-security-center/wdsc-virus-threat-protection.md

@@ -1,7 +1,7 @@
 ---
-title: Virus and threat protection in the Windows Security app
+title: Virus and threat protection in Windows Security
 description: Use the Virus & threat protection section to see and configure Microsoft Defender Antivirus, Controlled folder access, and 3rd-party AV products.
-ms.date: 12/31/2017
+ms.date: 07/31/2023
 ms.topic: article
 ---
 
@@ -13,7 +13,7 @@ In Windows 10, version 1803, this section also contains information and settings
 
 IT administrators and IT pros can get more configuration information from these articles:
 
-- [Microsoft Defender Antivirus in the Windows Security app](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
+- [Microsoft Defender Antivirus in Windows Security](/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus)
 - [Microsoft Defender Antivirus documentation library](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)
 - [Protect important folders with Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
 - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/)
@@ -24,7 +24,7 @@ You can hide the **Virus & threat protection** section or the **Ransomware prote
 
 ## Hide the Virus & threat protection section
 
-You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app.
+You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of **Windows Security**, and its icon won't be shown on the navigation bar on the side.
 
 This section can be hidden only by using Group Policy.
 
@@ -38,13 +38,13 @@ This section can be hidden only by using Group Policy.
 1. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Screenshot of the Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Screenshot of the Windows Security with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Hide the Ransomware protection area
 
-You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of the Windows Security app.
+You can choose to hide the **Ransomware protection** area by using Group Policy. The area won't appear on the **Virus & threat protection** section of **Windows Security**.
 
 This area can be hidden only by using Group Policy.
 

windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md

@@ -1,30 +1,30 @@
 ---
-title: Windows Security app
-description: The Windows Security app brings together common Windows security features into one place.
-ms.date: 12/31/2017
+title: Windows Security
+description: Windows Security brings together common Windows security features into one place.
+ms.date: 07/31/2023
 ms.topic: article
 ms.collection:
   - highpri
   - tier2
 ---
 
-# Windows Security app
+# Windows Security
 
-This library describes the Windows Security app, and provides information on configuring certain features, including:
+This library describes **Windows Security** settings, and provides information on configuring certain features, including:
 
-- [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md)
+- [Showing and customizing contact information](wdsc-customize-contact-information.md)
 - [Hiding notifications](wdsc-hide-notifications.md)
 
-In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps.
+In Windows 10, version 1709 and later, the settings also show information from third-party antivirus and firewall apps.
 
-In Windows 10, version 1803, the app has two new areas: **Account protection** and **Device security**.
+In Windows 10, version 1803, the settings have two new areas: **Account protection** and **Device security**.
 
-![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
+![Screenshot of the Windows Security showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
 
 > [!NOTE]
-> The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
+> **Windows Security** is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/).
 
-You can't uninstall the Windows Security app, but you can do one of the following actions:
+You can't uninstall **Windows Security**, but you can do one of the following actions:
 
 - Disable the interface on Windows Server 2016.
 - Hide all of the sections on client computers.
@@ -41,19 +41,19 @@ For more information about each section, options for configuring the sections, a
 - [Family options](wdsc-family-options.md), which include access to parental controls along with tips and information for keeping kids safe online.
 
 > [!NOTE]
-> If you hide all sections then the app will show a restricted interface, as in the following screenshot:
+> If you hide all sections then **Windows Security** will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by group policy.](images/wdsc-all-hide.png)
+> ![Windows Security with all sections hidden by group policy.](images/wdsc-all-hide.png)
 
-## Open the Windows Security app
+## Open Windows Security
 
 - Select the icon in the notification area on the taskbar.
 
-    ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png)
+    ![Screenshot of the icon for the Windows Security on the Windows task bar.](images/security-center-taskbar.png)
 
 - Search the Start menu for **Windows Security**.
 
-    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
+    ![Screenshot of the Start menu showing the results of a search for the Windows Security, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
 
 - Open an area from Windows **Settings**.
 
@@ -62,12 +62,12 @@ For more information about each section, options for configuring the sections, a
 > [!NOTE]
 > Settings configured with management tools, such as group policy, Microsoft Intune, or Microsoft Configuration Manager, will generally take precedence over the settings in the Windows Security.
 
-## How the Windows Security app works with Windows security features
+## How Windows Security works with Windows security features
 
 > [!IMPORTANT]
-> Microsoft Defender Antivirus and the Windows Security app use similarly named services for specific purposes.
+> **Microsoft Defender Antivirus** and **Windows Security** use similarly named services for specific purposes.
 >
-> The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that the app provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
+> The **Windows Security** uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Service*), which in turn utilizes the Windows Security Center Service (*wscsvc*). This service makes sure that **Windows Security** provides the most up-to-date information about the protection status on the endpoint. This information includes protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection.
 >
 > These services don't affect the state of Microsoft Defender Antivirus. Disabling or modifying these services won't disable Microsoft Defender Antivirus. It will lead to a lowered protection state on the endpoint, even if you're using a third-party antivirus product.
 >
@@ -76,19 +76,19 @@ For more information about each section, options for configuring the sections, a
 > Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
 
 > [!WARNING]
-> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
 >
 > It may also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
 >
 > This will significantly lower the protection of your device and could lead to malware infection.
 
-The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
+**Windows Security** operates as a separate app or process from each of the individual features, and will display notifications through the Action Center.
 
 It acts as a collector or single place to see the status and perform some configuration for each of the features.
 
-If you disable any of the individual features, it will prevent that feature from reporting its status in the Windows Security app. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager. The Windows Security app itself will still run and show status for the other security features.
+If you disable any of the individual features, it will prevent that feature from reporting its status in **Windows Security**. For example, if you disable a feature through group policy or other management tools, such as Microsoft Configuration Manager, **Windows Security** itself will still run and show status for the other security features.
 
 > [!IMPORTANT]
-> If you individually disable any of the services, it won't disable the other services or the Windows Security app.
+> If you individually disable any of the services, it won't disable the other services or **Windows Security** itself.
 
-For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.
+For example, [using a third-party antivirus will disable Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility). However, **Windows Security** will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall.

windows/security/security-foundations/certification/fips-140-validation.md

@@ -47,7 +47,7 @@ Each of the cryptographic modules has a defined security policy that must be met
 
 ### Step 3: Enable the FIPS security policy
 
-Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode.  When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode.  This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution.   For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).  
+Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode.  When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode.  This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution.   For more information on the policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
 
 ### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
 

windows/security/security-foundations/certification/toc.yml

@@ -1,5 +1,5 @@
 items:
 - name: FIPS 140-2 Validation
-  href: ../../threat-protection/fips-140-validation.md
+  href: fips-140-validation.md
 - name: Common Criteria Certifications
-  href: ../../threat-protection/windows-platform-common-criteria.md
+  href: windows-platform-common-criteria.md

windows/security/security-foundations/index.md

@@ -15,9 +15,4 @@ Our strong security foundation uses Microsoft Security Development Lifecycle (SD
 
 Use the links in the following table to learn more about the security foundations:
 
-| Concept | Description |
-|:---|:---|
-| FIPS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. <br/><br/>Learn more about [FIPS 140-2 Validation](../threat-protection/fips-140-validation.md). |
-| Common Criteria Certifications |  Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products. <br/><br/>Learn more about [Common Criteria Certifications](../threat-protection/windows-platform-common-criteria.md). |
-| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.<br/><br/>Learn more about [Microsoft SDL](../threat-protection/msft-security-dev-lifecycle.md).|
-| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.<br/><br/>Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
+[!INCLUDE [operating-system-security](../includes/sections/security-foundations.md)]

windows/security/security-foundations/msft-security-dev-lifecycle.md

@@ -1,14 +1,11 @@
 ---
 title: Microsoft Security Development Lifecycle
 description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development.
-ms.prod: windows-client
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
 ms.topic: article
-ms.localizationpriority: medium
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 07/31/2023
 ---
 
 # Microsoft Security Development Lifecycle
@@ -20,10 +17,11 @@ The Security Development Lifecycle (SDL) is a security assurance process that is
 With the help of the combination of a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. 
 
 The Microsoft SDL is based on three core concepts:
+
 - Education
 - Continuous process improvement
 - Accountability
 
 To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl).
 
-And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425).
+And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://www.microsoft.com/download/details.aspx?id=12379).

windows/security/security-foundations/toc.yml

@@ -1,7 +1,9 @@
 items:
 - name: Overview
   href: index.md
+- name: Zero Trust and Windows
+  href: zero-trust-windows-device-health.md
 - name: Microsoft Security Development Lifecycle
-  href: ../threat-protection/msft-security-dev-lifecycle.md
+  href: msft-security-dev-lifecycle.md
 - name: Certification
-  href: certification/toc.yml
+  href: certification/toc.yml

windows/security/security-foundations/zero-trust-windows-device-health.md

@@ -41,7 +41,7 @@ Attestation helps verify the identity and status of essential components and tha
 
 These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
 
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
+Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](../operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
 
 A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
 

windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md

@@ -1,8 +1,8 @@
 ---
-title: UAC Run all administrators in Admin Approval Mode 
+title: UAC Run all administrators in Admin Approval Mode
 description: Learn about best practices, security considerations and more for the security policy setting, User Account Control Run all administrators in Admin Approval Mode.
 ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf
-ms.reviewer: 
+ms.reviewer:
 ms.author: vinpa
 ms.prod: windows-client
 ms.mktglfcycl: deploy
@@ -20,8 +20,8 @@ ms.technology: itpro-security
 # User Account Control: Run all administrators in Admin Approval Mode
 
 **Applies to**
--   Windows 11
--   Windows 10
+-   Windows 11
+-   Windows 10
 
 This article describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting.
 
@@ -40,7 +40,7 @@ This policy setting determines the behavior of all User Account Control (UAC) po
     Admin Approval Mode and all related UAC policies are disabled.
 
     > [!NOTE]
-    > If this security setting is configured to **Disabled**, Windows Security app notifies the user that the overall security of the operating system has been reduced.
+    > If this security setting is configured to **Disabled**, **Windows Security** notifies the user that the overall security of the operating system has been reduced.
 
 ### Best practices
 
@@ -56,13 +56,13 @@ The following table lists the actual and effective default values for this polic
 
 | Server type or GPO | Default value |
 | - | - |
-| Default Domain Policy| Not defined| 
-| Default Domain Controller Policy | Not defined| 
-| Stand-Alone Server Default Settings | Enabled| 
-| DC Effective Default Settings | Enabled| 
-| Member Server Effective Default Settings| Enabled| 
-| Client Computer Effective Default Settings | Enabled| 
- 
+| Default Domain Policy| Not defined|
+| Default Domain Controller Policy | Not defined|
+| Stand-Alone Server Default Settings | Enabled|
+| DC Effective Default Settings | Enabled|
+| Member Server Effective Default Settings| Enabled|
+| Client Computer Effective Default Settings | Enabled|
+
 ## Policy management
 
 This section describes features and tools that are available to help you manage this policy.

windows/security/toc.yml

@@ -2,14 +2,10 @@ items:
 - name: Windows security
   href: index.yml
   expanded: true
-- name: Introduction
-  items:
-  - name: Windows security overview
-    href: introduction/index.md
-  - name: Zero Trust and Windows
-    href: zero-trust-windows-device-health.md
-  - name: Security features licensing and edition requirements
-    href: licensing-and-edition-requirements.md
+- name: Introduction to Windows security
+  href: introduction.md
+- name: Security features licensing and edition requirements
+  href: licensing-and-edition-requirements.md
 - name: Hardware security
   href: hardware-security/toc.yml
 - name: Operating system security