diff --git a/.openpublishing.redirection.windows-deployment.json b/.openpublishing.redirection.windows-deployment.json
index 96bea40c31..5ac6d20892 100644
--- a/.openpublishing.redirection.windows-deployment.json
+++ b/.openpublishing.redirection.windows-deployment.json
@@ -957,12 +957,12 @@
     },
     {
       "source_path": "windows/deployment/windows-autopilot/user-driven-aad.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/user-driven",
+      "redirect_url": "/mem/autopilot/user-driven",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopilot/user-driven-hybrid.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/user-driven",
+      "redirect_url": "/mem/autopilot/user-driven",
       "redirect_document_id": false
     },
     {
@@ -977,22 +977,22 @@
     },
     {
       "source_path": "windows/deployment/windows-autopilot/windows-10-autopilot.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot",
+      "redirect_url": "/mem/autopilot/windows-autopilot",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot-requirements",
+      "redirect_url": "/mem/autopilot/windows-autopilot-requirements",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot-requirements",
+      "redirect_url": "/mem/autopilot/windows-autopilot-requirements",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot-requirements",
+      "redirect_url": "/mem/autopilot/windows-autopilot-requirements",
       "redirect_document_id": false
     },
     {
@@ -1002,12 +1002,12 @@
     },
     {
       "source_path": "windows/deployment/windows-autopilot/windows-autopilot-reset-local.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot-reset",
+      "redirect_url": "/mem/autopilot/windows-autopilot-reset",
       "redirect_document_id": false
     },
     {
       "source_path": "windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md",
-      "redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot-reset",
+      "redirect_url": "/mem/autopilot/windows-autopilot-reset",
       "redirect_document_id": false
     },
     {
@@ -1029,6 +1029,16 @@
       "source_path": "windows/deployment/windows-autopilot/windows-autopilot.md",
       "redirect_url": "/mem/autopilot/windows-autopilot",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md",
+      "redirect_url": "/mem/autopilot/tutorial/autopilot-scenarios",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/deployment/windows-autopilot/index.yml",
+      "redirect_url": "/mem/autopilot/",
+      "redirect_document_id": false
     }
   ]
 }
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 38a2894c80..54589ae7b4 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -80,6 +80,11 @@
       "redirect_url": "/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines",
       "redirect_document_id": false
     },
+    {
+      "source_path": "windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md",
+      "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac",
+      "redirect_document_id": false
+    },
     {
       "source_path": "windows/security/apps.md",
       "redirect_url": "/windows/security/application-security",
diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml
index accbb0e679..200205ac8f 100644
--- a/browsers/edge/index.yml
+++ b/browsers/edge/index.yml
@@ -10,7 +10,6 @@ metadata:
   keywords: Microsoft Edge Legacy, Windows 10
   ms.localizationpriority: medium
   ms.topic: landing-page # Required
-  ms.collection: collection # Optional; Remove if no collection is used.
   author: dougeby #Required; your GitHub user alias, with correct capitalization.
   ms.author: pashort #Required; microsoft alias of author; optional team alias.
   ms.date: 07/07/2020 #Required; mm/dd/yyyy format.
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
index 0e1a848592..996e07597a 100644
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.yml
@@ -2,7 +2,6 @@
 metadata:
   title: IE and Microsoft Edge FAQ for IT Pros
   description: Describes frequently asked questions about Internet Explorer and Microsoft Edge for IT professionals. 
-  audience: ITPro
   manager: msmets
   author: ramakoni1
   ms.author: ramakoni
@@ -10,7 +9,6 @@ metadata:
   ms.prod: internet-explorer
   ms.technology:
   ms.topic: faq
-  ms.custom: CI=111020
   ms.localizationpriority: medium
   ms.date: 01/23/2020
 title: Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index 5f7bfddd78..517cf27df5 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,18 +1,21 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 | Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
 |:---|:---:|:---:|:---:|:---:|
-|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
+|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
 |**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|❌|Yes|
+|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
 |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
+|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
 |**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
 |**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
@@ -28,21 +31,24 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
-|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|
-|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
-|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
+|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|❌|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
-|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|
+|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|
+|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|
+|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|
+|**OneFuzz service**|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
 |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|❌|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
@@ -50,31 +56,32 @@ ms.topic: include
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
-|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
-|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
+|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|
+|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|
 |**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|
-|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
+|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|Yes|Yes|Yes|Yes|
-|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|
-|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
+|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|
+|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|❌|Yes|
 |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|
-|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
-|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
-|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|
-|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
+|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 0f604cb58f..305a28bba1 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -1,18 +1,21 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 |Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---|:---:|:---:|:---:|:---:|:---:|
-|**[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
+|**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
 |**[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)**|❌|Yes|Yes|Yes|Yes|
+|**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
+|**[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
 |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
 |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
+|**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes|
 |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
@@ -28,21 +31,24 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
 |**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
-|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|Yes|
-|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|Yes|
-|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
-|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
+|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
+|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
+|**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|Yes|Yes|Yes|
-|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
+|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
 |**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
 |**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
 |**[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
-|**[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)**|Yes|Yes|Yes|Yes|Yes|
+|**Microsoft Security Development Lifecycle (SDL)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)**|Yes|Yes|Yes|Yes|Yes|
+|**[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Modern device management through (MDM)](/windows/client-management/mdm-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**OneFuzz service**|Yes|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
 |**[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)**|❌|Yes|Yes|Yes|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
@@ -50,31 +56,32 @@ ms.topic: include
 |**[Remote wipe](/windows/client-management/mdm/remotewipe-csp)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
 |**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
-|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
-|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
+|**[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
+|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)**|Yes|Yes|Yes|Yes|Yes|
+|**Software Bill of Materials (SBOM)**|Yes|Yes|Yes|Yes|Yes|
 |**[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Universal Print](/universal-print/)**|❌|Yes|Yes|Yes|Yes|
-|**[User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview)**|Yes|Yes|Yes|Yes|Yes|
-|**[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
+|**[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)**|Yes|Yes|Yes|Yes|Yes|
+|**[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)**|Yes|Yes|Yes|Yes|Yes|
 |**[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)**|Yes|Yes|Yes|Yes|Yes|
 |**[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Autopatch](/windows/deployment/windows-autopatch/)**|❌|Yes|Yes|❌|❌|
 |**[Windows Autopilot](/windows/deployment/windows-autopilot)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
 |**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|Yes|
-|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
+|**[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/access-control-aclsacl.md b/includes/licensing/access-control-aclsacl.md
new file mode 100644
index 0000000000..8adad0309e
--- /dev/null
+++ b/includes/licensing/access-control-aclsacl.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Access Control (ACL/SACL):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Access Control (ACL/SACL) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/access-control-aclsscals.md b/includes/licensing/access-control-aclsscals.md
index 74b2f49090..9d8830c6cd 100644
--- a/includes/licensing/access-control-aclsscals.md
+++ b/includes/licensing/access-control-aclsscals.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/account-lockout-policy.md b/includes/licensing/account-lockout-policy.md
index f73aa4228c..1e7a0d8661 100644
--- a/includes/licensing/account-lockout-policy.md
+++ b/includes/licensing/account-lockout-policy.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/always-on-vpn-device-tunnel.md b/includes/licensing/always-on-vpn-device-tunnel.md
index 74b2333a3d..08d98ed800 100644
--- a/includes/licensing/always-on-vpn-device-tunnel.md
+++ b/includes/licensing/always-on-vpn-device-tunnel.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/app-containers.md b/includes/licensing/app-containers.md
new file mode 100644
index 0000000000..0d698a7bfb
--- /dev/null
+++ b/includes/licensing/app-containers.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support App containers:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+App containers license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/applocker.md b/includes/licensing/applocker.md
new file mode 100644
index 0000000000..54cc165d41
--- /dev/null
+++ b/includes/licensing/applocker.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support AppLocker:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+AppLocker license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|No|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/assigned-access-kiosk-mode.md b/includes/licensing/assigned-access-kiosk-mode.md
index a2f4b745bb..066c7badc4 100644
--- a/includes/licensing/assigned-access-kiosk-mode.md
+++ b/includes/licensing/assigned-access-kiosk-mode.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/attack-surface-reduction-asr.md b/includes/licensing/attack-surface-reduction-asr.md
index 666af08c54..7d481ce4bf 100644
--- a/includes/licensing/attack-surface-reduction-asr.md
+++ b/includes/licensing/attack-surface-reduction-asr.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
index b093cd8faa..5ae19412dd 100644
--- a/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
+++ b/includes/licensing/azure-ad-join-active-directory-domain-join-and-hybrid-azure-ad-join-with-single-sign-on-sso.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-containers.md b/includes/licensing/azure-code-signing.md
similarity index 76%
rename from includes/licensing/windows-containers.md
rename to includes/licensing/azure-code-signing.md
index f3f9962827..dc29a35e27 100644
--- a/includes/licensing/windows-containers.md
+++ b/includes/licensing/azure-code-signing.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Windows containers:
+The following table lists the Windows editions that support Azure Code Signing:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Windows containers license entitlements are granted by the following licenses:
+Azure Code Signing license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/bitlocker-enablement.md b/includes/licensing/bitlocker-enablement.md
index 4f0645fe52..56f85845aa 100644
--- a/includes/licensing/bitlocker-enablement.md
+++ b/includes/licensing/bitlocker-enablement.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md
index af3034bd8b..a0c68f72ee 100644
--- a/includes/licensing/bitlocker-management.md
+++ b/includes/licensing/bitlocker-management.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/bluetooth-pairing-and-connection-protection.md b/includes/licensing/bluetooth-pairing-and-connection-protection.md
index 494fee6609..171fe3f9b2 100644
--- a/includes/licensing/bluetooth-pairing-and-connection-protection.md
+++ b/includes/licensing/bluetooth-pairing-and-connection-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/common-criteria-certifications.md b/includes/licensing/common-criteria-certifications.md
index dbb9d1669a..528a497f37 100644
--- a/includes/licensing/common-criteria-certifications.md
+++ b/includes/licensing/common-criteria-certifications.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/controlled-folder-access.md b/includes/licensing/controlled-folder-access.md
index 855d0cf28f..25d04b1c49 100644
--- a/includes/licensing/controlled-folder-access.md
+++ b/includes/licensing/controlled-folder-access.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/device-health-attestation-service.md b/includes/licensing/device-health-attestation-service.md
index f8fdb1e381..7ed2add45f 100644
--- a/includes/licensing/device-health-attestation-service.md
+++ b/includes/licensing/device-health-attestation-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/direct-access.md b/includes/licensing/direct-access.md
index f1b2da9ef5..057c5a2cea 100644
--- a/includes/licensing/direct-access.md
+++ b/includes/licensing/direct-access.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/email-encryption-smime.md b/includes/licensing/email-encryption-smime.md
index 07e14851b2..6895c5b618 100644
--- a/includes/licensing/email-encryption-smime.md
+++ b/includes/licensing/email-encryption-smime.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/encrypted-hard-drive.md b/includes/licensing/encrypted-hard-drive.md
index e365c0d71c..16225d6ee6 100644
--- a/includes/licensing/encrypted-hard-drive.md
+++ b/includes/licensing/encrypted-hard-drive.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
index 4f4c059f8b..ae4cd8568a 100644
--- a/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
+++ b/includes/licensing/enhanced-phishing-protection-with-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/exploit-protection.md b/includes/licensing/exploit-protection.md
index c774cb4f5e..7a46f2cc0a 100644
--- a/includes/licensing/exploit-protection.md
+++ b/includes/licensing/exploit-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/fast-identity-online-fido2-security-key.md b/includes/licensing/fast-identity-online-fido2-security-key.md
index b47385e2f5..9985309552 100644
--- a/includes/licensing/fast-identity-online-fido2-security-key.md
+++ b/includes/licensing/fast-identity-online-fido2-security-key.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/federal-information-processing-standard-fips-140-validation.md b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
index ff0563a439..a06133b313 100644
--- a/includes/licensing/federal-information-processing-standard-fips-140-validation.md
+++ b/includes/licensing/federal-information-processing-standard-fips-140-validation.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
index 5a1a787e06..6050205a6c 100644
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
@@ -15,8 +15,8 @@ The following table lists the Windows editions that support Federated sign-in:
 
 Federated sign-in license entitlements are granted by the following licenses:
 
-|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
-|Yes|No|No|Yes|Yes|
+|No|No|No|Yes|Yes|
 
 For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/hardware-enforced-stack-protection.md b/includes/licensing/hardware-enforced-stack-protection.md
index 50ae05045a..8a2fe75e78 100644
--- a/includes/licensing/hardware-enforced-stack-protection.md
+++ b/includes/licensing/hardware-enforced-stack-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/hypervisor-protected-code-integrity-hvci.md b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
index 8f6b16cf28..a6800d9403 100644
--- a/includes/licensing/hypervisor-protected-code-integrity-hvci.md
+++ b/includes/licensing/hypervisor-protected-code-integrity-hvci.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/kernel-direct-memory-access-dma-protection.md b/includes/licensing/kernel-direct-memory-access-dma-protection.md
index 7c805915cb..52b159827e 100644
--- a/includes/licensing/kernel-direct-memory-access-dma-protection.md
+++ b/includes/licensing/kernel-direct-memory-access-dma-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/local-security-authority-lsa-protection.md b/includes/licensing/local-security-authority-lsa-protection.md
index af4fb5b47f..fafa59de66 100644
--- a/includes/licensing/local-security-authority-lsa-protection.md
+++ b/includes/licensing/local-security-authority-lsa-protection.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md b/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
deleted file mode 100644
index 7330817deb..0000000000
--- a/includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 05/04/2023
-ms.topic: include
----
-
-## Windows edition and licensing requirements
-
-The following table lists the Windows editions that support Manage by Mobile Device Management (MDM) and group policy:
-
-|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|
-
-Manage by Mobile Device Management (MDM) and group policy license entitlements are granted by the following licenses:
-
-|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:---:|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|Yes|Yes|
-
-For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/measured-boot.md b/includes/licensing/measured-boot.md
index 39c560d47f..407e64eefe 100644
--- a/includes/licensing/measured-boot.md
+++ b/includes/licensing/measured-boot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-antivirus.md b/includes/licensing/microsoft-defender-antivirus.md
index ba5bb932ea..357e6daa39 100644
--- a/includes/licensing/microsoft-defender-antivirus.md
+++ b/includes/licensing/microsoft-defender-antivirus.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
index 453b5db930..bd87e59e22 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-configure-via-mdm.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
index 36c1c33234..8e546d7248 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
index 23bf14013f..5d3024ffc9 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
index 2ccf97f2da..6284c03484 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-for-microsoft-office.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
index bf903c766f..de70847881 100644
--- a/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
+++ b/includes/licensing/microsoft-defender-application-guard-mdag-public-apis.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-for-endpoint.md b/includes/licensing/microsoft-defender-for-endpoint.md
index be03daf05e..56edc6e24e 100644
--- a/includes/licensing/microsoft-defender-for-endpoint.md
+++ b/includes/licensing/microsoft-defender-for-endpoint.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-defender-smartscreen.md b/includes/licensing/microsoft-defender-smartscreen.md
index a946b12155..d5b7aae9bd 100644
--- a/includes/licensing/microsoft-defender-smartscreen.md
+++ b/includes/licensing/microsoft-defender-smartscreen.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/microsoft-pluton-security-processor.md b/includes/licensing/microsoft-pluton.md
similarity index 79%
rename from includes/licensing/microsoft-pluton-security-processor.md
rename to includes/licensing/microsoft-pluton.md
index 2190c8a4ab..31058f139d 100644
--- a/includes/licensing/microsoft-pluton-security-processor.md
+++ b/includes/licensing/microsoft-pluton.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Microsoft Pluton security processor:
+The following table lists the Windows editions that support Microsoft Pluton:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Microsoft Pluton security processor license entitlements are granted by the following licenses:
+Microsoft Pluton license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/microsoft-security-development-lifecycle-sdl.md b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
new file mode 100644
index 0000000000..7b9411b126
--- /dev/null
+++ b/includes/licensing/microsoft-security-development-lifecycle-sdl.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Security Development Lifecycle (SDL):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Security Development Lifecycle (SDL) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/microsoft-vulnerable-driver-blocklist.md b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
index 39e258739c..449ac22b52 100644
--- a/includes/licensing/microsoft-vulnerable-driver-blocklist.md
+++ b/includes/licensing/microsoft-vulnerable-driver-blocklist.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Microsoft Vulnerable Driver Blocklist:
+The following table lists the Windows editions that support Microsoft vulnerable driver blocklist:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Microsoft Vulnerable Driver Blocklist license entitlements are granted by the following licenses:
+Microsoft vulnerable driver blocklist license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/microsoft-windows-insider-preview-bounty-program.md b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
new file mode 100644
index 0000000000..c3cd9dbaf1
--- /dev/null
+++ b/includes/licensing/microsoft-windows-insider-preview-bounty-program.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Microsoft Windows Insider Preview bounty program:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Microsoft Windows Insider Preview bounty program license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/modern-device-management-through-mdm.md b/includes/licensing/modern-device-management-through-mdm.md
new file mode 100644
index 0000000000..f2a71b791d
--- /dev/null
+++ b/includes/licensing/modern-device-management-through-mdm.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Modern device management through (MDM):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Modern device management through (MDM) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/onefuzz-service.md b/includes/licensing/onefuzz-service.md
new file mode 100644
index 0000000000..25e6a5ef43
--- /dev/null
+++ b/includes/licensing/onefuzz-service.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support OneFuzz service:
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+OneFuzz service license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/opportunistic-wireless-encryption-owe.md b/includes/licensing/opportunistic-wireless-encryption-owe.md
index e0203c3e4d..4629b28a5f 100644
--- a/includes/licensing/opportunistic-wireless-encryption-owe.md
+++ b/includes/licensing/opportunistic-wireless-encryption-owe.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/personal-data-encryption-pde.md b/includes/licensing/personal-data-encryption-pde.md
index 3ca149f34f..ed0e014d0e 100644
--- a/includes/licensing/personal-data-encryption-pde.md
+++ b/includes/licensing/personal-data-encryption-pde.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/privacy-resource-usage.md b/includes/licensing/privacy-resource-usage.md
index 054bf054cc..080229688a 100644
--- a/includes/licensing/privacy-resource-usage.md
+++ b/includes/licensing/privacy-resource-usage.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/privacy-transparency-and-controls.md b/includes/licensing/privacy-transparency-and-controls.md
index 711440f7a5..fd57043298 100644
--- a/includes/licensing/privacy-transparency-and-controls.md
+++ b/includes/licensing/privacy-transparency-and-controls.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/remote-wipe.md b/includes/licensing/remote-wipe.md
index 5f5e79eeb6..6557c69147 100644
--- a/includes/licensing/remote-wipe.md
+++ b/includes/licensing/remote-wipe.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secure-boot-and-trusted-boot.md b/includes/licensing/secure-boot-and-trusted-boot.md
index 8c60a8b048..b29dea38c5 100644
--- a/includes/licensing/secure-boot-and-trusted-boot.md
+++ b/includes/licensing/secure-boot-and-trusted-boot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secured-core-configuration-lock.md b/includes/licensing/secured-core-configuration-lock.md
index 9a2f06088b..8acee3baef 100644
--- a/includes/licensing/secured-core-configuration-lock.md
+++ b/includes/licensing/secured-core-configuration-lock.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/secured-core-pc.md b/includes/licensing/secured-core-pc-firmware-protection.md
similarity index 79%
rename from includes/licensing/secured-core-pc.md
rename to includes/licensing/secured-core-pc-firmware-protection.md
index f22319bbdb..21a3a0651a 100644
--- a/includes/licensing/secured-core-pc.md
+++ b/includes/licensing/secured-core-pc-firmware-protection.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Secured-core PC:
+The following table lists the Windows editions that support Secured-core PC firmware protection:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Secured-core PC license entitlements are granted by the following licenses:
+Secured-core PC firmware protection license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/security-baselines.md b/includes/licensing/security-baselines.md
index a615d3af13..bda8037388 100644
--- a/includes/licensing/security-baselines.md
+++ b/includes/licensing/security-baselines.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/server-message-block-direct-smb-direct.md b/includes/licensing/server-message-block-direct-smb-direct.md
index ba99c98579..683fa8db2e 100644
--- a/includes/licensing/server-message-block-direct-smb-direct.md
+++ b/includes/licensing/server-message-block-direct-smb-direct.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/server-message-block-smb-file-service.md b/includes/licensing/server-message-block-smb-file-service.md
index a271907d88..cd9276809b 100644
--- a/includes/licensing/server-message-block-smb-file-service.md
+++ b/includes/licensing/server-message-block-smb-file-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/smart-app-control.md b/includes/licensing/smart-app-control.md
index ff42750aab..fbc05610fb 100644
--- a/includes/licensing/smart-app-control.md
+++ b/includes/licensing/smart-app-control.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/smart-cards-for-windows-service.md b/includes/licensing/smart-cards-for-windows-service.md
index 98f271770f..eb5061e582 100644
--- a/includes/licensing/smart-cards-for-windows-service.md
+++ b/includes/licensing/smart-cards-for-windows-service.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/software-bill-of-materials-sbom.md b/includes/licensing/software-bill-of-materials-sbom.md
new file mode 100644
index 0000000000..4d6f832194
--- /dev/null
+++ b/includes/licensing/software-bill-of-materials-sbom.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Software Bill of Materials (SBOM):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Software Bill of Materials (SBOM) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/tamper-protection-settings-for-mde.md b/includes/licensing/tamper-protection-settings-for-mde.md
index 95a86ec97c..fe7d7c2314 100644
--- a/includes/licensing/tamper-protection-settings-for-mde.md
+++ b/includes/licensing/tamper-protection-settings-for-mde.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/transport-layer-security-tls.md b/includes/licensing/transport-layer-security-tls.md
index 9af6799b44..5642121480 100644
--- a/includes/licensing/transport-layer-security-tls.md
+++ b/includes/licensing/transport-layer-security-tls.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/trusted-platform-module-tpm-20.md b/includes/licensing/trusted-platform-module-tpm.md
similarity index 80%
rename from includes/licensing/trusted-platform-module-tpm-20.md
rename to includes/licensing/trusted-platform-module-tpm.md
index b2e593986b..6f757d623a 100644
--- a/includes/licensing/trusted-platform-module-tpm-20.md
+++ b/includes/licensing/trusted-platform-module-tpm.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Trusted Platform Module (TPM) 2.0:
+The following table lists the Windows editions that support Trusted Platform Module (TPM):
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Trusted Platform Module (TPM) 2.0 license entitlements are granted by the following licenses:
+Trusted Platform Module (TPM) license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/universal-print.md b/includes/licensing/universal-print.md
index 9c6572d61e..87828b2774 100644
--- a/includes/licensing/universal-print.md
+++ b/includes/licensing/universal-print.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/user-account-control-uac.md b/includes/licensing/user-account-control-uac.md
index 9da42619fe..c34f82f836 100644
--- a/includes/licensing/user-account-control-uac.md
+++ b/includes/licensing/user-account-control-uac.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/virtual-private-network-vpn.md b/includes/licensing/virtual-private-network-vpn.md
index aa184cdbb6..eb309a2554 100644
--- a/includes/licensing/virtual-private-network-vpn.md
+++ b/includes/licensing/virtual-private-network-vpn.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Virtual Private Network (VPN):
+The following table lists the Windows editions that support Virtual private network (VPN):
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Virtual Private Network (VPN) license entitlements are granted by the following licenses:
+Virtual private network (VPN) license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/includes/licensing/virtualization-based-security-vbs.md b/includes/licensing/virtualization-based-security-vbs.md
index bab3110e7a..70827aebce 100644
--- a/includes/licensing/virtualization-based-security-vbs.md
+++ b/includes/licensing/virtualization-based-security-vbs.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/wifi-security.md b/includes/licensing/wifi-security.md
index edb7a92967..3d4a3e17c3 100644
--- a/includes/licensing/wifi-security.md
+++ b/includes/licensing/wifi-security.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-application-software-development-kit-sdk.md b/includes/licensing/windows-application-software-development-kit-sdk.md
new file mode 100644
index 0000000000..d97a10562a
--- /dev/null
+++ b/includes/licensing/windows-application-software-development-kit-sdk.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 08/02/2023
+ms.topic: include
+---
+
+## Windows edition and licensing requirements
+
+The following table lists the Windows editions that support Windows application software development kit (SDK):
+
+|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
+|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|
+
+Windows application software development kit (SDK) license entitlements are granted by the following licenses:
+
+|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|:---:|:---:|:---:|:---:|:---:|
+|Yes|Yes|Yes|Yes|Yes|
+
+For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
diff --git a/includes/licensing/windows-autopatch.md b/includes/licensing/windows-autopatch.md
index 85f7df53dc..4c866c7106 100644
--- a/includes/licensing/windows-autopatch.md
+++ b/includes/licensing/windows-autopatch.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-autopilot.md b/includes/licensing/windows-autopilot.md
index e187e7a3fa..1eee13f367 100644
--- a/includes/licensing/windows-autopilot.md
+++ b/includes/licensing/windows-autopilot.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-application-control-wdac.md b/includes/licensing/windows-defender-application-control-wdac.md
index 66d6ac70dc..86ab8d5f14 100644
--- a/includes/licensing/windows-defender-application-control-wdac.md
+++ b/includes/licensing/windows-defender-application-control-wdac.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-credential-guard.md b/includes/licensing/windows-defender-credential-guard.md
index c134726708..adf6d74a0e 100644
--- a/includes/licensing/windows-defender-credential-guard.md
+++ b/includes/licensing/windows-defender-credential-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-remote-credential-guard.md b/includes/licensing/windows-defender-remote-credential-guard.md
index b638a7c661..8d862bdc9d 100644
--- a/includes/licensing/windows-defender-remote-credential-guard.md
+++ b/includes/licensing/windows-defender-remote-credential-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-defender-system-guard.md b/includes/licensing/windows-defender-system-guard.md
index 0c747b64c5..7e8c06b51d 100644
--- a/includes/licensing/windows-defender-system-guard.md
+++ b/includes/licensing/windows-defender-system-guard.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-firewall.md b/includes/licensing/windows-firewall.md
index 2e0754b3ac..8e0bc9faf0 100644
--- a/includes/licensing/windows-firewall.md
+++ b/includes/licensing/windows-firewall.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
index 3d0c015bc5..56e03e6bd4 100644
--- a/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
+++ b/includes/licensing/windows-hello-for-business-enhanced-security-sign-in-ess.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-hello-for-business.md b/includes/licensing/windows-hello-for-business.md
index f48b9316b7..95ffbf43a9 100644
--- a/includes/licensing/windows-hello-for-business.md
+++ b/includes/licensing/windows-hello-for-business.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-laps.md b/includes/licensing/windows-laps.md
index d462168228..eaddd61d61 100644
--- a/includes/licensing/windows-laps.md
+++ b/includes/licensing/windows-laps.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-presence-sensing.md b/includes/licensing/windows-presence-sensing.md
index c6cc796c33..977c729c0c 100644
--- a/includes/licensing/windows-presence-sensing.md
+++ b/includes/licensing/windows-presence-sensing.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-sandbox.md b/includes/licensing/windows-sandbox.md
index 7ed933449c..a486fd64de 100644
--- a/includes/licensing/windows-sandbox.md
+++ b/includes/licensing/windows-sandbox.md
@@ -1,7 +1,7 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
diff --git a/includes/licensing/windows-security-policy-settings-and-auditing.md b/includes/licensing/windows-security-policy-settings-and-auditing.md
index 270d3267ee..a1742270bf 100644
--- a/includes/licensing/windows-security-policy-settings-and-auditing.md
+++ b/includes/licensing/windows-security-policy-settings-and-auditing.md
@@ -1,19 +1,19 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 05/04/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Windows Security policy settings and auditing:
+The following table lists the Windows editions that support Windows security policy settings and auditing:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |Yes|Yes|Yes|Yes|
 
-Windows Security policy settings and auditing license entitlements are granted by the following licenses:
+Windows security policy settings and auditing license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index 65a8d393da..0e5da2dd3a 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -56,7 +56,7 @@ For more information about the MDM policies defined in the MDM security baseline
 
 For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
 
-[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)]
+[!INCLUDE [modern-device-management-through-mdm](../../includes/licensing/modern-device-management-through-mdm.md)]
 
 ## Frequently Asked Questions
 
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 3b93d81859..b2500d8e36 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 05/11/2023
+ms.date: 08/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -36,20 +36,8 @@ ms.topic: reference
 <!-- DefaultAssociationsConfiguration-OmaUri-End -->
 
 <!-- DefaultAssociationsConfiguration-Description-Begin -->
-<!-- Description-Source-ADMX -->
-This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool.
-
-For example:
-
-Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt.
-
-For more information, refer to the DISM documentation on TechNet.
-
-If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time.
-
-If the group policy isn't configured, disabled, or the client machine isn't domain-joined, no default associations will be applied at logon time.
-
-If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.
+<!-- Description-Source-DDF-Forced -->
+This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). The file can be further edited by adding attributes to control how often associations are applied by the policy. The file then needs to be base64 encoded before being added to SyncML. If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied.
 <!-- DefaultAssociationsConfiguration-Description-End -->
 
 <!-- DefaultAssociationsConfiguration-Editable-Begin -->
@@ -84,54 +72,69 @@ If the policy is enabled, disabled, or not configured, users will still be able
 **Example**:
 
 To create the SyncML, follow these steps:
-<ol>
-<li>Install a few apps and change your defaults.</li>
-<li>From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"</li>
-<li>Take the XML output and put it through your favorite base64 encoder app.</li>
-<li>Paste the base64 encoded XML into the SyncML</li>
-</ol>
 
-Here's an example output from the dism default association export command:
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<DefaultAssociations>
-  <Association Identifier=".htm" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
-  <Association Identifier=".html" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
-  <Association Identifier=".pdf" ProgId="AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" ApplicationName="Microsoft Edge" />
-  <Association Identifier="http" ProgId="AppXq0fevzme2pys62n3e0fbqa7peapykr8v" ApplicationName="Microsoft Edge" />
-  <Association Identifier="https" ProgId="AppX90nv6nhay5n6a98fnetv7tpk64pp35es" ApplicationName="Microsoft Edge" />
-</DefaultAssociations>
-```
+1. Install a few apps and change your defaults.
+1. From an elevated prompt, run `dism /online /export-defaultappassociations:C:\appassoc.xml`. Here's an example output from the dism default association export command:
 
-Here's the base64 encoded result:
+    ```xml
+    <?xml version="1.0" encoding="UTF-8"?>
+    <DefaultAssociations>
+      <Association Identifier=".htm" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
+      <Association Identifier=".html" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
+      <Association Identifier=".pdf" ProgId="AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" ApplicationName="Microsoft Edge" />
+      <Association Identifier="http" ProgId="AppXq0fevzme2pys62n3e0fbqa7peapykr8v" ApplicationName="Microsoft Edge" />
+      <Association Identifier="https" ProgId="AppX90nv6nhay5n6a98fnetv7tpk64pp35es" ApplicationName="Microsoft Edge" />
+    </DefaultAssociations>
+    ```
 
-``` syntax
-PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-```
-Here's the SyncML example:
+    Starting in Windows 11, version 22H2, two new attributes are available for further customization of the policy. These attributes can be used to change how often the policy associations are applied.
 
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<SyncML xmlns="SYNCML:SYNCML1.1">
-<SyncBody>
-    <Replace>
-      <CmdID>101</CmdID>
-      <Item>
-        <Meta>
-          <Format>chr</Format>
-          <Type>text/plain</Type>
-        </Meta>
-        <Target>
-          <LocURI>./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration</LocURI>
-        </Target>
-        <Data>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
-</Data>
-      </Item>
-    </Replace>
-  <Final/>
-  </SyncBody>
-</SyncML>
-```
+    - **Version** attribute for `DefaultAssociations`. This attribute is used to control when **Suggested** associations are applied. Whenever the **Version** value is incremented, a **Suggested** association is applied one time.
+    - **Suggested** attribute for `Association`. The default value is false. If it's false, the **Association** is applied on every sign-in. If it's true, the **Association** is only applied once for the current **DefaultAssociations** Version. When the **Version** is incremented, the **Association** is applied once again, on next sign-in.
+
+    In the following example, the **Association** for `.htm` is applied on first sign-in of the user, and all others are applied on every sign-in. If **Version** is incremented, and the updated file is deployed to the user, the **Association** for `.htm` is applied again:
+
+    ```xml
+    <?xml version="1.0" encoding="UTF-8"?>
+    <DefaultAssociations Version="1" >
+      <Association Identifier=".htm" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" Suggested="true" />
+      <Association Identifier=".html" ProgId="AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9" ApplicationName="Microsoft Edge" />
+      <Association Identifier=".pdf" ProgId="AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723" ApplicationName="Microsoft Edge" />
+      <Association Identifier="http" ProgId="AppXq0fevzme2pys62n3e0fbqa7peapykr8v" ApplicationName="Microsoft Edge" />
+      <Association Identifier="https" ProgId="AppX90nv6nhay5n6a98fnetv7tpk64pp35es" ApplicationName="Microsoft Edge" />
+    </DefaultAssociations>
+    ```
+
+1. Take the XML output and put it through your favorite base64 encoder app. Here's the base64 encoded result:
+
+    ```text
+    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+    ```
+
+1. Paste the base64 encoded XML into the SyncML. Here's the SyncML example:
+
+    ```xml
+    <?xml version="1.0" encoding="utf-8"?>
+    <SyncML xmlns="SYNCML:SYNCML1.1">
+    <SyncBody>
+        <Replace>
+          <CmdID>101</CmdID>
+          <Item>
+            <Meta>
+              <Format>chr</Format>
+              <Type>text/plain</Type>
+            </Meta>
+            <Target>
+              <LocURI>./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration</LocURI>
+            </Target>
+            <Data>PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0bSIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuaHRtbCIgUHJvZ0lkPSJBcHBYNGh4dGFkNzdmYmszamtrZWVya3JtMHplOTR3amYzczkiIEFwcGxpY2F0aW9uTmFtZT0iTWljcm9zb2Z0IEVkZ2UiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucGRmIiBQcm9nSWQ9IkFwcFhkNG5yejhmZjY4c3JuaGY5dDVhOHNianlhcjFjcjcyMyIgQXBwbGljYXRpb25OYW1lPSJNaWNyb3NvZnQgRWRnZSIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Imh0dHAiIFByb2dJZD0iQXBwWHEwZmV2em1lMnB5czYybjNlMGZicWE3cGVhcHlrcjh2IiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iaHR0cHMiIFByb2dJZD0iQXBwWDkwbnY2bmhheTVuNmE5OGZuZXR2N3RwazY0cHAzNWVzIiBBcHBsaWNhdGlvbk5hbWU9Ik1pY3Jvc29mdCBFZGdlIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg0KDQo=
+            </Data>
+          </Item>
+        </Replace>
+      <Final/>
+      </SyncBody>
+    </SyncML>
+    ```
 <!-- DefaultAssociationsConfiguration-Examples-End -->
 
 <!-- DefaultAssociationsConfiguration-End -->
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 8f07d859a6..128256240a 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -19,8 +19,6 @@
           href: update/waas-servicing-strategy-windows-10-updates.md
         - name: Deployment proof of concept
           items: 
-            - name: Demonstrate Autopilot deployment on a VM
-              href: windows-autopilot/demonstrate-deployment-on-vm.md
             - name: Deploy Windows 10 with MDT and Configuration Manager
               items:
                 - name: 'Step by step guide: Configure a test lab to deploy Windows 10'
diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml
index ab01fce75a..c79efcf511 100644
--- a/windows/deployment/windows-autopatch/index.yml
+++ b/windows/deployment/windows-autopatch/index.yml
@@ -10,6 +10,7 @@ metadata:
   ms.topic: landing-page # Required
   author: tiaraquan #Required; your GitHub user alias, with correct capitalization.
   ms.author: tiaraquan #Required; microsoft alias of author; optional team alias.
+  manager: dougeby
   ms.date: 05/30/2022 #Required; mm/dd/yyyy format.
   ms.prod: windows-client
   ms.technology: itpro-updates
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
index 965dc7cb8a..0f80250e80 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -17,9 +17,9 @@ ms.collection:
 
 # Device alerts
 
-Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information will help you understand:
+Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information helps you understand:
 
-- The action(s) that have either been performed by Microsoft and/or Windows Autopatch to keep the device properly updated.
+- Microsoft and/or Windows Autopatch performs the action(s) to keep the device properly updated.
 - The actions you must perform so the device can properly be updated.
 
 > [!NOTE]
@@ -42,12 +42,12 @@ Windows Autopatch assigns alerts to either Microsoft Action or Customer Action.
 
 | Assignment | Description |
 | ----- | ----- |
-| Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. The actions are performed by Windows Autopatch automatically. |
+| Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. Windows Autopatch performs these actions automatically. |
 | Customer Action | Refers to your responsibility to carry out the appropriate action(s) to resolve the reported alert. |
 
 ## Alert resolutions
 
-Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md)
+Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md).
 
 | Alert message | Description | Windows Autopatch recommendation(s) |
 | ----- | ----- | ----- |
@@ -79,7 +79,7 @@ Alert resolutions are provided through the Windows Update service and provide th
 | `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. |
 | `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.<p>Restart Windows, then try the installation again.</p><p>If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).</p> |
-| `InstallSetupBlock` | There is an application or driver blocking the upgrade. | The Windows Update service has detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
+| `InstallSetupBlock` | There's an application or driver blocking the upgrade. | The Windows Update service has detected that an application or driver is hindering the upgrade process. Utilize the SetupDiag utility to identify and diagnose any compatibility problems.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
 | `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review  the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
 | `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review  the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
index bcb28df222..00eb8bc49b 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
@@ -2,8 +2,8 @@
 title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
 description:  This article explains how driver and firmware updates are managed in Autopatch
 ms.date: 06/26/2023 
-ms.prod: w11
-ms.technology: windows
+ms.prod: windows-client
+ms.technology: itpro-updates
 ms.topic: conceptual
 ms.localizationpriority: medium
 author: tiaraquan
@@ -14,11 +14,11 @@ msreviewer: hathind
 
 # Driver and Firmware Updates for Windows Autopatch Public Preview Addendum
 
-**This Driver and Firmware Updates for Windows Autopatch Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all)  (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
+**This Driver and Firmware Updates for Windows Autopatch Public Preview Addendum ("Addendum") to the Microsoft Product Terms' Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all)  (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
 
 For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
 
-Microsoft desires to preview the Driver and Firmware Updates for Windows Autopatch service it's developing ("**Driver and Firmware Updates Preview**”) in order to evaluate it. Customer would like to particulate this Driver and Firmware Updates Preview under the Product Terms and this Addendum. Driver and Firmware Updates Preview consists of features and services that are in preview, beta, or other prerelease form. Driver and Firmware Updates Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services.
+Microsoft desires to preview the Driver and Firmware Updates for Windows Autopatch service it's developing ("**Driver and Firmware Updates Preview**") in order to evaluate it. Customer would like to particulate this Driver and Firmware Updates Preview under the Product Terms and this Addendum. Driver and Firmware Updates Preview consists of features and services that are in preview, beta, or other prerelease form. Driver and Firmware Updates Preview is subject to the "preview" terms set forth in the Product Terms' Universal License Terms for Online Services.
 
 ## Definitions
 
diff --git a/windows/deployment/windows-autopilot/TOC.yml b/windows/deployment/windows-autopilot/TOC.yml
deleted file mode 100644
index 0881334396..0000000000
--- a/windows/deployment/windows-autopilot/TOC.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Windows Autopilot deployment
-  href: index.yml
-  items: 
-    - name: Get started
-      href: demonstrate-deployment-on-vm.md
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
deleted file mode 100644
index 4ebfe798e1..0000000000
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ /dev/null
@@ -1,901 +0,0 @@
----
-title: Demonstrate Autopilot deployment
-description: Step-by-step instructions on how to set up a virtual machine with a Windows Autopilot deployment.
-ms.prod: windows-client
-ms.technology: itpro-deploy
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection:
-  - highpri
-  - tier2
-ms.topic: tutorial
-ms.date: 10/28/2022
----
-
-# Demonstrate Autopilot deployment
-
-**Applies to**
-
-- Windows 10
-
-To get started with Windows Autopilot, you should try it out with a virtual machine (VM). You can also use a physical device that will be wiped and then have a fresh install of Windows 10.
-
-In this article, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V.
-
-> [!NOTE]
-> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Microsoft Intune.
->
-> Hyper-V and a VM aren't required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to _device_ in the guide refer to the client device, either physical or virtual.
-
-The following video provides an overview of the process:
-
-> [!VIDEO https://www.youtube.com/embed/KYVptkpsOqs]
-
-> [!TIP]
-> For a list of terms used in this guide, see the [Glossary](#glossary) section.
-
-## Prerequisites
-
-You'll need the following components to complete this lab:
-
-| Component | Description |
-|:---|:---|
-|**Windows 10 installation media**|Windows 10 Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).|
-|**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.|
-|**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
-|**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
-
-> [!NOTE]
-> When using a VM for Autopilot testing, assign at least two processors and 4 GB of memory.
-
-## Procedures
-
-A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
-
-If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or later.
-
-- [Demonstrate Autopilot deployment](#demonstrate-autopilot-deployment)
-  - [Prerequisites](#prerequisites)
-  - [Procedures](#procedures)
-  - [Verify support for Hyper-V](#verify-support-for-hyper-v)
-  - [Enable Hyper-V](#enable-hyper-v)
-  - [Create a demo VM](#create-a-demo-vm)
-    - [Set ISO file location](#set-iso-file-location)
-    - [Determine network adapter name](#determine-network-adapter-name)
-    - [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
-    - [Install Windows 10](#install-windows-10)
-  - [Capture the hardware ID](#capture-the-hardware-id)
-  - [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
-  - [Verify subscription level](#verify-subscription-level)
-  - [Configure company branding](#configure-company-branding)
-  - [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
-  - [Register your VM](#register-your-vm)
-    - [Autopilot registration using Intune](#autopilot-registration-using-intune)
-    - [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
-  - [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
-    - [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-      - [Create a device group](#create-a-device-group)
-      - [Create the deployment profile](#create-the-deployment-profile)
-    - [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-  - [See Windows Autopilot in action](#see-windows-autopilot-in-action)
-  - [Remove devices from Autopilot](#remove-devices-from-autopilot)
-    - [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
-  - [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
-  - [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
-    - [Add a Win32 app](#add-a-win32-app)
-      - [Prepare the app for Intune](#prepare-the-app-for-intune)
-      - [Create app in Intune](#create-app-in-intune)
-      - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-    - [Add Microsoft 365 Apps](#add-microsoft-365-apps)
-      - [Create app in Microsoft Intune](#create-app-in-microsoft-intune)
-      - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile-1)
-  - [Glossary](#glossary)
-
-## Verify support for Hyper-V
-
-- If you don't already have Hyper-V enabled, enable it on a computer running Windows 10 or Windows Server (2012 R2 or later).
-- If you already have Hyper-V enabled, skip to the [Create a demo VM](#create-a-demo-vm) step. If you're using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
-- If you're not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [Appendix A](#appendix-a-verify-support-for-hyper-v) in this article for details on verifying that Hyper-V can be successfully installed.
-
-## Enable Hyper-V
-
-To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
-```
-
-This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type another command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command:
-
-```powershell
-Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
-```
-
-When you're prompted to restart the computer, choose **Yes**. The computer might restart more than once.
-
-Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
-
-   ![Hyper-V feature.](images/hyper-v-feature.png)
-
-   ![Hyper-V.](images/svr_mgr2.png)
-
-If you choose to install Hyper-V using Server Manager, accept all default selections. Make sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
-
-After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
-
-To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
-
-## Create a demo VM
-
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it's simpler to use Windows PowerShell.
-
-To use Windows PowerShell, you need to know two things:
-
-1. The location of the Windows 10 ISO file.
-
-   In the example, the location is **c:\iso\win10-eval.iso**.
-
-2. The name of the network interface that connects to the internet.
-
-   In the example, you'll use a Windows PowerShell command to determine this information automatically.
-
-After you determine the ISO file location and the name of the appropriate network interface, you can install Windows 10.
-
-### Set ISO file location
-
-Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). Choose a 64-bit version.
-
-After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso`
-
-1. So that it's easier to type and remember, rename the file to **win10-eval.iso**.
-
-2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
-
-3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
-
-### Determine network adapter name
-
-The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
-
-```powershell
-(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
-```
-
-The output of this command should be the name of the network interface you use to connect to the internet. Verify that this interface name is correct. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
-
-For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2`
-
-### Use Windows PowerShell to create the demo VM
-
-All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
-
-> [!IMPORTANT]
-> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
->
->- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to `AutopilotExternal`.
->- If you have never created an external VM switch before, then just run the commands below.
->- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
-
-```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
-New-VM -Name WindowsAutopilot -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-Set-VMProcessor WindowsAutopilot -Count 2
-Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-Start-VM -VMName WindowsAutopilot
-```
-
-After you enter these commands, connect to this VM. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD.
-
-See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used, which is only available on Windows Server. If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
-
-<pre>
-PS C:\autopilot&gt; dir c:\iso
-
-
-    Directory: C:\iso
-
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
-
-PS C:\autopilot&gt; (Get-NetAdapter |?{$<em>.Status -eq &quot;Up&quot; -and !$</em>.Virtual}).Name
-Ethernet
-PS C:\autopilot&gt; New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$<em>.Status -eq &quot;Up&quot; -and !$</em>.Virtual}).Name
-
-Name              SwitchType NetAdapterInterfaceDescription
-----              ---------- ------------------------------
-AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
-
-PS C:\autopilot&gt; New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-
-Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
-----             ----- ----------- ----------------- ------   ------             -------
-WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
-
-PS C:\autopilot&gt; Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-PS C:\autopilot&gt; Start-VM -VMName WindowsAutopilot
-PS C:\autopilot&gt; vmconnect.exe localhost WindowsAutopilot
-PS C:\autopilot&gt; dir
-
-    Directory: C:\autopilot
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/12/2019   3:15 PM                VMData
-d-----        3/12/2019   3:42 PM                VMs
-
-PS C:\autopilot&gt;
-</pre>
-
-### Install Windows 10
-
-> [!NOTE]
-> The VM will be booted to gather a hardware ID. Then it will be reset. The goal in the next few steps is to get to the desktop quickly, so don't worry about how it's configured at this stage. The VM only needs to be connected to the internet.
-
-Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples:
-
-   ![Windows setup example 1](images/winsetup1.png)
-
-   ![Windows setup example 2](images/winsetup2.png)
-
-   ![Windows setup example 3](images/winsetup3.png)
-
-   ![Windows setup example 4](images/winsetup4.png)
-
-   ![Windows setup example 5](images/winsetup5.png)
-
-   ![Windows setup example 6](images/winsetup6.png)
-
-After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This option offers the fastest way to the desktop. For example:
-
-   ![Windows setup example 7.](images/winsetup7.png)
-
-Once the installation is complete, sign in, and verify that you're at the Windows 10 desktop. Then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
-
-   > [!div class="mx-imgBorder"]
-   > ![Windows setup example 8.](images/winsetup8.png)
-
-To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following command:
-
-```powershell
-Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
-```
-
-Select the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
-
-## Capture the hardware ID
-
-> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For the purposes of this lab, you're acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PowerShell script, etc.).  Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
-
-Follow these steps to run the PowerShell script:
-
-1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device:
-
-    ```powershell
-    New-Item -Type Directory -Path "C:\HWID"
-    Set-Location C:\HWID
-    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
-    Install-Script -Name Get-WindowsAutopilotInfo -Force
-    $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-    Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv
-    ```
-
-1. When you're prompted to install the NuGet package, choose **Yes**.
-
-   See the sample output below.  A **dir** command is issued at the end to show the file that was created.
-
-    ```console
-    PS C:\> md c:\HWID
-    
-         Directory: C:\
-    
-    
-    Mode                 LastWriteTime         Length Name
-    ----                 -------------         ------ ----
-    d-----        11/13/2020   3:00 PM                HWID
-    
-    
-    PS C:\Windows\system32> Set-Location c:\HWID
-    PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-    PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-    
-    NuGet provider is required to continue
-    PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
-     provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-    'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
-     'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-    import the NuGet provider now?
-    [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
-    PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-    PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-    Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
-    PS C:\HWID> dir
-    
-    
-        Directory: C:\HWID
-    
-    
-    Mode                 LastWriteTime         Length Name
-    ----                 -------------         ------ ----
-    -a----        11/13/2020   3:01 PM           8184 AutopilotHWID.csv
-    
-    
-    PS C:\HWID>
-    ```
-
-1. Verify that there's an **AutopilotHWID.csv** file in the **c:\HWID** directory that's about 8 KB in size. This file contains the complete 4K HH.
-
-   > [!NOTE]
-   > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you're curious. The file format is validated when it's imported into Autopilot. Here's an example of the data in this file:
-
-   ![Serial number and hardware hash.](images/hwid.png)
-
-   You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you're using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
-
-   If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor.
-
-   > [!NOTE]
-   > When copying and pasting to or from VMs, avoid selecting other things with your mouse cursor in between the copy and paste process. Doing so can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
-
-## Reset the VM back to Out-Of-Box-Experience (OOBE)
-
-With the hardware ID captured in a file, prepare your VM for Windows Autopilot deployment by resetting it back to OOBE.
-
-1. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
-1. Select **Remove everything**. On **How would you like to reinstall Windows**, select **Local reinstall**.
-1. Finally, select **Reset**.
-
-![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
-
-Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
-
-![Reset this PC screen capture.](images/autopilot-reset-progress.jpg)
-
-## Verify subscription level
-
-For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) in the Azure portal. See the following example:
-
-**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
-
-![MDM and Intune.](images/mdm-intune2.png)
-
-If this configuration doesn't appear, it's likely that you don't have a **Premium** subscription.  Auto-enrollment is a feature only available in Azure AD Premium.
-
-To convert your Intune trial account to a free Premium trial account, go to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
-![License conversion option.](images/aad-lic1.png)
-
-## Configure company branding
-
-If you already have company branding configured in Azure AD, you can skip this step.
-
-> [!IMPORTANT]
-> Make sure to sign-in with a Global Administrator account.
-
-Go to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), select **Configure**, and then configure any type of company branding you'd like to see during the OOBE.
-
-![Configure company branding.](images/branding.png)
-
-When you're finished, select **Save**.
-
-> [!NOTE]
-> Changes to company branding can take up to 30 minutes to apply.
-
-## Configure Microsoft Intune auto-enrollment
-
-If you already have MDM auto-enrollment configured in Azure AD, you can skip this step.
-
-Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you don't see Microsoft Intune, select **Add application** and choose **Intune**.
-
-For the purposes of this demo, select **All** under the **MDM user scope** and select **Save**.
-
-![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png)
-
-## Register your VM
-
-Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB).  Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than Microsoft Store for Business.
-
-### Autopilot registration using Intune
-
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
-
-    ![Intune device import.](images/enroll1.png)
-
-    > [!NOTE]
-    > If menu items like **Windows enrollment** aren't active for you, look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appears.
-
-2. Under **Add Windows Autopilot devices** in the far-right pane, go to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
-
-    ![HWID CSV.](images/enroll2.png)
-
-    You should receive confirmation that the file is formatted correctly before you upload it, as shown above.
-
-3. Select **Import** and wait until the import process completes. This action can take up to 15 minutes.
-
-4. Select **Refresh** to verify your VM or device is added. See the following example.
-
-   ![Import HWID.](images/enroll3.png)
-
-### Autopilot registration using MSfB
-
-> [!IMPORTANT]
-> If you've already registered your VM (or device) using Intune, then skip this step.
-
-First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
-
-Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/store) with your test account,  select **Sign in** on the upper-right-corner of the main page.
-
-Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
-
-![Microsoft Store for Business.](images/msfb.png)
-
-Select the **Add devices** link to upload your CSV file. A message appears that indicates your request is being processed. Wait a few moments before refreshing to see that your new device is added.
-
-![Microsoft Store for Business Devices.](images/msfb-device.png)
-
-## Create and assign a Windows Autopilot deployment profile
-
-> [!IMPORTANT]
-> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or Microsoft Store for Business. Both processes are shown here, but only *pick one for the purposes of this lab*:
-
-Pick one:
-- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-- [Create profiles using Microsoft Store for Business](#create-a-windows-autopilot-deployment-profile-using-msfb)
-
-### Create a Windows Autopilot deployment profile using Intune
-
-> [!NOTE]
-> Even if you registered your device in Microsoft Store for Business, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list.
-
-![Devices.](images/enroll4.png)
-
-#### Create a device group
-
-The Autopilot deployment profile wizard asks for a device group, so you must create one first. To create a device group:
-
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
-
-2. In the **Group** pane:
-    1. For **Group type**, choose **Security**.
-    2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
-    3. Azure AD roles can be assigned to the group: **No**
-    4. For **Membership type**, choose **Assigned**.
-
-3. Select **Members** and add the Autopilot VM to the group. See the following example:
-
-   > [!div class="mx-imgBorder"]
-   > ![add members.](images/group1.png)
-
-4. Select **Create**.
-
-#### Create the deployment profile
-
-To create a Windows Autopilot profile, scroll back to the left-side pane and select **Devices**. Then, under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
-
-> [!div class="mx-imgBorder"]
-> ![Deployment profiles.](images/dp.png)
-
-Select **Create profile** and then select **Windows PC**.
-
-> [!div class="mx-imgBorder"]
-> ![Create deployment profile.](images/create-profile.png)
-
-On the **Create profile** pane, use the following values:
-
-| Setting | Value |
-|---|---|
-| Name | Autopilot Lab profile |
-| Description | Lab |
-| Convert all targeted devices to Autopilot | No |
-
-Select **Next** to continue with the **Out-of-box experience (OOBE)** settings:
-
-| Setting | Value |
-|---|---|
-| Deployment mode | User-driven |
-| Join to Azure AD as | Azure AD joined |
-| Microsoft Software License Terms | Hide |
-| Privacy Settings | Hide |
-| Hide change account options | Hide |
-| User account type | Standard |
-| Allow pre-provisioned deployment | No |
-| Language (Region) | Operating system default |
-| Automatically configure keyboard | Yes |
-| Apply device name template | No |
-
-Select **Next** to continue with the **Assignments** settings:
-
-| Setting | Value |
-|---|---|
-| Assign to | Selected groups |
-
-1. Select **Select groups to include**.
-2. Select the **Autopilot Lab** group, and then choose **Select**.
-3. Select **Next** to continue, and then select **Create**. See the following example:
-
-![Deployment profile.](images/profile.png)
-
-Select **OK**, and then select **Create**.
-
-> [!NOTE]
-> If you want to add an app to your profile via Intune, use the *optional* steps in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
-
-### Create a Windows Autopilot deployment profile using MSfB
-
-If you already created and assigned a profile via Intune with the steps immediately above, then skip this section.
-
-First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
-
-Select **Manage** from the top menu, then select **Devices** from the left navigation tree.
-
-![Microsoft Store for Business manage.](images/msfb-manage.png)
-
-Select the **Windows Autopilot Deployment Program** link in the **Devices** tile.
-
-To CREATE the profile:
-
-Select your device from the **Devices** list:
-
-> [!div class="mx-imgBorder"]
-> ![Microsoft Store for Business create step 1.](images/msfb-create1.png)
-
-On the Autopilot deployment dropdown menu, select **Create new profile**:
-
-> [!div class="mx-imgBorder"]
-> ![Microsoft Store for Business create step 2.](images/msfb-create2.png)
-
-Name the profile, choose your desired settings, and then select **Create**:
-
-> [!div class="mx-imgBorder"]
-> ![Microsoft Store for Business create step 3.](images/msfb-create3.png)
-
-The new profile is added to the Autopilot deployment list.
-
-To ASSIGN the profile:
-
-To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab. Then, select the profile you want to assign from the **Autopilot deployment** dropdown menu, as shown:
-
-> [!div class="mx-imgBorder"]
-> ![Microsoft Store for Business assign step 1.](images/msfb-assign1.png)
-
-To confirm the profile was successfully assigned to the intended device, check the contents of the **Profile** column:
-
-> [!div class="mx-imgBorder"]
-> ![Microsoft Store for Business assign step 2.](images/msfb-assign2.png)
-
-> [!IMPORTANT]
-> The new profile is only applied if the device hasn't started and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
-
-## See Windows Autopilot in action
-
-If you shut down your VM after the last reset, start it again. Then it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
-
-> [!div class="mx-imgBorder"]
-> ![Device status.](images/device-status.png)
-
-Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding). Otherwise, these changes might not show up.
-
-> [!TIP]
-> If you reset your device previously, after collecting the 4K HH info, let it restart back to the first OOBE screen. Then you might need to restart the device again to make sure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you don't see the Autopilot OOBE experience, then reset the device again (**Settings** > **Update & Security** > **Recovery** and select **Get started**.  Under **Reset this PC**, select **Remove everything and Just remove my files**. Select **Reset**).
-
-1. Make sure your device has an internet connection.
-1. Turn on the device.
-1. Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
-![OOBE sign-in page.](images/autopilot-oobe.png)
-
-After the device loads the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go to the Intune portal, and select **Devices > All devices**. Then **Refresh** the data to verify that your device has changed to an enabled state, and the name of the device is updated.
-
-> [!div class="mx-imgBorder"]
-> ![Device enabled.](images/devices1.png)
-
-Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure AD credentials. Then you're all done.
-
-> [!TIP]
-> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you correctly [assigned licenses](/mem/intune/fundamentals/licenses-assign) to the current user.
-
-Windows Autopilot takes over to automatically join your device into Azure AD and enroll it into Microsoft Intune. Use the checkpoint you've created to go through this process again with different settings.
-
-## Remove devices from Autopilot
-
-To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or Microsoft Store for Business, and then reset it.  Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below.
-
-### Delete (deregister) Autopilot device
-
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), then go to **Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
-
-> [!div class="mx-imgBorder"]
-> ![Delete device step 1.](images/delete-device1.png)
-
-This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this action doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
-
-> [!NOTE]
-> A device only appears in the **All devices** list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
-
-To remove the device from the Autopilot program, select the device, and then select **Delete**. A pop-up dialog box appears to confirm deletion.
-
-> [!div class="mx-imgBorder"]
-> ![Delete device.](images/delete-device2.png)
-
-At this point, your device is unenrolled from Intune and also deregistered from Autopilot. After several minutes, select the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program.
-
-Once the device no longer appears, you're free to reuse it for other purposes.
-
-If you also (optionally) want to remove your device from Azure AD, go to **Azure Active Directory > Devices > All Devices**, select your device, and then select the **Delete** button:
-
-## Appendix A: Verify support for Hyper-V
-
-Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-
-To verify your computer supports SLAT, open an administrator command prompt,  type **systeminfo**, press **ENTER**, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
-```console
-C:>systeminfo
-
-...
-Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                           Virtualization Enabled In Firmware: Yes
-                           Second Level Address Translation: Yes
-                           Data Execution Prevention Available: Yes
-```
-
-In this example, the computer supports SLAT and Hyper-V.
-
-> [!NOTE]
-> If one or more requirements are evaluated as **No** then the computer doesn't support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting depends on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-
-You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [Coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
-
-```console
-C:>coreinfo -v
-
-Coreinfo v3.31 - Dump information on system CPU and memory topology
-Copyright (C) 2008-2014 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-Microcode signature: 0000001B
-HYPERVISOR      -       Hypervisor is present
-VMX             *       Supports Intel hardware-assisted virtualization
-EPT             *       Supports Intel extended page tables (SLAT)
-```
-
-> [!NOTE]
-> A 64-bit operating system is required to run Hyper-V.
-
-## Appendix B: Adding apps to your profile
-
-### Add a Win32 app
-
-#### Prepare the app for Intune
-
-Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following information to use the tool:
-
-1. The source folder for your application
-2. The name of the setup executable file
-3. The output folder for the new file
-
-For the purposes of this lab, we'll use the Notepad++ tool as the Win32 app.
-
-Download the [Notepad++ msi package](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available), and then copy the file to a known location, such as C:\Notepad++msi.
-
-Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
-> [!div class="mx-imgBorder"]
-> ![Add app example.](images/app01.png)
-
-After the tool finishes running, you should have an `.intunewin` file in the Output folder. You can upload the file into Intune by using the following steps.
-
-#### Create app in Intune
-
-Sign in to the Azure portal, and then select **Intune**.
-
-Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
-
-![Add app step 1.](images/app02.png)
-
-Under **App Type**, select **Windows app (Win32)**:
-
-![Add app step 2.](images/app03.png)
-
-On the **App package file** pane, browse to the `npp.7.6.3.installer.x64.intunewin` file in your output folder, open it, then select **OK**:
-
-> [!div class="mx-imgBorder"]
-> ![Add app step 3.](images/app04.png)
-
-On the **App Information Configure** pane, provide a friendly name, description, and publisher, such as:
-
-![Add app step 4.](images/app05.png)
-
-On the **Program Configuration** pane, supply the install and uninstall commands:
-
-```console
-Install:  msiexec /i "npp.7.6.3.installer.x64.msi" /q
-Uninstall:  msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
-```
-
-> [!NOTE]
-> Likely, you don't have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
-![Add app step 5.](images/app06.png)
-
-Simply using an install command like `notepad++.exe /S` doesn't actually install Notepad++. It only launches the app. To install the program, you need to use the `.msi` file instead. Notepad++ doesn't have an MSI version of their program, but there's an MSI version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-
-Select **OK** to save your input and activate the **Requirements** pane.
-
-On the **Requirements Configuration** pane, specify the **OS architecture** and the **Minimum OS version**:
-
-> [!div class="mx-imgBorder"]
-> ![Add app step 6.](images/app07.png)
-
-Next, configure the **Detection rules**. For the purposes of this lab, select manual format:
-
-> [!div class="mx-imgBorder"]
-> ![Add app step 7.](images/app08.png)
-
-Select **Add** to define the rule properties. For **Rule type**, select **MSI**, which automatically imports the correct MSI product code into the rule:
-
-![Add app step 8.](images/app09.png)
-
-Select **OK** twice to save, as you back out to the main **Add app** pane again for the final configuration.
-
-**Return codes**: For the purposes of this lab, leave the return codes at their default values:
-
-> [!div class="mx-imgBorder"]
-> ![Add app step 9.](images/app10.png)
-
-Select **OK** to exit.
-
-You can skip configuring the final **Scope (Tags)** pane.
-
-Select the **Add** button to finalize and save your app package.
-
-Wait for indicator message that says the addition has completed.
-
-> [!div class="mx-imgBorder"]
-> ![Add app step 10.](images/app11.png)
-
-Find your app in your app list:
-
-> [!div class="mx-imgBorder"]
-> ![Add app step 11.](images/app12.png)
-
-#### Assign the app to your Intune profile
-
-> [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties pane. Then select **Assignments** from the menu:
-
-> [!div class="mx-imgBorder"]
-> ![Assign app step 1.](images/app13.png)
-
-Select **Add Group** to open the **Add group** pane that's related to the app.
-
-For the purposes of this lab, select **Required** from the **Assignment type** dropdown menu.
-
-> [!NOTE]
-> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
-
-Select **Included Groups** and assign the groups you previously created that will use this app:
-
-![Assign app step 2.](images/app14.png)
-
-> [!div class="mx-imgBorder"]
-> ![Assign app step 3.](images/app15.png)
-
-In the **Select groups** pane, choose the **Select** button.
-
-In the **Assign group** pane, select **OK**.
-
-In the **Add group** pane, select **OK**.
-
-In the app **Assignments** pane, select **Save**.
-
-> [!div class="mx-imgBorder"]
-> ![Assign app step 4.](images/app16.png)
-
-At this point, you have completed steps to add a Win32 app to Intune.
-
-For more information on adding apps to Intune, see [Intune Standalone - Win32 app management](/intune/apps-win32-app-management).
-
-### Add Microsoft 365 Apps
-
-#### Create app in Microsoft Intune
-
-Sign in to the Azure portal and select **Intune**.
-
-Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.
-
-![Create app step 1.](images/app17.png)
-
-Under **App Type**, select **Microsoft 365 Apps > Windows 10 and later**:
-
-![Create app step 2.](images/app18.png)
-
-Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this lab, only select Excel:
-
-> [!div class="mx-imgBorder"]
-> ![Create app step 3.](images/app19.png)
-
-Select **OK**.
-
-In the **App Suite Information** pane, enter a *unique* suite name, and a suitable description.
-
-Enter the name of the app suite as it's displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
-> [!div class="mx-imgBorder"]
-> ![Create app step 4.](images/app20.png)
-
-Select **OK**.
-
-In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection is okay for the purposes of this lab).  Also select **Yes** for **Automatically accept the app end user license agreement**:
-
-![Create app step 5.](images/app21.png)
-
-Select **OK** and, then select **Add**.
-
-#### Assign the app to your Intune profile
-
-> [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties pane. Then select **Assignments** from the menu:
-
-> [!div class="mx-imgBorder"]
-> ![Create app step 6.](images/app22.png)
-
-Select **Add Group** to open the **Add group** pane that's related to the app.
-
-For the purposes of this lab, select **Required** from the **Assignment type** dropdown menu.
-
-**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
-
-Select **Included Groups** and assign the groups you previously created that will use this app:
-
-![Create app step 7.](images/app23.png)
-
-> [!div class="mx-imgBorder"]
-> ![Create app step 8.](images/app24.png)
-
-In the **Select groups** pane, choose the **Select** button.
-
-In the **Assign group** pane, select **OK**.
-
-In the **Add group** pane, select **OK**.
-
-In the app **Assignments** pane, select **Save**.
-
-![Create app step 9.](images/app25.png)
-
-At this point, you have completed steps to add Office to Intune.
-
-For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
-
-If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list. It might take several minutes to populate.
-
-![Create app step 10.](images/app26.png)
-
-## Glossary
-
-|    | Description |
-|:---|:---|
-|**OEM** | Original Equipment Manufacturer |
-|**CSV** | Comma Separated Values |
-|**MPC** | Microsoft Partner Center |
-|**CSP** | Cloud Solution Provider |
-|**MSfB** | Microsoft Store for Business |
-|**Azure AD** | Azure Active Directory |
-|**4K HH** | 4K Hardware Hash |
-|**CBR** | Computer Build Report |
-|**EC** | Enterprise Commerce (server) |
-|**DDS** | Device Directory Service |
-|**OOBE** | Out of the Box Experience |
-|**VM** |Virtual Machine |
diff --git a/windows/deployment/windows-autopilot/images/aad-lic1.png b/windows/deployment/windows-autopilot/images/aad-lic1.png
deleted file mode 100644
index 569d601066..0000000000
Binary files a/windows/deployment/windows-autopilot/images/aad-lic1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/ap-aad-mdm.png b/windows/deployment/windows-autopilot/images/ap-aad-mdm.png
deleted file mode 100644
index ece310f978..0000000000
Binary files a/windows/deployment/windows-autopilot/images/ap-aad-mdm.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app01.png b/windows/deployment/windows-autopilot/images/app01.png
deleted file mode 100644
index f551c5ca68..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app01.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app02.png b/windows/deployment/windows-autopilot/images/app02.png
deleted file mode 100644
index e5036043cc..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app02.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app03.png b/windows/deployment/windows-autopilot/images/app03.png
deleted file mode 100644
index 63ef76b3f8..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app03.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app04.png b/windows/deployment/windows-autopilot/images/app04.png
deleted file mode 100644
index bd307c4a46..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app04.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app05.png b/windows/deployment/windows-autopilot/images/app05.png
deleted file mode 100644
index 83861dcd51..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app05.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app06.png b/windows/deployment/windows-autopilot/images/app06.png
deleted file mode 100644
index 9563e0514c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app06.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app07.png b/windows/deployment/windows-autopilot/images/app07.png
deleted file mode 100644
index 59025e69fa..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app07.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app08.png b/windows/deployment/windows-autopilot/images/app08.png
deleted file mode 100644
index cea5edfc57..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app08.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app09.png b/windows/deployment/windows-autopilot/images/app09.png
deleted file mode 100644
index 250c85dd8a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app09.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app10.png b/windows/deployment/windows-autopilot/images/app10.png
deleted file mode 100644
index 8d5af2ece1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app10.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app11.png b/windows/deployment/windows-autopilot/images/app11.png
deleted file mode 100644
index 9ca5bc10eb..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app11.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app12.png b/windows/deployment/windows-autopilot/images/app12.png
deleted file mode 100644
index 3f82bf78a9..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app12.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app13.png b/windows/deployment/windows-autopilot/images/app13.png
deleted file mode 100644
index 2b499f4ec2..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app13.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app14.png b/windows/deployment/windows-autopilot/images/app14.png
deleted file mode 100644
index e809db6134..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app14.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app15.png b/windows/deployment/windows-autopilot/images/app15.png
deleted file mode 100644
index b85a96bf9e..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app15.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app16.png b/windows/deployment/windows-autopilot/images/app16.png
deleted file mode 100644
index f22f74a091..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app16.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app17.png b/windows/deployment/windows-autopilot/images/app17.png
deleted file mode 100644
index 5adfc9218f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app17.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app18.png b/windows/deployment/windows-autopilot/images/app18.png
deleted file mode 100644
index 24c4b9f331..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app18.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app19.png b/windows/deployment/windows-autopilot/images/app19.png
deleted file mode 100644
index 281ba9fb40..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app19.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app20.png b/windows/deployment/windows-autopilot/images/app20.png
deleted file mode 100644
index a5a066b45e..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app20.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app21.png b/windows/deployment/windows-autopilot/images/app21.png
deleted file mode 100644
index d2e23f2db4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app21.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app22.png b/windows/deployment/windows-autopilot/images/app22.png
deleted file mode 100644
index 4541a69204..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app22.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app23.png b/windows/deployment/windows-autopilot/images/app23.png
deleted file mode 100644
index 19b951c653..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app23.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app24.png b/windows/deployment/windows-autopilot/images/app24.png
deleted file mode 100644
index aa77e4083f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app24.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app25.png b/windows/deployment/windows-autopilot/images/app25.png
deleted file mode 100644
index 544d1ae37a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app25.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/app26.png b/windows/deployment/windows-autopilot/images/app26.png
deleted file mode 100644
index e210faa31b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/app26.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-oobe.png b/windows/deployment/windows-autopilot/images/autopilot-oobe.png
deleted file mode 100644
index 9cfea73377..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-oobe.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-progress.jpg b/windows/deployment/windows-autopilot/images/autopilot-reset-progress.jpg
deleted file mode 100644
index dbf0e3b3ae..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-progress.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-prompt.jpg b/windows/deployment/windows-autopilot/images/autopilot-reset-prompt.jpg
deleted file mode 100644
index 9ed75a9db9..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-prompt.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/branding.png b/windows/deployment/windows-autopilot/images/branding.png
deleted file mode 100644
index 46dd37bc4a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/branding.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/create-profile.png b/windows/deployment/windows-autopilot/images/create-profile.png
deleted file mode 100644
index d2816e9c89..0000000000
Binary files a/windows/deployment/windows-autopilot/images/create-profile.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device1.png b/windows/deployment/windows-autopilot/images/delete-device1.png
deleted file mode 100644
index 770c8e5b02..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device2.png b/windows/deployment/windows-autopilot/images/delete-device2.png
deleted file mode 100644
index 188c72d67b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device-status.png b/windows/deployment/windows-autopilot/images/device-status.png
deleted file mode 100644
index a5627040ec..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device-status.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/devices1.png b/windows/deployment/windows-autopilot/images/devices1.png
deleted file mode 100644
index 459aa19c69..0000000000
Binary files a/windows/deployment/windows-autopilot/images/devices1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/dp.png b/windows/deployment/windows-autopilot/images/dp.png
deleted file mode 100644
index a133c72491..0000000000
Binary files a/windows/deployment/windows-autopilot/images/dp.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enroll1.png b/windows/deployment/windows-autopilot/images/enroll1.png
deleted file mode 100644
index 4bc9be72bb..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enroll1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enroll2.png b/windows/deployment/windows-autopilot/images/enroll2.png
deleted file mode 100644
index 62e7344da1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enroll2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enroll3.png b/windows/deployment/windows-autopilot/images/enroll3.png
deleted file mode 100644
index 3501d5036c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enroll3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enroll4.png b/windows/deployment/windows-autopilot/images/enroll4.png
deleted file mode 100644
index fc7215b68f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enroll4.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/group1.png b/windows/deployment/windows-autopilot/images/group1.png
deleted file mode 100644
index 2ccc8db248..0000000000
Binary files a/windows/deployment/windows-autopilot/images/group1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/hwid.png b/windows/deployment/windows-autopilot/images/hwid.png
deleted file mode 100644
index fcc73fa0b0..0000000000
Binary files a/windows/deployment/windows-autopilot/images/hwid.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/hyper-v-feature.png b/windows/deployment/windows-autopilot/images/hyper-v-feature.png
deleted file mode 100644
index d7293d808e..0000000000
Binary files a/windows/deployment/windows-autopilot/images/hyper-v-feature.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune2.png b/windows/deployment/windows-autopilot/images/mdm-intune2.png
deleted file mode 100644
index d464863f37..0000000000
Binary files a/windows/deployment/windows-autopilot/images/mdm-intune2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-assign1.png b/windows/deployment/windows-autopilot/images/msfb-assign1.png
deleted file mode 100644
index c1e8e27e21..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-assign1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-assign2.png b/windows/deployment/windows-autopilot/images/msfb-assign2.png
deleted file mode 100644
index fd3be16853..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-assign2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create1.png b/windows/deployment/windows-autopilot/images/msfb-create1.png
deleted file mode 100644
index f76aa82991..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-create1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create2.png b/windows/deployment/windows-autopilot/images/msfb-create2.png
deleted file mode 100644
index ec6c260fcd..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-create2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-create3.png b/windows/deployment/windows-autopilot/images/msfb-create3.png
deleted file mode 100644
index a6241fb5ea..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-create3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-device.png b/windows/deployment/windows-autopilot/images/msfb-device.png
deleted file mode 100644
index d338056013..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-device.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage.png b/windows/deployment/windows-autopilot/images/msfb-manage.png
deleted file mode 100644
index 9bf684d844..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-manage.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb.png b/windows/deployment/windows-autopilot/images/msfb.png
deleted file mode 100644
index af937c2c5f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/profile.png b/windows/deployment/windows-autopilot/images/profile.png
deleted file mode 100644
index 1c6c734a74..0000000000
Binary files a/windows/deployment/windows-autopilot/images/profile.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/svr_mgr2.png b/windows/deployment/windows-autopilot/images/svr_mgr2.png
deleted file mode 100644
index dd2e6737c6..0000000000
Binary files a/windows/deployment/windows-autopilot/images/svr_mgr2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup1.png b/windows/deployment/windows-autopilot/images/winsetup1.png
deleted file mode 100644
index c8048256c4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup2.png b/windows/deployment/windows-autopilot/images/winsetup2.png
deleted file mode 100644
index 43db844334..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup3.png b/windows/deployment/windows-autopilot/images/winsetup3.png
deleted file mode 100644
index dbea3969de..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup4.png b/windows/deployment/windows-autopilot/images/winsetup4.png
deleted file mode 100644
index 1121b1dff5..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup4.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup5.png b/windows/deployment/windows-autopilot/images/winsetup5.png
deleted file mode 100644
index 2757253097..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup5.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup6.png b/windows/deployment/windows-autopilot/images/winsetup6.png
deleted file mode 100644
index e91843e1ff..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup6.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup7.png b/windows/deployment/windows-autopilot/images/winsetup7.png
deleted file mode 100644
index dadf85485e..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup7.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/winsetup8.png b/windows/deployment/windows-autopilot/images/winsetup8.png
deleted file mode 100644
index 9d7a499db0..0000000000
Binary files a/windows/deployment/windows-autopilot/images/winsetup8.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/index.yml b/windows/deployment/windows-autopilot/index.yml
deleted file mode 100644
index 78ac058a36..0000000000
--- a/windows/deployment/windows-autopilot/index.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-### YamlMime:Landing
-
-title: Windows Autopilot deployment resources and documentation # < 60 chars
-summary: 'Note: Windows Autopilot documentation has moved! A few more resources will also be available here. For more information, see the links on this page.'  # < 160 chars
-
-metadata:
-  title: Windows Autopilot deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
-  description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
-  ms.topic: landing-page
-  ms.prod: windows-client
-  ms.technology: itpro-deploy
-  ms.collection:
-    - highpri
-    - tier1
-  author: frankroj
-  ms.author: frankroj
-  manager: aaroncz
-  ms.date: 10/28/2022
-  localization_priority: medium
-    
-# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
-
-landingContent:
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb 
-  # Card
-  - title: Overview
-    linkLists:
-      - linkListType: overview
-        links:
-          - text: Overview of Windows Autopilot
-            url:  /mem/autopilot/windows-autopilot
-
-              # Card
-  - title: Tutorials
-    linkLists:
-      - linkListType: get-started
-        links:
-          - text: Demonstrate Windows Autopilot deployment
-            url: demonstrate-deployment-on-vm.md
\ No newline at end of file
diff --git a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 2f0412decb..2ec2462e4c 100644
--- a/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -5,9 +5,7 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.reviewer:
 manager: aaroncz
-ms.custom: asr
 ms.technology: itpro-security
 ms.date: 03/16/2023
 ms.topic: article
diff --git a/windows/security/application-security/application-control/toc.yml b/windows/security/application-security/application-control/toc.yml
index 117ebc744f..f8b2ebf7a8 100644
--- a/windows/security/application-security/application-control/toc.yml
+++ b/windows/security/application-security/application-control/toc.yml
@@ -1,4 +1,10 @@
 items:
+- name: Smart App Control
+  href: windows-defender-application-control/wdac.md
+- name: Windows Defender Application Control
+  href: windows-defender-application-control/wdac.md
+- name: Windows Defender Application Control and virtualization-based protection of code integrity
+  href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
 - name: User Account Control (UAC)
   items:
   - name: Overview
@@ -7,9 +13,6 @@ items:
     href: user-account-control/how-it-works.md
   - name: UAC settings and configuration
     href: user-account-control/settings-and-configuration.md
-- name: Windows Defender Application Control and virtualization-based protection of code integrity
-  href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
-- name: Windows Defender Application Control
-  href: windows-defender-application-control/wdac.md
-- name: Smart App Control
-  href: windows-defender-application-control/wdac.md
+- name: Microsoft Vulnerable Driver Blocklist
+  href: windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+  
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
index 70c937a286..3815f2af27 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml
@@ -55,8 +55,8 @@
               href: design/create-wdac-policy-using-reference-computer.md
             - name: Create a WDAC deny list policy
               href: design/create-wdac-deny-policy.md
-            - name: Microsoft recommended block rules
-              href: design/microsoft-recommended-block-rules.md
+            - name: Applications that can bypass WDAC and how to block them
+              href: design/applications-that-can-bypass-wdac.md
             - name: Microsoft recommended driver block rules
               href: design/microsoft-recommended-driver-block-rules.md
         - name: Use the WDAC Wizard tool
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
similarity index 99%
rename from windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
rename to windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
index ebc63fd06e..bcce7c5578 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac.md
@@ -1,15 +1,15 @@
 ---
-title: Microsoft recommended block rules
+title: Applications that can bypass WDAC and how to block them
 description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
 ms.localizationpriority: medium
 ms.date: 06/14/2023
 ms.topic: reference
 ---
 
-# Microsoft recommended block rules
+# Applications that can bypass WDAC and how to block them
 
->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](../feature-availability.md).
 
 Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass WDAC.
 
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/index.yml b/windows/security/application-security/application-control/windows-defender-application-control/index.yml
index 116b217e84..1b1d46e536 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/index.yml
+++ b/windows/security/application-security/application-control/windows-defender-application-control/index.yml
@@ -33,8 +33,8 @@ landingContent:
         links:
           - text: Using code signing to simplify application control
             url: deployment/use-code-signing-for-better-control-and-protection.md
-          - text: Microsoft's Recommended Blocklist
-            url: design/microsoft-recommended-block-rules.md
+          - text: Applications that can bypass WDAC and how to block them
+            url: design/applications-that-can-bypass-wdac.md
           - text: Microsoft's Recommended Driver Blocklist
             url: design/microsoft-recommended-driver-block-rules.md
           - text: Example WDAC policies
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index dee33405bb..7ee7a13013 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -47,7 +47,7 @@ Smart App Control is only available on clean installation of Windows 11 version
 
 ### Smart App Control Enforced Blocks
 
-Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](design/microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](design/applications-that-can-bypass-wdac.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
 
 - Infdefaultinstall.exe
 - Microsoft.Build.dll
diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml
index 3673f50fde..c8ed951135 100644
--- a/windows/security/application-security/application-isolation/toc.yml
+++ b/windows/security/application-security/application-isolation/toc.yml
@@ -1,6 +1,6 @@
 items:
 - name: Microsoft Defender Application Guard (MDAG)
-  href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
+  href: microsoft-defender-application-guard/md-app-guard-overview.md
 - name: MDAG for Edge standalone mode
   href: microsoft-defender-application-guard/md-app-guard-overview.md
 - name: MDAG for Edge enterprise mode and enterprise management 🔗
@@ -9,7 +9,7 @@ items:
   href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
 - name: MDAG configure via MDM 🔗
   href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
-- name: Windows containers 🔗
+- name: App containers 🔗
   href: /virtualization/windowscontainers/about
 - name: Windows Sandbox
   href: windows-sandbox/windows-sandbox-overview.md
diff --git a/windows/security/application-security/index.md b/windows/security/application-security/index.md
index bcdb6b5bf2..6d2ac65456 100644
--- a/windows/security/application-security/index.md
+++ b/windows/security/application-security/index.md
@@ -1,18 +1,14 @@
 ---
 title: Windows application security
 description: Get an overview of application security in Windows
-ms.date: 03/09/2023
-ms.topic: article
+ms.date: 08/02/2023
+ms.topic: conceptual
 ---
 
 # Windows application security
 
-Cyber-criminals regularly gain access to valuable data by hacking applications. This can include *code injection* attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security.
+Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
 
-The following table summarizes the Windows security features and capabilities for apps:
+Learn more about application security features in Windows.
 
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](application-control/windows-defender-application-control/wdac.md) |
-| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). |
-| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) |
+[!INCLUDE [application](../includes/sections/application.md)]
diff --git a/windows/security/application-security/toc.yml b/windows/security/application-security/toc.yml
index 3ae26b2e31..84c5873b45 100644
--- a/windows/security/application-security/toc.yml
+++ b/windows/security/application-security/toc.yml
@@ -1,8 +1,8 @@
 items:
 - name: Overview
   href: index.md
-- name: Application Control
+- name: Application and driver control
   href: application-control/toc.yml
-- name: Application Isolation
+- name: Application isolation
   href: application-isolation/toc.yml
 
diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-security/index.md
new file mode 100644
index 0000000000..4a758c6aa6
--- /dev/null
+++ b/windows/security/cloud-security/index.md
@@ -0,0 +1,18 @@
+---
+title: Windows and cloud security
+description: Get an overview of cloud security features in Windows
+ms.date: 08/02/2023
+ms.topic: conceptual
+author: paolomatarazzo
+ms.author: paoloma
+---
+
+# Windows and cloud security
+
+Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
+
+From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
+
+Learn more about cloud security features in Windows.
+
+[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]
diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-security/toc.yml
index 4350280431..7c46b6e146 100644
--- a/windows/security/cloud-security/toc.yml
+++ b/windows/security/cloud-security/toc.yml
@@ -1,4 +1,6 @@
 items:
+- name: Overview
+  href: index.md
 - name: Join Active Directory and Azure AD with single sign-on (SSO) 🔗
   href: /azure/active-directory/devices/concept-azure-ad-join
 - name: Security baselines with Intune 🔗
diff --git a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
index b1f7221ccc..4a94896198 100644
--- a/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
+++ b/windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
@@ -37,7 +37,7 @@ When the system boots, Pluton hardware initialization is performed by loading th
 
 ![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
 
-[!INCLUDE [microsoft-pluton-security-processor](../../../../includes/licensing/microsoft-pluton-security-processor.md)]
+[!INCLUDE [microsoft-pluton](../../../../includes/licensing/microsoft-pluton.md)]
 
 ## Related topics
 
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
index 001c8c7a8f..1b95b86db3 100644
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@@ -48,8 +48,8 @@ items:
         href: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815
       - name: Secured-core PC 🔗
         href: /windows-hardware/design/device-experiences/oem-highly-secure-11
-      - name: Secured-core PC configuration lock
-        href: /windows/client-management/config-lock 🔗
+      - name: Secured-core PC configuration lock 🔗
+        href: /windows/client-management/config-lock
       - name: Kernel Direct Memory Access (DMA) protection
         href: kernel-dma-protection-for-thunderbolt.md
       - name: System Guard Secure Launch
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
index b434d6a7d8..8d35f5065b 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
@@ -42,7 +42,7 @@ Anti-malware software can use the boot measurements of the operating system star
 
 The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
 
-[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm-20.md)]
+[!INCLUDE [trusted-platform-module-tpm-20](../../../../includes/licensing/trusted-platform-module-tpm.md)]
 
 ## New and changed functionality
 
diff --git a/windows/security/includes/sections/application-application-control-overview.md b/windows/security/includes/sections/application-application-control-overview.md
deleted file mode 100644
index 00b89b3535..0000000000
--- a/windows/security/includes/sections/application-application-control-overview.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Application Control features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|
-|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
-|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Application Control features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)|Yes|Yes|Yes|Yes|Yes|
-|[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
-|[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application-application-isolation-overview.md b/windows/security/includes/sections/application-application-isolation-overview.md
deleted file mode 100644
index 252a6d415b..0000000000
--- a/windows/security/includes/sections/application-application-isolation-overview.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Application Isolation features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|
-|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|❌|Yes|
-|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|❌|Yes|
-|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|Yes|❌|Yes|
-|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|❌|Yes|
-|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|
-|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Application Isolation features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)|❌|Yes|Yes|Yes|Yes|
-|Microsoft Defender Application Guard (MDAG) public APIs|❌|Yes|Yes|Yes|Yes|
-|[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)|❌|❌|❌|❌|❌|
-|[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)|❌|Yes|Yes|Yes|Yes|
-|[Windows containers](/virtualization/windowscontainers/about/)|Yes|Yes|Yes|Yes|Yes|
-|[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
index 247d4a9ae8..34f9e6a785 100644
--- a/windows/security/includes/sections/application.md
+++ b/windows/security/includes/sections/application.md
@@ -1,26 +1,28 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
-## Application Control
+## Application and driver control
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
-| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
 | **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in Windows Defender Application Control (WDAC) to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
+| **[AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview)** |  |
+| **[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include Windows Defender Application Control (WDAC) and AppLocker. WDAC is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to WDAC for the stronger protection. |
+| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
+| **[Microsoft vulnerable driver blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
 
-## Application Isolation
+## Application isolation
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
+| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
 | **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
 | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
 | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
-| **[Windows containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
-| **[Windows Sandbox](../../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
+| **[App containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
+| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
diff --git a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md b/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
deleted file mode 100644
index 3f4998f4bc..0000000000
--- a/windows/security/includes/sections/cloud-services-protecting-your-work-information-overview.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Protecting Your Work Information features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|
-|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|
-|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|
-|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|
-|[Universal Print](/universal-print/)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Protecting Your Work Information features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)|Yes|Yes|Yes|Yes|Yes|
-|[Security baselines](/mem/intune/protect/security-baselines)|Yes|Yes|Yes|Yes|Yes|
-|[Remote wipe](/windows/client-management/mdm/remotewipe-csp)|Yes|Yes|Yes|Yes|Yes|
-|[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)|Yes|Yes|Yes|Yes|Yes|
-|[Universal Print](/universal-print/)|❌|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services-update-overview.md b/windows/security/includes/sections/cloud-services-update-overview.md
deleted file mode 100644
index b20a97756d..0000000000
--- a/windows/security/includes/sections/cloud-services-update-overview.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Update features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|❌|Yes|
-|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Update features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Windows Autopatch](/windows/deployment/windows-autopatch/)|❌|Yes|Yes|❌|❌|
-|[Windows Autopilot](/windows/deployment/windows-autopilot)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
index 4c2d636206..07fc5b88b5 100644
--- a/windows/security/includes/sections/cloud-services.md
+++ b/windows/security/includes/sections/cloud-services.md
@@ -1,23 +1,18 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
-## Protecting Your Work Information
+## Protect your work information
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)** | Microsoft Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/mem/intune/protect/security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
+| **[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
 | **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
-| **[Manage by Mobile Device Management (MDM) and group policy](../../operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
-| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a <br>Microsoft hosted cloud subscription service that supports a zero-trust security model by <br>enabling network isolation of printers, including the Universal Print connector software, from <br>the rest of the organization's resources. |
-
-## Update
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
+| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.<br><br>IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.<br><br>To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
+| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
 | **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. <br><br>The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors.  |
 | **[Windows Autopilot](/windows/deployment/windows-autopilot)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md b/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
deleted file mode 100644
index cb297f9fb2..0000000000
--- a/windows/security/includes/sections/hardware-hardware-root-of-trust-overview.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Hardware Root-Of-Trust features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|
-|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|
-|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Hardware Root-Of-Trust features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)|Yes|Yes|Yes|Yes|Yes|
-|[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md b/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
deleted file mode 100644
index fb61005d36..0000000000
--- a/windows/security/includes/sections/hardware-silicon-assisted-security-secured-kernel-overview.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Silicon Assisted Security (Secured Kernel) features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|
-|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|
-|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|
-|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|
-|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Silicon Assisted Security (Secured Kernel) features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)|Yes|Yes|Yes|Yes|Yes|
-|[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)|Yes|Yes|Yes|Yes|Yes|
-|[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)|Yes|Yes|Yes|Yes|Yes|
-|[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)|Yes|Yes|Yes|Yes|Yes|
-|[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
index 52202f35f7..11a4f97b60 100644
--- a/windows/security/includes/sections/hardware.md
+++ b/windows/security/includes/sections/hardware.md
@@ -1,24 +1,30 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
-## Hardware Root-Of-Trust
+## Hardware root-of-trust
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
-| **[Windows Defender System Guard](../../hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
-| **[Trusted Platform Module (TPM) 2.0](/windows/security/information-protection/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
-| **[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
+| **[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
+| **[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
+| **[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
 
-## Silicon Assisted Security (Secured Kernel)
+## Silicon assisted security
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
-| **[Hypervisor-protected Code Integrity (HVCI)](/windows-hardware/design/device-experiences/oem-hvci-enablement)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
+| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
 | **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
-| **[Kernel Direct Memory Access (DMA) protection](../../hardware-security/kernel-dma-protection-for-thunderbolt.md)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+| **[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
+
+## Secured-core PC
+
+| Feature name | Description |
+|:---|:---|
+| **[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
+| **[Secured-core configuration lock](/windows/client-management/config-lock)** | Secured-core configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired SCPC state in seconds.  |
diff --git a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md b/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
deleted file mode 100644
index c8f646fb31..0000000000
--- a/windows/security/includes/sections/identity-advanced-credential-protection-overview.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Advanced Credential Protection features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|
-|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|
-|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|
-|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|
-|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|❌|Yes|
-|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Advanced Credential Protection features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Windows LAPS](/windows-server/identity/laps/laps-overview)|Yes|Yes|Yes|Yes|Yes|
-|[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)|Yes|Yes|Yes|Yes|Yes|
-|[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)|Yes|Yes|Yes|Yes|Yes|
-|[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)|Yes|Yes|Yes|Yes|Yes|
-|[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)|❌|Yes|Yes|Yes|Yes|
-|[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md b/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
deleted file mode 100644
index c2666f968d..0000000000
--- a/windows/security/includes/sections/identity-passwordless-sign-in-overview.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Passwordless Sign In features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|
-|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|
-|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|
-|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|
-|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|Yes|Yes|
-|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Passwordless Sign In features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)|Yes|Yes|Yes|Yes|Yes|
-|[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)|Yes|Yes|Yes|Yes|Yes|
-|[Windows Hello for Business Enhanced Security Sign-in (ESS) ](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)|Yes|Yes|Yes|Yes|Yes|
-|[Fast Identity Online (FIDO2) security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)|Yes|Yes|Yes|Yes|Yes|
-|[Federated sign-in](/education/windows/federated-sign-in)|❌|❌|❌|Yes|Yes|
-|[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
index b31aaf1ca9..891ad65444 100644
--- a/windows/security/includes/sections/identity.md
+++ b/windows/security/includes/sections/identity.md
@@ -1,13 +1,13 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
-## Passwordless Sign In
+## Passwordless sign in
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
 | **[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
@@ -16,13 +16,13 @@ ms.topic: include
 | **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with third-party identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
 | **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
 
-## Advanced Credential Protection
+## Advanced credential protection
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Azure Active Directory-joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
-| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** |  |
+| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
 | **[Enhanced phishing protection with SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
-| **[Access Control (ACLs/SCALS)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
+| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
 | **[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)** | Enabled by default in Windows 11 Enterprise, Windows Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Windows Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Windows Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
 | **[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Window Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Windows Defender Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md b/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md
deleted file mode 100644
index 68b64731f3..0000000000
--- a/windows/security/includes/sections/operating-system-encryption-and-data-protection-overview.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Data Protection features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|Yes|Yes|Yes|Yes|
-|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|
-|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|
-|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|❌|Yes|
-|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Data Protection features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)|❌|Yes|Yes|Yes|Yes|
-|[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)|Yes|Yes|Yes|Yes|Yes|
-|[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)|Yes|Yes|Yes|Yes|Yes|
-|[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)|❌|Yes|Yes|Yes|Yes|
-|[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-modern-device-management-overview.md b/windows/security/includes/sections/operating-system-modern-device-management-overview.md
deleted file mode 100644
index b43f14f6ef..0000000000
--- a/windows/security/includes/sections/operating-system-modern-device-management-overview.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Modern Device Management features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|
-|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|
-|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Modern Device Management features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)|Yes|Yes|Yes|Yes|Yes|
-|[Secured-core configuration lock](/windows/client-management/config-lock)|Yes|Yes|Yes|Yes|Yes|
-|[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-network-security-overview.md b/windows/security/includes/sections/operating-system-network-security-overview.md
deleted file mode 100644
index 95b71a85f8..0000000000
--- a/windows/security/includes/sections/operating-system-network-security-overview.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Network Security features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|
-|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|
-|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|
-|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|
-|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|
-|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|
-|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|❌|Yes|
-|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|❌|Yes|
-|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|
-|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Network Security features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)|Yes|Yes|Yes|Yes|Yes|
-|Bluetooth pairing and connection protection|Yes|Yes|Yes|Yes|Yes|
-|[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)|Yes|Yes|Yes|Yes|Yes|
-|Opportunistic Wireless Encryption (OWE)|Yes|Yes|Yes|Yes|Yes|
-|[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)|Yes|Yes|Yes|Yes|Yes|
-|[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)|Yes|Yes|Yes|Yes|Yes|
-|[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)|❌|Yes|Yes|Yes|Yes|
-|[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)|❌|Yes|Yes|Yes|Yes|
-|[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)|Yes|Yes|Yes|Yes|Yes|
-|[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system.md b/windows/security/includes/sections/operating-system-security.md
similarity index 76%
rename from windows/security/includes/sections/operating-system.md
rename to windows/security/includes/sections/operating-system-security.md
index e4414bfaaf..3a748fac25 100644
--- a/windows/security/includes/sections/operating-system.md
+++ b/windows/security/includes/sections/operating-system-security.md
@@ -1,61 +1,53 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 07/31/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
-## System Security
+## System security
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Secure Boot and Trusted Boot](/windows/security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
 | **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The antimalware software can use the log to determine whether components that ran before it are trustworthy, or if they are infected with malware. The antimalware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
 | **[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and have not been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Azure Active Directory for conditional access. |
+| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
 
-## Virus And Threat Protection
+## Virus and threat protection
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.<br><br>The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but are not considered malware. |
-| **Local Security Authority (LSA) Protection** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
+| **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
 | **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
 | **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
-| **[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt in to enforce the policy from the **Windows Security** settings. |
 | **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
 | **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
 | **[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they are entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
 | **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
 
-## Network Security
+## Network security
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Transport layer security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
 | **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
 | **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification programs designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
 | **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.  |
-| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Security provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual Private Network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
-| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** |  |
+| **[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)** | Windows Firewall with Advanced Securityprovides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
+| **[Virtual private network (VPN)](/windows/security/identity-protection/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
+| **[Always On VPN (device tunnel)](/windows-server/remote/remote-access/vpn/always-on-vpn/)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
 | **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
 | **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
 | **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
 
-## Encryption And Data Protection
+## Encryption and data protection
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Azure AD.  |
 | **[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
 | **[Encrypted hard drive](/windows/security/information-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
 | **[Personal data encryption (PDE)](/windows/security/information-protection/personal-data-encryption/overview-pde)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
 | **[Email Encryption (S/MIME)](/windows/security/identity-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message has not been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
-
-## Modern Device Management
-
-| Security Measures | Features & Capabilities |
-|:---|:---|
-| **[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
-| **[Secured-core configuration lock](/windows/client-management/config-lock)** | In an enterprise organization, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Secured-core configuration lock (config lock) is a Secured-core PC feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds.  |
-| **[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
diff --git a/windows/security/includes/sections/operating-system-system-security-overview.md b/windows/security/includes/sections/operating-system-system-security-overview.md
deleted file mode 100644
index 426c265aca..0000000000
--- a/windows/security/includes/sections/operating-system-system-security-overview.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all System Security features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|
-|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|
-|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all System Security features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Secure Boot and Trusted Boot](/windows/security/trusted-boot)|Yes|Yes|Yes|Yes|Yes|
-|[Measured boot](/windows/compatibility/measured-boot)|Yes|Yes|Yes|Yes|Yes|
-|[Device health attestation service](/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md b/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
deleted file mode 100644
index 4853fdc620..0000000000
--- a/windows/security/includes/sections/operating-system-virus-and-threat-protection-overview.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Virus And Threat Protection features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|
-|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|
-|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|
-|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|
-|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|
-|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|
-|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|
-|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|
-|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Virus And Threat Protection features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)|Yes|Yes|Yes|Yes|Yes|
-|Local Security Authority (LSA) Protection|Yes|Yes|Yes|Yes|Yes|
-|[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)|Yes|Yes|Yes|Yes|Yes|
-|[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft Vulnerable Driver Blocklist](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules#microsoft-vulnerable-driver-blocklist)|Yes|Yes|Yes|Yes|Yes|
-|[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)|Yes|Yes|Yes|Yes|Yes|
-|[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)|Yes|Yes|Yes|Yes|Yes|
-|[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)|❌|❌|Yes|❌|Yes|
diff --git a/windows/security/includes/sections/privacy.md b/windows/security/includes/sections/privacy.md
deleted file mode 100644
index cb5118754a..0000000000
--- a/windows/security/includes/sections/privacy.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
diff --git a/windows/security/includes/sections/security-foundations-certification-overview.md b/windows/security/includes/sections/security-foundations-certification-overview.md
deleted file mode 100644
index 78601c07dd..0000000000
--- a/windows/security/includes/sections/security-foundations-certification-overview.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 06/02/2023
-ms.topic: include
----
-
-The following table lists the edition applicability for all Certification features.
-
-|Feature|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
-|:-:|:-:|:-:|:-:|:-:|
-|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|
-|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|
-
-The following table lists the licensing applicability for all Certification features.
-
-|Feature|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
-|:-:|:-:|:-:|:-:|:-:|:-:|
-|[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)|Yes|Yes|Yes|Yes|Yes|
-|[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
index 8c3cd14c92..23533d333f 100644
--- a/windows/security/includes/sections/security-foundations.md
+++ b/windows/security/includes/sections/security-foundations.md
@@ -1,13 +1,29 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 06/06/2023
+ms.date: 08/02/2023
 ms.topic: include
 ---
 
+## Offensive research
+
+| Feature name | Description |
+|:---|:---|
+| **Microsoft Security Development Lifecycle (SDL)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
+| **OneFuzz service** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.  |
+| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows.  |
+
 ## Certification
 
-| Security Measures | Features & Capabilities |
+| Feature name | Description |
 |:---|:---|
 | **[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
 | **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
+
+## Secure supply chain
+
+| Feature name | Description |
+|:---|:---|
+| **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
+| **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | Windows Defender Application Control (WDAC) enables customers to define policies for controlling what is allowed to run on their devices. WDAC policies can be remotely applied to devices using an MDM solution like Microsoft Intune. <br><br>To simplify WDAC enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing WDAC policies and apps. <br><br>Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets.  |
+| **[Windows application software development kit (SDK)](/windows/security/security-foundations/certification/windows-platform-common-criteria%23security-and-privacy)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.  |
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 009e1b6019..b6b7dac0ab 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -94,15 +94,14 @@ If you don't know the publisher or product name, you can find them for both desk
 
 **To find the Publisher and Product Name values for Store apps without installing them**
 
-1. Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote.
+1. Go to the [Microsoft Store](https://apps.microsoft.com/) website, and find your app. For example, Microsoft OneNote.
 
    > [!NOTE]
-   > 
    > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in [Add an AppLocker policy file](#add-an-applocker-policy-file) in this article.
 
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is `https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl`, and you'd copy the ID value, `9wzdncrfhvjl`.
 
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run `https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata`, where `9wzdncrfhvjl` is replaced with your ID value.
 
    The API runs and opens a text editor with the app details.
 
diff --git a/windows/security/operating-system-security/device-management/toc.yml b/windows/security/operating-system-security/device-management/toc.yml
index 3fbd57294b..913340c2fb 100644
--- a/windows/security/operating-system-security/device-management/toc.yml
+++ b/windows/security/operating-system-security/device-management/toc.yml
@@ -1,10 +1,4 @@
 items:
-  - name: Security policy settings
-    href: ../../threat-protection/security-policy-settings/security-policy-settings.md
-  - name: Security auditing
-    href: ../../threat-protection/auditing/security-auditing-overview.md
-  - name: Secured-core configuration lock
-    href: /windows/client-management/config-lock
   - name: Assigned Access (kiosk mode)
     href: /windows/configuration/kiosk-methods
   - name: Security baselines
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
index 7787d87aa3..1c0cd9103b 100644
--- a/windows/security/operating-system-security/index.md
+++ b/windows/security/operating-system-security/index.md
@@ -1,7 +1,7 @@
 ---
 title: Windows operating system security
 description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.date: 09/21/2021
+ms.date: 08/02/2023
 ms.topic: article
 ---
 
@@ -13,4 +13,4 @@ Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9Q
 
 Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
 
-[!INCLUDE [operating-system-security](../includes/sections/operating-system.md)]
+[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)]
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 834f56a321..809b88492a 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,19 +1,25 @@
 ---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections
-description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 09/23/2021
+title: How to configure cryptographic settings for IKEv2 VPN connections
+description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
+ms.date: 06/28/2023
 ms.topic: how-to
 ---
 
-# How to configure Diffie Hellman protocol over IKEv2 VPN connections
+# How to configure cryptographic settings for IKEv2 VPN connections
 
-In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
+In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
+
+- Encryption Algorithm           : DES3  
+- Integrity, Hash Algorithm      : SHA1  
+- Diffie Hellman Group (Key Size): DH2
+
+These settings aren't secure for IKE exchanges.  
 
 To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
 
 ## VPN server
 
-For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
+For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps&preserve-view=true) to configure the tunnel type. These settings are effective for all IKEv2 VPN connections.
 
 ```powershell
 Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
@@ -30,7 +36,43 @@ Set-VpnServerIPsecConfiguration -CustomPolicy
 For VPN client, you need to configure each VPN connection. 
 For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps&preserve-view=true) and specify the name of the connection:
 
-
 ```powershell
 Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
-```
\ No newline at end of file
+```
+
+## IKEv2 Crypto Settings Example
+
+The following commands configure the IKEv2 cryptographic settings to:  
+
+- Encryption Algorithm           : AES128  
+- Integrity, Hash Algorithm      : SHA256  
+- Diffie Hellman Group (Key Size): DH14  
+
+### IKEv2 VPN Server  
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000  
+restart-service RemoteAccess -PassThru
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault  
+restart-service RemoteAccess -PassThru
+```
+
+### IKEv2 VPN Client  
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
+```
+
+If you need to switch back to the default IKEv2 settings, use this command:
+
+```powershell
+Set-VpnConnectionIPsecConfiguration -ConnectionName <String - your VPN connection name> -RevertToDefault -Force
+```
+
+> [!TIP]  
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.  
\ No newline at end of file
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index d16f3d1e5d..2b6feab9aa 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -9,6 +9,10 @@ items:
   href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
 - name: Cryptography and certificate management
   href: cryptography-certificate-mgmt.md
+- name: Security policy settings
+  href: ../../threat-protection/security-policy-settings/security-policy-settings.md
+- name: Security auditing
+  href: ../../threat-protection/auditing/security-auditing-overview.md
 - name: Windows Security settings
   href: windows-defender-security-center/windows-defender-security-center.md
   items:
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
index 9082efb2be..a1539064f6 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
+++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml
@@ -6,8 +6,6 @@ items:
     href: /microsoft-365/security/defender-endpoint/attack-surface-reduction
   - name: Tamper protection for MDE 🔗
     href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
-  - name: Microsoft Vulnerable Driver Blocklist 🔗
-    href: ../../application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
   - name: Controlled folder access 🔗
     href: /microsoft-365/security/defender-endpoint/controlled-folders
   - name: Exploit protection 🔗
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index f706e0710b..1234cb6efc 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -1,6 +1,10 @@
 items:
+- name: Windows security
+  href: index.yml
 - name: Introduction to Windows security
   href: introduction.md
+- name: Security features licensing and edition requirements
+  href: licensing-and-edition-requirements.md
 - name: Security foundations
   href: security-foundations/toc.yml
 - name: Hardware security
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 330293213d..3943ef84fc 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -1,7 +1,7 @@
 ---
 title: Resources for deprecated features in the Windows client
-description: Resources and details for deprecated features in the Windows Client.
-ms.date: 02/14/2023
+description: Resources and details for deprecated features in the Windows client.
+ms.date: 08/01/2023
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
@@ -21,6 +21,50 @@ appliesto:
 
 This article provides additional resources about [deprecated features for Windows client](deprecated-features.md) that may be needed by IT professionals. The following information is provided to help IT professionals plan for the removal of deprecated features:
 
+## TLS versions 1.0 and 1.1 disablement resources
+
+Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 are disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1.
+
+The following information can help IT professionals to:
+
+- Identify issues related to TLS 1.0 and 1.1 disablement
+- Re-enable TLS 1.0 and 1.1, if needed
+
+For developer guidance and for a list of common applications known to rely on TLS 1.0 or 1.1, see the [Announcing the disablement of TLS 1.0 and TLS 1.1 in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947) blog post.
+
+### TLS diagnostic events
+
+Applications that fail when TLS 1.0 and 1.1 are disabled can be identified by reviewing the event logs. In the System Event Log, SChannel EventID 36871 may be logged with the following description:
+
+`A fatal error occurred while creating a TLS <client/server> credential. The internal error state is 10013. The SSPI client process is <process ID>.`
+
+### TLS 1.0 and 1.1 guidance for IT professionals
+
+The impact of disabling TLS versions 1.0 and 1.1 depends on the Windows applications using TLS. For example, TLS 1.0 and TLS 1.1 are already disabled by [Microsoft 365](/lifecycle/announcements/transport-layer-security-1x-disablement) products as well as [WinHTTP and WinINet API surfaces](https://support.microsoft.com/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e). Most newer versions of applications support TLS 1.2 or higher protocol versions. If an application starts failing after this change, the first step is to discover if a newer version of the application has TLS 1.2 or TLS 1.3 support.
+
+Using the system default settings for the best balance of security and performance is recommended. Organizations that limit TLS cipher suites using [Group Policy](/windows-server/security/tls/manage-tls) or [PowerShell cmdlets](/powershell/module/tls) should also verify that [cipher suites](/windows/win32/secauthn/tls-cipher-suites-in-windows-11) needed for TLS 1.3 and TLS 1.2 are enabled.
+
+If there are no alternatives available and TLS 1.0 or TLS 1.1 is needed, the protocol versions can be re-enabled with a system [registry setting](/windows-server/security/tls/tls-registry-settings). To override a system default and set a (D)TLS or SSL protocol version to the **Enabled** state:
+
+   - **TLS 1.0**:
+     ```registry
+     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
+           "Enabled" = dword:00000001
+     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
+           "Enabled" = dword:00000001
+     ```
+
+   - **TLS 1.1**:
+
+     ```registry
+     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
+           "Enabled" = dword:00000001
+     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
+           "Enabled" = dword:00000001
+     ```
+
+Re-enabling TLS 1.0 or TLS 1.1 on machines should only be done as a last resort, and as a temporary solution until incompatible applications can be updated or replaced. Support for these legacy TLS versions may be completely removed in the future.
+
 ## Microsoft Support Diagnostic Tool resources
 
 The [Microsoft Support Diagnostic Tool (MSDT)](/windows-server/administration/windows-commands/msdt) gathers diagnostic data for analysis by support professionals. MSDT is the engine used to run legacy Windows built-in troubleshooters. There are currently 28 built-in troubleshooters for MSDT. Half of the built-in troubleshooters have already been [redirected](#redirected-msdt-troubleshooters) to the Get Help platform, while the other half will be [retired](#retired-msdt-troubleshooters).  
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 75692f13ab..5d0649468d 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
 ---
 title: Deprecated features in the Windows client
 description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11.
-ms.date: 06/08/2023
+ms.date: 08/01/2023
 ms.prod: windows-client
 ms.technology: itpro-fundamentals
 ms.localizationpriority: medium
@@ -36,6 +36,7 @@ The features in this article are no longer being actively developed, and might b
 
 |Feature    |  Details and mitigation  | Deprecation announced |
 | ----------- | --------------------- | ---- |
+| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023| 
 | Cortana in Windows <!--7987543--> | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 | 
 | Microsoft Support Diagnostic Tool (MSDT) <!--6968128--> | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
 | Universal Windows Platform (UWP) Applications for 32-bit Arm <!--7116112-->| This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**.</br> </br> Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |