diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 2d21a68dd9..296b5cade7 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20524,6 +20524,71 @@
       "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
       "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/get-support-for-security-baselines.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/mbsa-removal-and-guidance.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/credential-guard/credential-guard-scripts.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md",
+      "redirect_url": "/windows/security",
+      "redirect_document_id": false
     }
   ]
 }
diff --git a/education/windows/images/suspcs/2023-02-16_13-02-37.png b/education/windows/images/suspcs/2023-02-16_13-02-37.png
new file mode 100644
index 0000000000..dc396099bf
Binary files /dev/null and b/education/windows/images/suspcs/2023-02-16_13-02-37.png differ
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 9b877306f7..0ee49c8f45 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -94,6 +94,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Class Policy`                            | 114.0.0           | Win32    | `Class Policy`                            |
 | `Classroom.cloud`                         | 1.40.0004         | Win32    | `NetSupport`                              |
 | `CoGat Secure Browser`                    | 11.0.0.19         | Win32    | `Riverside Insights`                      |
+| `ColorVeil`                               | 4.0.0.175         | Win32    | `East-Tec`                                | 
 | `ContentKeeper Cloud`                     | 9.01.45           | Win32    | `ContentKeeper Technologies`              |
 | `Dragon Professional Individual`          | 15.00.100         | Win32    | `Nuance Communications`                   |
 | `DRC INSIGHT Online Assessments`          | 12.0.0.0          | `Store`  | `Data recognition Corporation`            |
@@ -107,6 +108,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
 | `Ghotit Real Writer & Reader`             | 10.14.2.3         | Win32    | `Ghotit Ltd`                              |
 | `GoGuardian`                              | 1.4.4             | Win32    | `GoGuardian`                              |
 | `Google Chrome`                           | 109.0.5414.75     | Win32    | `Google`                                  |
+| `GuideConnect`                            | 1.23              | Win32    | `Dolphin Computer Access`                 |
 | `Illuminate Lockdown Browser`             | 2.0.5             | Win32    | `Illuminate Education`                    |
 | `Immunet`                                 | 7.5.8.21178       | Win32    | `Immunet`                                 |
 | `Impero Backdrop Client`                  | 4.4.86            | Win32    | `Impero Software`                         |
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index a6540780aa..5a0761c2f4 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -79,8 +79,12 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
             - Office Click-to-run
 - Last Intune device check in completed within the last 28 days.
 - Devices must have Serial Number, Model and Manufacturer.
-	> [!NOTE]
-	> Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
+
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
 
 For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index eae276feaa..c806472b1e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/07/2023
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -37,6 +37,9 @@ If a device is registered with Windows Autopatch, and the device is:
 - Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
 - On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
 
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use a [LTSC media](/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
 ## Windows feature update policy configuration
 
 If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 7ab913eb2c..6245326cc1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 02/07/2023
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -33,6 +33,9 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
 | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
 
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+
 ## Windows quality update releases
 
 Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
index 5ff4c62390..b66883ee6d 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md
@@ -1,7 +1,7 @@
 ---
 title: Prerequisites
 description: This article details the prerequisites needed for Windows Autopatch
-ms.date: 09/16/2022
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -44,12 +44,15 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b
 | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
 | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
 
-The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:
+The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch:
 
 - Windows 10 (1809+)/11 Pro
 - Windows 10 (1809+)/11 Enterprise
 - Windows 10 (1809+)/11 Pro for Workstations
 
+> [!NOTE]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+
 ## Configuration Manager co-management requirements
 
 Windows Autopatch fully supports co-management. The following co-management requirements apply:
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index ceede02bef..cc3ce24386 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 01/31/2023
+ms.date: 02/17/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -24,9 +24,13 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Article | Description |
 | ----- | ----- |
-| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the Microsoft Windows 10/11 diagnostic data section |
+| [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md#) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version) |
+| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility) |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) |
+| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added note about [Windows 10 Long-Term Servicing Channel (LTSC) support](../prepare/windows-autopatch-prerequisites.md#more-about-licenses) |
+| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the [Microsoft Windows 10/11 diagnostic data](../references/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data) section |
 | [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
-| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the Built-in roles required for registration section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
 
 ## January 2023
 
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
index 27db0f26ae..6d99441988 100644
--- a/windows/security/cloud.md
+++ b/windows/security/cloud.md
@@ -23,7 +23,7 @@ Windows 11 includes the cloud services that are listed in the following table:<b
 | Service type | Description |
 |:---|:---|
 | Mobile device management (MDM) and Microsoft Intune | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.<br/><br/>Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.<br/><br/>To learn more, see [Mobile device management](/windows/client-management/mdm/). |
-| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).|
+| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).|
 | OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data. <br/><br/>The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4). <br/><br/>If there's a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
 | Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.<br/><br/>With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.<br/><br/>To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
 
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index ceef5206ad..54f2278102 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -77,6 +77,16 @@
         "identity-protection/hello-for-business/*.md": "erikdau",
         "identity-protection/credential-guard/*.md": "zwhittington",
         "identity-protection/access-control/*.md": "sulahiri"
+      },
+      "ms.collection":{
+        "identity-protection/hello-for-business/*.md": "tier1",
+        "information-protection/bitlocker/*.md": "tier1",
+        "information-protection/personal-data-encryption/*.md": "tier1",
+        "information-protection/pluton/*.md": "tier1",
+        "information-protection/tpm/*.md": "tier1",
+        "threat-protection/auditing/*.md": "tier3",
+        "threat-protection/windows-defender-application-control/*.md": "tier3",
+        "threat-protection/windows-firewall/*.md": "tier3"
       }
     },
     "template": [],
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 262ed05694..781c1f164d 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -1,7 +1,6 @@
 ---
 title: Encryption and data protection in Windows
 description: Get an overview encryption and data protection in Windows 11 and Windows 10
-search.appverid: MET150
 author: frankroj
 ms.author: frankroj
 manager: aaroncz
@@ -9,9 +8,6 @@ ms.topic: overview
 ms.date: 09/22/2022
 ms.prod: windows-client
 ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.collection: 
-ms.custom: 
 ms.reviewer: rafals
 ---
 
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 0f1ca8d5c4..4ddce5cb4e 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -29,14 +29,14 @@ Object owners generally grant permissions to security groups rather than to indi
 
 This content set contains:
 
-- [Dynamic Access Control Overview](dynamic-access-control.md)
-- [Security identifiers](security-identifiers.md)
-- [Security Principals](security-principals.md)
+- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview)
+- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
+- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals)
   - [Local Accounts](local-accounts.md)
-  - [Active Directory Accounts](active-directory-accounts.md)
-  - [Microsoft Accounts](microsoft-accounts.md)
-  - [Service Accounts](service-accounts.md)
-  - [Active Directory Security Groups](active-directory-security-groups.md)
+  - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts)
+  - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts)
+  - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
+  - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
 
 ## Practical applications
 
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif
deleted file mode 100644
index fb60cd5599..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample1.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png
deleted file mode 100644
index 93e5e8e098..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png
deleted file mode 100644
index 7aad6b6a7b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png
deleted file mode 100644
index 2b6c1394b9..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png
deleted file mode 100644
index 65508e5cf4..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png
deleted file mode 100644
index 4653a66f29..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png
deleted file mode 100644
index b4e379a357..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc1-sample7.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png
deleted file mode 100644
index c725fd4f55..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png
deleted file mode 100644
index 999303a2d6..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png
deleted file mode 100644
index b80fc69397..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png
deleted file mode 100644
index 412f425ccf..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png
deleted file mode 100644
index b80fc69397..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png
deleted file mode 100644
index b2f6d3e1e2..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png
deleted file mode 100644
index 8dda5403cf..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc2-sample7.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png b/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png
deleted file mode 100644
index e96b26abe1..0000000000
Binary files a/windows/security/identity-protection/access-control/images/adlocalaccounts-proc3-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif b/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif
deleted file mode 100644
index d8a4d99dd2..0000000000
Binary files a/windows/security/identity-protection/access-control/images/authorizationandaccesscontrolprocess.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/corpnet.gif b/windows/security/identity-protection/access-control/images/corpnet.gif
deleted file mode 100644
index f76182ee25..0000000000
Binary files a/windows/security/identity-protection/access-control/images/corpnet.gif and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png
deleted file mode 100644
index e70fa02c92..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png
deleted file mode 100644
index 085993f92c..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png
deleted file mode 100644
index 282cdb729d..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png
deleted file mode 100644
index 89fc916400..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample4.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png
deleted file mode 100644
index d8d5af1336..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample5.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png b/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png
deleted file mode 100644
index ba3f15f597..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc1-sample6.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png
deleted file mode 100644
index 2d44e29e1b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample1.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png
deleted file mode 100644
index 89136d1ba0..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample2.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png b/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png
deleted file mode 100644
index f2d3a7596b..0000000000
Binary files a/windows/security/identity-protection/access-control/images/localaccounts-proc2-sample3.png and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg b/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg
deleted file mode 100644
index cd7d341065..0000000000
Binary files a/windows/security/identity-protection/access-control/images/security-identifider-architecture.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 5a35d2853f..f6baab162b 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -4,6 +4,7 @@ description: Learn how to secure and manage access to the resources on a standal
 ms.date: 12/05/2022
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index ebee2bafa4..ec9ce3c4e8 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -4,6 +4,7 @@ description: Learn how to deploy and manage Windows Defender Credential Guard us
 ms.date: 11/23/2022
 ms.collection:
   - highpri
+  - tier2
 ms.topic: article
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
deleted file mode 100644
index 5051ce94cd..0000000000
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ /dev/null
@@ -1,494 +0,0 @@
----
-title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
-description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
-ms.date: 11/22/2022
-ms.topic: reference
-appliesto: 
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
-- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
----
-
-# Windows Defender Credential Guard: scripts for certificate authority issuance policies
-
-Expand each section to see the PowerShell scripts:
-
-<br>
-<details>
-<summary><b>Get the available issuance policies on the certificate authority</b></summary>
-
-Save this script file as get-IssuancePolicy.ps1.
-
-```powershell
-#######################################
-##     Parameters to be defined      ##
-##     by the user                   ##
-#######################################
-Param (
-$Identity,
-$LinkedToGroup
-)
-#######################################
-##     Strings definitions           ##
-#######################################
-Data getIP_strings {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
-help2 = Usage:
-help3 = The following parameter is mandatory:
-help4 = -LinkedToGroup:<yes|no|all>
-help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
-help6 = "no" will return only Issuance Policies that are not currently linked to any group.
-help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
-help8 = The following parameter is optional:
-help9 = -Identity:<Name, Distinguished Name or Display Name of the Issuance Policy that you want to retrieve>. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
-help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
-help11 = Examples:
-errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
-ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
-ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
-ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
-LinkedIPs = The following Issuance Policies are linked to groups:
-displayName = displayName : {0}
-Name = Name : {0}
-dn = distinguishedName : {0}
-        InfoName = Linked Group Name: {0}
-        InfoDN = Linked Group DN: {0}   
-NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
-'@
-}
-##Import-LocalizedData getIP_strings
-import-module ActiveDirectory
-#######################################
-##           Help                    ##
-#######################################
-function Display-Help {
-    ""
-    $getIP_strings.help1
-    ""
-$getIP_strings.help2
-""
-$getIP_strings.help3
-"     " + $getIP_strings.help4
-"             " + $getIP_strings.help5
-    "             " + $getIP_strings.help6
-    "             " + $getIP_strings.help7
-""
-$getIP_strings.help8
-    "     " + $getIP_strings.help9
-    ""
-    $getIP_strings.help10
-""
-""    
-$getIP_strings.help11
-    "     " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
-    "     " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
-    "     " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
-""
-}
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-$configNCDN = [String]$root.configurationNamingContext
-if ( !($Identity) -and !($LinkedToGroup) ) {
-display-Help
-break
-}
-if ($Identity) {
-    $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
-    if ($OIDs -eq $null) {
-$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
-write-host $errormsg -ForegroundColor Red
-    }
-    foreach ($OID in $OIDs) {
-        if ($OID."msDS-OIDToGroupLink") {
-# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
-            $groupDN = $OID."msDS-OIDToGroupLink"
-            $group = get-adgroup -Identity $groupDN
-    $groupName = $group.Name
-# Analyze the group
-            if ($group.groupCategory -ne "Security") {
-$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
-                write-host $errormsg -ForegroundColor Red
-            }
-            if ($group.groupScope -ne "Universal") {
-                $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
-            }
-            $members = Get-ADGroupMember -Identity $group
-            if ($members) {
-                $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
-                foreach ($member in $members) {
-                    write-host "          "  $member -ForeGroundColor Red
-                }
-            }
-        }
-    }
-    return $OIDs
-    break
-}
-if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
-    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
-    $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
-    write-host ""    
-    write-host "*****************************************************"
-    write-host $getIP_strings.LinkedIPs
-    write-host "*****************************************************"
-    write-host ""
-    if ($LinkedOIDs -ne $null){
-      foreach ($OID in $LinkedOIDs) {
-# Display basic information about the Issuance Policies
-          ""
-  $getIP_strings.displayName -f $OID.displayName
-  $getIP_strings.Name -f $OID.Name
-  $getIP_strings.dn -f $OID.distinguishedName
-# Get the linked group.
-          $groupDN = $OID."msDS-OIDToGroupLink"
-          $group = get-adgroup -Identity $groupDN
-          $getIP_strings.InfoName -f $group.Name
-          $getIP_strings.InfoDN -f $groupDN
-# Analyze the group
-          $OIDName = $OID.displayName
-    $groupName = $group.Name
-          if ($group.groupCategory -ne "Security") {
-          $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
-          write-host $errormsg -ForegroundColor Red
-          }
-          if ($group.groupScope -ne "Universal") {
-          $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
-          write-host $errormsg -ForegroundColor Red
-          }
-          $members = Get-ADGroupMember -Identity $group
-          if ($members) {
-          $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
-          write-host $errormsg -ForegroundColor Red
-              foreach ($member in $members) {
-                  write-host "          "  $member -ForeGroundColor Red
-              }
-          }
-          write-host ""
-      }
-    }else{
-write-host "There are no issuance policies that are mapped to a group"
-    }
-    if ($LinkedToGroup -eq "yes") {
-        return $LinkedOIDs
-        break
-    }
-}    
-if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {  
-    $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
-    $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
-    write-host ""    
-    write-host "*********************************************************"
-    write-host $getIP_strings.NonLinkedIPs
-    write-host "*********************************************************"
-    write-host ""
-    if ($NonLinkedOIDs -ne $null) {
-      foreach ($OID in $NonLinkedOIDs) {
-# Display basic information about the Issuance Policies
-write-host ""
-$getIP_strings.displayName -f $OID.displayName
-$getIP_strings.Name -f $OID.Name
-$getIP_strings.dn -f $OID.distinguishedName
-write-host ""
-      }
-    }else{
-write-host "There are no issuance policies which are not mapped to groups"
-    }
-    if ($LinkedToGroup -eq "no") {
-        return $NonLinkedOIDs
-        break
-    }
-}
-```
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-</details>
-
-<br>
-<details>
-<summary><b>Link an issuance policy to a group</b></summary>
-
-Save the script file as set-IssuancePolicyToGroupLink.ps1.
-
-```powershell
-#######################################
-##     Parameters to be defined      ##
-##     by the user                   ##
-#######################################
-Param (
-$IssuancePolicyName,
-$groupOU,
-$groupName
-)
-#######################################
-##     Strings definitions           ##
-#######################################
-Data ErrorMsg {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
-help2 = Usage:
-help3 = The following parameters are required:
-help4 = -IssuancePolicyName:<name or display name of the issuance policy that you want to link to a group>
-help5 = -groupName:<name of the group you want to link the issuance policy to>. If no name is specified, any existing link to a group is removed from the Issuance Policy.
-help6 = The following parameter is optional:
-help7 = -groupOU:<Name of the Organizational Unit dedicated to the groups which are linked to issuance policies>. If this parameter is not specified, the group is looked for or created in the Users container.
-help8 = Examples:
-help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
-help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
-MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
-NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
-IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
-MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
-confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
-OUCreationSuccess = Organizational Unit "{0}" successfully created.
-OUcreationError = Error: Organizational Unit "{0}" could not be created.
-OUFoundSuccess = Organizational Unit "{0}" was successfully found.
-multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".  
-confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
-groupCreationSuccess = Univeral Security group "{0}" successfully created.
-groupCreationError = Error: Univeral Security group "{0}" could not be created.
-GroupFound = Group "{0}" was successfully found.
-confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
-UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
-UnlinkError = Removing the link failed.
-UnlinkExit = Exiting without removing the link from the issuance policy to the group.
-IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
-ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
-ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
-ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
-ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
-LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
-LinkError = The certificate issuance policy could not be linked to the specified group.
-ExitNoLinkReplacement = Exiting without setting the new link.
-'@
-}
-# import-localizeddata ErrorMsg
-function Display-Help {
-""
-write-host $ErrorMsg.help1
-""
-write-host $ErrorMsg.help2
-""
-write-host $ErrorMsg.help3
-write-host "`t" $ErrorMsg.help4
-write-host "`t" $ErrorMsg.help5
-""
-write-host $ErrorMsg.help6
-write-host "`t" $ErrorMsg.help7
-""
-""
-write-host $ErrorMsg.help8
-""
-write-host $ErrorMsg.help9
-".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
-""
-write-host $ErrorMsg.help10
-'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
-""
-}
-# Assumption:  The group to which the Issuance Policy is going
-#              to be linked is (or is going to be created) in
-#              the domain the user running this script is a member of.
-import-module ActiveDirectory
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-if ( !($IssuancePolicyName) ) {
-display-Help
-break
-}
-#######################################
-##     Find the OID object           ##
-##     (aka Issuance Policy)         ##
-#######################################
-$searchBase = [String]$root.configurationnamingcontext
-$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
-if ($OID -eq $null) {
-$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase  
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($OID.GetType().IsArray) {
-$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase  
-write-host $tmp -ForeGroundColor Red
-break;
-}
-else {
-$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
-write-host $tmp -ForeGroundColor Green
-}
-#######################################
-##  Find the container of the group  ##
-#######################################
-if ($groupOU -eq $null) {
-# default to the Users container
-$groupContainer = $domain.UsersContainer
-}
-else {
-$searchBase = [string]$domain.DistinguishedName
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-if ($groupContainer.count -gt 1) {
-$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
-write-host $tmp -ForegroundColor Red
-break;
-}
-elseif ($groupContainer -eq $null) {
-$tmp = $ErrorMsg.confirmOUcreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
-if ($?){
-$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
-write-host $tmp -ForegroundColor Green
-}
-else{
-$tmp = $ErrorMsg.OUCreationError -f $groupOU
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
-write-host $tmp -ForegroundColor Green
-}
-}
-#######################################
-##  Find the group               ##
-#######################################
-if (($groupName -ne $null) -and ($groupName -ne "")){
-##$searchBase = [String]$groupContainer.DistinguishedName
-$searchBase = $groupContainer
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-if ($group -ne $null -and $group.gettype().isarray) {
-$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($group -eq $null) {
-$tmp = $ErrorMsg.confirmGroupCreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
-if ($?){
-$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
-write-host $tmp -ForegroundColor Green
-}else{
-$tmp = $ErrorMsg.groupCreationError -f $groupName
-write-host $tmp -ForeGroundColor Red
-break
-}
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.GroupFound -f $group.Name
-write-host $tmp -ForegroundColor Green
-}
-}
-else {
-#####
-## If the group is not specified, we should remove the link if any exists
-#####
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
-if ($?) {
-$tmp = $ErrorMsg.UnlinkSuccess
-write-host $tmp -ForeGroundColor Green
-}else{
-$tmp = $ErrorMsg.UnlinkError
-write-host $tmp -ForeGroundColor Red
-}
-}
-else {
-$tmp = $ErrorMsg.UnlinkExit
-write-host $tmp
-break
-}
-}
-else {
-$tmp = $ErrorMsg.IPNotLinked
-write-host $tmp -ForeGroundColor Yellow
-}
-break;
-}
-#######################################
-##  Verify that the group is         ##
-##  Universal, Security, and         ##
-##  has no members                   ##
-#######################################
-if ($group.GroupScope -ne "Universal") {
-$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-if ($group.GroupCategory -ne "Security") {
-$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$members = Get-ADGroupMember -Identity $group
-if ($members -ne $null) {
-$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-foreach ($member in $members) {write-host "   $member.name" -ForeGroundColor Red}
-break;
-}
-#######################################
-##  We have verified everything. We  ##
-##  can create the link from the     ##
-##  Issuance Policy to the group.    ##
-#######################################
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
-write-host $tmp  "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Replace $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-} else {
-$tmp = $Errormsg.ExitNoLinkReplacement
-write-host $tmp
-break
-}
-}
-else {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Add $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-}
-```
-
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-</details>
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 6548d02f17..0ab05c22ab 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -5,6 +5,7 @@ ms.date: 11/22/2022
 ms.topic: article
 ms.collection: 
   - highpri
+  - tier2
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 33c5c76b9f..a82f25aa93 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -267,7 +267,7 @@ This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer,
         <ipv4DnsServer>10.10.0.1</ipv4DnsServer>
         <ipv4DnsServer>10.10.0.2</ipv4DnsServer>
         <dnsSuffix>corp.contoso.com</dnsSuffix> 
-	</signal> 
+    </signal> 
 </rule>
 ```
 
@@ -280,12 +280,12 @@ This example configures an IpConfig signal type using a dnsSuffix element and a
 
 ```xml
 <rule schemaVersion="1.0"> 
-	<signal type="ipConfig"> 
-	    <dnsSuffix>corp.contoso.com</dnsSuffix> 
-	</signal> 
+    <signal type="ipConfig"> 
+        <dnsSuffix>corp.contoso.com</dnsSuffix> 
+    </signal> 
 </rule>,
 <rule schemaVersion="1.0">
-	<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
+    <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
 ```
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index b7b06e3193..299c09d7f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -37,5 +37,5 @@ Suppose instead that you sign in on **Device B** and change your password for yo
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index c9bc5a12f3..e6a01bb2b8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -89,4 +89,4 @@ To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index a73ef3f3f2..5d92d9dcb7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -3,6 +3,7 @@ title: Configure Windows Hello for Business Policy settings in an on-premises ce
 description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 12/12/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 64b6af4819..22f170e86e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -55,7 +55,7 @@ Following are the various deployment guides and models included in this topic:
 - [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
 - [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
 
-For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directory-synchronization) and [key trust prerequisites](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
 
 ## Provisioning
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 424f82c737..26fb7abfb6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -3,6 +3,7 @@ title: Deploy certificates for remote desktop sign-in
 description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
 ms.collection: 
   - ContentEngagementFY23
+  - tier1
 ms.topic: article
 ms.date: 11/15/2022
 appliesto: 
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index c853063c26..982ee0f388 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -4,6 +4,7 @@ metadata:
   description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 01/06/2023
   appliesto: 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index adfbe58657..d6d35b189a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -76,5 +76,5 @@ The computer is ready for dual enrollment.  Sign in as the privileged user first
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 6bae92fc12..9f461f9697 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -55,5 +55,5 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw
 * [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 * [Windows Hello and password changes](hello-and-password-changes.md)
 * [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-* [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+* [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 * [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index e1aa2e7acb..519b34bd34 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -3,6 +3,7 @@ title: Pin Reset
 description: Learn how Microsoft PIN reset services enable you to help users recover who have forgotten their PIN.
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 07/29/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -265,5 +266,5 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 2281821bdc..2f1c460668 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -5,6 +5,8 @@ ms.date: 02/24/2021
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
 ms.topic: article
+ms.collection:
+  - tier1
 ---
 
 # Remote Desktop
@@ -56,5 +58,5 @@ Users appreciate convenience of biometrics and administrators value the security
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 7bec9c2543..b3765851fa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -101,7 +101,7 @@ In Windows 10 and Windows 11, cloud experience host is an application used while
 
 ### More information on cloud experience host
 
-[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md)
+[Windows Hello for Business and device registration](/azure/active-directory/devices/device-registration-how-it-works)
 
 ## Cloud Kerberos trust
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 9f3670151c..40e094e6c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -52,5 +52,5 @@ For more information read [how authentication works](hello-how-it-works-authenti
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 2cc6e81fff..677bc65d0e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -14,7 +14,7 @@ ms.topic: how-to
 If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
 
 > [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso) before you continue.
 
 Steps you'll perform include:
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 80f86ef481..9d45b8bed7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -77,4 +77,4 @@ Before moving to the next section, ensure the following steps are complete:
 > - Update group memberships for the AD FS service account
 
 > [!div class="nextstepaction"]
-> [Next: configure policy settings >](hello-hybrid-cert-whfb-settings-policy.md)
\ No newline at end of file
+> [Next: configure policy settings >](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index e1ed3396b6..518283865d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business Deployment Prerequisite Overview
 description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
 ms.collection: 
 - highpri
+- tier1
 ms.date: 12/13/2022
 appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 8c3bfe995d..e666aa4beb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -3,6 +3,7 @@ title: Manage Windows Hello in your organization (Windows)
 description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 2/15/2022
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 48c16385f3..d6e6de308d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -3,6 +3,7 @@ title: Windows Hello for Business Overview (Windows)
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 appliesto: 
   - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -110,5 +111,5 @@ Windows Hello for Business with a key, including cloud Kerberos trust, doesn't s
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index c3c5912b26..f3e0b27534 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -87,7 +87,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
-The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
+The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust#directories)).  Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
 
 > [!NOTE]
 > RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 69e4a380e5..0efcd603a1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -52,6 +52,6 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
 - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 89fe8f84ce..6b65c109d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -3,6 +3,7 @@ title: Why a PIN is better than an online password (Windows)
 description: Windows Hello enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password.
 ms.collection: 
   - highpri
+  - tier1
 ms.date: 10/23/2017
 appliesto: 
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
@@ -81,5 +82,5 @@ If you only had a biometric sign-in configured and, for any reason, were unable
 - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
 - [Windows Hello and password changes](hello-and-password-changes.md)
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Event ID 300 - Windows Hello successfully created](/windows/security/identity-protection/hello-for-business/hello-faq)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png b/windows/security/identity-protection/hello-for-business/images/SetupAPin.png
deleted file mode 100644
index 50029cc00e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/SetupAPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
deleted file mode 100644
index 93085b03a8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
deleted file mode 100644
index 88aaf424f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
deleted file mode 100644
index 3d547d05fc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png b/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png
deleted file mode 100644
index d98d871f21..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/MEM.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
deleted file mode 100644
index caacf8a566..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
deleted file mode 100644
index 226f85eeb0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
deleted file mode 100644
index 067c109808..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
deleted file mode 100644
index f2c38239f3..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
deleted file mode 100644
index 74cea5f0b5..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
deleted file mode 100644
index e95fd1b9ba..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
deleted file mode 100644
index c973e43aec..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
deleted file mode 100644
index 70aaa2db9d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
deleted file mode 100644
index eadf1eb285..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
deleted file mode 100644
index 56cced034f..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
deleted file mode 100644
index e4e4555942..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
deleted file mode 100644
index 390bfecafd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
deleted file mode 100644
index a136973f04..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
deleted file mode 100644
index c78baecd49..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
deleted file mode 100644
index 96fe45bbcf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
deleted file mode 100644
index 004d3a3f25..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
deleted file mode 100644
index 9d66d330fd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
deleted file mode 100644
index dea61f116e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
deleted file mode 100644
index 831e12fe59..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
deleted file mode 100644
index 21f4159d80..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
deleted file mode 100644
index 49c4dee983..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
deleted file mode 100644
index c2a4f36704..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
deleted file mode 100644
index 0ec08ecbc0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png
deleted file mode 100644
index 46db47b6f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/createPin.png b/windows/security/identity-protection/hello-for-business/images/createPin.png
deleted file mode 100644
index 91e079feca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/createPin.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/dsregcmd.png
deleted file mode 100644
index 85bc6491cf..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dsregcmd.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png b/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png
deleted file mode 100644
index 7f0be5249d..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-cmd-netdom.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png
deleted file mode 100644
index 72c94fb321..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-company-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png
deleted file mode 100644
index 64f85b1f54..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-content-edit-email.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png
deleted file mode 100644
index 6894047f98..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-sync-item.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png b/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png
deleted file mode 100644
index 3167588d7b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello-mfa-user-portal-settings.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_filter.png b/windows/security/identity-protection/hello-for-business/images/hello_filter.png
deleted file mode 100644
index 611bbfad70..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_filter.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_gear.png b/windows/security/identity-protection/hello-for-business/images/hello_gear.png
deleted file mode 100644
index b74cf682ac..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_gear.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_lock.png b/windows/security/identity-protection/hello-for-business/images/hello_lock.png
deleted file mode 100644
index 5643cecec0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_lock.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hello_users.png b/windows/security/identity-protection/hello-for-business/images/hello_users.png
deleted file mode 100644
index c6750396dd..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hello_users.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
deleted file mode 100644
index 8b003013f0..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
deleted file mode 100644
index 44bbc4a572..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png
deleted file mode 100644
index df7973e2ca..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png
deleted file mode 100644
index eb3458bf76..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png
deleted file mode 100644
index 6011b3c66e..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png
deleted file mode 100644
index ac1752b75b..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png
deleted file mode 100644
index 2835e56049..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device1.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png
deleted file mode 100644
index 4874ca4516..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png
deleted file mode 100644
index c6572cbd5a..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device3.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png
deleted file mode 100644
index 3a72066a31..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device4.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png
deleted file mode 100644
index c3754b5389..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device5.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png
deleted file mode 100644
index 97db24c262..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device6.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png
deleted file mode 100644
index 80f9d53d2c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device7.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png b/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png
deleted file mode 100644
index 97ad2a1bfb..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/hybridct/device8.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/mfa.png b/windows/security/identity-protection/hello-for-business/images/mfa.png
deleted file mode 100644
index b7086b9b79..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/mfa.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
deleted file mode 100644
index 174cf0a790..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
deleted file mode 100644
index 028f06544c..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
deleted file mode 100644
index 322a4fcbdc..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png b/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png
deleted file mode 100644
index f86101b1e8..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-pin-reset-phone-notification.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg
deleted file mode 100644
index d9acfd8170..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-prompt.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg b/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg
deleted file mode 100644
index 21d37405a7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/whfb-reset-pin-settings.jpg and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
deleted file mode 100644
index a5b340a3f8..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-cert-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-cloud-kerberos](hello-trust-cloud-kerberos.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md b/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
deleted file mode 100644
index b637be9beb..0000000000
--- a/windows/security/identity-protection/hello-for-business/includes/hello-hybrid-key-trust-ad.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-ms.date: 12/08/2022
-ms.topic: include
----
-
-[!INCLUDE [hello-intro](hello-intro.md)]
-- **Deployment type:** [!INCLUDE [hello-deployment-hybrid](hello-deployment-hybrid.md)]
-- **Trust type:** [!INCLUDE [hello-trust-key](hello-trust-key.md)]
-- **Join type:** [!INCLUDE [hello-join-hybrid](hello-join-hybrid.md)]
----
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 0c6b760604..75e29c597a 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -16,6 +16,7 @@ metadata:
   ms.date: 01/22/2021
   ms.collection:
     - highpri
+    - tier1
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
 
diff --git a/windows/security/identity-protection/images/application-guard-and-system-guard.png b/windows/security/identity-protection/images/application-guard-and-system-guard.png
deleted file mode 100644
index b4b883db90..0000000000
Binary files a/windows/security/identity-protection/images/application-guard-and-system-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/remote-credential-guard.png b/windows/security/identity-protection/images/remote-credential-guard.png
deleted file mode 100644
index d8e3598dc9..0000000000
Binary files a/windows/security/identity-protection/images/remote-credential-guard.png and /dev/null differ
diff --git a/windows/security/identity-protection/images/traditional-windows-software-stack.png b/windows/security/identity-protection/images/traditional-windows-software-stack.png
deleted file mode 100644
index 0da610c368..0000000000
Binary files a/windows/security/identity-protection/images/traditional-windows-software-stack.png and /dev/null differ
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 2876ab9e18..63c2e03d67 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -7,6 +7,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 01/12/2018
@@ -51,12 +52,12 @@ Use the following table to compare different Remote Desktop connection security
 
 | Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
 |--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-|                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server                                                                                   |
+|                                                 **Protection benefits**                                                  |                                Credentials on the server are not protected from Pass-the-Hash attacks.                                 |  User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing   |                                                                                  User logs on to the server as local administrator, so an attacker cannot act on behalf of the "domain user". Any attack is local to the server                                                                                   |
 |                                                   **Version support**                                                    |                                        The remote computer can run any Windows operating system                                        | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](/security-updates/SecurityAdvisories/2016/2871997). |
 | **Helps prevent**   &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;   &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; |                             &nbsp;&nbsp;&nbsp;&nbsp; N/A &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;                              |                   <ul><li> Pass-the-Hash</li> <li>Use of a credential after disconnection </li></ul>                   |                                                                                                                <ul><li> Pass-the-Hash</li> <li>Use of domain identity during connection </li></ul>                                                                                                                |
 |                             **Credentials supported from the remote desktop client device**                              | <ul><li><b>Signed on</b> credentials <li> <b>Supplied</b> credentials<li> <b>Saved</b> credentials </ul> |                                  <ul><li> <b>Signed on</b> credentials only                                  |                                                                                        <ul><li><b>Signed on</b> credentials<li><b>Supplied</b> credentials<li><b>Saved</b> credentials</ul>                                                                                         |
 |                                                        **Access**                                                        |                           **Users allowed**, that is, members of Remote Desktop Users group of remote host.                            |                      **Users allowed**, that is, members of Remote Desktop Users of remote host.                       |                                                                                                              **Administrators only**, that is, only members of Administrators group of remote host.                                                                                                               |
-|                                                   **Network identity**                                                   |                               Remote Desktop session **connects to other resources as signed-in user**.                                |                       Remote Desktop session **connects to other resources as signed-in user**.                        |                                                                                                                 Remote Desktop session **connects to other resources as remote host’s identity**.                                                                                                                 |
+|                                                   **Network identity**                                                   |                               Remote Desktop session **connects to other resources as signed-in user**.                                |                       Remote Desktop session **connects to other resources as signed-in user**.                        |                                                                                                                 Remote Desktop session **connects to other resources as remote host's identity**.                                                                                                                 |
 |                                                      **Multi-hop**                                                       |                        From the remote desktop, **you can connect through Remote Desktop to another computer**                         |                From the remote desktop, you **can connect through Remote Desktop to another computer**.                |                                                                                                                      Not allowed for user as the session is running as a local host account                                                                                                                       |
 |                                               **Supported authentication**                                               |                                                        Any negotiable protocol.                                                        |                                                     Kerberos only.                                                     |                                                                                                                                              Any negotiable protocol                                                                                                                                              |
 
@@ -71,7 +72,7 @@ and [How Kerberos works](/previous-versions/windows/it-pro/windows-2000-server/c
 
 ## Remote Desktop connections and helpdesk support scenarios
 
-For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user’s resources for a limited time (a few hours) after the session disconnects.
+For helpdesk support scenarios in which personnel require administrative access to provide remote assistance to computer users via Remote Desktop sessions, Microsoft recommends that Windows Defender Remote Credential Guard should not be used in that context. This is because if an RDP session is initiated to a compromised client that an attacker already controls, the attacker could use that open channel to create sessions on the user's behalf (without compromising credentials) to access any of the user's resources for a limited time (a few hours) after the session disconnects.
 
 Therefore, we recommend instead that you use the Restricted Admin mode option. For helpdesk support scenarios, RDP connections should only be initiated using the /RestrictedAdmin switch. This helps ensure that credentials and other user resources are not exposed to compromised remote hosts. For more information, see [Mitigating Pass-the-Hash and Other Credential Theft v2](https://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf).
 
@@ -90,7 +91,7 @@ The Remote Desktop client device:
 
 -  Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
 
--  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
+-  Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user's signed-in credentials. This requires the user's account be able to sign in to both the client device and the remote host.
 
 -  Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
 
@@ -100,7 +101,7 @@ The Remote Desktop remote host:
 
 -  Must be running at least Windows 10, version 1607 or Windows Server 2016.
 -  Must allow Restricted Admin connections.
--  Must allow the client’s domain user to access Remote Desktop connections.
+-  Must allow the client's domain user to access Remote Desktop connections.
 -  Must allow delegation of non-exportable credentials.
 
 There are no hardware requirements for Windows Defender Remote Credential Guard.
@@ -182,7 +183,7 @@ mstsc.exe /remoteGuard
 
 ## Considerations when using Windows Defender Remote Credential Guard
 
-- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied.
+- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you're trying to access a file server from a remote host that requires a device claim, access will be denied.
 
 - Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 3c1b301625..10b6bda518 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -8,6 +8,7 @@ ms.reviewer: ardenw
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/24/2021
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index a968914652..8037f68045 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -3,6 +3,7 @@ title: How User Account Control works (Windows)
 description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index f3c8c14d4e..979a7ae1f1 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -3,6 +3,7 @@ title: User Account Control Group Policy and registry key settings (Windows)
 description: Here's a list of UAC  Group Policy and registry key settings that your organization can use to manage UAC.
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 04/19/2017
 appliesto: 
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 35851d61af..93502be3e3 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -3,6 +3,7 @@ title: User Account Control (Windows)
 description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 09/24/2011
 appliesto: 
diff --git a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png b/windows/security/identity-protection/vpn/images/custom-vpn-profile.png
deleted file mode 100644
index b229c96b68..0000000000
Binary files a/windows/security/identity-protection/vpn/images/custom-vpn-profile.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png b/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png
deleted file mode 100644
index 9f4efabc3f..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-conditional-access-intune.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png b/windows/security/identity-protection/vpn/images/vpn-intune-policy.png
deleted file mode 100644
index 4224979bbd..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-intune-policy.png and /dev/null differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png b/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png
deleted file mode 100644
index 7277b7a598..0000000000
Binary files a/windows/security/identity-protection/vpn/images/vpn-profilexml-intune.png and /dev/null differ
diff --git a/windows/security/images/fall-creators-update-next-gen-security.png b/windows/security/images/fall-creators-update-next-gen-security.png
deleted file mode 100644
index 62aaa46f8d..0000000000
Binary files a/windows/security/images/fall-creators-update-next-gen-security.png and /dev/null differ
diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/security/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg
deleted file mode 100644
index ab2d5152ca..0000000000
--- a/windows/security/images/icons/powershell.svg
+++ /dev/null
@@ -1,20 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#32bedd" />
-      <stop offset="0.175" stop-color="#32caea" />
-      <stop offset="0.41" stop-color="#32d2f2" />
-      <stop offset="0.775" stop-color="#32d4f5" />
-    </linearGradient>
-  </defs>
-  <title>MsPortalFx.base.images-10</title>
-  <g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
-    <g>
-      <path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
-      <path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
-      <path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
-      <path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
-      <rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
-    </g>
-  </g>
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg
deleted file mode 100644
index dbbad7d780..0000000000
--- a/windows/security/images/icons/provisioning-package.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
-  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/security/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#76bc2d" />
-      <stop offset="0.32" stop-color="#73b82c" />
-      <stop offset="0.65" stop-color="#6cab29" />
-      <stop offset="0.99" stop-color="#5e9724" />
-      <stop offset="1" stop-color="#5e9624" />
-    </linearGradient>
-    <linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#0078d4" />
-      <stop offset="0.17" stop-color="#1c84dc" />
-      <stop offset="0.38" stop-color="#3990e4" />
-      <stop offset="0.59" stop-color="#4d99ea" />
-      <stop offset="0.8" stop-color="#5a9eee" />
-      <stop offset="1" stop-color="#5ea0ef" />
-    </linearGradient>
-  </defs>
-  <title>Icon-general-18</title>
-  <path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
-  <rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/images/next-generation-windows-security-vision.png b/windows/security/images/next-generation-windows-security-vision.png
deleted file mode 100644
index a598365cb7..0000000000
Binary files a/windows/security/images/next-generation-windows-security-vision.png and /dev/null differ
diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png
deleted file mode 100644
index e062b0d292..0000000000
Binary files a/windows/security/images/windows-security-app-w11.png and /dev/null differ
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
deleted file mode 100644
index f928705138..0000000000
--- a/windows/security/includes/improve-request-performance.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!TIP]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.microsoft.com
diff --git a/windows/security/includes/intune-custom-settings-info.md b/windows/security/includes/intune-custom-settings-info.md
deleted file mode 100644
index 9509d5b13d..0000000000
--- a/windows/security/includes/intune-custom-settings-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10).
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-1.md b/windows/security/includes/intune-settings-catalog-1.md
deleted file mode 100644
index 2ddfc8d6b6..0000000000
--- a/windows/security/includes/intune-settings-catalog-1.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-To configure devices with Microsoft Intune, use the settings catalog:
-
-  > [!TIP]
-  > If you're browsing with an account that can create Intune policies, you can skip to step 5 by using this direct link to <a href="https://go.microsoft.com/fwlink/?linkid=2109431#view/Microsoft_Intune_Workflows/SettingsCatalogWizardBlade/mode/create/platform/Windows%2010%20and%20later/policyType/SettingsCatalogWindows10" target="_blank"><b>create a Settings catalog policy</b></a> (opens in a new tab).
-
-1. Go to the <a href="https://go.microsoft.com/fwlink/?linkid=2109431" target="_blank"><b>Microsoft Endpoint Manager admin center</b></a>
-2. Select **Devices > Configuration profiles > Create profile**
-3. Select **Platform > Windows 10 and later** and **Profile type > Settings catalog**
-4. Select **Create**
-5. Specify a **Name** and, optionally, a **Description** > **Next**
-6. In the settings picker, add the following settings:
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-2.md b/windows/security/includes/intune-settings-catalog-2.md
deleted file mode 100644
index 9558ed41a7..0000000000
--- a/windows/security/includes/intune-settings-catalog-2.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-7. Select **Next**
-8. Optionally, add *scope tags* > **Next**
-9. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**
-10. Review the policy configuration and select **Create**
\ No newline at end of file
diff --git a/windows/security/includes/intune-settings-catalog-info.md b/windows/security/includes/intune-settings-catalog-info.md
deleted file mode 100644
index 8387d702ff..0000000000
--- a/windows/security/includes/intune-settings-catalog-info.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 01/03/2022
-ms.topic: include
----
-
-For more information about how to create policies with the Intune settings catalog, see [Use the settings catalog to configure settings](/mem/intune/configuration/settings-catalog).
\ No newline at end of file
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
deleted file mode 100644
index d4b4560d8f..0000000000
--- a/windows/security/includes/machineactionsnote.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) for more information about response actions functionality via Microsoft Defender for Endpoint.
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
deleted file mode 100644
index 0b0b2be701..0000000000
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
->[!NOTE]
->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov#api).
\ No newline at end of file
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
deleted file mode 100644
index bd9a8d2c0d..0000000000
--- a/windows/security/includes/microsoft-defender.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
deleted file mode 100644
index c0212561bd..0000000000
--- a/windows/security/includes/prerelease.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 12/08/2022
-ms.topic: include
----
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
index b917a468f8..daa9cba013 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@@ -10,6 +10,7 @@ metadata:
   audience: ITPro
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 11/08/2022
   ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 32a6c0816b..bc4ad1b106 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -90,17 +90,17 @@ To address these issues, [BitLocker Network Unlock](./bitlocker-how-to-enable-ne
 
 ### Protecting Thunderbolt and other DMA ports
 
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.  
+There are a few different options to protect DMA ports, such as Thunderbolt&trade;3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt&trade; 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.  
 
 You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
 
 ![Kernel DMA protection.](images/kernel-dma-protection.png)
 
-If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
+If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt&trade; 3 enabled ports:
 
 1. Require a password for BIOS changes
 
-2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
+2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
 
 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
 
@@ -141,7 +141,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo
 
 ### Tricking BitLocker to pass the key to a rogue operating system
 
-An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don’t recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
+An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
  
 An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 811287a4d3..c0f495b8a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -8,6 +8,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
index 24016c5ca6..4f7256eadb 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@@ -10,6 +10,7 @@ metadata:
   audience: ITPro
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 11/08/2022
   ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 38d6bcb2f9..8b776366c3 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
index 8398ff5cb5..3243fdb178 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@@ -10,6 +10,7 @@ metadata:
   audience: ITPro
   ms.collection:
     - highpri
+    - tier1
   ms.topic: faq
   ms.date: 11/08/2022
   ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 5cc2a4ae6c..a3b7a72ca1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -8,6 +8,7 @@ author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index 495549c66c..39eb80e0aa 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -10,6 +10,7 @@ ms.reviewer: rafals
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
deleted file mode 100644
index 11ce21de12..0000000000
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Breaking out of a BitLocker recovery loop
-description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: frankroj
-ms.author: frankroj
-manager: aaroncz
-ms.collection: 
-  - highpri
-ms.topic: conceptual
-ms.date: 11/08/2022
-ms.custom: bitlocker
-ms.technology: itpro-security
----
-
-# Breaking out of a BitLocker recovery loop
-
-Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating.
-
-If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop:
-
-> [!NOTE]
-> Try these steps only after the device has been restarted at least once.
-
-1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**.
-
-2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
-
-3. From the WinRE command prompt, manually unlock the drive with the following command:
-
-```cmd
-manage-bde.exe -unlock C: -rp <recovery password>
-```
-
-4. Suspend the protection on the operating system with the following command:
-
-```cmd
-manage-bde.exe -protectors -disable C:
-```
-
-5. Once the command is run, exit the command prompt and continue to boot into the operating system.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index ea25cc99da..ba44582914 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
index fe24fac2a4..1592e527a6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@@ -9,6 +9,7 @@ ms.author: frankroj
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 11/08/2022
 ms.custom: bitlocker
diff --git a/windows/security/information-protection/bitlocker/images/4509186-en-1.png b/windows/security/information-protection/bitlocker/images/4509186-en-1.png
deleted file mode 100644
index 11f986fb68..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509186-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509188-en-1.png b/windows/security/information-protection/bitlocker/images/4509188-en-1.png
deleted file mode 100644
index 5b5b7b1b4a..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509188-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509189-en-1.png b/windows/security/information-protection/bitlocker/images/4509189-en-1.png
deleted file mode 100644
index 8d243a1899..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509189-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509190-en-1.png b/windows/security/information-protection/bitlocker/images/4509190-en-1.png
deleted file mode 100644
index bd37969b5d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509190-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509191-en-1.png b/windows/security/information-protection/bitlocker/images/4509191-en-1.png
deleted file mode 100644
index 00ef607ab3..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509191-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509193-en-1.png b/windows/security/information-protection/bitlocker/images/4509193-en-1.png
deleted file mode 100644
index 2085613b3d..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509193-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509194-en-1.png b/windows/security/information-protection/bitlocker/images/4509194-en-1.png
deleted file mode 100644
index f4506c399b..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509194-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509195-en-1.png b/windows/security/information-protection/bitlocker/images/4509195-en-1.png
deleted file mode 100644
index cbecb03c4e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509195-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509196-en-1.png b/windows/security/information-protection/bitlocker/images/4509196-en-1.png
deleted file mode 100644
index 01e94b1243..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509196-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509198-en-1.png b/windows/security/information-protection/bitlocker/images/4509198-en-1.png
deleted file mode 100644
index 9056658662..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509198-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509199-en-1.png b/windows/security/information-protection/bitlocker/images/4509199-en-1.png
deleted file mode 100644
index d68a22eef7..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509199-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509200-en-1.png b/windows/security/information-protection/bitlocker/images/4509200-en-1.png
deleted file mode 100644
index 689bb19299..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509200-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509201-en-1.png b/windows/security/information-protection/bitlocker/images/4509201-en-1.png
deleted file mode 100644
index d521e86eed..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509201-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509202-en-1.png b/windows/security/information-protection/bitlocker/images/4509202-en-1.png
deleted file mode 100644
index bfcd2326b6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509202-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509203-en-1.png b/windows/security/information-protection/bitlocker/images/4509203-en-1.png
deleted file mode 100644
index 05acc571fe..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509203-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509204-en-1.png b/windows/security/information-protection/bitlocker/images/4509204-en-1.png
deleted file mode 100644
index fa13f38ba9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509204-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509205-en-1.png b/windows/security/information-protection/bitlocker/images/4509205-en-1.png
deleted file mode 100644
index a4f5cc15d2..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509205-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/4509206-en-1.png b/windows/security/information-protection/bitlocker/images/4509206-en-1.png
deleted file mode 100644
index 7b7e449443..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/4509206-en-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg
deleted file mode 100644
index 95afbf2ccc..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-bios-uefi-startup.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg
deleted file mode 100644
index d2caa05b03..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin7.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg
deleted file mode 100644
index 14a30db7c4..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin8.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg b/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg
deleted file mode 100644
index e691dcbc53..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/bitlockerprebootprotection-counterwin81.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg
deleted file mode 100644
index 40ddf183f6..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png b/windows/security/information-protection/bitlocker/images/feedback-app-icon.png
deleted file mode 100644
index c600883c0e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/feedback-app-icon.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg b/windows/security/information-protection/bitlocker/images/pcptool-output.jpg
deleted file mode 100644
index 91d10e6c66..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/pcptool-output.jpg and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png b/windows/security/information-protection/bitlocker/images/psget-winevent-1.png
deleted file mode 100644
index 21adc928de..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png b/windows/security/information-protection/bitlocker/images/psget-winevent-2.png
deleted file mode 100644
index 2941452109..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/psget-winevent-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png
deleted file mode 100644
index 53b374d26e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-default-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png b/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png
deleted file mode 100644
index bc299cc0e9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-bitlocker-usb-sddl.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png b/windows/security/information-protection/bitlocker/images/ts-tpm-1.png
deleted file mode 100644
index 1bef01d587..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-1.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png b/windows/security/information-protection/bitlocker/images/ts-tpm-2.png
deleted file mode 100644
index d4d825029c..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-2.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png b/windows/security/information-protection/bitlocker/images/ts-tpm-3.png
deleted file mode 100644
index 2acac0f3ea..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-3.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png b/windows/security/information-protection/bitlocker/images/ts-tpm-4.png
deleted file mode 100644
index cb5b84d6b9..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-4.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png b/windows/security/information-protection/bitlocker/images/ts-tpm-5.png
deleted file mode 100644
index 3b3cd2b961..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-5.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png b/windows/security/information-protection/bitlocker/images/ts-tpm-6.png
deleted file mode 100644
index 4e82b9b76e..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-6.png and /dev/null differ
diff --git a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png b/windows/security/information-protection/bitlocker/images/ts-tpm-7.png
deleted file mode 100644
index 8fb9446d93..0000000000
Binary files a/windows/security/information-protection/bitlocker/images/ts-tpm-7.png and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg
deleted file mode 100644
index f1c25c116c..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg and /dev/null differ
diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png
deleted file mode 100644
index dfd30ba2a2..0000000000
Binary files a/windows/security/information-protection/images/kernel-dma-protection-security-center.png and /dev/null differ
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 234c8a6eba..49d276838c 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -1,12 +1,13 @@
 ---
 title: Kernel DMA Protection (Windows)
-description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt&trade; 3 ports.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 01/05/2023
 ms.technology: itpro-security
@@ -18,7 +19,7 @@ ms.technology: itpro-security
 -   Windows 10
 -   Windows 11
 
-In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (for example, Thunderbolt&trade; 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (for example, M.2 slots)
 
 Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
 
@@ -32,9 +33,9 @@ The DMA capability is what makes PCI devices the highest performing devices avai
 These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard. 
 Access to these devices required the user to turn off power to the system and disassemble the chassis. 
 
-Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt™ and CFexpress). 
+Today, this is no longer the case with hot plug PCIe ports (for example, Thunderbolt&trade; and CFexpress). 
 
-Hot plug PCIe ports such as Thunderbolt™ technology have provided modern PCs with extensibility that wasn't available before for PCs. 
+Hot plug PCIe ports such as Thunderbolt&trade; technology have provided modern PCs with extensibility that wasn't available before for PCs. 
 It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB. 
 Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
 
@@ -102,15 +103,15 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to
 
 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 
 
-   For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+   For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 
 ## Frequently asked questions
 
-### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
-In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
+### Do in-market systems support Kernel DMA Protection for Thunderbolt&trade; 3?
+In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt&trade; 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
 
 ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
-No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. 
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt&trade; 3 ports during boot. 
 
 ### How can I check if a certain driver supports DMA-remapping?
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of two means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (that is, the device driver does not support DMA-remapping).
@@ -122,7 +123,7 @@ Check the driver instance for the device you are testing. Some drivers may have
 
 ![Experience of a user about Kernel DMA protection](images/device-details-tab.png)
 
-### When the drivers for PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
+### When the drivers for PCI or Thunderbolt&trade; 3 peripherals do not support DMA-remapping?
 
 If the peripherals do have class drivers provided by Windows, use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers).
 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index edec923f61..80d41fa3fb 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -5,8 +5,9 @@ ms.prod: windows-client
 ms.localizationpriority: medium
 author: dansimp
 manager: aaroncz
-ms.collection: 
+ms.collection:
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 05/12/2022
 ms.author: dansimp
@@ -91,13 +92,13 @@ To trust and boot operating systems, like Linux, and components signed by the UE
 
 1. Open the firmware menu, either: 
   
-  - Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site.
+  - Boot the PC, and press the manufacturer's key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there's often a screen that mentions the key. If there's not one, or if the screen goes by too fast to see it, check your manufacturer's site.
 
   - Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
   
-2.	From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”. 
+2.    From the firmware menu navigate to Security > Secure Boot and select the option to trust the "3rd Party CA". 
 
-3.	Save changes and exit. 
+3.    Save changes and exit. 
  
 Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust. 
 
@@ -132,6 +133,8 @@ Depending on the implementation and configuration, the server can now determine
 
 Figure 2 illustrates the Measured Boot and remote attestation process.
 
+
+
 ![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 
 *Figure 2. Measured Boot proves the PC's health to a remote server*
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 5545248585..1f711c3493 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -14,7 +14,7 @@ ms.technology: itpro-security
 # Back up the TPM recovery information to AD DS
 
 **Applies to**
--   Windows 10
+-   Windows 10
 -   Windows 11
 -   Windows Server 2016 and above
 
@@ -22,7 +22,7 @@ ms.technology: itpro-security
 
 -   Windows 10, version 1607 or later
 
-With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer’s Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
+With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)).
 
 ## Related topics
 
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
deleted file mode 100644
index 5fabd8a69f..0000000000
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Change the TPM owner password (Windows)
-description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-ms.reviewer: 
-ms.prod: windows-client
-author: dansimp
-ms.author: dansimp
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 01/18/2022
-ms.technology: itpro-security
----
-
-# Change the TPM owner password
-
-**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
-This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system.
-
-## About the TPM owner password
-
-Starting with Windows 10, version 1607, or Windows 11, Windows will not retain the TPM owner password when provisioning the TPM. The password will be set to a random high entropy value and then discarded.
-
-> [!IMPORTANT]
-> Although the TPM owner password is not retained starting with Windows 10, version 1607, or Windows 11, you can change a default registry key to retain it. However, we strongly recommend that you do not make this change. To retain the TPM owner password, set the registry key 'HKLM\\Software\\Policies\\Microsoft\\TPM' \[REG\_DWORD\] 'OSManagedAuthLevel' to 4. For Windows 10 versions newer than 1703 the default value for this key is 5. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. Unless it is changed to 4 before the TPM is provisioned, the owner password will not be saved.
-
-Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. The TPM owner password also allows manipulation of the TPM dictionary attack logic. Taking ownership of the TPM is performed by Windows as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it.
-
-Without the owner password you can still perform all the preceding actions by means of a physical presence confirmation from UEFI.
-
-### Other TPM management options
-
-Instead of changing your owner password, you can also use the following options to manage your TPM:
-
--   **Clear the TPM**   If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm).
-
--   **Turn off the TPM**   With TPM 1.2 and Windows 10, versions 1507 and 1511, or Windows 11, you can turn off the TPM. Do this if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm).
-
-## Change the TPM owner password
-
-With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password.
-
-To change to a new TPM owner password, in TPM.msc, click **Change Owner Password**, and follow the instructions. You will be prompted to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout.
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index df275cf0b3..d1f3ca2437 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -30,9 +30,9 @@ The Windows operating system improves most existing security features in the ope
 
 The TPM is a cryptographic module that enhances computer security and privacy. Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. The TPM helps with all these scenarios and more.
 
-Historically, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
 
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM's features.
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
@@ -40,7 +40,7 @@ OEMs implement the TPM as a component in a trusted computing platform, such as a
 
 The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not.
 
-Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
+Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability.
 
 ## TPM in Windows 
 
@@ -58,15 +58,15 @@ The Platform Crypto Provider, introduced in the Windows 8 operating system, expo
 
 - **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions.
 
-These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically.
+These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically.
 
 ## Virtual Smart Card
 
-Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
+Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers.
 
-In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes “something the user has” but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses.
+In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes "something the user has" but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses.
 
-For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
+For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates "lost card" and "card left at home" scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
 
 ## Windows Hello for Business
 
@@ -87,21 +87,21 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA.
 
 ## BitLocker Drive Encryption
 
-BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data.
+BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data.
 
 In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities:
 
-- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
+- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values.
 
 - **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS).
 
-Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
+Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience.
 
-Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
+Newer hardware and Windows work better together to disable direct memory access through ports and reduce attack vectors. The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. The right hardware allows BitLocker to be used with the "TPM-only" configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot.
 
 ## Device Encryption
 
-Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
+Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the "TPM-only" configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
 
 For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
 
@@ -111,7 +111,7 @@ Windows 8 introduced Measured Boot as a way for the operating system to record t
 
 The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off).
 
-Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted.
+Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. Other scenarios can use the operating system's starting state to determine whether the running operating system should be trusted.
 
 TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware.
 
@@ -133,7 +133,7 @@ Mobile device management (MDM) solutions can receive simple security assertions
 
 ## Credential Guard
 
-Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user’s credentials (e.g., logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a “pass the hash” attack, a malware technique that infects one machine to infect many machines across an organization.
+Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization.
 
 Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return.
 
@@ -141,17 +141,17 @@ The resulting solution provides defense in depth, because even if malware runs i
 
 ## Conclusion
 
-The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM’s major features.
+The TPM adds hardware-based security benefits to Windows. When installed on hardware that includes a TPM, Window delivers remarkably improved security benefits. The following table summarizes the key benefits of the TPM's major features.
 
 <br/>
 
 |Feature | Benefits when used on a system with a TPM|
 |---|---|
-| Platform Crypto Provider | <ul><li>If the machine is compromised, the private key associated with the certificate cannot be copied off the device.</li><li>The TPM’s dictionary attack mechanism protects PIN values to use a certificate.</li></ul> |
+| Platform Crypto Provider | <ul><li>If the machine is compromised, the private key associated with the certificate cannot be copied off the device.</li><li>The TPM's dictionary attack mechanism protects PIN values to use a certificate.</li></ul> |
 | Virtual Smart Card | <ul><li>Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.</li></ul> |
-| Windows Hello for Business | <ul><li>Credentials provisioned on a device cannot be copied elsewhere.</li><li>Confirm a device’s TPM before credentials are provisioned.</li></ul> |
+| Windows Hello for Business | <ul><li>Credentials provisioned on a device cannot be copied elsewhere.</li><li>Confirm a device's TPM before credentials are provisioned.</li></ul> |
 | BitLocker Drive Encryption | <ul><li>Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.</li></ul> |
-|Device Encryption | <ul><li>With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection.</li></ul> |
+|Device Encryption | <ul><li>With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.</li></ul> |
 | Measured Boot | <ul><li>A hardware root of trust contains boot measurements that help detect malware during remote attestation.</li></ul> |
 | Health Attestation | <ul><li>MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. </li></ul> |
 | Credential Guard | <ul><li>Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization.</li></ul> |
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index dc54432a56..0fa4cfb623 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -8,6 +8,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -71,7 +72,7 @@ You can use the Windows Defender Security Center app to clear the TPM as a troub
 Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again.
 
 > [!WARNING]
-> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.”
+> Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM."
 
 ### Precautions to take before clearing the TPM
 
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
deleted file mode 100644
index 1ec4c72de8..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: Manage TPM commands (Windows)
-description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-
-# Manage TPM commands
-
-**Applies to**
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
-
-After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
-
-The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
-
-**To block TPM commands by using the Local Group Policy Editor**
-
-1.  Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-    > [!NOTE]
-    > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS).
-
-2.  In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**.
-
-3.  Under **System**, click **Trusted Platform Module Services**.
-
-4.  In the details pane, double-click **Configure the list of blocked TPM commands**.
-
-5.  Click **Enabled**, and then click **Show**.
-
-6.  For each command that you want to block, click **Add**, enter the command number, and then click **OK**.
-
-    > [!NOTE]
-    > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/).
-
-7.  After you have added numbers for each command that you want to block, click **OK** twice.
-
-8.  Close the Local Group Policy Editor.
-
-**To block or allow TPM commands by using the TPM MMC**
-
-1.  Open the TPM MMC (tpm.msc)
-
-2.  If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-3.  In the console tree, click **Command Management**. A list of TPM commands is displayed.
-
-4.  In the list, select a command that you want to block or allow.
-
-5.  Under **Actions**, click **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy.
-
-**To block new commands**
-
-1.  Open the TPM MMC (tpm.msc).
-
-    If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-2.  In the console tree, click **Command Management**. A list of TPM commands is displayed.
-
-3.  In the **Action** pane, click **Block New Command**. The **Block New Command** dialog box is displayed.
-
-4.  In the **Command Number** text box, type the number of the new command that you want to block, and then click **OK**. The command number you entered is added to the blocked list.
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
deleted file mode 100644
index b348034a8d..0000000000
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Manage TPM lockout (Windows)
-description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-ms.reviewer: 
-ms.author: dansimp
-ms.prod: windows-client
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/06/2021
-ms.technology: itpro-security
----
-# Manage TPM lockout
-
-**Applies to**
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
-This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
-
-## About TPM lockout
-
-The TPM will lock itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
-
-TPM ownership is taken upon first boot by Windows. By default, Windows does not retain the TPM owner password.
-
-In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
-
-**TPM 1.2**
-
-The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. This can prevent them from using the TPM for a period of time.
-
-**TPM 2.0**
-
-TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1.
-
-If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
-
-## Reset the TPM lockout by using the TPM MMC
-
-> [!NOTE]
-> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher.
-
-The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
-
-**To reset the TPM lockout**
-
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, click **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
-
-3. Choose one of the following methods to enter the TPM owner password:
-
-   -   If you saved your TPM owner password to a .tpm file, click **I have the owner password file**, and then type the path to the file, or click **Browse** to navigate to the file location.
-
-   -   If you want to manually enter your TPM owner password, click **I want to enter the owner password**, and then type the password in the text box provided.
-
-   > [!NOTE]
-   > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
-
-## Use Group Policy to manage TPM lockout settings
-
-The TPM Group Policy settings in the following list are located at:
-
-**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-
--   [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration)
-
-    This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization.
-
--   [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold)
-
-    This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user is not allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.
-
--   [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold)
-
-    This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
-
-For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering).
-
-## Use the TPM cmdlets
-
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
-
-## Related topics
-
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index ef5a4ad22d..6e27cc9532 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -41,7 +41,7 @@ It is important to note that this binding to PCR values also includes the hashin
 
 When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
 
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
 
 ## What can I do to switch PCRs when BitLocker is already active?
 
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 60e31fc6af..e6fafb1224 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -26,7 +26,7 @@ Computers that incorporate a TPM can create cryptographic keys and encrypt them
 
 You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
 
-Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
+Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM." Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
 
 With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
 
@@ -61,7 +61,7 @@ The Measured Boot feature provides antimalware software with a trusted (resistan
 
 ## TPM-based Virtual Smart Card
 
-The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
+The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization's computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
 
 ## TPM-based certificate storage
 
@@ -93,7 +93,7 @@ When a TPM processes a command, it does so in a protected environment, for examp
 
 TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
 
-Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
+Because many entities can use the TPM, a single authorization success cannot reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic.
 
 ### TPM 2.0 anti-hammering
 
@@ -125,7 +125,7 @@ Beginning with Windows 10, version 1703, the minimum length for the BitLocker PI
 
 The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards:
 
--   Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM’s anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
+-   Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors.
 
 -   Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
 
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index aab2d0711e..6207a1192c 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -9,6 +9,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -28,9 +29,9 @@ For a basic feature description of TPM, see the [Trusted Platform Module Technol
 
 ## TPM design and implementation
 
-Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Traditionally, TPMs are discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
 
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
 
 The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index f768669a7c..f484ac475a 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -9,6 +9,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 adobe-target: true
 ms.technology: itpro-security
@@ -32,7 +33,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a
 
 - Generate, store, and limit the use of cryptographic keys.
 
-- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into it.
+- Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into it.
 
 - Help ensure platform integrity by taking and storing security measurements.
 
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 300fe10913..ca9f536057 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -8,6 +8,7 @@ ms.author: dansimp
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier1
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
@@ -29,7 +30,7 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
 | [Trusted Platform Module Overview](trusted-platform-module-overview.md) | Provides an overview of the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. |
 | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
 | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
-| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
+| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer's TPM information to Active Directory Domain Services. |
 | [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
 | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
 | [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png
deleted file mode 100644
index 5ce10dd81f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png
deleted file mode 100644
index 6bc8237f7f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPNEWMAIN-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png b/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png
deleted file mode 100644
index 7d67692ff3..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/WIPappID-sterile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png b/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png
deleted file mode 100644
index 3ffbcce88c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/app-protection-policies.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png
deleted file mode 100644
index 0148a800b2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png b/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png
deleted file mode 100644
index 3ceabfd15a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-applocker-xml-file.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png
deleted file mode 100644
index 09bbda3a06..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-classic-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png
deleted file mode 100644
index 17a97b8d3a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png b/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png
deleted file mode 100644
index 7b226b7edd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-add-uwp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-addapps.png
deleted file mode 100644
index 52e3983adf..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png b/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png
deleted file mode 100644
index 808de2db0e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-corporate-identity.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png
deleted file mode 100644
index 3f7b7af6b6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-createnewpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png b/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png
deleted file mode 100644
index f889dbca48..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-data-recovery.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png b/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png
deleted file mode 100644
index de066d3a8b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-deploy-vpn.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png b/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png
deleted file mode 100644
index 7987e91454..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-empty-addapps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png b/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png
deleted file mode 100644
index 70e726d379..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-generalinfo.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png
deleted file mode 100644
index e48b59aa4b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png b/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png
deleted file mode 100644
index 6aa8f89355..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-groupselection_vpnlink.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png b/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png
deleted file mode 100644
index 6786a93416..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-managedeployment.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png b/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png
deleted file mode 100644
index bc801a8521..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-network-detection-boxes.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png b/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png
deleted file mode 100644
index 64d9ebda26..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-networklocation.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png b/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png
deleted file mode 100644
index 3ec8bec32d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-optional-settings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png b/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png
deleted file mode 100644
index b3340d6e4f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-protection-mode.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png
deleted file mode 100644
index 49c41b313d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-authentication.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png
deleted file mode 100644
index 51abff3771..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-createpolicy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png
deleted file mode 100644
index cf9f85181a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-customconfig.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png
deleted file mode 100644
index 66415d57fd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-omaurisettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png
deleted file mode 100644
index a1d9bc70d9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-titledescription.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png
deleted file mode 100644
index b09cb58508..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-vpnsettings.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png b/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png
deleted file mode 100644
index 19892b3a7c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/intune-vpn-wipmodeid.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png b/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png
deleted file mode 100644
index cfeee8a45f..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/oms-wip-app-learning-tile.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png
deleted file mode 100644
index 57c40a85d0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png
deleted file mode 100644
index 58f675399a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png
deleted file mode 100644
index dd6450af37..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png
deleted file mode 100644
index 3dbbb4e09b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png
deleted file mode 100644
index 89a133bcbe..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png
deleted file mode 100644
index f069f140dd..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png
deleted file mode 100644
index e02310282d..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-app-and-permissions.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png
deleted file mode 100644
index ae14d18238..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-auto-generate-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png
deleted file mode 100644
index 91109c29c9..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules-desktop.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png
deleted file mode 100644
index 0aeb04bf0a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-export-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png
deleted file mode 100644
index 7090e29ff1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-review-rules.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png b/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png
deleted file mode 100644
index 313b0e4b73..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-applocker-secpol-rule-preferences.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png
deleted file mode 100644
index e759e45f28..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-access-options.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png
deleted file mode 100644
index 8b81622c1a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png
deleted file mode 100644
index 8bc8a4d845..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-recommended-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png
deleted file mode 100644
index b31efa417c..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png
deleted file mode 100644
index d12500349a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-desktop-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png
deleted file mode 100644
index e2b9b2ccae..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-uri-store-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png
deleted file mode 100644
index b549db5548..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-pane.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png
deleted file mode 100644
index 5c0dd50bb0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-allowed-apps-with-apps.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png
deleted file mode 100644
index eef6b1efd0..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-desktop-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png
deleted file mode 100644
index 5ed595983a..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-configure-store-apps-using-uri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png
deleted file mode 100644
index 59291bf62e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-add-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png
deleted file mode 100644
index 3142b31f51..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-addpolicy-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png
deleted file mode 100644
index aa0184a2c6..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start-mam.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png
deleted file mode 100644
index f282ff5e6b..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-portal-start.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png
deleted file mode 100644
index 2ecd78f1ca..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-configure-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png
deleted file mode 100644
index f397cd6797..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-custom-omauri.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png
deleted file mode 100644
index 30dde125e1..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-vpn-device-policy.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png
deleted file mode 100644
index 0fff54b6d2..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png
deleted file mode 100644
index fdbc950c9e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and /dev/null differ
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png b/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png
deleted file mode 100644
index af36a7cc4e..0000000000
Binary files a/windows/security/information-protection/windows-information-protection/images/wip-intune-app-reconfig-warning.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index af39d39146..d8992b23c1 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 319301f86f..45ec095169 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/06/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index d505b5d9ef..aab983edfc 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -127,7 +128,7 @@ This event generates when a logon session is created (on destination machine). I
 
 - **Account Name** [Type = UnicodeString]**:** the name of the account that reported information about successful logon.
 
-- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following:
 
     - Domain NETBIOS name example: CONTOSO
 
@@ -191,7 +192,7 @@ This event generates when a logon session is created (on destination machine). I
 
 - **Account Name** [Type = UnicodeString]**:** the name of the account for which logon was performed.
 
-- **Account Domain** [Type = UnicodeString]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** [Type = UnicodeString]**:** subject's domain or computer name. Formats vary, and include the following:
 
     - Domain NETBIOS name example: CONTOSO
 
@@ -289,7 +290,7 @@ For 4624(S): An account was successfully logged on.
 | **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on.                                                                                 | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
 | **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events).                                                                                                                     | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts.                                                |
 | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.                                                                                                                                      | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about.                             |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don’t comply with naming conventions.                                                                                      |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions.                                                                                      |
 
 - Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **"Subject\\Security ID"** is not SYSTEM.
 
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 81657a6361..425447b217 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -28,7 +29,7 @@ ms.topic: reference
 
 This event is logged for any logon failure.
 
-It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation.
+It generates on the computer where logon attempt was made, for example, if logon attempt was made on user's workstation, then event will be logged on this workstation.
 
 This event generates on domain controllers, member servers, and workstations.
 
@@ -107,11 +108,11 @@ This event generates on domain controllers, member servers, and workstations.
 
     -   Uppercase full domain name: CONTOSO.LOCAL
 
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
 
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
 
--   **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+-   **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. "Table 11. Windows Logon Types" contains the list of possible values for this field.
 
 
     <span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types**
@@ -146,17 +147,17 @@ This event generates on domain controllers, member servers, and workstations.
 
     -   Uppercase full domain name: CONTOSO.LOCAL
 
-    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
+    -   For some [well-known security principals](/windows/security/identity-protection/access-control/security-identifiers), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is "NT AUTHORITY".
 
-    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
+    -   For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: "Win81".
 
--   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
+-   **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, "[4624](event-4624.md): An account was successfully logged on."
 
 **Failure Information:**
 
--   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
+-   **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has "**Account locked out**" value.
 
--   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
+-   **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has "**0xC0000234**" value. The most common status codes are listed in Table 12. Windows logon status codes.
 
     <span id="_Ref433822658" class="anchor"></span>**Table 12: Windows logon status codes.**
 
@@ -189,7 +190,7 @@ This event generates on domain controllers, member servers, and workstations.
 
 More information: <https://dev.windows.com/en-us/downloads>
 
--   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”.
+-   **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the "Table 12. Windows logon status codes.".
 
 **Process Information:**
 
@@ -199,7 +200,7 @@ More information: <https://dev.windows.com/en-us/downloads>
 
     If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
 
-    You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
+    You can also correlate this process ID with a process ID in other events, for example, "[4688](event-4688.md): A new process has been created" **Process Information\\New Process ID**.
 
 -   **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
 
@@ -219,9 +220,9 @@ More information: <https://dev.windows.com/en-us/downloads>
 
 **Detailed Authentication Information:**
 
--   **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
+-   **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event "[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority" description for more information.
 
--   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+-   **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig" registry key. Other packages can be loaded at runtime. When a new package is loaded a "[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority" (typically for NTLM) or "[4622](event-4622.md): A security package has been loaded by the Local Security Authority" (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
 
     -   **NTLM** – NTLM-family Authentication
 
@@ -233,15 +234,15 @@ More information: <https://dev.windows.com/en-us/downloads>
 
 -   **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](/openspecs/windows_protocols/ms-nlmp/c50a85f0-5940-42d8-9e82-ed206902e919) protocol name) that was used during the logon attempt. Possible values are:
 
-    -   “NTLM V1”
+    -   "NTLM V1"
 
-    -   “NTLM V2”
+    -   "NTLM V2"
 
-    -   “LM”
+    -   "LM"
 
-        Only populated if “**Authentication Package” = “NTLM”**.
+        Only populated if "**Authentication Package" = "NTLM"**.
 
--   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
+-   **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have "0" value if Kerberos was negotiated using **Negotiate** authentication package.
 
 ## Security Monitoring Recommendations
 
@@ -250,19 +251,19 @@ For 4625(F): An account failed to log on.
 > [!IMPORTANT]
 > For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
 
--   If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
+-   If you have a pre-defined "**Process Name**" for the process reported in this event, monitor all events with "**Process Name**" not equal to your defined value.
 
--   You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+-   You can monitor to see if "**Process Name**" is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
 
 <!-- -->
 
--   If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
+-   If you have a pre-defined list of restricted substrings or words in process names (for example, "**mimikatz**" or "**cain.exe**"), check for these substrings in "**Process Name**."
 
 -   If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**.
 
 -   To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
 
--   If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
+-   If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **"Subject\\Security ID"** that corresponds to the account.
 
 -   We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
 
@@ -270,7 +271,7 @@ For 4625(F): An account failed to log on.
 
 -   If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
 
-    -   If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**.
+    -   If the **"Account For Which Logon Failed \\Security ID"** should never be used to log on from the specific **Network Information\\Workstation Name**.
 
     -   If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
 
@@ -286,14 +287,14 @@ For 4625(F): An account failed to log on.
 
     |  Field                                                                         | Value to monitor for                                                                                                                                                                                |
     |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.” <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”. <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.                             |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.                               |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.       |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”.                                                                                                                                                 |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”.                                                                                                                                            |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”.                                                                                                                                     |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.                                                                                            |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. <br>This issue is typically not a security issue but it can be an infrastructure or availability issue.      |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”.                                                                                                                                                     |
-    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.                     |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E – "There are currently no logon servers available to service the logon request." <br>This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 – "User logon with misspelled or bad user account". <br>Especially if you get several of these events in a row, it can be a sign of a user enumeration attack.                             |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A – "User logon with misspelled or bad password" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.                               |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D – "This is either due to a bad username or authentication information" for critical accounts or service accounts. <br>Especially watch for a number of such events in a row.       |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F – "User logon outside authorized hours".                                                                                                                                                 |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 – "User logon from unauthorized workstation".                                                                                                                                            |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 – "User logon to account disabled by administrator".                                                                                                                                     |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B – "The user has not been granted the requested logon type (aka logon right) at this machine".                                                                                            |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 – "An attempt was made to logon, but the Netlogon service was not started". <br>This issue is typically not a security issue but it can be an infrastructure or availability issue.      |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 – "User logon with expired account".                                                                                                                                                     |
+    | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 – "Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine".                     |
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 3ca1095e98..2cefaaced0 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -26,11 +27,11 @@ ms.topic: reference
 
 ***Event Description:***
 
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a "Domain Controller" or "Domain Controller Authentication" template), the user's password has expired, or the wrong password was provided.
 
 This event generates only on domain controllers.
 
-This event is not generated if “Do not require Kerberos preauthentication” option is set for the account.
+This event is not generated if "Do not require Kerberos preauthentication" option is set for the account.
 
 > **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
 
@@ -127,7 +128,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
 
     -   Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
 
-> **Note**&nbsp;&nbsp;In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
+> **Note**&nbsp;&nbsp;In the table below **"MSB 0"** bit numbering is used, because RFC documents use this style. In "MSB 0" style bit numbering begins from left.<br><img src="images/msb.png" alt="MSB illustration" width="224" height="57" />
 
 The most common values:
 
@@ -185,14 +186,14 @@ The most common values:
 | 0xd         | KDC\_ERR\_BADOPTION                       | KDC cannot accommodate requested option         |
 | 0xe         | KDC\_ERR\_ETYPE\_NOSUPP                   | KDC has no support for encryption type          |
 | 0xf         | KDC\_ERR\_SUMTYPE\_NOSUPP                 | KDC has no support for checksum type            |
-| 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
+| 0x10         | KDC\_ERR\_PADATA\_TYPE\_NOSUPP            | KDC has no support for PADATA type (pre-authentication data)|Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.<br>It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
 | 0x11         | KDC\_ERR\_TRTYPE\_NOSUPP                  | KDC has no support for transited type           |
 | 0x12         | KDC\_ERR\_CLIENT\_REVOKED                 | Clients credentials have been revoked           |
 | 0x13         | KDC\_ERR\_SERVICE\_REVOKED                | Credentials for server have been revoked        |
 | 0x14         | KDC\_ERR\_TGT\_REVOKED                    | TGT has been revoked                            |
 | 0x15         | KDC\_ERR\_CLIENT\_NOTYET                  | Client not yet valid; try again later           |
 | 0x16         | KDC\_ERR\_SERVICE\_NOTYET                 | Server not yet valid; try again later           |
-| 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user’s password has expired.
+| 0x17         | KDC\_ERR\_KEY\_EXPIRED                    | Password has expired—change password to reset   |The user's password has expired.
 | 0x18         | KDC\_ERR\_PREAUTH\_FAILED                 | Pre-authentication information was invalid      |The wrong password was provided.
 | 0x19         | KDC\_ERR\_PREAUTH\_REQUIRED               | Additional pre-authentication required          |
 | 0x1a         | KDC\_ERR\_SERVER\_NOMATCH                 | Requested server and ticket don't match         |
@@ -260,9 +261,9 @@ The most common values:
 
 - **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
 
-- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate's serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
 
-- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate’s thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Thumbprint** \[Type = UnicodeString\]**:** smart card certificate's thumbprint. Can be found in **Thumbprint** field in the certificate. Always empty for [4771](event-4771.md) events.
 
 ## Security Monitoring Recommendations
 
@@ -270,11 +271,11 @@ For 4771(F): Kerberos pre-authentication failed.
 
 | **Type of monitoring required**                                                                                                                                                                                                                                                                                   | **Recommendation**                                                                                                                                                 |
 |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts.                                                              |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used.                                                          |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list.                                  |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions.                                                                           |
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Security ID"** that corresponds to the high-value account or accounts.                                                              |
+| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Security ID"** (with other information) to monitor how or when a particular account is being used. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used.                                                                                                                                                                                     | Monitor this event with the **"Security ID"** that corresponds to the accounts that should never be used.                                                          |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.                                                                                                                                                      | If this event corresponds to a "allow list-only" action, review the **"Security ID"** for accounts that are outside the allow list.                                  |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names.                                                                                                                                                                                                       | Monitor "**Subject\\Account Name"** for names that don't comply with naming conventions.                                                                           |
 
 -   You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
 
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index e411b647ce..ad57e347c4 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -14,6 +14,7 @@ ms.author: vinpa
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: reference
 ---
 
@@ -34,11 +35,11 @@ It shows successful and unsuccessful credential validation attempts.
 
 It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event.
 
-If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
+If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to "**0x0**".
 
 The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
 
-For monitoring local account logon attempts, it's better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
+For monitoring local account logon attempts, it's better to use event "[4624](event-4624.md): An account was successfully logged on" because it contains more details and is more informative.
 
 This event also generates when a workstation unlock event occurs.
 
@@ -85,7 +86,7 @@ This event does *not* generate when a domain account logs on locally to a domain
 
 ***Field Descriptions:***
 
--   **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event.
+-   **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always "**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**" for [4776](event-4776.md) event.
 
 > **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
 
@@ -101,7 +102,7 @@ This event does *not* generate when a domain account logs on locally to a domain
 
 -   **Source Workstation** \[Type = UnicodeString\]: the name of the computer from which the logon attempt originated.
 
--   **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has “**0x0**” value. The table below contains most common error codes for this event:
+-   **Error Code** \[Type = HexInt32\]: contains error code for Failure events. For Success events this parameter has "**0x0**" value. The table below contains most common error codes for this event:
 
 | Error Code | Description                                                                                                                                                                                                                                                                               |
 |------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -126,16 +127,16 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
 
 | **Type of monitoring required**     | **Recommendation**          |
 |-----------------|---------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts.        |
-| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used.   |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.   | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list.     |
-| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on.   | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you're concerned about.  |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names.  | Monitor “**Logon Account”** for names that don’t comply with naming conventions. |
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"Logon Account"** that corresponds to the high-value account or accounts.        |
+| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours.                                                                                | When you monitor for anomalies or malicious actions, use the **"Logon Account"** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"Logon Account"** that should never be used.   |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events.   | If this event corresponds to a "allow list-only" action, review the **"Logon Account"** for accounts that are outside the allow list.     |
+| **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on.   | Monitor the target **Source Workstation** for credential validation requests from the **"Logon Account"** that you're concerned about.  |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names.  | Monitor "**Logon Account"** for names that don't comply with naming conventions. |
 
--   If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
+-   If NTLM authentication shouldn't be used for a specific account, monitor for that account. Don't forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
 
--   You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
+-   You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don't forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
 
 -   If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values.
 
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index 97c0977a60..e935d656d9 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -212,9 +212,9 @@ For a change operation, you'll typically see two 5136 events for one action, wit
 
 -   **Type** \[Type = UnicodeString\]**:** type of performed operation.
 
-    -   **Value Added** – new value added.
+    -   **Value Added** – new value added ('%%14674')
 
-    -   **Value Deleted** – value deleted (typically “Value Deleted” is a part of change operation).
+    -   **Value Deleted** – value deleted ('%%14675', typically “Value Deleted” is a part of change operation).
 
 <!-- -->
 
@@ -236,4 +236,5 @@ For 5136(S): A directory service object was modified.
 
 -   If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name.
 
--   It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
\ No newline at end of file
+-   It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
+   
diff --git a/windows/security/threat-protection/auditing/images/netsh-command.png b/windows/security/threat-protection/auditing/images/netsh-command.png
deleted file mode 100644
index 56d7caa0c4..0000000000
Binary files a/windows/security/threat-protection/auditing/images/netsh-command.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/images/synaptics.png b/windows/security/threat-protection/auditing/images/synaptics.png
deleted file mode 100644
index 2ffc025437..0000000000
Binary files a/windows/security/threat-protection/auditing/images/synaptics.png and /dev/null differ
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index ebf21e1e50..3985c12068 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/09/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png b/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png
deleted file mode 100644
index 043da38016..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Add-device-setup-class-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png
deleted file mode 100644
index 1943ec1fab..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png
deleted file mode 100644
index 6913ecfcc6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png
deleted file mode 100644
index d35b3507f8..0000000000
Binary files a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png b/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png
deleted file mode 100644
index c2cec3aca1..0000000000
Binary files a/windows/security/threat-protection/device-control/images/add-vendor-id-to-prevent-list.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/admintemplates.png b/windows/security/threat-protection/device-control/images/admintemplates.png
deleted file mode 100644
index 4bf90b2b8a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/admintemplates.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/baselines.png b/windows/security/threat-protection/device-control/images/baselines.png
deleted file mode 100644
index d08380470f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/baselines.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
deleted file mode 100644
index 3080e0d1f0..0000000000
Binary files a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/bluetooth.png b/windows/security/threat-protection/device-control/images/bluetooth.png
deleted file mode 100644
index f4f5e4804b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/bluetooth.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png
deleted file mode 100644
index 6951e4ed5a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/class-guids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png
deleted file mode 100644
index 9d295dfa6b..0000000000
Binary files a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
deleted file mode 100644
index 4b8c80fdd7..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png
deleted file mode 100644
index eaba30b27f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
deleted file mode 100644
index b0b7eb7237..0000000000
Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png
deleted file mode 100644
index 95ac48ec54..0000000000
Binary files a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png
deleted file mode 100644
index 44be977537..0000000000
Binary files a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png
deleted file mode 100644
index 829014859f..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolcard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png
deleted file mode 100644
index a7cd33c892..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg
deleted file mode 100644
index cd814377be..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png
deleted file mode 100644
index 4743358c57..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicesbyconnection.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg
deleted file mode 100644
index 10b636fc0d..0000000000
Binary files a/windows/security/threat-protection/device-control/images/devicevendorid.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png
deleted file mode 100644
index cf8399acf4..0000000000
Binary files a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png
deleted file mode 100644
index 152822dc29..0000000000
Binary files a/windows/security/threat-protection/device-control/images/general-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png
deleted file mode 100644
index 9017f289f6..0000000000
Binary files a/windows/security/threat-protection/device-control/images/hardware-ids.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png b/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png
deleted file mode 100644
index 55be4d714a..0000000000
Binary files a/windows/security/threat-protection/device-control/images/lookup-vendor-product-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg b/windows/security/threat-protection/device-control/images/sortbyconnection.jpg
deleted file mode 100644
index c86eab1470..0000000000
Binary files a/windows/security/threat-protection/device-control/images/sortbyconnection.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 003104ce73..9c1feb7d06 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,6 +10,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.reviewer: 
@@ -77,7 +78,7 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s
 
 > [!IMPORTANT]
 >
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
 >
 > - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled.
 >
diff --git a/windows/security/threat-protection/device-guard/images/device-guard-gp.png b/windows/security/threat-protection/device-guard/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png b/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png
deleted file mode 100644
index fa2c162cc0..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig12-verifysigning.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig13-createnewgpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png
deleted file mode 100644
index 4439bd2764..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig14-createnewfile.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png
deleted file mode 100644
index db0ddb80db..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig15-setnewfileprops.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png
deleted file mode 100644
index 55344d70d1..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig16-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png
deleted file mode 100644
index d79ca2c2af..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig17-specifyinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png b/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png
deleted file mode 100644
index 08492ef73b..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig18-specifyux.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png b/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png
deleted file mode 100644
index 2c5c7236eb..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig19-customsettings.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png b/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png
deleted file mode 100644
index 2c838be648..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig20-setsoftwareinv.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png
deleted file mode 100644
index 9499946283..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig21-pathproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png b/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png
deleted file mode 100644
index c6b33e6139..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig23-exceptionstocode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png b/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig24-creategpo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png b/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png b/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig26-enablecode.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png
deleted file mode 100644
index 9f0ed93274..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig27-managecerttemp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png
deleted file mode 100644
index bad5fe7cdd..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig29-enableconstraints.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png
deleted file mode 100644
index 11687d092c..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig30-selectnewcert.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png
deleted file mode 100644
index 7661cb4eb9..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig31-getmoreinfo.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png b/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png b/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png
deleted file mode 100644
index 9b423ea8ab..0000000000
Binary files a/windows/security/threat-protection/device-guard/images/wdac-edit-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
deleted file mode 100644
index 1bee48b996..0000000000
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
-description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
-keywords: virtualization, security, malware
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-manager: aaroncz
-audience: ITPro
-ms.topic: conceptual
-ms.date: 10/20/2017
-ms.reviewer: 
-ms.author: vinpa
-ms.technology: itpro-security
----
-
-# Baseline protections and other qualifications for virtualization-based protection of code integrity
-
-**Applies to** 
-- Windows 10
-
-Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a  virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats.
-
-For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media.
-
-> [!WARNING]
->  Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-
-The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
-
-## Baseline protections
-
-|Baseline Protections            | Description                                        | Security benefits |
-|--------------------------------|----------------------------------------------------|-------------------|
-| Hardware: **64-bit CPU**       | A 64-bit computer is required for the Windows hypervisor to provide VBS. |  |
-| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>• VT-x (Intel) or<br>• AMD-V<br>And:<br>• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots.  |
-| Firmware: **Secure firmware update process**      | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).  | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers**       | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode.  |
-| Software: Qualified **Windows operating system**  | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><b>Important:</b><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features. |
-
-> **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide.
-
-## Other qualifications for improved security
-
-The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
-
-
-### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
-
-| Protections for Improved Security       | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.<br>• In the BIOS configuration, BIOS authentication must be set.<br>• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.<br>• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-
-<br>
-
-### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-
-| Protections for Improved Security        | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).<br>• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>• HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-
-<br>
-
-### More security qualifications starting with Windows 10, version 1703
-
-
-| Protections for Improved Security          | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><b>Notes:</b><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Also note the following guidelines: <br>• Don't use sections that are both writeable and executable<br>• Don't attempt to directly modify executable system memory<br>• Don't use dynamic code  | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.   |
-| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks other security attacks against SMM.  |
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 7b0d87f42e..4f3fd11f90 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -8,6 +8,7 @@ ms.author: paoloma
 author: paolomatarazzo
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: article
 ms.localizationpriority: medium
 ms.reviewer: 
@@ -133,7 +134,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
 |Boot Manager|[10.0.15063][sp-3089]|[#3089][certificate-3089]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); CKG (vendor affirmed); HMAC (Cert. [#3061][hmac-3061]); PBKDF (vendor affirmed); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)|
 |Windows OS Loader|[10.0.15063][sp-3090]|[#3090][certificate-3090]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>[Other algorithms: NDRNG][certificate-3090]|
 |Windows Resume <sup>[1]</sup>|[10.0.15063][sp-3091]|[#3091][certificate-3091]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790])|
-|BitLocker® Dump Filter <sup>[2]</sup>|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])|
+|BitLocker&reg; Dump Filter <sup>[2]</sup>|[10.0.15063][sp-3092]|[#3092][certificate-3092]|FIPS approved algorithms: AES (Certs. [#4624][aes-4624] and [#4625][aes-4625]); RSA (Cert. [#2522][rsa-2522]); SHS (Cert. [#3790][shs-3790])|
 |Code Integrity (ci.dll)|[10.0.15063][sp-3093]|[#3093][certificate-3093]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.15063][sp-3096]|[#3096][certificate-3096]|FIPS approved algorithms: AES (Cert. [#4624][aes-4624]); RSA (Certs. [#2522][rsa-2522] and [#2523][rsa-2523]); SHS (Cert. [#3790][shs-3790]<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. [#1282][component-1282])|
 
@@ -156,9 +157,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[#2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#886][component-886])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[#2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#922][component-922]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#887][component-887])|
 |Boot Manager|[10.0.14393][sp-2931]|[#2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)<sup>[1]</sup>|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[2]</sup>|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|BitLocker&reg; Windows OS Loader (winload)|[10.0.14393][sp-2932]|[#2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
+|BitLocker&reg; Windows Resume (winresume)<sup>[1]</sup>|[10.0.14393][sp-2933]|[#2933][certificate-2933]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[2]</sup>|[10.0.14393][sp-2934]|[#2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
 |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[#2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[3]</sup>|[10.0.14393][sp-2938]|[#2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#888][component-888])|
 
@@ -180,9 +181,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10586][sp-2605]|[#2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs. [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#664][component-664])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10586][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629]); DRBG (Certs. [#955][drbg-955]); DSA (Certs.  [#1024][dsa-1024]); ECDSA (Certs. [#760][ecdsa-760]); HMAC (Certs. [#2381][hmac-2381]); KAS (Certs. [#72][kas-72]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#72][kdf-72]); KTS (AES Certs. [#3653][aes-3653]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1887][rsa-1887], [#1888, and #1889][rsa-1888]); SHS (Certs. [#3047][shs-3047]); Triple-DES (Certs. [#2024][tdes-2024])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#666][component-666]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#663][component-663])|
 |Boot Manager <sup>[4]</sup>|[10.0.10586][sp-2700]|[#2700][certificate-2700]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); HMAC (Cert. [#2381][hmac-2381]); PBKDF (vendor affirmed); RSA (Cert. [#1871][rsa-1871]); SHS (Certs. [#3047][shs-3047] and [#3048][shs-3048])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)<sup>[5]</sup>|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[6]</sup>|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[7]</sup>|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])|
+|BitLocker&reg; Windows OS Loader (winload)<sup>[5]</sup>|[10.0.10586][sp-2701]|[#2701][certificate-2701]|FIPS approved algorithms: AES (Certs. [#3629][aes-3629] and [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[6]</sup>|[10.0.10586][sp-2702]|[#2702][certificate-2702]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653]); RSA (Cert. [#1871][rsa-1871]); SHS (Cert. [#3048][shs-3048])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[7]</sup>|[10.0.10586][sp-2703]|[#2703][certificate-2703]|FIPS approved algorithms: AES (Certs. [#3653][aes-3653])|
 |Code Integrity (ci.dll)|[10.0.10586][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[8]</sup>|[10.0.10586][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1871][rsa-1871]); SHS (Certs. [#3048][shs-3048])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#665][component-665])|
 
@@ -208,9 +209,9 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.10240][sp-2605]|#[2606][certificate-2606]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#575][component-575])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.10240][sp-2605]|[#2605][certificate-2605]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497]); DRBG (Certs. [#868][drbg-868]); DSA (Certs. [#983][dsa-983]); ECDSA (Certs. [#706][ecdsa-706]); HMAC (Certs. [#2233][hmac-2233]); KAS (Certs. [#64][kas-64]; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. [#66][kdf-66]); KTS (AES Certs. [#3507][aes-3507]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#1783][rsa-1783], [#1798][rsa-1798], and [#1802][rsa-1802]); SHS (Certs. [#2886][shs-2886]); Triple-DES (Certs. [#1969][tdes-1969])<p>Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572]); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. [#576][component-576])|
 |Boot Manager<sup>[9]</sup>|[10.0.10240][sp-2600]|[#2600][certificate-2600]|FIPS approved algorithms: AES (Cert. [#3497][aes-3497]); HMAC (Cert. [#2233][hmac-2233]); KTS (AES Cert. [#3498][aes-3498]); PBKDF (vendor affirmed); RSA (Cert. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871] and [#2886][shs-2886])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)<sup>[10]</sup>|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[11]</sup>|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[12]</sup>|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])|
+|BitLocker&reg; Windows OS Loader (winload)<sup>[10]</sup>|[10.0.10240][sp-2601]|[#2601][certificate-2601]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[11]</sup>|[10.0.10240][sp-2602]|[#2602][certificate-2602]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498]); RSA (Cert. [#1784][rsa-1784]); SHS (Cert. [#2871][shs-2871])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[12]</sup>|[10.0.10240][sp-2603]|[#2603][certificate-2603]|FIPS approved algorithms: AES (Certs. [#3497][aes-3497] and [#3498][aes-3498])|
 |Code Integrity (ci.dll)|[10.0.10240][sp-2604]|[#2604][certificate-2604]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])<p>Other algorithms: AES (non-compliant); MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])|
 |Secure Kernel Code Integrity (skci.dll)<sup>[13]</sup>|[10.0.10240][sp-2607]|[#2607][certificate-2607]|FIPS approved algorithms: RSA (Certs. [#1784][rsa-1784]); SHS (Certs. [#2871][shs-2871])<p>Other algorithms: MD5<p>Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#572][component-572])|
 
@@ -237,9 +238,9 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[#2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289]); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. [#323][component-323])|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[#2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)<p>Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. [#288][component-288]); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
 |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[#2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[14]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[#2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[14]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[#2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)|[6.3.9600 6.3.9600.17031][sp-2354]|[#2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
 |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[#2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])<p>Other algorithms: MD5<p>Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. [#289][component-289])|
 
 <sup>\[14\]</sup> Applies only to Pro, Enterprise, and Embedded 8.
@@ -256,9 +257,9 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
 |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[#1892][sp-1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[#1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.2.9200][sp-1895]|[#1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)<sup>[15]</sup>|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[#1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker&reg; Windows Resume (WINRESUME)<sup>[15]</sup>|[6.2.9200][sp-1898]|[#1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[#1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
 |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[#1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[#1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[#1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. #1346); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])<p>Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -278,7 +279,7 @@ Validated Editions: Windows 7, Windows 7 SP1
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.1.7600.16385][sp-1328]<p>[6.1.7600.16915][sp-1328]<p>[6.1.7600.21092][sp-1328]<p>[6.1.7601.17514][sp-1328]<p>[6.1.7601.17725][sp-1328]<p>[6.1.7601.17919][sp-1328]<p>[6.1.7601.21861][sp-1328]<p>[6.1.7601.22076][sp-1328]|[1328][certificate-1328]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1178][aes-1178]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#24][drbg-24]); ECDSA (Cert. [#141][ecdsa-141]); HMAC (Cert. [#677][hmac-677]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#560][rsa-560]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4|
 |Boot Manager|[6.1.7600.16385][sp-1319]<p>[6.1.7601.17514][sp-1319]|[1319][certificate-1319]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)<p>Other algorithms: MD5|
 |Winload OS Loader (winload.exe)|[6.1.7600.16385][sp-1326]<p>[6.1.7600.16757][sp-1326]<p>[6.1.7600.20897][sp-1326]<p>[6.1.7600.20916][sp-1326]<p>[6.1.7601.17514][sp-1326]<p>[6.1.7601.17556][sp-1326]<p>[6.1.7601.21655][sp-1326]<p>[6.1.7601.21675][sp-1326]|[1326][certificate-1326]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
-|BitLocker™ Drive Encryption|[6.1.7600.16385][sp-1332]<p>[6.1.7600.16429][sp-1332]<p>[6.1.7600.16757][sp-1332]<p>[6.1.7600.20536][sp-1332]<p>[6.1.7600.20873][sp-1332]<p>[6.1.7600.20897][sp-1332]<p>[6.1.7600.20916][sp-1332]<p>[6.1.7601.17514][sp-1332]<p>[6.1.7601.17556][sp-1332]<p>[6.1.7601.21634][sp-1332]<p>[6.1.7601.21655][sp-1332]<p>[6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
+|BitLocker&trade; Drive Encryption|[6.1.7600.16385][sp-1332]<p>[6.1.7600.16429][sp-1332]<p>[6.1.7600.16757][sp-1332]<p>[6.1.7600.20536][sp-1332]<p>[6.1.7600.20873][sp-1332]<p>[6.1.7600.20897][sp-1332]<p>[6.1.7600.20916][sp-1332]<p>[6.1.7601.17514][sp-1332]<p>[6.1.7601.17556][sp-1332]<p>[6.1.7601.21634][sp-1332]<p>[6.1.7601.21655][sp-1332]<p>[6.1.7601.21675][sp-1332]|[1332][certificate-1332]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
 |Code Integrity (CI.DLL)|[6.1.7600.16385][sp-1327]<p>[6.1.7600.17122][sp-1327]v[6.1.7600.21320][sp-1327]<p>[6.1.7601.17514][sp-1327]<p>[6.1.7601.17950][sp-1327]v[6.1.7601.22108][sp-1327]|[1327][certificate-1327]|FIPS approved algorithms: RSA (Cert. [#557][rsa-557]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.1.7600.16385][sp-1331]<p>(no change in SP1)|[1331][certificate-1331]|FIPS approved algorithms: DSA (Cert. [#385][dsa-385]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.1.7600.16385][sp-1330]<p>(no change in SP1)|[1330][certificate-1330]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#673][hmac-673]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#557][rsa-557] and [#559][rsa-559]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -312,7 +313,7 @@ Validated Editions: Ultimate Edition
 |--- |--- |--- |--- |
 |Enhanced Cryptographic Provider (RSAENH) | [6.0.6000.16386][sp-893] | [893][certificate-893] | FIPS approved algorithms: AES (Cert. [#553][aes-553]); HMAC (Cert. [#297][hmac-297]); RNG (Cert. [#321][rng-321]); RSA (Certs. [#255][rsa-255] and [#258][rsa-258]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549])<br/><br/>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.0.6000.16386][sp-894]|[894][certificate-894]|FIPS approved algorithms: DSA (Cert. [#226][dsa-226]); RNG (Cert. [#321][rng-321]); SHS (Cert. [#618][shs-618]); Triple-DES (Cert. [#549][tdes-549]); Triple-DES MAC (Triple-DES Cert. [#549][tdes-549], vendor affirmed)<br/><br/>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])<br/><br/>Other algorithms: Elephant Diffuser|
+|BitLocker&trade; Drive Encryption|[6.0.6000.16386][sp-947]|[947][certificate-947]|FIPS approved algorithms: AES (Cert. [#715][aes-715]); HMAC (Cert. [#386][hmac-386]); SHS (Cert. [#737][shs-737])<br/><br/>Other algorithms: Elephant Diffuser|
 |Kernel Mode Security Support Provider Interface (ksecdd.sys)|[6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067][sp-891]|[891][certificate-891]|FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)<br/><br/>Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5|
 
 </details>
@@ -481,9 +482,9 @@ Validated Editions: Standard, Datacenter, Storage Server
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[10.0.14393][sp-2937]|[2937][certificate-2937]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[10.0.14393][sp-2936]|[2936][certificate-2936]|FIPS approved algorithms: AES (Cert. [#4064][aes-4064]); DRBG (Cert. [#1217][drbg-1217]); DSA (Cert. [#1098][dsa-1098]); ECDSA (Cert. [#911][ecdsa-911]); HMAC (Cert. [#2651][hmac-2651]); KAS (Cert. [#92][kas-92]); KBKDF (Cert. [#101][kdf-101]); KTS (AES Cert. [#4062][aes-4062]; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. [#2192][rsa-2192], [#2193, and #2195][rsa-2193]); SHS (Cert. [#3347][shs-3347]); Triple-DES (Cert. [#2227][tdes-2227])<p>Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[10.0.14393][sp-2931]|[2931][certificate-2931]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); HMAC (Cert. [#2651][hmac-2651]); PBKDF (vendor affirmed); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5; PBKDF (non-compliant); VMK KDF|
-|BitLocker® Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
-|BitLocker® Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
+|BitLocker&reg; Windows OS Loader (winload)|[10.0.14393][sp-2932]|[2932][certificate-2932]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: NDRNG; MD5|
+|BitLocker&reg; Windows Resume (winresume)|[10.0.14393][sp-2933]|[2933][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064]); RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)|[10.0.14393][sp-2934]|[2934][certificate-2934]|FIPS approved algorithms: AES (Certs. [#4061][aes-4061] and [#4064][aes-4064])|
 |Code Integrity (ci.dll)|[10.0.14393][sp-2935]|[2935][certificate-2935]|FIPS approved algorithms: RSA (Cert. [#2193][rsa-2193]); SHS (Cert. [#3347][shs-3347])<p>Other algorithms: AES (non-compliant); MD5|
 |Secure Kernel Code Integrity (skci.dll)|[10.0.14393][sp-2938]|[2938][certificate-2938]|FIPS approved algorithms: RSA (Certs. [#2193][rsa-2193]); SHS (Certs. [#3347][shs-3347])<p>Other algorithms: MD5|
 
@@ -501,9 +502,9 @@ Validated Editions: Server, Storage Server,
 |Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)|[6.3.9600 6.3.9600.17031][sp-2357]|[2357][certificate-2357]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); DSA (Cert. [#855][dsa-855]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [#2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.3.9600 6.3.9600.17042][sp-2356]|[2356][certificate-2356]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); DRBG (Certs. [#489][drbg-489]); ECDSA (Cert. [#505][ecdsa-505]); HMAC (Cert. [#1773][hmac-1773]); KAS (Cert. [#47][kas-47]); KBKDF (Cert. [#30][kdf-30]); PBKDF (vendor affirmed); RSA (Certs. [#1487][rsa-1487], [#1493, and #1519][rsa-1493]); SHS (Cert. [# 2373][shs-2373]); Triple-DES (Cert. [#1692][tdes-1692])<p>Other algorithms: AES (Cert. [#2832][aes-2832], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.3.9600 6.3.9600.17031][sp-2351]|[2351][certificate-2351]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); HMAC (Cert. [#1773][hmac-1773]); PBKDF (vendor affirmed); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)|
-|BitLocker® Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
-|BitLocker® Windows Resume (winresume)<sup>[16]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (dumpfve.sys)<sup>[17]</sup>|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (winload)|[6.3.9600 6.3.9600.17031][sp-2352]|[2352][certificate-2352]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [#2396][shs-2396])<p>Other algorithms: MD5; NDRNG|
+|BitLocker&reg; Windows Resume (winresume)<sup>[16]</sup>|[6.3.9600 6.3.9600.17031][sp-2353]|[2353][certificate-2353]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832]); RSA (Cert. [#1494][rsa-1494]); SHS (Certs. [# 2373][shs-2373] and [#2396][shs-2396])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (dumpfve.sys)<sup>[17]</sup>|[6.3.9600 6.3.9600.17031][sp-2354]|[2354][certificate-2354]|FIPS approved algorithms: AES (Cert. [#2832][aes-2832])<p>Other algorithms: N/A|
 |Code Integrity (ci.dll)|[6.3.9600 6.3.9600.17031][sp-2355]|[2355][certificate-2355]|FIPS approved algorithms: RSA (Cert. [#1494][rsa-1494]); SHS (Cert. [# 2373][shs-2373])<p>Other algorithms: MD5|
 
 <sup>\[16\]</sup> Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
@@ -522,9 +523,9 @@ Validated Editions: Server, Storage Server
 |Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)|[6.2.9200][sp-1892]|[1892]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258]); DSA (Cert. [#687][dsa-687]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. #[1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Kernel Mode Cryptographic Primitives Library (cng.sys)|[6.2.9200][sp-1891]|[1891][certificate-1891]|FIPS approved algorithms: AES (Certs. [#2197][aes-2197] and [#2216][aes-2216]); DRBG (Certs. [#258][drbg-258] and [#259][drbg-259]); ECDSA (Cert. [#341][ecdsa-341]); HMAC (Cert. [#1345][hmac-1345]); KAS (Cert. [#36][kas-36]); KBKDF (Cert. [#3][kdf-3]); PBKDF (vendor affirmed); RNG (Cert. [#1110][rng-1110]); RSA (Certs. [#1133][rsa-1133] and [#1134][rsa-1134]); SHS (Cert. [#1903][shs-1903]); Triple-DES (Cert. [#1387][tdes-1387])<p>Other algorithms: AES (Cert. [#2197][aes-2197], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and); SHS (Cert.); Triple-DES (Cert.)<p>Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)|
 |Boot Manager|[6.2.9200][sp-1895]|[1895][sp-1895]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); HMAC (Cert. #[1347][hmac-1347]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
-|BitLocker® Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
-|BitLocker® Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
+|BitLocker&reg; Windows OS Loader (WINLOAD)|[6.2.9200][sp-1896]|[1896][sp-1896]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: AES (Cert. [#2197][aes-2197]; non-compliant); MD5; Non-Approved RNG|
+|BitLocker&reg; Windows Resume (WINRESUME)|[6.2.9200][sp-1898]|[1898][sp-1898]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
+|BitLocker&reg; Dump Filter (DUMPFVE.SYS)|[6.2.9200][sp-1899]|[1899][sp-1899]|FIPS approved algorithms: AES (Certs. [#2196][aes-2196] and [#2198][aes-2198])<p>Other algorithms: N/A|
 |Code Integrity (CI.DLL)|[6.2.9200][sp-1897]|[1897][sp-1897]|FIPS approved algorithms: RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1903][shs-1903])<p>Other algorithms: MD5|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)|[6.2.9200][sp-1893]|[1893][sp-1893]|FIPS approved algorithms: DSA (Cert. [#686][dsa-686]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386]); Triple-DES MAC (Triple-DES Cert. [#1386][tdes-1386], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced Cryptographic Provider (RSAENH.DLL)|[6.2.9200][sp-1894]|[1894][sp-1894]|FIPS approved algorithms: AES (Cert. [#2196][aes-2196]); HMAC (Cert. [#1346][hmac-1346]); RSA (Cert. [#1132][rsa-1132]); SHS (Cert. [#1902][shs-1902]); Triple-DES (Cert. [#1386][tdes-1386])<p>Other algorithms: AES (Cert. [#2196][aes-2196], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. [#1386][tdes-1386], key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
@@ -542,7 +543,7 @@ Validated Editions: Server, Storage Server
 |Cryptographic Primitives Library (bcryptprimitives.dll)|[66.1.7600.16385 or 6.1.7601.17514][sp-1336]|[1336][certificate-1336]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); AES GCM (Cert. [#1168][aes-1168], vendor-affirmed); AES GMAC (Cert. [#1168][aes-1168], vendor-affirmed); DRBG (Certs. [#23][drbg-23] and [#27][drbg-27]); DSA (Cert. [#391][dsa-391]); ECDSA (Cert. [#142][ecdsa-142]); HMAC (Cert. [#686][hmac-686]); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. [#649][rng-649]); RSA (Certs. [#559][rsa-559] and [#567][rsa-567]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: AES (Cert. [#1168][aes-1168], key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4|
 |Enhanced Cryptographic Provider (RSAENH)|[6.1.7600.16385][sp-1337]|[1337][certificate-1337]|FIPS approved algorithms: AES (Cert. [#1168][aes-1168]); DRBG (Cert. [#23][drbg-23]); HMAC (Cert. [#687][hmac-687]); SHS (Cert. [#1081][shs-1081]); RSA (Certs. [#559][rsa-559] and [#568][rsa-568]); Triple-DES (Cert. [#846][tdes-846])<p>Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)|
 |Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)|[6.1.7600.16385][sp-1338]|[1338][certificate-1338]|FIPS approved algorithms: DSA (Cert. [#390][dsa-390]); RNG (Cert. [#649][rng-649]); SHS (Cert. [#1081][shs-1081]); Triple-DES (Cert. [#846][tdes-846]); Triple-DES MAC (Triple-DES Cert. [#846][tdes-846], vendor affirmed)<p>Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4|
-|BitLocker™ Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
+|BitLocker&trade; Drive Encryption|[6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675][sp-1339]|[1339][certificate-1339]|FIPS approved algorithms: AES (Certs. [#1168][aes-1168] and [#1177][aes-1177]); HMAC (Cert. [#675][hmac-675]); SHS (Cert. [#1081][shs-1081])<p>Other algorithms: Elephant Diffuser|
 
 </details>
 
@@ -661,20 +662,20 @@ For more details, expand each algorithm section.
 |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations [#4064][aes-4064]<p>Version 10.0.14393|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations [#4063][aes-4063]<p>Version 10.0.14393|
 |**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#4062][aes-4062]<p>Version 10.0.14393|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations [#4061][aes-4061]<p>Version 10.0.14393|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 4064][aes-4064]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker&reg; Cryptographic Implementations [#4061][aes-4061]<p>Version 10.0.14393|
 |**KW**  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" Cryptography Next Generation (CNG) Implementations [#3652][aes-3652]<p>Version 10.0.10586|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker® Cryptographic Implementations [#3653][aes-3653]<p>Version 10.0.10586|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3629][aes-3629]|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" BitLocker&reg; Cryptographic Implementations [#3653][aes-3653]<p>Version 10.0.10586|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" RSA32 Algorithm Implementations [#3630][aes-3630]<p>Version 10.0.10586|
 |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)v**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d) (f)) **KS: XTS_256**((e/d) (f))|Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84" and Surface Hub 55" SymCrypt Cryptographic Implementations [#3629][aes-3629]<p>Version 10.0.10586|
 |**KW** (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations [#3507][aes-3507]<p>Version 10.0.10240|
-|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations [#3498][aes-3498]<p>Version 10.0.10240|
+|**CCM** (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 3497][aes-3497]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker&reg; Cryptographic Implementations [#3498][aes-3498]<p>Version 10.0.10240|
 |**ECB** (e/d; 128, 192, 256); **CBC** (e/d; 128, 192, 256); **CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256); **CTR** (int only; 128, 192, 256)<p>**CCM** (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC(Generation/Verification)** (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM** (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported<p>GMAC supported<p>**XTS((KS: XTS_128**((e/d)(f)) **KS: XTS_256**((e/d)(f))|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#3497][aes-3497]<p>Version 10.0.10240|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations [#3476][aes-3476]<p>Version 10.0.10240|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations [#2853][aes-2853]<p>Version 6.3.9600|
 |**CCM (KS: 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)<p>AES [validation number 2832][aes-2832]|Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations [#2848][aes-2848]<p>Version 6.3.9600|
 |**CCM (KS: 128, 192, 256)** (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)<p>**CMAC (Generation/Verification) (KS: 128**; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)<p>**GCM (KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:**  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;<p>**OtherIVLen_Supported<p>GMAC supported**|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #[2832][aes-2832]<p>Version 6.3.9600|
 |**CCM (KS: 128, 192, 256**) **(Assoc. Data Len Range**: 0-0, 2^16) **(Payload Length Range**: 0 - 32 (**Nonce Length(s)**: 7 8 9 10 11 12 13 **(Tag Length(s)**: 4 6 8 10 12 14 16)<p>AES [validation number 2197][aes-2197]<p>**CMAC** (Generation/Verification) **(KS: 128;** Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 192**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16) **(KS: 256**; Block Size(s); **Msg Len(s)** Min: 0 Max: 2^16; **Tag Len(s)** Min: 16 Max: 16)<p>AES [validation number 2197][aes-2197]<p>**GCM(KS: AES_128**(e/d) Tag Length(s): 128 120 112 104 96) **(KS: AES_192**(e/d) Tag Length(s): 128 120 112 104 96)<p>**(KS: AES_256**(e/d) Tag Length(s): 128 120 112 104 96)<p>**IV Generated:** (Externally); **PT Lengths Tested:** (0, 128, 1024, 8, 1016); **Additional authenticated data lengths tested:** (0, 128, 1024, 8, 1016); **IV Lengths Tested:** (8, 1024); **96 bit IV supported<p>GMAC supported**|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations [#2216][aes-2216]|
-|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)<p>AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations [#2198][aes-2198]|
+|**CCM (KS: 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 (**Nonce Length(s)**: 12 **(Tag Length(s)**: 16)<p>AES [validation number 2196][aes-2196]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker&reg; Cryptographic Implementations [#2198][aes-2198]|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);<p>**CFB128** (e/d; 128, 192, 256);<p>**CTR** (int only; 128, 192, 256)|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) [#2197][aes-2197]|
 |**ECB** (e/d; 128, 192, 256);<p>**CBC** (e/d; 128, 192, 256);<p>**CFB8** (e/d; 128, 192, 256);|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) [#2196][aes-2196]|
 |**CCM (KS: 128, 192, 256) (Assoc. Data Len Range: **0 - 0, 2^16**) (Payload Length Range:** 0 - 32 **(Nonce Length(s):** 7 8 9 10 11 12 13 **(Tag Length(s): **4 6 8 10 12 14 16**)**<p>AES [validation number 1168][aes-1168]|Windows Server 2008 R2 and SP1 CNG algorithms [#1187][aes-1187]<p>Windows 7 Ultimate and SP1 CNG algorithms [#1178][aes-1178]|
@@ -842,7 +843,7 @@ For more details, expand each algorithm section.
 |<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>[ SHSvalidation number  2886][shs-2886]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS[validation number  2886][shs-2886]|Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations [#2233][hmac-2233]<p>Version 10.0.10240|
 |<p> **HMAC-SHA1** (Key Sizes Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA256** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA384** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]<p> **HMAC-SHA512** (Key Size Ranges Tested:  KSBS)<br>SHS [validation number 2373][shs-2373]|Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations [#1773][hmac-1773]<p>Version 6.3.9600|
 |<p> **HMAC-SHA1** (Key Sizes Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA256** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA384** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]<p> **HMAC-SHA512** (Key Size Ranges Tested: KSBS) SHS [validation number 2764][shs-2764]|Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) [#2122][hmac-2122]<p>Version 5.2.29344|
-|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #[1347][hmac-1347]|
+|<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker&reg; Cryptographic Implementations #[1347][hmac-1347]|
 |<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS**[#1902][shs-1902]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #[1346][hmac-1346]|
 |<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA384 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS)**<br>**SHS**[#1903][shs-1903]|Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #[1345][hmac-1345]|
 |<p> **HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<p> **HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<br>**Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]<p> **HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS** [validation number 1773][shs-1773]|Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll), [#1364][hmac-1364]|
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
deleted file mode 100644
index 6fb73d0cd6..0000000000
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Get support
-description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT).
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dulcemontemayor
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 06/25/2018
-ms.reviewer: 
-ms.technology: itpro-security
----
-
-# Get Support for Windows baselines
-
-## Frequently asked questions
-
-### What is the Microsoft Security Compliance Manager (SCM)?
-
-The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
-
-For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
-
-### Where can I get an older version of a Windows baseline?
-
-Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix).
-
-- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353)
-- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
-- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
-- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
-
-### What file formats are supported by the new SCT?
-
-The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported.
-
-### Does SCT support the Desired State Configuration (DSC) file format?
-
-Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features.
-
-### Does SCT support the creation of Microsoft Configuration Manager DCM packs?
-
-No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement).
-
-### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
-
-No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit also doesn't include SCAP support.
-
-## Version matrix
-
-### Client versions
-
-| Name | Build | Baseline release date | Security tools |
-|---|---|---|---|
-| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) <p> [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) <p>[Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <p>[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) <p>[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-
-### Server versions
-
-| Name | Build | Baseline release date | Security tools |
-|---|---|---|---|
-|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
-|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-
-### Microsoft products
-
-| Name | Details | Security tools |
-|--|--|--|
-| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
-| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
-
-> [!NOTE]
-> Browser baselines are built-in to new OS versions starting with Windows 10.
-
-## See also
-
-[Windows security baselines](windows-security-baselines.md)
diff --git a/windows/security/threat-protection/images/AH_icon.png b/windows/security/threat-protection/images/AH_icon.png
deleted file mode 100644
index 3fae6eba9a..0000000000
Binary files a/windows/security/threat-protection/images/AH_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/SS_icon.png b/windows/security/threat-protection/images/SS_icon.png
deleted file mode 100644
index e69ea2a796..0000000000
Binary files a/windows/security/threat-protection/images/SS_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/TVM_icon.png b/windows/security/threat-protection/images/TVM_icon.png
deleted file mode 100644
index 63f8c75929..0000000000
Binary files a/windows/security/threat-protection/images/TVM_icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/Untitled-1.png b/windows/security/threat-protection/images/Untitled-1.png
deleted file mode 100644
index 7e4e011d4f..0000000000
Binary files a/windows/security/threat-protection/images/Untitled-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/air-icon.png b/windows/security/threat-protection/images/air-icon.png
deleted file mode 100644
index 985e3e4429..0000000000
Binary files a/windows/security/threat-protection/images/air-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-icon.png b/windows/security/threat-protection/images/asr-icon.png
deleted file mode 100644
index bf649e87ec..0000000000
Binary files a/windows/security/threat-protection/images/asr-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-notif.png b/windows/security/threat-protection/images/asr-notif.png
deleted file mode 100644
index 2f8eb02556..0000000000
Binary files a/windows/security/threat-protection/images/asr-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-rules-gp.png b/windows/security/threat-protection/images/asr-rules-gp.png
deleted file mode 100644
index fa6285cb56..0000000000
Binary files a/windows/security/threat-protection/images/asr-rules-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/asr-test-tool.png b/windows/security/threat-protection/images/asr-test-tool.png
deleted file mode 100644
index 569ee7a256..0000000000
Binary files a/windows/security/threat-protection/images/asr-test-tool.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-allow-app-ps.png b/windows/security/threat-protection/images/cfa-allow-app-ps.png
deleted file mode 100644
index f93dbe34e3..0000000000
Binary files a/windows/security/threat-protection/images/cfa-allow-app-ps.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-allow-app.png b/windows/security/threat-protection/images/cfa-allow-app.png
deleted file mode 100644
index afb220f764..0000000000
Binary files a/windows/security/threat-protection/images/cfa-allow-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-allow-folder-ps.png b/windows/security/threat-protection/images/cfa-allow-folder-ps.png
deleted file mode 100644
index 88cd35c6ce..0000000000
Binary files a/windows/security/threat-protection/images/cfa-allow-folder-ps.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-audit-gp.png b/windows/security/threat-protection/images/cfa-audit-gp.png
deleted file mode 100644
index 89abf15424..0000000000
Binary files a/windows/security/threat-protection/images/cfa-audit-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-filecreator.png b/windows/security/threat-protection/images/cfa-filecreator.png
deleted file mode 100644
index 96e6874361..0000000000
Binary files a/windows/security/threat-protection/images/cfa-filecreator.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-gp-enable.png b/windows/security/threat-protection/images/cfa-gp-enable.png
deleted file mode 100644
index f8d3056d80..0000000000
Binary files a/windows/security/threat-protection/images/cfa-gp-enable.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-notif.png b/windows/security/threat-protection/images/cfa-notif.png
deleted file mode 100644
index 62ca8c3021..0000000000
Binary files a/windows/security/threat-protection/images/cfa-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-on.png b/windows/security/threat-protection/images/cfa-on.png
deleted file mode 100644
index 7441a54834..0000000000
Binary files a/windows/security/threat-protection/images/cfa-on.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/cfa-prot-folders.png b/windows/security/threat-protection/images/cfa-prot-folders.png
deleted file mode 100644
index a61b54a696..0000000000
Binary files a/windows/security/threat-protection/images/cfa-prot-folders.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/check-no.png b/windows/security/threat-protection/images/check-no.png
deleted file mode 100644
index 040c7d2f63..0000000000
Binary files a/windows/security/threat-protection/images/check-no.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/images/create-endpoint-protection-profile.png
deleted file mode 100644
index f9a64efbd7..0000000000
Binary files a/windows/security/threat-protection/images/create-endpoint-protection-profile.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/create-exploit-guard-policy.png b/windows/security/threat-protection/images/create-exploit-guard-policy.png
deleted file mode 100644
index 1253d68613..0000000000
Binary files a/windows/security/threat-protection/images/create-exploit-guard-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/edr-icon.png b/windows/security/threat-protection/images/edr-icon.png
deleted file mode 100644
index 8c750dee42..0000000000
Binary files a/windows/security/threat-protection/images/edr-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app-allow.png b/windows/security/threat-protection/images/enable-cfa-app-allow.png
deleted file mode 100644
index ddf0ca23e9..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app-allow.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app-folder.png b/windows/security/threat-protection/images/enable-cfa-app-folder.png
deleted file mode 100644
index 7401e1e87f..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app-folder.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-app.png b/windows/security/threat-protection/images/enable-cfa-app.png
deleted file mode 100644
index f8e4dc98d1..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-app.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-cfa-intune.png b/windows/security/threat-protection/images/enable-cfa-intune.png
deleted file mode 100644
index 620d786868..0000000000
Binary files a/windows/security/threat-protection/images/enable-cfa-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-ep-intune.png b/windows/security/threat-protection/images/enable-ep-intune.png
deleted file mode 100644
index e89118fd47..0000000000
Binary files a/windows/security/threat-protection/images/enable-ep-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/enable-np-intune.png b/windows/security/threat-protection/images/enable-np-intune.png
deleted file mode 100644
index 604dceff4c..0000000000
Binary files a/windows/security/threat-protection/images/enable-np-intune.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ep-default.png b/windows/security/threat-protection/images/ep-default.png
deleted file mode 100644
index eafac1db7a..0000000000
Binary files a/windows/security/threat-protection/images/ep-default.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ep-prog.png b/windows/security/threat-protection/images/ep-prog.png
deleted file mode 100644
index d36cdd8498..0000000000
Binary files a/windows/security/threat-protection/images/ep-prog.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/event-viewer-import.png b/windows/security/threat-protection/images/event-viewer-import.png
deleted file mode 100644
index 96d12d3af1..0000000000
Binary files a/windows/security/threat-protection/images/event-viewer-import.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/event-viewer.gif b/windows/security/threat-protection/images/event-viewer.gif
deleted file mode 100644
index 7909bfe728..0000000000
Binary files a/windows/security/threat-protection/images/event-viewer.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/events-create.gif b/windows/security/threat-protection/images/events-create.gif
deleted file mode 100644
index 68f057de3a..0000000000
Binary files a/windows/security/threat-protection/images/events-create.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/events-import.gif b/windows/security/threat-protection/images/events-import.gif
deleted file mode 100644
index 55e77c546f..0000000000
Binary files a/windows/security/threat-protection/images/events-import.gif and /dev/null differ
diff --git a/windows/security/threat-protection/images/exp-prot-gp.png b/windows/security/threat-protection/images/exp-prot-gp.png
deleted file mode 100644
index d7b921aa69..0000000000
Binary files a/windows/security/threat-protection/images/exp-prot-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/get-support.png b/windows/security/threat-protection/images/get-support.png
deleted file mode 100644
index 427ba670de..0000000000
Binary files a/windows/security/threat-protection/images/get-support.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png
deleted file mode 100644
index 75540493da..0000000000
Binary files a/windows/security/threat-protection/images/lab-creation-page.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png
deleted file mode 100644
index f8c9c07b16..0000000000
Binary files a/windows/security/threat-protection/images/linux-mdatp-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png
deleted file mode 100644
index f8c9c07b16..0000000000
Binary files a/windows/security/threat-protection/images/linux-mdatp.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig1.png b/windows/security/threat-protection/images/mobile-security-guide-fig1.png
deleted file mode 100644
index 4bdc6c0c9c..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-fig2.png b/windows/security/threat-protection/images/mobile-security-guide-fig2.png
deleted file mode 100644
index becb48f0ed..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-fig2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure3.png b/windows/security/threat-protection/images/mobile-security-guide-figure3.png
deleted file mode 100644
index f78d187b04..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure3.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mobile-security-guide-figure4.png b/windows/security/threat-protection/images/mobile-security-guide-figure4.png
deleted file mode 100644
index 6f9b3725f8..0000000000
Binary files a/windows/security/threat-protection/images/mobile-security-guide-figure4.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/mte-icon.png b/windows/security/threat-protection/images/mte-icon.png
deleted file mode 100644
index 1d5693a399..0000000000
Binary files a/windows/security/threat-protection/images/mte-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/ngp-icon.png b/windows/security/threat-protection/images/ngp-icon.png
deleted file mode 100644
index 9aca3db517..0000000000
Binary files a/windows/security/threat-protection/images/ngp-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/np-notif.png b/windows/security/threat-protection/images/np-notif.png
deleted file mode 100644
index 69eb1bbeee..0000000000
Binary files a/windows/security/threat-protection/images/np-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png
deleted file mode 100644
index 4ec2be97af..0000000000
Binary files a/windows/security/threat-protection/images/powershell-example.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-asr-blocks.png b/windows/security/threat-protection/images/sccm-asr-blocks.png
deleted file mode 100644
index 00225ec18c..0000000000
Binary files a/windows/security/threat-protection/images/sccm-asr-blocks.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-asr-rules.png b/windows/security/threat-protection/images/sccm-asr-rules.png
deleted file mode 100644
index dfb1cb201b..0000000000
Binary files a/windows/security/threat-protection/images/sccm-asr-rules.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-cfa-block.png b/windows/security/threat-protection/images/sccm-cfa-block.png
deleted file mode 100644
index 2868712541..0000000000
Binary files a/windows/security/threat-protection/images/sccm-cfa-block.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-cfa.png b/windows/security/threat-protection/images/sccm-cfa.png
deleted file mode 100644
index bd2e57d73f..0000000000
Binary files a/windows/security/threat-protection/images/sccm-cfa.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-ep-xml.png b/windows/security/threat-protection/images/sccm-ep-xml.png
deleted file mode 100644
index d7a896332a..0000000000
Binary files a/windows/security/threat-protection/images/sccm-ep-xml.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-ep.png b/windows/security/threat-protection/images/sccm-ep.png
deleted file mode 100644
index 1d16250401..0000000000
Binary files a/windows/security/threat-protection/images/sccm-ep.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-np-block.png b/windows/security/threat-protection/images/sccm-np-block.png
deleted file mode 100644
index 0655fdad69..0000000000
Binary files a/windows/security/threat-protection/images/sccm-np-block.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/sccm-np.png b/windows/security/threat-protection/images/sccm-np.png
deleted file mode 100644
index a9f11a2e95..0000000000
Binary files a/windows/security/threat-protection/images/sccm-np.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/seccon-framework.png b/windows/security/threat-protection/images/seccon-framework.png
deleted file mode 100644
index 06f66acf99..0000000000
Binary files a/windows/security/threat-protection/images/seccon-framework.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-compliance-toolkit-1.png b/windows/security/threat-protection/images/security-compliance-toolkit-1.png
deleted file mode 100644
index 270480af39..0000000000
Binary files a/windows/security/threat-protection/images/security-compliance-toolkit-1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-control-classification.png b/windows/security/threat-protection/images/security-control-classification.png
deleted file mode 100644
index 75467f2098..0000000000
Binary files a/windows/security/threat-protection/images/security-control-classification.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-control-deployment-methodologies.png b/windows/security/threat-protection/images/security-control-deployment-methodologies.png
deleted file mode 100644
index 4f869474e2..0000000000
Binary files a/windows/security/threat-protection/images/security-control-deployment-methodologies.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/security-update.png b/windows/security/threat-protection/images/security-update.png
deleted file mode 100644
index f7ca20f34e..0000000000
Binary files a/windows/security/threat-protection/images/security-update.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg b/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg
deleted file mode 100644
index e79d2b057d..0000000000
Binary files a/windows/security/threat-protection/images/securityrecs-tamperprotect.jpg and /dev/null differ
diff --git a/windows/security/threat-protection/images/svg/check-no.svg b/windows/security/threat-protection/images/svg/check-no.svg
deleted file mode 100644
index 89a87afa8b..0000000000
--- a/windows/security/threat-protection/images/svg/check-no.svg
+++ /dev/null
@@ -1,7 +0,0 @@
-<svg width="15px" height="15px" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
-    <title>Check mark no</title>
-    <polygon 
-        fill='#d83b01' 
-        points='95.2 12.2 83 0 47.6 35.4 12.2 0 0 12.2 35.4 47.6 0 83 12.2 95.2 47.6 59.9 83 95.2 95.2 83 59.9 47.6 95.2 12.2'
-     />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/images/svg/check-yes.svg b/windows/security/threat-protection/images/svg/check-yes.svg
deleted file mode 100644
index 483ff5fefc..0000000000
--- a/windows/security/threat-protection/images/svg/check-yes.svg
+++ /dev/null
@@ -1,7 +0,0 @@
-<svg width="15px" height="15px" xmlns='http://www.w3.org/2000/svg' viewBox='0 0 140 140'>
-    <title>Check mark yes</title>
-    <path
-        fill='#0E8915' 
-        d='M129 20L55 94 21 60 10 71l45 45 85-85z'
-    />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/images/tpm-capabilities.png b/windows/security/threat-protection/images/tpm-capabilities.png
deleted file mode 100644
index aecbb68522..0000000000
Binary files a/windows/security/threat-protection/images/tpm-capabilities.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/tpm-remote-attestation.png b/windows/security/threat-protection/images/tpm-remote-attestation.png
deleted file mode 100644
index fa092591a1..0000000000
Binary files a/windows/security/threat-protection/images/tpm-remote-attestation.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/images/turn-windows-features-on-or-off.png
deleted file mode 100644
index 8d47a53b51..0000000000
Binary files a/windows/security/threat-protection/images/turn-windows-features-on-or-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png
deleted file mode 100644
index 6a1cc80fd4..0000000000
Binary files a/windows/security/threat-protection/images/vbs-example.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna1.png b/windows/security/threat-protection/images/wanna1.png
deleted file mode 100644
index e90d1cc12c..0000000000
Binary files a/windows/security/threat-protection/images/wanna1.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna2.png b/windows/security/threat-protection/images/wanna2.png
deleted file mode 100644
index 7b4a1dcd97..0000000000
Binary files a/windows/security/threat-protection/images/wanna2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna3.png b/windows/security/threat-protection/images/wanna3.png
deleted file mode 100644
index 9b0b176366..0000000000
Binary files a/windows/security/threat-protection/images/wanna3.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna4.png b/windows/security/threat-protection/images/wanna4.png
deleted file mode 100644
index 17fefde707..0000000000
Binary files a/windows/security/threat-protection/images/wanna4.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna5.png b/windows/security/threat-protection/images/wanna5.png
deleted file mode 100644
index 92ecf67d20..0000000000
Binary files a/windows/security/threat-protection/images/wanna5.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna6.png b/windows/security/threat-protection/images/wanna6.png
deleted file mode 100644
index 26824af34d..0000000000
Binary files a/windows/security/threat-protection/images/wanna6.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna7.png b/windows/security/threat-protection/images/wanna7.png
deleted file mode 100644
index 634bd1449d..0000000000
Binary files a/windows/security/threat-protection/images/wanna7.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wanna8.png b/windows/security/threat-protection/images/wanna8.png
deleted file mode 100644
index 59b42eb6f6..0000000000
Binary files a/windows/security/threat-protection/images/wanna8.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdatp-pillars2.png b/windows/security/threat-protection/images/wdatp-pillars2.png
deleted file mode 100644
index 8a67d190b7..0000000000
Binary files a/windows/security/threat-protection/images/wdatp-pillars2.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdeg.png b/windows/security/threat-protection/images/wdeg.png
deleted file mode 100644
index 312167da41..0000000000
Binary files a/windows/security/threat-protection/images/wdeg.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png
deleted file mode 100644
index 01801a519d..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings-options.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png
deleted file mode 100644
index 38404d7569..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-app-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-export.png b/windows/security/threat-protection/images/wdsc-exp-prot-export.png
deleted file mode 100644
index eac90e96f5..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-export.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png b/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png
deleted file mode 100644
index 53edeb6135..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot-sys-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/images/wdsc-exp-prot.png b/windows/security/threat-protection/images/wdsc-exp-prot.png
deleted file mode 100644
index 67abde13e0..0000000000
Binary files a/windows/security/threat-protection/images/wdsc-exp-prot.png and /dev/null differ
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
deleted file mode 100644
index 307fd1ee4b..0000000000
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
-description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
-ms.reviewer: 
-manager: aaroncz
-ms.technology: itpro-security
-ms.date: 12/31/2017
-ms.topic: article
----
- 
-# What is Microsoft Baseline Security Analyzer and its uses?
- 
-Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. 
- 
-MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016.
-
-> [!NOTE]
-> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. 
- 
-## The Solution 
-A script can help you with an alternative to MBSA’s patch-compliance checking:
- 
-- [Using WUA to Scan for Updates Offline](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. 
-For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
- 
-For example:
- 
-[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
-[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
-  
-The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
-The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers.
- 
-## More Information  
-
-For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit.
-
-- [Windows security baselines](windows-security-baselines.md) 
-- [Download Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) 
-- [Microsoft Security Guidance blog](/archive/blogs/secguide/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png
deleted file mode 100644
index 08cb4d5676..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png
deleted file mode 100644
index 9e58d99ead..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-security-center-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png
deleted file mode 100644
index 877b707030..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/host-screen-no-application-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png
deleted file mode 100644
index 5172022256..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index ad5d373c27..0b7b4ac15b 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -15,6 +15,7 @@ ms.custom: asr
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: how-to
 ---
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 6b284c9344..afc6aaef79 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -15,6 +15,7 @@ ms.custom: asr
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: conceptual
 ---
 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png
deleted file mode 100644
index daa96d291d..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Windows-defender-smartscreen-control-2020.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
deleted file mode 100644
index 21a6b4f235..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/accessibility.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
-  <path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
deleted file mode 100644
index ab2d5152ca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/powershell.svg
+++ /dev/null
@@ -1,20 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#32bedd" />
-      <stop offset="0.175" stop-color="#32caea" />
-      <stop offset="0.41" stop-color="#32d2f2" />
-      <stop offset="0.775" stop-color="#32d4f5" />
-    </linearGradient>
-  </defs>
-  <title>MsPortalFx.base.images-10</title>
-  <g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
-    <g>
-      <path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
-      <path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
-      <path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
-      <path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
-      <rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
-    </g>
-  </g>
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
deleted file mode 100644
index dbbad7d780..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/provisioning-package.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
-  <path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg b/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
deleted file mode 100644
index 06ab4c09d7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/registry.svg
+++ /dev/null
@@ -1,22 +0,0 @@
-<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
-  <defs>
-    <linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#76bc2d" />
-      <stop offset="0.32" stop-color="#73b82c" />
-      <stop offset="0.65" stop-color="#6cab29" />
-      <stop offset="0.99" stop-color="#5e9724" />
-      <stop offset="1" stop-color="#5e9624" />
-    </linearGradient>
-    <linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
-      <stop offset="0" stop-color="#0078d4" />
-      <stop offset="0.17" stop-color="#1c84dc" />
-      <stop offset="0.38" stop-color="#3990e4" />
-      <stop offset="0.59" stop-color="#4d99ea" />
-      <stop offset="0.8" stop-color="#5a9eee" />
-      <stop offset="1" stop-color="#5ea0ef" />
-    </linearGradient>
-  </defs>
-  <title>Icon-general-18</title>
-  <path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
-  <rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
-</svg>
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png
deleted file mode 100644
index a3286fb528..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-security-center.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png b/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png
deleted file mode 100644
index e51cd9384c..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-smartscreen/images/windows-defender-smartscreen-control.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 393d33b206..ba53584a0f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -10,6 +10,7 @@ manager: aaroncz
 ms.technology: itpro-security
 adobe-target: true
 ms.collection: 
+  - tier2
   - highpri
 ms.date: 12/31/2017
 ms.topic: article
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
deleted file mode 100644
index 0ee92c6736..0000000000
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows)
-description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps.
-ms.prod: windows-client
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 10/13/2017
-ms.reviewer: 
-manager: aaroncz
-ms.author: vinpa
-ms.technology: itpro-security
-ms.topic: how-to
----
-
-# Set up and use Microsoft Defender SmartScreen on individual devices
-
-**Applies to:**
-- Windows 10, version 1703
-- Windows 11
-- Microsoft Edge
-
-Microsoft Defender SmartScreen helps to protect users if they try to visit sites previously reported as phishing or malware websites, or if a user tries to download potentially malicious files.
-
-## How users can use Windows Security to set up Microsoft Defender SmartScreen
-Starting with Windows 10, version 1703, users can use Windows Security to set up Microsoft Defender SmartScreen for an individual device; unless an administrator has used Group Policy or Microsoft Intune to prevent it.
-
->[!NOTE]
->If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
-
-**To use Windows Security to set up Microsoft Defender SmartScreen on a device**
-1. Open the Windows Security app, and then select **App & browser control** > **Reputation-based protection settings**.
-
-2. In the **Reputation-based protection** screen, choose from the following options:
-
-   - In the **Check apps and files** area:
-
-       - **On.** Warns users that the apps and files being downloaded from the web are potentially dangerous but allows the action to continue.
-
-       - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
-
-   - In the **Microsoft Defender SmartScreen for Microsoft Edge** area:
-        
-       - **On.** Warns users that sites and downloads are potentially dangerous but allows the action to continue while running in Microsoft Edge.
-        
-       - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from downloading potentially malicious apps and files.
-   - In the **Potentially unwanted app blocking** area:
-
-      - **On.** Turns on both the 'Block apps' and 'Block downloads settings. To learn more, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md#potentially-unwanted-application-pua).
-          - **Block apps.** This setting will prevent new apps from installing on the device and warn users of apps that are existing on the device.
-
-          - **Block downloads.** This setting will alert users and stop the downloads of apps in the Microsoft Edge browser (based on Chromium).
-
-      - **Off.** Turns off Potentially unwanted app blocking, so a user isn't alerted or stopped from downloading or installing potentially unwanted apps.
-
-   - In the **Microsoft Defender SmartScreen from Microsoft Store apps** area:
-        
-     - **On.** Warns users that the sites and downloads used by Microsoft Store apps are potentially dangerous but allows the action to continue.
-        
-     - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
-
-       ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png)
-
-## How Microsoft Defender SmartScreen works when a user tries to run an app
-Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
-
-By default, users can bypass Microsoft Defender SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. You can also use Group Policy or Microsoft Intune to block your employees from using unrecognized apps, or to entirely turn off Microsoft Defender SmartScreen (not recommended).
-
-## How users can report websites as safe or unsafe
-Microsoft Defender SmartScreen can be configured to warn users from going to a potentially dangerous site. Users can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
-
-**To report a website as safe from the warning message**
-- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
-
-**To report a website as unsafe from Microsoft Edge**
-- If a site seems potentially dangerous, users can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
-
-**To report a website as unsafe from Internet Explorer 11**
-- If a site seems potentially dangerous, users can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
-
-## Related topics
-- [Threat protection](../index.md)
-
-- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)
-
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
index e6f9bec119..969423ed4a 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 08/16/2021
 ms.technology: itpro-security
@@ -23,7 +24,7 @@ ms.technology: itpro-security
 
 **Applies to**
 -   Windows 11
--   Windows 10
+-   Windows 10
 
 Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.
 
@@ -47,7 +48,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes.
 
 ### Default values
 
-The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
 
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
index 7436c55ccd..1aa90a6526 100644
--- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
+++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 11/02/2018
 ms.technology: itpro-security
@@ -34,7 +35,7 @@ The **Account lockout threshold** policy setting determines the number of failed
 Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.
 However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account.
 
-Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.
+Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn't need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.
 
 ### Possible values
 
@@ -46,7 +47,7 @@ Because vulnerabilities can exist when this value is configured and when it's no
 
 ### Best practices
 
-The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization.
+The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization.
 
 As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 
@@ -116,7 +117,7 @@ Because vulnerabilities can exist when this value is configured and when it's no
     
 -   Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
 
-    [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
+    [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
     
     Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
 
diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
index bd80ebe594..760392434f 100644
--- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
+++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md
@@ -27,7 +27,7 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md).
+This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts).
 
 There are two options if this setting is enabled:
 
diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
index 8cdc5e7f53..f28c135001 100644
--- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png b/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png
deleted file mode 100644
index 52acafba66..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-admin-approval-mode-for-the-built-in-administrator-account.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png b/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png
deleted file mode 100644
index 858be4e70e..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png b/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png
deleted file mode 100644
index 2efa6877c8..0000000000
Binary files a/windows/security/threat-protection/security-policy-settings/images/uac-notify-me-only-when-apps-try-to-make-changes-to-my-pc.png and /dev/null differ
diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md
deleted file mode 100644
index f0dbde13f1..0000000000
--- a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 1/4/2019
-ms.reviewer: 
-manager: aaroncz
-ms.topic: include
-ms.prod: m365-security
----
-Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles.
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index b65e3da751..41c09e6eb4 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/18/2018
 ms.technology: itpro-security
@@ -29,7 +30,7 @@ Describes the best practices, location, values, management, and security conside
 
 ## Reference
 
-Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user’s session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
+Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the user's session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
 
 > [!NOTE]
 > If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
@@ -42,7 +43,7 @@ If **Machine will be locked after** is set to zero (0) or has no value (blank),
 
 ### Best practices
 
-Set the time for elapsed user-input inactivity based on the device’s usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity.
+Set the time for elapsed user-input inactivity based on the device's usage and location requirements. For example, if the device or device is in a public area, you might want to have the device automatically lock after a short period of inactivity to prevent unauthorized access. However, if the device is used by an individual or group of trusted individuals, such as in a restricted manufacturing area, automatically locking the device might hinder productivity.
 
 ### Location
 
@@ -52,7 +53,7 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol
 
 ### Default values
 
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
 
 | Server type or GPO | Default value |
 | - | - |
@@ -85,7 +86,7 @@ This policy setting helps you prevent unauthorized access to devices under your
 
 ### Countermeasure
 
-Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device’s usage and location requirements.
+Set the time for elapsed user-input inactivity time by using the security policy setting **Interactive logon: Machine inactivity limit** based on the device's usage and location requirements.
 
 ### Potential impact
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index 91919d8ae3..92341b9213 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re
 
 ### Best practices
 
-The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting. 
+The [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) don't recommend configuring this setting. 
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
index bcdeda1852..5eb5a6a0b4 100644
--- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
+++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
index 02c1a25fd5..f9b90574fd 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md
@@ -35,7 +35,7 @@ The **Minimum password age** policy setting determines the period of time (in da
 
 ### Best practices
 
-[Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day. 
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend setting **Minimum password age** to one day. 
 
 Setting the number of days to 0 allows immediate password changes. This setting isn't recommended. 
 Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. 
diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
index cde1a5df8b..b74a12c22c 100644
--- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
+++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 03/30/2022
 ms.technology: itpro-security
@@ -50,7 +51,7 @@ In addition, requiring long passwords can actually decrease the security of an o
 
 ### Default values
 
-The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page.
 
 | Server type or Group Policy Object (GPO) | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 67f28accd4..42cb403da5 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -11,6 +11,7 @@ ms.reviewer:
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ---
 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
index a9b0b1ae89..465adda6a7 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
@@ -9,6 +9,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
index e1585d602e..23edb11516 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
@@ -75,7 +76,7 @@ HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
 
 ### Default values
 
-The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
 
 | Server type or GPO | Default value |
 | - | - |
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
index d6f73cfb32..b84eb1eaf9 100644
--- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.technology: itpro-security
 ms.date: 12/31/2017
diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md
index b4163b8525..e28f4796b7 100644
--- a/windows/security/threat-protection/security-policy-settings/password-policy.md
+++ b/windows/security/threat-protection/security-policy-settings/password-policy.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
index 1891e3b322..275d4a0bd8 100644
--- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
+++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md
@@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco
 
 Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. 
 
-[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
 
 ### Location
 
@@ -69,7 +69,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the
 
 ### Countermeasure
 
-[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15.
+[Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15.
 
 ### Potential impact
 
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 79136b00da..e5a2bba1d9 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 04/19/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index f8f1af1c61..205e5f9c9a 100644
--- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -59,7 +59,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP
 
 We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode.
 
-For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
+For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md).
 
 ### Location
 
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 0439fc8ee1..7e7e14c8c0 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 12/16/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
index c2987aea45..bf315dd58b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 10/16/2017
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
deleted file mode 100644
index acdfc6b79b..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ /dev/null
@@ -1,165 +0,0 @@
----
-title: Use audit events to create then enforce WDAC policy rules (Windows)
-description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: windows-client
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: jsuther1974
-ms.reviewer: jogeurte
-ms.author: vinpa
-manager: aaroncz
-ms.date: 05/03/2021
-ms.technology: itpro-security
-ms.topic: article
----
-
-# Use audit events to create WDAC policy rules and Convert **base** policy from audits to enforced
-
-**Applies to:**
-
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
-
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md).
-
-Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your Windows Defender Application Control policy (WDAC) but should be included.
-
-While a WDAC policy is running in audit mode, any binary that runs but would have been denied is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. Script and MSI are logged in the **Applications and Services Logs\\Microsoft\\Windows\\AppLocker\\MSI and Script** event log. These events can be used to generate a new WDAC policy that can be merged with the original Base policy or deployed as a separate Supplemental policy, if allowed.
-
-## Overview of the process to create WDAC policy to allow apps using audit events
-
-> [!NOTE]
-> You must have already deployed a WDAC audit mode policy to use this process. If you have not already done so, see [Deploying Windows Defender Application Control policies](windows-defender-application-control-deployment-guide.md).
-
-To familiarize yourself with creating WDAC rules from audit events, follow these steps on a device with a WDAC audit mode policy.
-
-1. Install and run an application not allowed by the WDAC policy but that you want to allow.
-
-2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
-
-   **Figure 1. Exceptions to the deployed WDAC policy** <br>
-
-   ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png)
-
-3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
-
-   ```powershell
-   $PolicyName= "Lamna_FullyManagedClients_Audit"
-   $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
-   $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
-   $EventsPolicyWarnings=$env:userprofile+"\Desktop\EventsPolicyWarnings.txt"
-   ```
-
-4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
-
-   ```powershell
-   New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
-   ```
-
-   > [!NOTE]
-   > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **FilePublisher** rule level with a fallback level of  **Hash**, which may be more specific than desired. You can re-run the above command using different **-Level** and **-Fallback** options to meet your needs. For more information about WDAC rule levels, see [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md).
-
-5. Find and review the WDAC policy file **EventsPolicy.xml** that should be found on your desktop. Ensure that it only includes file and signer rules for applications, binaries, and scripts you wish to allow. You can remove rules by manually editing the policy XML or use the WDAC Policy Wizard tool (see [Editing existing base and supplemental WDAC policies with the Wizard](wdac-wizard-editing-policy.md)).
-
-6. Find and review the text file **EventsPolicyWarnings.txt** that should be found on your desktop. This file will include a warning for any files that WDAC couldn't create a rule for at either the specified rule level or fallback rule level.
-
-   > [!NOTE]
-   > New-CIPolicy only creates rules for files that can still be found on disk. Files which are no longer present on the system will not have a rule created to allow them. However, the event log should have sufficient information to allow these files by manually editing the policy XML to add rules. You can use an existing rule as a template and verify your results against the WDAC policy schema definition found at **%windir%\schemas\CodeIntegrity\cipolicy.xsd**.
-
-7. Merge **EventsPolicy.xml** with the Base policy **Lamna_FullyManagedClients_Audit.xml** or convert it to a supplemental policy.
-
-    For information on merging policies, refer to [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) and for information on supplemental policies see [Use multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md).
-
-8. Convert the Base or Supplemental policy to binary and deploy using your preferred method.
-
-## Convert WDAC **BASE** policy from audit to enforced
-
-As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
-
-**Alice Pena** is the IT team lead responsible for Lamna's WDAC rollout.
-
-Alice previously created and deployed a policy for the organization's [fully managed devices](create-wdac-policy-for-fully-managed-devices.md). They updated the policy based on audit event data as described in [Use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md) and redeployed it. All remaining audit events are as expected and Alice is ready to switch to enforcement mode.
-
-1. Initialize the variables that will be used and create the enforced policy by copying the audit version.
-
-   ```powershell
-   $EnforcedPolicyName = "Lamna_FullyManagedClients_Enforced"
-   $AuditPolicyXML = $env:USERPROFILE+"\Desktop\Lamna_FullyManagedClients_Audit.xml"
-   $EnforcedPolicyXML = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+".xml"
-   cp $AuditPolicyXML $EnforcedPolicyXML
-   ```
-
-2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new policy a unique ID, and descriptive name. Changing the ID and name lets you deploy the enforced policy side by side with the audit policy. Do this step if you plan to harden your WDAC policy over time. If you prefer to replace the audit policy in-place, you can skip this step.
-
-   ```powershell
-   $EnforcedPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedPolicyXML -PolicyName $EnforcedPolicyName -ResetPolicyID
-   $EnforcedPolicyID = $EnforcedPolicyID.Substring(11)
-   ```
-
-   > [!NOTE]
-   > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
-
-3. *[Optionally]* Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”). Option 9 allows users to disable WDAC enforcement for a single boot session from a pre-boot menu. Option 10 instructs Windows to switch the policy from enforcement to audit only if a boot critical kernel-mode driver is blocked. We strongly recommend these options when deploying a new enforced policy to your first deployment ring. Then, if no issues are found, you can remove the options and restart your deployment.
-
-   ```powershell
-   Set-RuleOption -FilePath $EnforcedPolicyXML -Option 9
-   Set-RuleOption -FilePath $EnforcedPolicyXML -Option 10
-   ```
-
-4. Use Set-RuleOption to delete the audit mode rule option, which changes the policy to enforcement:
-
-   ```powershell
-   Set-RuleOption -FilePath $EnforcedPolicyXML -Option 3 -Delete
-   ```
-
-5. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary:
-
-   > [!NOTE]
-   > If you did not use -ResetPolicyID in Step 2 above, then you must replace $EnforcedPolicyID in the following command with the *PolicyID* attribute found in your base policy XML.
-
-   ```powershell
-   $EnforcedPolicyBinary = $env:USERPROFILE+"\Desktop\"+$EnforcedPolicyName+"_"+$EnforcedPolicyID+".xml"
-   ConvertFrom-CIPolicy $EnforcedPolicyXML $EnforcedPolicyBinary
-   ```
-
-## Make copies of any needed **supplemental** policies to use with the enforced base policy
-
-Since the enforced policy was given a unique PolicyID in the previous procedure, you need to duplicate any needed supplemental policies to use with the enforced policy. Supplemental policies always inherit the Audit or Enforcement mode from the base policy they modify. If you didn't reset the enforcement base policy's PolicyID, you can skip this procedure.
-
-1. Initialize the variables that will be used and create a copy of the current supplemental policy. Some variables and files from the previous procedure will also be used.
-
-   ```powershell
-   $SupplementalPolicyName = "Lamna_Supplemental1"
-   $CurrentSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Audit.xml"
-   $EnforcedSupplementalPolicy = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_Enforced.xml"
-   ```
-
-2. Use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) to give the new supplemental policy a unique ID and descriptive name, and change which base policy to supplement.
-
-   ```powershell
-   $SupplementalPolicyID = Set-CIPolicyIdInfo -FilePath $EnforcedSupplementalPolicy -PolicyName $SupplementalPolicyName -SupplementsBasePolicyID $EnforcedPolicyID -BasePolicyToSupplementPath $EnforcedPolicyXML -ResetPolicyID
-   $SupplementalPolicyID = $SupplementalPolicyID.Substring(11)
-   ```
-
-   > [!NOTE]
-   > If Set-CIPolicyIdInfo does not output the new PolicyID value on your Windows 10 version, you will need to obtain the *PolicyId* value from the XML directly.
-
-3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC supplemental policy to binary:
-
-   ```powershell
-   $EnforcedSuppPolicyBinary = $env:USERPROFILE+"\Desktop\"+$SupplementalPolicyName+"_"+$SupplementalPolicyID+".xml"
-   ConvertFrom-CIPolicy $EnforcedSupplementalPolicy $EnforcedSuppPolicyBinary
-   ```
-
-4. Repeat the steps above if you have other supplemental policies to update.
-
-## Deploy your enforced policy and supplemental policies
-
-Now that your base policy is in enforced mode, you can begin to deploy it to your managed endpoints. For information about deploying policies, see [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png
deleted file mode 100644
index dac1240786..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png
deleted file mode 100644
index 6d265509ea..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png
deleted file mode 100644
index cefb124344..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png
deleted file mode 100644
index 938e397751..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png
deleted file mode 100644
index 3c93b2b948..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png
deleted file mode 100644
index 4f6746eddf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png
deleted file mode 100644
index e3729e8214..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png
deleted file mode 100644
index 782c2017ae..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png
deleted file mode 100644
index b9a4b1881f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png
deleted file mode 100644
index 25f73eb190..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png
deleted file mode 100644
index d640052d26..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png
deleted file mode 100644
index 3a33c13350..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png b/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png
deleted file mode 100644
index 12ec2b924f..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/policy-id.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png
deleted file mode 100644
index 5cdb4cf3c4..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png
deleted file mode 100644
index 8ef2d0e3ce..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png
deleted file mode 100644
index f201956d4d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png
deleted file mode 100644
index 0c5eacc3f9..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png
deleted file mode 100644
index 98e5507000..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png
deleted file mode 100644
index 1b5483103b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png
deleted file mode 100644
index c37d55910d..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-assignments.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png
deleted file mode 100644
index e132440266..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-custom-create-profile-name.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png
deleted file mode 100644
index cbd0366eff..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png
deleted file mode 100644
index 4d8325baa6..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png
deleted file mode 100644
index e5ae089d6b..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png
deleted file mode 100644
index 55f5173b03..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-wdac-settings.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png
deleted file mode 100644
index 67df953a08..0000000000
Binary files a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index e0b383d280..7acb0c4301 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -11,6 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 author: jgeurten
 ms.reviewer: jsuther
 ms.author: vinpa
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 6ac671b28d..9f5f66cd38 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -11,6 +11,7 @@ ms.localizationpriority: medium
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 author: vinaypamnani-msft
 ms.reviewer: isbrahm
 ms.author: vinpa
@@ -38,7 +39,7 @@ In most organizations, information is the most valuable asset, and ensuring that
 
 Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).
 
-Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
+Application control is a crucial line of defense for protecting enterprises given today's threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand the significance of application control and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
 
 > [!NOTE]
 > Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png
deleted file mode 100644
index 363648cbc0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-notif.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png
deleted file mode 100644
index eec35c6dcf..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-turned-off.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png
deleted file mode 100644
index abf5a30659..0000000000
Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
deleted file mode 100644
index a3773ffe67..0000000000
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Manage Windows Security in Windows 10 in S mode
-description: Learn how to manage Windows Security settings in Windows 10 in S mode. Windows 10 in S mode is streamlined for tighter security and superior performance.
-keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows
-search.product: eADQiWindows 10XVcnh
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/30/2018
-ms.reviewer: 
-manager: aaroncz
-ms.technology: itpro-security
-ms.topic: how-to
----
-
-# Manage Windows Security in Windows 10 in S mode
-
-**Applies to**
-
-- Windows 10 in S mode, version 1803
-
-Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software.
-
-The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
-
-:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png":::
-
-For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
-
-## Managing Windows Security settings with Intune
-
-In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts.
-
-For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](/intune/endpoint-protection-windows-10).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 3f25837b24..41b535c96b 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -11,6 +11,7 @@ manager: aaroncz
 ms.technology: itpro-security
 ms.collection: 
   - highpri
+  - tier2
 ms.date: 12/31/2017
 ms.topic: article
 ---
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png b/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png
deleted file mode 100644
index 99e8cb1384..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/security-center-firmware-protection.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png
deleted file mode 100644
index fbd6a798b0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-validate-system-integrity.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png b/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png
deleted file mode 100644
index 865af86b19..0000000000
Binary files a/windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index f605793303..6c14ed44e0 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -23,7 +23,7 @@ ms.topic: conceptual
 - Windows 11
 - Windows 10
 
-This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
+This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
 
 > [!NOTE]
 > System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@@ -76,7 +76,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
 ![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
 
 > [!NOTE]
 > For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
index 4aeb22b1f0..c1666220e4 100644
--- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index c3caab02c2..b607d65908 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: article
 ms.technology: itpro-security
 appliesto: 
diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
index f8f7c3977f..8fcc33e6d3 100644
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
+++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
index ea3861bad7..2f4b0c3d20 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md
@@ -14,6 +14,7 @@ manager: aaroncz
 audience: ITPro
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
@@ -51,11 +52,13 @@ This topic describes how to create a standard port rule for a specified protocol
 
 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
 
-   >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
+   > [!Note]
+   > Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
 
 5. On the **Program** page, click **All programs**, and then click **Next**.
 
-   >**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
+   > [!Note]
+   > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
 
 6. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number.
 
@@ -71,6 +74,7 @@ This topic describes how to create a standard port rule for a specified protocol
 
 9. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
 
-   >**Note:**  If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card’s cable. A disconnected network card is automatically assigned to the Public network location type.
+   > [!Note]
+   > If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
    
 10. On the **Name** page, type a name and description for your rule, and then click **Finish**.
diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 77ea069a39..cce89be934 100644
--- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -9,6 +9,7 @@ author: paolomatarazzo
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/07/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
deleted file mode 100644
index 759c9f4ce3..0000000000
--- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows)
-description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto: 
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
-  - ✅ <b>Windows Server 2016</b>
-  - ✅ <b>Windows Server 2019</b>
-  - ✅ <b>Windows Server 2022</b>
----
-
-# Evaluating Windows Defender Firewall with Advanced Security Design Examples
-
-
-The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
-
--   [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md)
-
--   [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
-
--   [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
-
--   [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
-
diff --git a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif b/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif
deleted file mode 100644
index 5c7dfb0ebc..0000000000
Binary files a/windows/security/threat-protection/windows-firewall/images/wfas-icon-checkbox.gif and /dev/null differ
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
index 0dead272e0..7bd82a831e 100644
--- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
@@ -9,6 +9,7 @@ author: paolomatarazzo
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
deleted file mode 100644
index 430a461918..0000000000
--- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Procedures Used in This Guide (Windows)
-description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide.
-ms.reviewer: jekrynit
-ms.author: paoloma
-ms.prod: windows-client
-ms.localizationpriority: medium
-author: paolomatarazzo
-manager: aaroncz
-ms.topic: conceptual
-ms.date: 09/08/2021
-ms.technology: itpro-security
-appliesto: 
-  - ✅ <b>Windows 10</b>
-  - ✅ <b>Windows 11</b>
-  - ✅ <b>Windows Server 2016</b>
-  - ✅ <b>Windows Server 2019</b>
-  - ✅ <b>Windows Server 2022</b>
----
-
-# Procedures Used in This Guide
-
-
-The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order.
-
-- [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
-
-- [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
-
-- [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
-
-- [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
-
-- [Configure Authentication Methods](configure-authentication-methods.md)
-
-- [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
-
-- [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
-
-- [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
-
-- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
-
-- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)
-
-- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
-
-- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
-
-- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
-
-- [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
-
-- [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
-
-- [Create a Group Policy Object](create-a-group-policy-object.md)
-
-- [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
-
-- [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
-
-- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
-
-- [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
-
-- [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
-
-- [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
-
-- [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
-
-- [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
-
-- [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
-
-- [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
-
-- [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
-
-- [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
-
-- [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
-
-- [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
-
-- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
-
-- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md)
-
-- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
-
-- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
-
-- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
-
-- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 56c5f70707..13cf7bd61a 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -8,6 +8,7 @@ ms.author: paoloma
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 09/08/2021
 ms.reviewer: jekrynit
@@ -36,7 +37,7 @@ The Windows Defender Firewall with Advanced Security MMC snap-in is more flexibl
 
 ## Feature description
 
-Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
+Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network's isolation strategy.
 
 ## Practical applications
 
diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md
index ecb03506c1..c79a189b61 100644
--- a/windows/security/threat-protection/windows-platform-common-criteria.md
+++ b/windows/security/threat-protection/windows-platform-common-criteria.md
@@ -10,6 +10,8 @@ ms.localizationpriority: medium
 ms.date: 11/4/2022
 ms.reviewer: paoloma
 ms.technology: itpro-security
+ms.collection:
+    - tier3
 ---
 
 # Common Criteria certifications
diff --git a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png b/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png
deleted file mode 100644
index 94be89b74f..0000000000
Binary files a/windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index a6ce54113b..4ff1d859be 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -7,6 +7,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 6/30/2022
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 3987f694a9..6e2f83d198 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -7,6 +7,7 @@ ms.author: vinpa
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier2
 ms.topic: article
 ms.date: 6/30/2022
 ms.technology: itpro-security
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png b/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png
deleted file mode 100644
index 242f5dd9bc..0000000000
Binary files a/windows/security/threat-protection/windows-security-configuration-framework/images/seccon-framework.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index b08b62f673..bac325bbe0 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -8,6 +8,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 02/14/2022
 ms.reviewer: rmunck
@@ -20,7 +21,7 @@ ms.technology: itpro-security
 
 The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
 
-The SCT enables administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
+The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.
 <p></p>
 
 The Security Compliance Toolkit consists of:
@@ -74,9 +75,9 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu
 
 LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. 
 Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. 
-LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files. 
+LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted "LGPO text" files. 
 It can export local policy to a GPO backup. 
-It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
+It can export the contents of a Registry Policy file to the "LGPO text" format that can then be edited, and can build a Registry Policy file from an LGPO text file.
 
 Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/new-amp-updated-security-tools/ba-p/1631613) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 0c513379b1..807e2e2800 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -8,6 +8,7 @@ author: vinaypamnani-msft
 manager: aaroncz
 ms.collection: 
   - highpri
+  - tier3
 ms.topic: conceptual
 ms.date: 01/26/2022
 ms.reviewer: jmunck
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index 64689039a1..ad5c50ecc7 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -1,7 +1,6 @@
 ---
 title: Secure Boot and Trusted Boot
 description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
-search.appverid: MET150
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
@@ -9,9 +8,6 @@ ms.topic: conceptual
 ms.date: 09/21/2021
 ms.prod: windows-client
 ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.collection: 
-ms.custom: 
 ms.reviewer: jsuther
 ---
 
@@ -25,11 +21,11 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
 
 The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
 
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it's trusted by the Secure Boot policy and hasn’t been tampered with. 
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader's digital signature to ensure that it's trusted by the Secure Boot policy and hasn't been tampered with. 
 
 ## Trusted Boot
 
-Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product's early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
 
 Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.