diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 72bcfc72c9..c23e505800 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 audience: itpro
 author: greg-lindsay
 ms.author: greglin
-manager: laurawi
+manager: dougeby
 ms.topic: article
 ---
 # Windows 10 features we’re no longer developing
@@ -26,6 +26,7 @@ The features described below are no longer being actively developed, and might b
 
 |Feature    |  Details and mitigation  | Announced in version |
 | ----------- | --------------------- | ---- |
+| BitLocker To Go Reader | Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.<br>The following items might not be available in a future release of Windows client:<br>- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**<br>- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)<br>- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**<br>- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files  | 21H1 |
 | Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
 | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
 | Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index d13521f976..5e5d767e80 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -32,14 +32,21 @@
     - name: Kernel DMA Protection
       href: information-protection/kernel-dma-protection-for-thunderbolt.md
 - name: Operating system security
-  href: operating-system.md
   items: 
+   - name: Overview
+     href: operating-system.md
    - name: System security   
      items:
-     - name: Secure the Windows 10 boot process
-       href: information-protection/secure-the-windows-10-boot-process.md
-   - name: Encryption and data protection
+     - name: Trusted Boot
+       href: trusted-boot.md
+     - name: Cryptography and certificate management
+       href: cryptography-certificate-mgmt.md
+     - name: The Windows Security app
+       href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
+   - name: Encryption and data protection 
+     href: encryption-data-protection.md
      items:
+     
      - name: Encrypted Hard Drive
        href: information-protection/encrypted-hard-drive.md
      - name: Bitlocker 
@@ -194,12 +201,33 @@
           href: identity-protection/vpn/vpn-office-365-optimization.md
      - name: Windows Defender Firewall
        href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
-- name: Threat protection
-  items: 
-    - name: Microsoft Defender Antivirus
-      href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md
-- name: Application protection
+   - name: Threat protection
+     items: 
+     - name: Microsoft Defender Antivirus
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
+     - name: Attack surface reduction rules
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction
+     - name: Tamper protection
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+     - name: Network protection
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection
+     - name: Controlled folder access
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders
+     - name: Exploit protection
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection
+     - name: Microsoft Defender for Endpoint
+       href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint
+- name: Application security
+  href: apps.md
   items:
+- name: Secured identity
+  href: identity.md
+  items:
+- name: Cloud services
+  href: cloud.md
+  items:
+    - name: MDM and Windows 11
+      href: mdm-windows.md
 - name: User protection
   items:
     - name: Technical support policy for lost or forgotten passwords
diff --git a/windows/security/apps.md b/windows/security/apps.md
index 4b15230a76..098f9524ea 100644
--- a/windows/security/apps.md
+++ b/windows/security/apps.md
@@ -1,6 +1,6 @@
 ---
 title: Windows application security
-description: 
+description: Get an overview of application security in Windows 11
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
index cbce8d9341..f167df48d7 100644
--- a/windows/security/cloud.md
+++ b/windows/security/cloud.md
@@ -1,6 +1,6 @@
 ---
 title: Windows and cloud security
-description: 
+description: Get an overview of cloud services supported in Windows 11
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
@@ -13,5 +13,17 @@ author: dansimp
 
 # Windows and cloud security
 
-Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased 3rd party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services to help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads and safeguard sensitive information while controlling access and mitigating threats. 
+*This article provides an overview of cloud services built into Windows 11.*
+
+Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. 
+
+Windows 11 includes the cloud services that are listed in the following table:<br/><br/>
+
+| Service type | Description |
+|:---|:---|
+| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.<br/><br/>With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.<br/><br/>To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
+| Modern device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.<br/><br/>Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.<br/><br/>To learn more, see [MDM and Windows 11](mdm-windows.md). |
+| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices. <br/><br/>The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards. <br/><br/>To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).|
+| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data. <br/><br/>The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4). <br/><br/>In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
+| Family safety | Microsoft Family Safety empowers people and their family members to create healthy habits and protect their loved ones, both online and offline. People can use their Microsoft account to create a family group on Windows, Xbox, or your mobile devices, and then customize their family settings by using the `family.microsoft.com` website or the Microsoft Family Safety app on Android and iOS.<br/><br/>[Learn more about Microsoft Family Safety](https://www.microsoft.com/en-us/microsoft-365/family-safety).   |
 
diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md
new file mode 100644
index 0000000000..f5d63c9686
--- /dev/null
+++ b/windows/security/cryptography-certificate-mgmt.md
@@ -0,0 +1,43 @@
+---
+title: Cryptography and Certificate Management
+description: Get an overview of cryptography and certificate management in Windows 11
+search.appverid: MET150  
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp 
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/07/2021
+ms.prod: w11
+ms.localizationpriority: medium
+ms.collection: 
+ms.custom: 
+ms.reviewer: skhadeer, raverma
+f1.keywords: NOCSH 
+---
+
+# Cryptography and Certificate Management
+
+*This article describes cryptography and certificate management in Windows 11.*
+
+## Cryptography
+
+Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. 
+
+All cryptography on Windows 11 is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.
+
+Windows cryptographic modules provide low-level primitives such as:
+
+- Random number generators (RNG)
+- Symmetric and asymmetric encryption (support for  AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
+- Hashing (support for SHA-256, SHA-384, and SHA-512)
+- Signing and verification (padding support for OAEP, PSS, PKCS1)
+- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
+
+These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). 
+
+## Certificate management
+
+Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. 
+
+Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. 
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
new file mode 100644
index 0000000000..1841a48867
--- /dev/null
+++ b/windows/security/encryption-data-protection.md
@@ -0,0 +1,57 @@
+---
+title: Encryption and data protection in Windows 11
+description: Get an overview encryption and data protection in Windows 11
+search.appverid: MET150 
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp 
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2021
+ms.prod: w11
+ms.localizationpriority: medium
+ms.collection: 
+ms.custom: 
+ms.reviewer: deepakm, rafals
+f1.keywords: NOCSH  
+---
+
+# Encryption and data protection in Windows 11
+
+*This article provides a brief overview of encryption and data protection built into Windows 11.*
+
+When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, starting with the Encrypting File System (EFS) in the Windows 2000 operating system. 
+
+In Windows 11, encryption and data protection features include:
+
+- Encrypted Hard Drive
+- BitLocker
+
+## Encrypted Hard Drive
+
+Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
+By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
+
+Encrypted hard drives provide:
+
+- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
+- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
+- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
+- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+
+Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. 
+
+## BitLocker
+
+BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. 
+
+BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. 
+
+Windows consistently improves data protection by improving existing options and providing new strategies.
+
+
+## See also
+
+- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
+- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
+
diff --git a/windows/security/hardware.md b/windows/security/hardware.md
index 34c5329f7f..cd1daa5805 100644
--- a/windows/security/hardware.md
+++ b/windows/security/hardware.md
@@ -1,6 +1,6 @@
 ---
 title: Windows hardware security
-description: 
+description: Get an overview of hardware security in Windows 11
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
diff --git a/windows/security/identity.md b/windows/security/identity.md
index 61afd163d1..f943325f1d 100644
--- a/windows/security/identity.md
+++ b/windows/security/identity.md
@@ -1,6 +1,6 @@
 ---
 title: Windows identity security
-description: 
+description: Get an overview of identity security in Windows 11
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png
new file mode 100644
index 0000000000..e062b0d292
Binary files /dev/null and b/windows/security/images/windows-security-app-w11.png differ
diff --git a/windows/security/index.yml b/windows/security/index.yml
index e59fa8c210..6f614b438e 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -11,7 +11,7 @@ metadata:
   ms.collection: m365-security-compliance
   author: dansimp #Required; your GitHub user alias, with correct capitalization.
   ms.author: dansimp #Required; microsoft alias of author; optional team alias.
-  ms.date: 09/01/2021
+  ms.date: 09/07/2021
   localization_priority: Priority
     
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -38,34 +38,48 @@ landingContent:
       - linkListType: overview
         links:
         - text: Overview of operating system security
-          url: /windows/security/information-protection/index.md
+          url: operating-system.md
       - linkListType: concept
         links:
         - text: System security
-          url: /windows/security/information-protection/secure-the-windows-10-boot-process.md
+          url: trusted-boot.md
         - text: Encryption and data protection
-          url: /windows/security/information-protection/encrypted-hard-drive.md
+          url: encryption-data-protection.md
         - text: Network security
           url: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+        - text: Network security
+          url: operating-system.md
+        - text: Virus & threat protection
+          url: operating-system.md
 # Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
   # Card (optional)
-  - title: Threat protection
-    linkLists:
-      - linkListType: overview
-        links:
-        - text: Security baselines (more to follow)
-          url: /windows/security/threat-protection/windows-security-baselines.md
-# Cards and links should be based on top customer tasks or top subjects
-# Start card title with a verb
-  # Card (optional)
-  - title: Application protection
+  - title: Application security
     linkLists:
       - linkListType: overview
         links:
         - text: article (change link later, add more)
           url: /windows/security/threat-protection/windows-security-baselines.md
 # Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card (optional)
+  - title: Secured identity
+    linkLists:
+      - linkListType: overview
+        links:
+        - text: article (change link later, add more)
+          url: /windows/security/threat-protection/windows-security-baselines.md
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card (optional)
+  - title: Cloud services
+    linkLists:
+      - linkListType: overview
+        links:
+        - text: article (change link later, add more)
+          url: /windows/security/threat-protection/windows-security-baselines.md
+
+# Cards and links should be based on top customer tasks or top subjects
 # Start card title with a verb
   # Card (optional)
   - title: User protection
diff --git a/windows/security/mdm-windows.md b/windows/security/mdm-windows.md
new file mode 100644
index 0000000000..2456527534
--- /dev/null
+++ b/windows/security/mdm-windows.md
@@ -0,0 +1,61 @@
+---
+title: Modern device management and Windows 11
+description: Get an overview of modern device management with Microsoft Endpoint Manager and Windows 11
+search.appverid: MET150 
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp 
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2021
+ms.prod: w11
+ms.localizationpriority: medium
+ms.collection: 
+ms.custom: 
+ms.reviewer: 
+f1.keywords: NOCSH 
+---
+
+# Modern device management and Windows 11
+
+Windows 11 supports modern device management (MDM), an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.
+
+Windows 11 includes a management component that includes:
+
+- The enrollment client, which enrolls and configures the endpoint to communicate with the enterprise management server; and
+- The management client, which periodically synchronizes with the management server to check for updates and apply your security team's latest policies.
+
+## MDM features and capabilities
+
+MDM includes several security features & capabilities, as described in the following table:<br/><br/>
+
+| Feature/capability | Description |
+|:---|:---|
+| Remote wipe | When a device is lost or stolen, IT admins can attempt to wipe it remotely and make the data stored in memory and hard disks difficult to recover. Help desk agents can also reset devices to fix issues that are encountered by remote workers.<br/><br/>Windows 10 and Windows 11 supports the remote wipe configuration service provider (CSP) so that MDM solutions can remotely initiate any of the following operations: <br/>- Reset the device and remove user accounts and data <br/>- Reset the device and clean the drive <br/>- Reset the device but persist user accounts and data |
+| Support for your work or school account | Adding a work or school account enables people to connect their devices to your work environment. Devices can be joined to an Active Directory domain, an Azure Active Directory (Azure AD) domain, or by quickly provisioning corporate-owned devices so they meet your security and policy guidelines. <br/><br/>When a device is joined to Azure AD and managed with MDM, you get the following security benefits: <br/>- Fully managed user/device settings and policies by default<br/>- Single Sign On to all Microsoft online services<br/>- Password management capabilities (Windows Hello for Business)<br/>- Authentication using tokens<br/>- No use of consumer Microsoft Account identities | 
+| Config Lock | Security teams and IT admins typically enforce policies on corporate devices to keep those devices in a compliant state, and protect the operating system from changes made by users.<br/><br/>When users who have local admin rights attempt to work around security policies, they run the risk of leaving the device in a non-compliant state called *config drift*. Config drift can introduce security risks until the next time the device syncs with MDM and the configuration is reset. In a worst-case scenario, correcting config drift could take up to eight hours. Many organizations consider config drift a security risk. <br/><br/> Windows 11 with Config Lock enables IT admins to remediate config drift and keep the operating system configuration to its proper state. The operating system monitors the registry keys that configures each feature and when a drift is detected, it will revert back to the IT desired state in seconds. <br/><br/>Config Lock works with Application Control, Application Guard, and BitLocker. |
+| Remote device attestation | Attestation relies on the Trusted Platform Module (TPM) and measured boot capabilities to enhance the security provided by trusted boot. IT administrators can use available boot information to protect against boot-level attacks and misconfigurations. The Microsoft Azure Attestation service securely reports on device boot health, firmware security, and other low-level security features used for device compliance. Microsoft Azure Attestation is designed to be policy-configured, giving control of your enterprise's device health to the administrator, allowing them to deal with low-level threats with confidence. Windows 11 comes with MDM integration with Microsoft Azure Attestation, allowing MDM providers to use the attestation capabilities to trust and enhance device security. <br/><br/>Learn more about [Microsoft Azure Attestation](/azure/attestation). |
+| (other stuff coming soon) | Device Installation, DMA Guard, Endpoint Detection and Response, the Microsoft Defender Security Center, Smartscreen, System Guard, and Windows Hello for Business |
+
+## Security baselines
+
+Windows 11 can be configured with the [Microsoft MDM security baseline](/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-december-2020) backed by ADMX policies, which functions like the Microsoft Group Policy security baseline. Security baselines enable security teams and IT admins to easily integrate this baseline into any MDM, addressing security concerns and compliance needs for modern cloud-managed devices.
+
+The MDM security baseline includes policies that cover the following areas:
+
+- Microsoft inbox security technology (such as BitLocker and Windows Defender SmartScreen), and Virtual-based security (exploit protection, Microsoft Defender Antivirus, and Windows Defender Firewall)
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting the use of legacy technology
+- Legacy technology policies that offer alternative solutions with modern technology
+
+
+## Support for non-Microsoft MDM servers
+
+Non-Microsoft MDM servers can be used to manage Windows 11 by using industry standard protocols. The built-in management client can communicate with a third-party server proxy that supports the MDM protocols to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 11 users. MDM servers do not need to create or download a client to manage Windows 11. 
+
+For details about the MDM protocols, the following resources:
+
+- [MS-MDM: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) 
+- [MS-MDE2: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692)
+
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
index 6c6b8529f3..ee5fa0eda4 100644
--- a/windows/security/operating-system.md
+++ b/windows/security/operating-system.md
@@ -14,14 +14,17 @@ author: denisebmsft
 
 # Windows operating system security
 
+*This article provides an overview of operating system security in Windows 11.*
+
 Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. 
 
-The following table summarizes the operating system security features and capabilities in Windows 11:<br/><br/>
+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11:<br/><br/>
 
 | Security Measures | Features & Capabilities |
 |:---|:---|
-| System security | Trusted Boot (includes Secure Boot and Measured Boot) <br/>Cryptography and certificate management <br/>Windows Security app |
-| Encryption and data protection | BitLocker<br/>Encryption |
-| Network security | Virtual Private Networks (VPNs)<br/>Windows Defender Firewall<br/>Bluetooth<br/>DSN security<br/>Windows Wi-Fi<br/>Transport Layer Security (TLS) |
-| Protection from viruses and threats | Microsoft Defender Antivirus<br/>Attack surface reduction<br/>Tamper protection<br/>Network protection<br/>Controlled folder access<br/>Exploit protection<br/>Additional protection with Microsoft Defender for Endpoint |
+| System security | [Trusted Boot](trusted-boot.md) (includes Secure Boot and Measured Boot) <br/><br/>[Cryptography and certificate management](cryptography-certificate-mgmt.md) <br/><br/>[Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md) |
+| Encryption and data protection | [Encryption and data protection in Windows 11](encryption-data-protection.md)<br/><br/>[Encryption](encryption-data-protection.md)<br/><br/>[BitLocker](information-protection/bitlocker/bitlocker-overview.md) |
+| Network security | [Virtual Private Networks](identity-protection/vpn/vpn-guide.md) (VPNs)<br/><br/>[Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md)<br/><br/>Bluetooth (NEEDED)<br/><br/>Domain Name System (DNS) security (NEEDED)<br/><br/>Windows Wi-Fi (NEEDED)<br/><br/>Transport Layer Security (TLS) (NEEDED) |
+| Protection from viruses and threats | [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)<br/><br/>[Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)<br/><br/>[Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)<br/><br/>[Network protection](/microsoft-365/security/defender-endpoint/network-protection)<br/><br/>[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)<br/><br/>[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)<br/><br/>Integration with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) for additional threat protection |
+
 
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
new file mode 100644
index 0000000000..35a581f3af
--- /dev/null
+++ b/windows/security/trusted-boot.md
@@ -0,0 +1,39 @@
+---
+title: Trusted Boot
+description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
+search.appverid: MET150 
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp 
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2021
+ms.prod: w11
+ms.localizationpriority: medium
+ms.collection: 
+ms.custom: 
+ms.reviewer: jsuther
+f1.keywords: NOCSH  
+---
+
+# Secure Boot and Trusted Boot
+
+*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.*
+
+Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely.
+
+## Secure Boot
+
+The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. 
+
+## Trusted Boot
+
+Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+
+Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally.
+
+## See also
+
+[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md)
\ No newline at end of file