May freshness review

.openpublishing.redirection.windows-security.json

@@ -9169,6 +9169,11 @@
       "source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
       "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/cloud-security/index.md",
+      "redirect_url": "/windows/security/cloud-services",
+      "redirect_document_id": false
     }
   ]
 }

education/windows/windows-11-se-settings-list.md

@@ -2,7 +2,7 @@
 title: Windows 11 SE settings list
 description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
 ms.topic: reference
-ms.date: 08/18/2023
+ms.date: 05/06/2024
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
 ms.collection:

windows/security/cloud-services/index.md

@@ -1,18 +1,18 @@
 ---
-title: Windows and cloud security
+title: Windows and cloud services
-description: Get an overview of cloud security features in Windows.
+description: Get an overview of cloud-based services in Windows.
-ms.date: 08/02/2023
+ms.date: 05/06/2024
 ms.topic: overview
 author: paolomatarazzo
 ms.author: paoloma
 ---
 
-# Windows and cloud security
+# Windows and cloud services
 
 Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
 
 From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
 
-Learn more about cloud security features in Windows.
+Learn more about cloud-based services in Windows.
 
 [!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]

windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md

@@ -1,26 +1,26 @@
 ---
 title: Dual Enrollment
 description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 07/05/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 
 # Dual Enrollment
 
-**Requirements**
+[!INCLUDE [intro](deploy/includes/intro.md)]
-
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](deploy/includes/tooltip-deployment-onpremises.md)], [!INCLUDE [tooltip-deployment-hybrid](deploy/includes/tooltip-deployment-hybrid.md)]
-- Hybrid and On-premises Windows Hello for Business deployments
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](deploy/includes/tooltip-trust-cert.md)]
-- Enterprise joined or Hybrid Azure joined devices
+- **Join type:** [!INCLUDE [tooltip-join-domain](deploy/includes/tooltip-join-domain.md)], [!INCLUDE [tooltip-join-hybrid](deploy/includes/tooltip-join-hybrid.md)]
-- Certificate trust
+---
 
 > [!IMPORTANT]
-> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature.  Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users.  Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used.  Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
+> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages organizations to use the Privileged Access Workstations for their privileged credential users. Organizations can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature can't be used. To learn more, see [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations).
 
 Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
 
-By design, Windows does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
+By design, Windows doesn't enumerate all Windows Hello for Business users from within a user's session. Using the group policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
 
-With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
+With this setting, administrative users can sign in to Windows using their non-privileged Windows Hello credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using `runas.exe` combined with the `/smartcard` argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
 
 > [!IMPORTANT]
 > You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
@@ -29,36 +29,44 @@ With this setting, administrative users can sign in to Windows 10, version 1709
 
 In this task, you will
 
-* Configure Active Directory to support Domain Administrator enrollment
+- Configure Active Directory to support Domain Administrator enrollment
-* Configure Dual Enrollment using Group Policy
+- Configure Dual Enrollment using Group Policy
 
 ### Configure Active Directory to support Domain Administrator enrollment
 
-The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute.  You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
+The designed Windows Hello for Business configuration gives the `Key Admins` group read and write permissions to the `msDS-KeyCredentialsLink` attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
 
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
+Active Directory Domain Services uses `AdminSDHolder` to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the `AdminSDHolder` read and write permissions to the `msDS-KeyCredential` attribute.
 
-Sign in to a domain controller or management workstation with access equivalent to _domain administrator_.
+Sign in to a domain controller or management workstation with access equivalent to *domain administrator*
 
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.</br>
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
-```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```</br>
+
-where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment.  For example:</br>
+    ```cmd
-```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
+    dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
-2. To trigger security descriptor propagation, open **ldp.exe**.
+    ```
-3. Click **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
+
-4. Click **Connection** and select **Bind...**  Click **OK** to bind as the currently signed-in user.
+    where `DC=domain,DC=com` is the LDAP path of your Active Directory domain and `domainName\keyAdminGroup` is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
-5. Click **Browser** and select **Modify**.  Leave the **DN** text box blank.  Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**.  Click **Enter** to add this to the **Entry List**.
+
-6. Click **Run** to start the task.
+    ```cmd
-7. Close LDP.  
+    dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
+    ```
+
+1. To trigger security descriptor propagation, open `ldp.exe`
+1. Select **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
+1. Select **Connection** and select **Bind...**  Select **OK** to bind as the currently signed-in user
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
+1. Select **Run** to start the task
+1. Close LDP
 
 ### Configuring Dual Enrollment using Group Policy
 
-You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
+You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
 
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
-2. Edit the Group Policy object from step 1.
+1. Edit the Group Policy object from step 1
-3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
+1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
-4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
-5. Restart computers targeted by this Group Policy object.
+1. Restart computers targeted by this Group Policy object
 
 The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.

windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md

@@ -2,7 +2,7 @@
 title: PDE settings and configuration
 description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
 ---
 
 # PDE settings and configuration

windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml

@@ -4,7 +4,7 @@ metadata:
   title: Frequently asked questions for Personal Data Encryption (PDE)
   description: Answers to common questions regarding Personal Data Encryption (PDE).
   ms.topic: faq
-  ms.date: 08/11/2023
+  ms.date: 05/06/2024
 
 title: Frequently asked questions for Personal Data Encryption (PDE)
 summary: |

windows/security/operating-system-security/data-protection/personal-data-encryption/index.md

@@ -2,7 +2,7 @@
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
 ---
 
 # Personal Data Encryption (PDE)

windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md

@@ -1,7 +1,7 @@
 ---
 title: How to configure cryptographic settings for IKEv2 VPN connections
 description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -1,7 +1,7 @@
 ---
 title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
 description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 12/12/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-authentication.md

@@ -1,7 +1,7 @@
 ---
 title: VPN authentication options
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md

@@ -1,7 +1,7 @@
 ---
 title: VPN auto-triggered profile options
 description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md

@@ -1,7 +1,7 @@
 ---
 title: VPN and conditional access
 description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md

@@ -1,7 +1,7 @@
 ---
 title: VPN connection types
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-guide.md

@@ -1,7 +1,7 @@
 ---
 title: Windows VPN technical guide
 description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: overview
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md

@@ -1,7 +1,7 @@
 ---
 title: VPN name resolution
 description: Learn how name resolution works when using a VPN connection.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md

@@ -2,7 +2,7 @@
 title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 ms.topic: how-to
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ---
 # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 

windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md

@@ -1,7 +1,7 @@
 ---
 title: VPN profile options
 description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
 

windows/security/operating-system-security/network-security/vpn/vpn-routing.md

@@ -1,5 +1,5 @@
 ---
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 title: VPN routing decisions
 description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
 ms.topic: concept-article

windows/security/operating-system-security/network-security/vpn/vpn-security-features.md

@@ -1,7 +1,7 @@
 ---
 title: VPN security features
 description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
 

windows/security/toc.yml

@@ -16,6 +16,6 @@ items:
 - name: Identity protection
   href: identity-protection/toc.yml
 - name: Cloud security
-  href: cloud-security/toc.yml
+  href: cloud-services/toc.yml
 - name: Windows Privacy 🔗
   href: /windows/privacy