diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index adc2f3d815..15b7d22d04 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -20,6 +20,8 @@ To enable Autopilot Reset you must: 1. [Enable the policy for the feature](#enable-autopilot-reset) 2. [Trigger a reset for each device](#trigger-autopilot-reset) +[!INCLUDE [remote-wipe-autopilot-reset](../../includes/licensing/remote-wipe-autopilot-reset.md)] + ## Enable Autopilot Reset To use Autopilot Reset, [Windows Recovery Environment (WinRE) must be enabled on the device](#winre). diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md index 2e86f60f6a..d32bed289c 100644 --- a/windows/client-management/config-lock.md +++ b/windows/client-management/config-lock.md 
@@ -26,11 +26,9 @@ To summarize, config lock: ## Configuration Flow -After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). +After a [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure) reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). -## System Requirements - -Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). +[!INCLUDE [secured-core-configuration-lock](../../includes/licensing/secured-core-configuration-lock.md)] ## Enabling config lock using Microsoft Intune diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index ecc058a048..65a8d393da 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -56,6 +56,8 @@ For more information about the MDM policies defined in the MDM security baseline For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). +[!INCLUDE [manage-by-mobile-device-management-mdm-and-group-policy](../../includes/licensing/manage-by-mobile-device-management-mdm-and-group-policy.md)] + ## Frequently Asked Questions ### Can there be more than one MDM server to enroll and manage devices in Windows? 
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index fca2b5ab94..0fdc2d15c1 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -71,6 +71,8 @@ There are several kiosk configuration methods that you can choose from, dependin >[!IMPORTANT] >Single-app kiosk mode isn't supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +[!INCLUDE [assigned-access-kiosk-mode](../../includes/licensing/assigned-access-kiosk-mode.md)] + ## Methods for a single-app kiosk running a UWP app You can use this method | For this edition | For this kiosk account type diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index 27c8a6dad3..3190bc8236 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml @@ -7,7 +7,7 @@ items: items: - name: Windows Hello for Business 🔗 href: hello-for-business/index.yml - - name: Windows presence sensing 🔗 + - name: Windows presence sensing href: https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb - name: Windows Hello for Business Enhanced Security Sign-in (ESS) 🔗 href: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index dbb586c517..cb05a5d266 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md 
@@ -50,6 +50,8 @@ Microsoft Defender SmartScreen provide an early warning system against websites > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. +[!INCLUDE [microsoft-defender-smartscreen](../../../../includes/licensing/microsoft-defender-smartscreen.md)] + ## Submit files to Microsoft Defender SmartScreen for review If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide). diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index 8597ee9893..58dea5e41a 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md 
@@ -39,6 +39,8 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled. +[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)] + ## Configure Enhanced Phishing Protection for your organization Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP. diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index b6fcd28bd2..a29c0cb634 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -1,5 +1,5 @@ --- -title: Control the health of Windows 10-based devices (Windows 10) +title: Control the health of Windows devices description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. ms.prod: windows-client ms.date: 10/13/2017 @@ -11,7 +11,7 @@ manager: dougeby ms.topic: conceptual --- -# Control the health of Windows 10-based devices +# Control the health of Windows devices **Applies to** @@ -327,6 +327,8 @@ For Windows 10-based devices, Microsoft introduces a new public API that will al For more information on device health attestation, see the [Detect an unhealthy Windows 10-based device](#detect-unhealthy) section. +[!INCLUDE [device-health-attestation-service](../../../includes/licensing/device-health-attestation-service.md)] + ### Hardware requirements The following table details the hardware requirements for both virtualization-based security services and the health attestation feature. For more information, see [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview). diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 03d4f6bba0..301d74416d 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md 
@@ -32,6 +32,8 @@ The following topics provide a discussion of each policy setting's implementatio >[!NOTE] >Account lockout settings for remote access clients can be configured separately by editing the Registry on the server that manages the remote access. For more information, see [How to configure remote access client account lockout](/troubleshoot/windows-server/networking/configure-remote-access-client-account-lockout). +[!INCLUDE [account-lockout-policy](../../../../includes/licensing/account-lockout-policy.md)] + ## In this section | Topic | Description | diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index e5a2bba1d9..5cac6b5f49 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md 
@@ -71,6 +71,8 @@ The Security Settings extension of the Local Group Policy Editor includes the fo - **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks by using cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. - **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. +[!INCLUDE [windows-security-policy-settings-and-auditing](../../../../includes/licensing/windows-security-policy-settings-and-auditing.md)] + ## Policy-based security settings management The Security Settings extension to Group Policy provides an integrated policy-based management infrastructure to help you manage and enforce your security policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 161e563a19..a03dd12363 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md 
@@ -59,6 +59,8 @@ The blocklist is updated with each new major release of Windows, typically 1-2 t Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies. +[!INCLUDE [microsoft-vulnerable-driver-blocklist](../../../../includes/licensing/microsoft-vulnerable-driver-blocklist.md)] + ## Blocking vulnerable drivers using WDAC Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 282125d3bd..a5468a9a20 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md 
@@ -23,7 +23,7 @@ Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Serv The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - +[!INCLUDE [windows-firewall](../../../../includes/licensing/windows-firewall.md)] ## Feature description diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 74e81b1a05..8f3d7bd7de 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -32,10 +32,10 @@ Windows Sandbox has the following properties: > [!IMPORTANT] > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). +[!INCLUDE [windows-sandbox](../../../../includes/licensing/windows-sandbox.md)] + ## Prerequisites -- Windows 10, version 1903 and later, or Windows 11 -- Windows Pro, Enterprise or Education edition - ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index ad5c50ecc7..8790964196 100644 
--- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -29,6 +29,8 @@ Trusted Boot picks up the process that started with Secure Boot. The Windows boo Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. +[!INCLUDE [secure-boot-and-trusted-boot](../../includes/licensing/secure-boot-and-trusted-boot.md)] + ## See also [Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file
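
Review bot: In windows/client-management/config-lock.md (hunk @@ -26,11 +26,9), the rewritten first sentence of "Configuration Flow" reads "After a [secured-core PCs](...) reaches the desktop", which pairs "a" and "reaches" with a plural link text; make the link text singular, "a [secured-core PC](...)". The same hunk deletes the "## System Requirements" heading and its sentence about Windows Professional and Enterprise editions, so any link that targets that heading's anchor will stop resolving. Please confirm that the secured-core-configuration-lock include states the edition requirement.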
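
Review bot: In windows/security/identity-protection/toc.yml (hunk @@ -7,7 +7,7), the 🔗 marker is dropped from "Windows presence sensing" even though its href is still an absolute https://support.microsoft.com URL, while the entries directly above and below keep the marker. Either keep the marker here or explain in the commit message what it denotes, so the TOC stays consistent. This change also looks unrelated to the licensing includes added in the rest of the patch and may belong in its own commit.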
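
Review bot: In protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md (hunk @@ -1,5 +1,5), the title and the H1 change to "Control the health of Windows devices", but the description line in the same front matter still says "the health of Windows 10-based devices", and the context around line 327 still reads "For Windows 10-based devices" and "Detect an unhealthy Windows 10-based device". Update the description to match the new title, or leave the title alone until the body is revised. ms.date is also still 10/13/2017 after this content change.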
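
Review bot: In windows-sandbox-overview.md (hunk @@ -32,10 +32,10), the Prerequisites list loses "Windows 10, version 1903 and later, or Windows 11" along with the edition bullet. The edition bullet is licensing information and fits the new include, but the minimum OS version is a technical prerequisite. Unless includes/licensing/windows-sandbox.md carries the version floor, keep that bullet in the list; the remaining ARM64 bullet still refers to "Windows 11, version 22H2 and later", so the list would otherwise state a version for one architecture only.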
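
Review bot: In windows-firewall-with-advanced-security.md (hunk @@ -23,7 +23,7), the include replaces an existing empty line, whereas every other file in this patch adds the include followed by its own blank line. Check that an empty line still separates the [!INCLUDE] directive from the paragraph above it and from "## Feature description" below, so Markdown does not join it to the adjacent text.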
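
Review bot: In windows/security/trusted-boot.md (hunk @@ -29,6 +29,8), the file still ends with "\ No newline at end of file" after the edit. Since the file is being touched anyway, add the trailing newline after the "Secure the Windows boot process" link to keep later diffs clean.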