articles/virtual-desktop/security-guide.md
Lines changed: 24 additions & 20 deletions
Original file line number | Diff line number | Diff line change
@@ -67,7 +67,7 @@ Requiring multi-factor authentication for all users and admins in Windows Virtua
67
67
68
68
### Enable Conditional Access
69
69
70
-
Enabling [Conditional Access](../active-directory/conditional-access/best-practices.md)helps you manage risks before you grant users access to your Windows Virtual Desktop environment. When deciding which users to allow access, we recommend you also consider who the user is, which sign-in method they're using, and which device they're using.
70
+
Enabling [Conditional Access](../active-directory/conditional-access/best-practices.md)lets you manage risks before you grant users access to your Windows Virtual Desktop environment. When deciding which users to grant access to, we recommend you also consider who the user is, how they sign in, and which device they're using.
71
71
72
72
### Collect audit logs
73
73
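Review bot: the rewritten Conditional Access sentence keeps the missing space after the link's closing parenthesis that the removed line had (`...best-practices.md)lets you manage risks`), so the link text runs straight into "lets"; change it to `[Conditional Access](../active-directory/conditional-access/best-practices.md) lets you manage risks`.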
@@ -82,63 +82,67 @@ Enabling audit log collection lets you view user and admin activity related to W
82
82
83
83
### Use RemoteApps
84
84
85
-
When choosing a deployment model, you have the choice to provide remote users access to desktops or applications. Remote applicationsprovide a more seamless experience with other applications a user may be interacting with and reduces risk, since the user is only interacting with a subset of the remote machine that is exposed by the application.
85
+
When choosing a deployment model, you can either provide remote users access to entire virtual desktops or only select applications. Remote applications, or RemoteApps, provide a more seamless experience with other applications the user interacts with and reduces risk, since the user is only interacting with a subset of the remote machine exposed by the application.
86
86
87
87
### Monitor usage with Azure Monitor
88
88
89
-
Ensure that the Windows Virtual Desktop service is monitored using [Azure Monitor](https://azure.microsoft.com/en-us/services/monitor/) for usage and availability. Consider creating [service health alerts](../service-health/alerts-activity-log-service-notifications.md) for the Windows Virtual Desktop service to receive notification in the event of a service impacting event.
89
+
Monitor your Windows Virtual Desktop service's usage and availability with [Azure Monitor](https://azure.microsoft.com/services/monitor/). Consider creating [service health alerts](../service-health/alerts-activity-log-service-notifications.md) for the Windows Virtual Desktop service to receive notifications whenever there's a service impacting event.
90
90
91
91
## Session host security best practices
92
92
93
+
This section describes best practices for session host security.
94
+
93
95
### Enable endpoint protection
94
96
95
-
To prevent against known malicious software, we recommend enabling endpoint protection on all session hosts. You may choose to use either Windows Defender Antivirus or a third-party program. To optimize for a VDI environment, follow the recommendations outlined [here](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). Additionally, for profile solutions like FSLogix or others that mount VHD files, we recommend excluding VHD file extensions.
97
+
To protect your deployment from known malicious software, we recommend enabling endpoint protection on all session hosts. You can use either Windows Defender Antivirus or a third-party program. Learn how to set up Windows Defender for a VDI environment, at [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus).
98
+
99
+
For profile solutions like FSLogix or other solutions that mount VHD files, we recommend excluding VHD file extensions.
96
100
97
-
### Install an endpoint detection and response (EDR) product
101
+
### Install an endpoint detection and response product
98
102
99
-
To provide advanced detection and response capabilities, we recommend that you install an EDR product. For server operating systems that have [Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows) enabled, this will deploy Defender ATP. For client operating systems, you can deploy [Defender ATP](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/onboarding) or a thirdparty product to those endpoints.
103
+
We recommend you install an endpoint detection and response (EDR) product to provide advanced detection and response capabilities. For server operating systems with [Azure Security Center](../security-center/security-center-services?tabs=features-windows.md) enabled, this will deploy Defender ATP. For client operating systems, you can deploy [Defender ATP](/windows/security/threat-protection/microsoft-defender-atp/onboarding) or a third-party product to those endpoints.
100
104
101
105
### Enable threat and vulnerability management assessments
102
106
103
-
Identifying software vulnerabilities that exist in operating systems and applications is critical to keeping your environment secure. Azure Security Center can fulfill this need, as it includes vulnerability assessments for server operating systems. You can also use Defender ATP, which provides threat and vulnerability management for desktop operating systems, or even leverage a third party to address this best practice.
107
+
Identifying software vulnerabilities that exist in operating systems and applications is critical to keeping your environment secure. Azure Security Center can help you identify problem spots through vulnerability assessments for server operating systems. You can also use Defender ATP, which provides threat and vulnerability management for desktop operating systems.
104
108
105
109
### Patch software vulnerabilities in your environment
106
110
107
-
Identifying a software vulnerability won’t do you any good unless you follow up by patching it, which is why we recommend vulnerability identification and patching go hand in hand. This extends to virtual environments as well which includes the running operating systems, applications deployed inside of them, and the images that new machines are created from. Follow your vendor patch notification communications and apply patches in a timely manner. We recommend patching your base images monthly to ensure that newlydeployed machines address the most recent set of security vulnerabilities.
111
+
Once you identify a vulnerability, you must patch it. This applies to virtual environments as well which includes the running operating systems, applications deployed inside of them, and the images that new machines are created from. Follow your vendor patch notification communications and apply patches in a timely manner. We recommend patching your base images monthly to ensure that newly-deployed machines are as secure as possible.
108
112
109
113
### Establish maximum inactive time and disconnection policies
110
114
111
-
Logging users off when they are inactive is a best practice. This helps preserve resources and prevent unintentional access. We recommend that timeouts balance user productivity as well as resource usage. For users that interact with stateless applications, consider more aggressive policies which lets machines to be turned off and resources to be preserved. Be aware, however, disconnecting long running applications which continue to run a user is idle, such as a simulation or CAD rendering, are disconnected, may interrupt their work and require it to be restarted.
115
+
Signing users out when they're inactive preserves resources and prevents access by unauthorized users. We recommend that timeouts balance user productivity as well as resource usage. For users that interact with stateless applications, consider more aggressive policies that turn off machines and preserve resources. Be aware that disconnecting long running applications that continue to run if a user is idle, such as a simulation or CAD rendering, can interrupt the user's work and may even require restarting the computer.
112
116
113
117
### Set up screen locks for idle sessions
114
118
115
-
Setting virtual desktop to lock a machine's screen during idle time and requiring authentication to unlock helps to prevent against unwanted system access.
119
+
You can prevent unwanted system access by configuring Windows Virtual Desktop to lock a machine's screen during idle time and requiring authentication to unlock it.
116
120
117
121
### Establish tiered admin access
118
122
119
-
As a best practice, we recommend users not be granted admin access to virtual desktops. If software packages are needed, we recommend they be made available through configuration management utilities like Microsoft Endpoint Manager. In a multisession environment it is strongly recommended that users are not allowed to install software directly.
123
+
We recommend you don't grant your users admin access to virtual desktops. If you need software packages, we recommend you make them available available through configuration management utilities like Microsoft Endpoint Manager. In a multi-session environment, we recommend you don't let users install software directly.
120
124
121
-
### Consider what resources should be accessible to which users
125
+
### Consider which users should access which resources
122
126
123
-
Consider session hosts as an extension of your existing desktop deployment. We recommend ensuring that you are controlling access to network resources in the same way that you do for other desktops in your environment, including using network segmentation and filtering. By default, Session Hosts will have the ability to connect to any resource on the internet. There are several ways to limit traffic including using Azure Firewall, Network Virtual Appliances or Proxies. If limiting traffic is needed, ensure that the proper rules are added to allow Windows Virtual Desktop to operate properly.
127
+
Consider session hosts as an extension of your existing desktop deployment. We recommend you control access to network resources the same way you would for other desktops in your environment, such as using network segmentation and filtering. By default, session hosts can connect to any resource on the internet. There are several ways you can limit traffic, including using Azure Firewall, Network Virtual Appliances, or proxies. If you need to limit traffic, make sure you add the proper rules so that Windows Virtual Desktop can work properly.
124
128
125
129
### Manage Office Pro Plus security
126
130
127
-
In addition to adopting practices to secure session hosts, it is important to consider the security of applications running inside of them. Office Pro Plus is one of the most common applications that is deployed. To improve the security for Office deployments, Microsoft recommends using the [Security Policy Advisor](/DeployOffice/overview-of-security-policy-advisor) for Microsoft 365 Apps for Enterprise. This tool will help to identify policies that can be applied to improve security and provide recommendations to help assess the impact on both security and productivity.
131
+
In addition to securing your session hosts, it's important to also secure the applications running inside of them. Office Pro Plus is one of the most common applications deployed in session hosts. To improve the Office deployment security, we recommend you use the [Security Policy Advisor](/DeployOffice/overview-of-security-policy-advisor) for Microsoft 365 Apps for Enterprise. This tool identifies policies that can you can apply to your deployment for more security, and also gives recommendations that assess the impact of these policies on both security and productivity.
128
132
129
133
### Other security tips for session hosts
130
134
131
-
By restricting operating system capabilities, you can strengthen the security of your session hosts. Here are a few examples of how to do this:
135
+
By restricting operating system capabilities, you can strengthen the security of your session hosts. Here are a few things you can do:
132
136
133
-
-**Control device redirection**: In a remote desktop session, drives, printers, and USB devices can be redirected to a user’s local device. We recommend that you evaluate your security requirements and check if these features ought to be disabled or not.
137
+
- Control device redirection by redirecting drives, printers, and USB devices to a user's local device in a remote desktop session. We recommend that you evaluate your security requirements and check if these features ought to be disabled or not.
134
138
135
-
-**Restrict Windows Explorer Access**: Consider hiding local and remote drive mappings. This prevents users from discovering unwanted information about system configuration and users.
139
+
- Restrict Windows Explorer access by hiding local and remote drive mappings. This prevents users from discovering unwanted information about system configuration and users.
136
140
137
-
-**Avoid direct RDP to session hosts:** Do not allow direct RDP access to session hosts in your environment. If this is needed for administration or troubleshooting, enable [just-in-time](http://go.microsoft.com/fwlink/?LinkId=2004425) access to limit the attack surface on a session host.
141
+
- Avoid direct RDP access to session hosts in your environment. If you need direct RDP access for administration or troubleshooting, enable [just-in-time](../security-center/security-center-just-in-time.md) access to limit the potential attack surface on a session host.
138
142
139
-
-**Grant users limited permissions:** Ensure that your local and remote file systems use access control lists with least privilege, so that users only have access to what they need and cannot change or delete critical resources.
143
+
- Grant users limited permissions when they access local and remote file systems. You can restrict permissions by making sure your local and remote file systems use access control lists with least privilege. This way, users can only access what they need and can't change or delete critical resources.
140
144
141
-
-**Prevent unwanted software from running on session hosts:** Enable App Locker for additional security on Session Hosts. App Locker lets hosts to be locked down so that only approved applications will be allowed to run.
145
+
- Prevent unwanted software from running on session hosts. You can enable App Locker for additional security on session hosts, ensuring that only the apps you allow can run on the host.
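Review bot: the Azure Security Center link in the EDR paragraph is malformed: `../security-center/security-center-services?tabs=features-windows.md` puts `.md` after the query string instead of the file name and will not resolve; use `../security-center/security-center-services.md?tabs=features-windows`. The device redirection bullet also inverts the guidance: the removed line said drives, printers, and USB devices *can be* redirected and asked readers to decide whether to disable that, while `- Control device redirection by redirecting drives, printers, and USB devices to a user's local device` now reads as an instruction to enable redirection; suggest `- Control device redirection. In a remote desktop session, drives, printers, and USB devices can be redirected to a user's local device; evaluate your security requirements and decide whether these features should be disabled.` Smaller points: "make them available available" and "policies that can you can apply" each carry a duplicated word; "RemoteApps ... provide ... and reduces risk" should read "reduce risk"; and in the inactive-session paragraph, "may even require restarting the computer" changes the removed line's meaning, which was that the interrupted work (the simulation or CAD rendering) has to be restarted, not the machine.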