Commit 5e4552c

acrolinx improvements
1 parent 2d48fbf commit 5e4552c

6 files changed: +22 −22 lines changed

azure-local/security-book/conclusion.md

Lines changed: 5 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -12,19 +12,19 @@ ms.reviewer: alkohli
1212

1313
[!INCLUDE [hci-applies-to-23h2](../includes/hci-applies-to-23h2.md)]
1414

15-
We designed Azure Local so it is secure right out of the box. Further, we have provided mechanisms to help the system remain secure over time. We will continue to build on our security foundations with innovations that deliver powerful protection now and in the future.
15+
We designed Azure Local so it's secure right out of the box. Further, we provide mechanisms to help the system remain secure over time. We'll continue to build on our security foundations with innovations that deliver powerful protection now and in the future.
1616

1717
## Endnotes
1818

19-
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
19+
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it shouldn't be interpreted to be a commitment on the part of Microsoft, and Microsoft can't guarantee the accuracy of any information presented after the date of publication.
2020

2121
This paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document.
2222

23-
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
23+
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording, or otherwise, or for any purpose, without the express written permission of Microsoft Corporation.
2424

25-
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
25+
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document doesn't give you any license to these patents, trademarks, copyrights, or other intellectual property.
2626

27-
Microsoft, Azure, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
27+
Microsoft, Azure, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned here may be the trademarks of their respective owners.
2828

2929
© 2025 Microsoft Corporation. All rights reserved.
3030
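Review bot: at line 23 the rewrite drops the parentheses around "electronic, mechanical, photocopying, recording, or otherwise", which leaves "by any means electronic, mechanical, photocopying, recording, or otherwise, or for any purpose" hard to parse and changes the wording of a legal notice. Legal and trademark boilerplate should be left verbatim rather than restyled (the same applies to "herein" → "here" at line 27); suggest restoring the parenthetical.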

azure-local/security-book/operational-security-compliance.md

Lines changed: 6 additions & 6 deletions
@@ -17,25 +17,25 @@ ms.reviewer: alkohli
1717

1818
With Azure Local, you can apply the recommended Azure Local security baseline and Secured-core settings, monitor, and perform drift protection from desired state during both deployment and run-time, using the built-in configuration management stack in the operating system. You can choose if you want drift protection to be turned on or off during deployment time or after deployment using Windows Admin Center or PowerShell.
1919

20-
Once drift protection is applied, the security settings will be refreshed at regular intervals, thus ensuring any change from desired state is remediated. This continuous monitoring and auto-remediation allows you to have consistent and reliable security posture throughout the lifecycle of the system.
20+
Once drift protection is applied, the security settings are refreshed at regular intervals, thus ensuring any change from desired state is remediated. This continuous monitoring and autoremediation allows you to have consistent and reliable security posture throughout the lifecycle of the system.
2121

22-
For those who need to adjust or update security settings based on their own business requirements, in addition to keeping a balanced security posture based on Microsoft’s recommendation, you can still leverage the initial security baseline, stop the drift control, and make any modification over any of the 300+ settings initially defined. To learn more, see [Security baseline and drift control](../manage/manage-secure-baseline.md).
22+
For those who need to adjust or update security settings based on their own business requirements, in addition to keeping a balanced security posture based on Microsoft’s recommendation, you can still apply the initial security baseline, stop the drift control, and make any modification over any of the 300+ settings initially defined. To learn more, see [Security baseline and drift control](../manage/manage-secure-baseline.md).
2323

2424
## Azure security baseline compliance assessment
2525

26-
[Azure Policy](/azure/governance/policy/overview) helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, perpolicy granularity.
26+
[Azure Policy](/azure/governance/policy/overview) helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity.
2727

28-
During run-time, you can use Azure Policy to audit Azure Local host machine configuration and perform compliance assessments based on Azure security baseline policies. In the future, we will also have the capability to remediate the security settings via Azure Policy.
28+
During run-time, you can use Azure Policy to audit Azure Local host machine configuration and perform compliance assessments based on Azure security baseline policies. In the future, we'll also have the capability to remediate the security settings via Azure Policy.
2929

3030
## SIEM integration
3131

32-
Security compliance requires strict logging and auditing of security events. In Azure Local, we recommend customers to use our Cloud SIEM [Azure Sentinel](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-sentinel/) service. For those organizations that use their own SIEM, Azure Local comes with an [integrated syslog forwarder](/azure/azure-local/manage/manage-syslog-forwarding?tabs=syslog-message-schema) mechanism which can be used to forward security related events to a SIEM.
32+
Security compliance requires strict logging and auditing of security events. In Azure Local, we recommend customers to use our Cloud SIEM [Azure Sentinel](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-sentinel/) service. For those organizations that use their own SIEM, Azure Local comes with an [integrated syslog forwarder](/azure/azure-local/manage/manage-syslog-forwarding?tabs=syslog-message-schema) mechanism, which can be used to forward security related events to a SIEM.
3333

3434
The integrated syslog forwarder, once configured, emits syslog messages as defined in RFC 3164, with the payload in Common Event Format (CEF).  All audits and security events are collected on each host and exported via syslog with CEF payload to a Syslog Server endpoint.
3535

3636
## Microsoft Defender for Cloud regulatory compliance
3737

38-
Microsoft Defender for Cloud streamlines the process for meeting [regulatory compliance requirements](/azure/defender-for-cloud/update-regulatory-compliance-packages#what-regulatory-compliance-standards-are-available-in-defender-for-cloud), using the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the regulatory standards that you have applied to your subscriptions. The dashboard reflects the status of your compliance with those standards. The regulatory compliance dashboard provides insights into your compliance posture based on how you are meeting specific compliance requirements such as ISO 27001:2013, PCI DSS v4, and NIST SP 800-53 R5.
38+
Microsoft Defender for Cloud streamlines the process for meeting [regulatory compliance requirements](/azure/defender-for-cloud/update-regulatory-compliance-packages#what-regulatory-compliance-standards-are-available-in-defender-for-cloud), using the regulatory compliance dashboard. Defender for Cloud continuously assesses your hybrid cloud environment to analyze the risk factors according to the controls and best practices in the regulatory standards that you applied to your subscriptions. The dashboard reflects the status of your compliance with those standards. The regulatory compliance dashboard provides insights into your compliance posture based on how you're meeting specific compliance requirements such as ISO 27001:2013, PCI DSS v4, and NIST SP 800-53 R5.
3939

4040
## Related content
4141
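Review bot: line 32 keeps "we recommend customers to use", which is ungrammatical; suggest "we recommend that customers use". While this line is being edited, the linked service is now named Microsoft Sentinel (the URL already reads microsoft-sentinel), so "Azure Sentinel" should be updated, and "security related events" wants a hyphen: "security-related events".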

azure-local/security-book/silicon-assisted-security-secured-core.md

Lines changed: 4 additions & 4 deletions
@@ -20,7 +20,7 @@ The [MagBo marketplace](https://www.zdnet.com/article/a-cybercrime-store-is-sell
2020

2121
Given these factors, continuing to raise the security bar for critical infrastructure against attackers and making it easy for organizations to meet that higher bar is a clear priority for both customers and Microsoft. Using our learnings from the [Secured-core PC initiative](/windows-hardware/design/device-experiences/oem-highly-secure), Microsoft has teamed up with the ecosystem partners to expand Secured-core to Azure Local.
2222

23-
Following Secured-core PC, we are introducing Secured-core Server which is built on three key pillars: simplified security, advanced protection, and preventative defense. Secured-core Servers come with the assurance that manufacturing partners have built hardware and firmware that satisfy the requirements of the operating system (OS) security features.
23+
Following Secured-core PC, we're introducing Secured-core Server, which is built on three key pillars: simplified security, advanced protection, and preventative defense. Secured-core Servers come with the assurance that manufacturing partners have built hardware and firmware that satisfy the requirements of the operating system (OS) security features.
2424

2525
## Simplified security
2626

@@ -37,13 +37,13 @@ Trusted Platform Module 2.0 (TPM 2.0) comes standard with Secured-core Servers,
3737

3838
### Firmware protection
3939

40-
In the last few years, there has been a significant [uptick in firmware vulnerabilities](https://www.microsoft.com/security/blog/2019/10/21/microsoft-and-partners-design-new-device-security-requirements-to-protect-against-targeted-firmware-attacks/), in large part due to the inherently higher level of privileges with which firmware runs combined with the limited visibility into firmware by traditional antivirus solutions. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, Secured-core systems put firmware in a hardware-based sandbox helping to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code. Along with pre-boot DMA protection, Secured-core systems provide protection throughout the boot process.
40+
In the last few years, there has been a significant [uptick in firmware vulnerabilities](https://www.microsoft.com/security/blog/2019/10/21/microsoft-and-partners-design-new-device-security-requirements-to-protect-against-targeted-firmware-attacks/), in large part due to the inherently higher level of privileges with which firmware runs combined with the limited visibility into firmware by traditional antivirus solutions. Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, Secured-core systems put firmware in a hardware-based sandbox helping to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code. Along with preboot DMA protection, Secured-core systems provide protection throughout the boot process.
4141

4242
### Virtualization-based security (VBS)
4343

44-
Secured-core machines support VBS and hypervisor-based code integrity (HVCI). The cryptocurrency mining attack mentioned earlier leveraged the [EternalBlue exploit](https://www.cisecurity.org/wp-content/uploads/2019/01/Security-Primer-EternalBlue.pdf). VBS and HVCI help protect against this entire class of vulnerabilities by isolating privileged parts of the OS, like the kernel, from the rest of the system. This helps to ensure that machines remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration.
44+
Secured-core machines support VBS and hypervisor-based code integrity (HVCI). The cryptocurrency mining attack mentioned earlier used the [EternalBlue exploit](https://www.cisecurity.org/wp-content/uploads/2019/01/Security-Primer-EternalBlue.pdf). VBS and HVCI help protect against this entire class of vulnerabilities by isolating privileged parts of the OS, like the kernel, from the rest of the system. This helps to ensure that machines remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration.
4545

46-
Enabling Secured-core functionality helps proactively defend against and disrupt many of the paths attackers may use to exploit a system. These defenses also enable IT and SecOps teams to better leverage their time across the many areas that need their attention.
46+
Enabling Secured-core functionality helps proactively defend against and disrupt many of the paths attackers may use to exploit a system. These defenses also enable IT and SecOps teams to better use their time across the many areas that need their attention.
4747

4848
## Related content
4949
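Review bot: line 40 expands DRTM as "Dynamic Root of Trust of Measurement"; the term is "Dynamic Root of Trust for Measurement", so fix the expansion while this line is being touched. The same line also reads better with a comma before "helping to limit the impact".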

azure-local/security-book/trustworthy-addition-data-protection.md

Lines changed: 3 additions & 3 deletions
@@ -14,17 +14,17 @@ ms.reviewer: alkohli
1414

1515
## Data at rest protection
1616

17-
[BitLocker Drive Encryption](/windows/security/operating-system-security/data-protection/bitlocker/) is a data protection feature that addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers or storage components. With Azure Local, all infrastructure and tenant data is encrypted at rest using BitLocker. Both OS volumes (or system volumes containing the OS VHDX in boot from VHDX scenarios) and Cluster Shared Volumes are by default encrypted with BitLocker using XTS-AES 256-bit encryption algorithm. In situations where BitLocker is unable to unlock a local OS volume or data volume, it will deny access to the encrypted data. To learn more about BitLocker protection, see [BitLocker encryption on Azure Local](../manage/manage-bitlocker.md).
17+
[BitLocker Drive Encryption](/windows/security/operating-system-security/data-protection/bitlocker/) is a data protection feature that addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers or storage components. With Azure Local, all infrastructure and tenant data is encrypted at rest using BitLocker. Both OS volumes (or system volumes containing the OS VHDX in boot from VHDX scenarios) and Cluster Shared Volumes are by default encrypted with BitLocker using XTS-AES 256-bit encryption algorithm. In situations where BitLocker is unable to unlock a local OS volume or data volume, it denies access to the encrypted data. To learn more about BitLocker protection, see [BitLocker encryption on Azure Local](../manage/manage-bitlocker.md).
1818

1919
## Data in transit protection
2020

2121
### Transport layer security (TLS)
2222

23-
Transport Layer Security (TLS) is the internet’s most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Azure Local enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced machine security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Azure Local. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 will provide more privacy and lower latencies for encrypted online connections. Note that if the client or machine application on either side of the connection does not support TLS 1.3, Azure Local will fall back to TLS 1.2. Azure Local uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
23+
Transport Layer Security (TLS) is the internet’s most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Azure Local enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced machine security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Azure Local. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only strong cipher suites, which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or machine application on either side of the connection doesn't support TLS 1.3, Azure Local falls back to TLS 1.2. Azure Local uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
2424

2525
### Server Messaging Block (SMB) signing and encryption
2626

27-
All the major security industry baselines recommend enabling Server Message Block (SMB) signing. To make it easier for you to get your infrastructure to be compliant with those baselines and best practices, we are enabling SMB signing requirement for client connections by default in Azure Local. SMB encryption of intra-system traffic is not enabled by default but is an option you can enable during or after deployment. SMB encryption can impact performance depending on the system configuration.
27+
All the major security industry baselines recommend enabling Server Message Block (SMB) signing. To make it easier for you to get your infrastructure to be compliant with those baselines and best practices, we're enabling SMB signing requirement for client connections by default in Azure Local. SMB encryption of intra-system traffic isn't enabled by default but is an option you can enable during or after deployment. SMB encryption can impact performance depending on the system configuration.
2828

2929
For signing and encryption security, Azure Local now supports AES-256-GCM and AES-256-CCM cryptographic suites for the SMB 3.1.1 protocol used by client-server file traffic as well as the intra-system data fabric. It continues to support the more broadly compatible AES-128 as well. Azure Local also supports SMB Direct encryption, an option that was previously unavailable without significant performance impact. Data is encrypted before placement, leading to less performance degradation while adding AES-128 and AES-256 protected packet privacy.
3030
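Review bot: the heading at line 25 says "Server Messaging Block (SMB)" while line 27 correctly spells out "Server Message Block"; make the heading match. At line 27, "we're enabling SMB signing requirement" is missing an article ("the SMB signing requirement"). At line 23, the statement that the cipher suites provide perfect forward secrecy is imprecise: in TLS 1.3 forward secrecy comes from the mandatory ephemeral (EC)DHE key exchange, not from the cipher suite, which only selects the AEAD algorithm and hash; suggest "supports only strong cipher suites and requires ephemeral key exchange, which provides perfect forward secrecy".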
