diff --git a/i18n/ar/basics/multi-factor-authentication.md b/i18n/ar/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/ar/basics/multi-factor-authentication.md +++ b/i18n/ar/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/ar/basics/passwords-overview.md b/i18n/ar/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/ar/basics/passwords-overview.md +++ b/i18n/ar/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/ar/multi-factor-authentication.md b/i18n/ar/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/ar/multi-factor-authentication.md +++ b/i18n/ar/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/ar/os/index.md b/i18n/ar/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/ar/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/ar/os/windows/group-policies.md b/i18n/ar/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/ar/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/ar/os/windows/index.md b/i18n/ar/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/ar/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/ar/security-keys.md b/i18n/ar/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/ar/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/ar/tools.md b/i18n/ar/tools.md index e5053637..6bbf4fa7 100644 --- a/i18n/ar/tools.md +++ b/i18n/ar/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/bn-IN/basics/multi-factor-authentication.md b/i18n/bn-IN/basics/multi-factor-authentication.md index 28f8aa2f..c6ce79bd 100644 --- a/i18n/bn-IN/basics/multi-factor-authentication.md +++ b/i18n/bn-IN/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y আপনার উজার-নেম, পাসওয়ার্ড এবং বর্তমান TOTP কোড হাতানোর জন্য, আপনাকে প্রতারণা করার চেষ্টায় একজন আক্ক্রমণকারী একটি অফিসিয়াল পরিষেবার অনুকরণ করে একটি ওয়েবসাইট সেট আপ করতে পারে। আক্রমণকারী সেই রেকর্ড করা তথ্যগুলি ব্যবহার করে প্রকৃত পরিষেবাতে লগ ইন করতে এবং অ্যাকাউন্ট হাইজ্যাক করতে সক্ষম হতে পারে। -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### হার্ডওয়্যার সিকিউরিটি কী diff --git a/i18n/bn-IN/basics/passwords-overview.md b/i18n/bn-IN/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/bn-IN/basics/passwords-overview.md +++ b/i18n/bn-IN/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/bn-IN/multi-factor-authentication.md b/i18n/bn-IN/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/bn-IN/multi-factor-authentication.md +++ b/i18n/bn-IN/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/bn-IN/os/index.md b/i18n/bn-IN/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/bn-IN/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/bn-IN/os/windows/group-policies.md b/i18n/bn-IN/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/bn-IN/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/bn-IN/os/windows/index.md b/i18n/bn-IN/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/bn-IN/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/bn-IN/security-keys.md b/i18n/bn-IN/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/bn-IN/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/bn-IN/tools.md b/i18n/bn-IN/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/bn-IN/tools.md +++ b/i18n/bn-IN/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/bn/basics/multi-factor-authentication.md b/i18n/bn/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/bn/basics/multi-factor-authentication.md +++ b/i18n/bn/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/bn/basics/passwords-overview.md b/i18n/bn/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/bn/basics/passwords-overview.md +++ b/i18n/bn/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/bn/multi-factor-authentication.md b/i18n/bn/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/bn/multi-factor-authentication.md +++ b/i18n/bn/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/bn/os/index.md b/i18n/bn/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/bn/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/bn/os/windows/group-policies.md b/i18n/bn/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/bn/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/bn/os/windows/index.md b/i18n/bn/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/bn/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/bn/security-keys.md b/i18n/bn/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/bn/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/bn/tools.md b/i18n/bn/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/bn/tools.md +++ b/i18n/bn/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/cs/basics/multi-factor-authentication.md b/i18n/cs/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/cs/basics/multi-factor-authentication.md +++ b/i18n/cs/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/cs/basics/passwords-overview.md b/i18n/cs/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/cs/basics/passwords-overview.md +++ b/i18n/cs/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/cs/multi-factor-authentication.md b/i18n/cs/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/cs/multi-factor-authentication.md +++ b/i18n/cs/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/cs/os/index.md b/i18n/cs/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/cs/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/cs/os/windows/group-policies.md b/i18n/cs/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/cs/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/cs/os/windows/index.md b/i18n/cs/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/cs/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/cs/security-keys.md b/i18n/cs/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/cs/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/cs/tools.md b/i18n/cs/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/cs/tools.md +++ b/i18n/cs/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/de/basics/multi-factor-authentication.md b/i18n/de/basics/multi-factor-authentication.md index 58089934..f1351cce 100644 --- a/i18n/de/basics/multi-factor-authentication.md +++ b/i18n/de/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/de/basics/passwords-overview.md b/i18n/de/basics/passwords-overview.md index f7e41f23..92d8c861 100644 --- a/i18n/de/basics/passwords-overview.md +++ b/i18n/de/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/de/multi-factor-authentication.md b/i18n/de/multi-factor-authentication.md index 17c59e94..e0df3478 100644 --- a/i18n/de/multi-factor-authentication.md +++ b/i18n/de/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Faktor-Authentifizierung" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warnung

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warnung

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warnung

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/de/os/index.md b/i18n/de/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/de/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/de/os/windows/group-policies.md b/i18n/de/os/windows/group-policies.md new file mode 100644 index 00000000..3242b467 --- /dev/null +++ b/i18n/de/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Suche + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/de/os/windows/index.md b/i18n/de/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/de/os/windows/index.md 
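Review bot: in i18n/de/os/windows/group-policies.md the Windows Error Reporting guidance is given twice and the second set is moot. Under "Internet Communication Management" the hunk sets "Turn off Windows Error Reporting: **Enabled**", yet the later "#### Windows Error Reporting" section configures "Do not send additional data" and "Consent level: **Always ask before sending data**", which only have an effect while error reporting is still running. Either drop the consent settings or add one sentence saying they are a fallback for the case where the first policy is not applied. Three smaller points in the same hunk: "unpredictible" should be "unpredictable"; "#### Suche" is the only translated heading on an otherwise English page, and since the intro says the headings correspond to folder names in Administrative Templates it should read "#### Search" (or the whole page should be translated); and "Bitlocker setup wizard" in the Operating System Drives note should use the "BitLocker" spelling of the section heading.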
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/de/security-keys.md b/i18n/de/security-keys.md new file mode 100644 index 00000000..c5a6c938 --- /dev/null +++ b/i18n/de/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warnung

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warnung

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warnung

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warnung

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/de/tools.md b/i18n/de/tools.md index 33057563..11890b60 100644 --- a/i18n/de/tools.md +++ b/i18n/de/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/el/basics/multi-factor-authentication.md b/i18n/el/basics/multi-factor-authentication.md index 41bf41af..a3a419ce 100644 --- a/i18n/el/basics/multi-factor-authentication.md +++ b/i18n/el/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/el/basics/passwords-overview.md b/i18n/el/basics/passwords-overview.md index 1edd844f..2ca6ccb6 100644 --- a/i18n/el/basics/passwords-overview.md +++ b/i18n/el/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/el/multi-factor-authentication.md b/i18n/el/multi-factor-authentication.md index 34728aa1..5f91b1ff 100644 --- a/i18n/el/multi-factor-authentication.md +++ b/i18n/el/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Αυθεντικοποίηση Πολλών Παραγόντων" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
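Review bot: the removal hunk in i18n/el/multi-factor-authentication.md drops hardware-key facts that the new security-keys.md page earlier in this patch does not carry over. The YubiKey warning "The firmware of YubiKey is not open source and is not updatable" becomes only "not updatable" on the new page, and the two Nitrokey paragraphs "The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the Coreboot + Heads firmware" and "Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the NitroKey Pro 2) is updatable" have no counterpart at all. Because "Should support secure firmware updates" is still listed as a best-case criterion on the new page, the open-source and updatability facts are exactly what a reader needs to weigh the two vendors against that criterion; restore them under the Nitrokey section of security-keys.md, or state in the change description why they were dropped.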
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/el/os/index.md b/i18n/el/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/el/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/el/os/windows/group-policies.md b/i18n/el/os/windows/group-policies.md new file mode 100644 index 00000000..1dfbf394 --- /dev/null +++ b/i18n/el/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Σύστημα + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Αναζήτηση + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/el/os/windows/index.md b/i18n/el/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/el/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/el/security-keys.md b/i18n/el/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/el/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/el/tools.md b/i18n/el/tools.md index 2b82a6fa..65ec7c32 100644 --- a/i18n/el/tools.md +++ b/i18n/el/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/eo/basics/multi-factor-authentication.md b/i18n/eo/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/eo/basics/multi-factor-authentication.md +++ b/i18n/eo/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/eo/basics/passwords-overview.md b/i18n/eo/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/eo/basics/passwords-overview.md +++ b/i18n/eo/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/eo/multi-factor-authentication.md b/i18n/eo/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/eo/multi-factor-authentication.md +++ b/i18n/eo/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
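Review bot: the hardware-key material removed in this hunk (the Nitrokey firmware and Coreboot + Heads paragraphs and the whole `### Criteria` block with its minimum and best-case requirements) has no destination in the `i18n/ar` tree anywhere in this patch; the only `security-keys.md` created here is `i18n/eo/security-keys.md`. The `basics/multi-factor-authentication.md` hunks in this patch now point at `../security-keys.md`, so if the ar page is meant to do the same, that file has to be added in the same change or the link is dead. Minor: the new lead sentence bolds **Multi-Factor Authentication Apps** while the surrounding text keeps saying "authenticator app" and "TOTP apps"; pick one term, since the old `### Authenticator Apps` anchor that other pages linked to is gone and readers will search for whichever name the page settles on.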
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/eo/os/index.md b/i18n/eo/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/eo/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/eo/os/windows/group-policies.md b/i18n/eo/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/eo/os/windows/group-policies.md 
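Review bot: in the new `i18n/eo/os/index.md`, "you can generally improve the amount of data that is collected about you" says the opposite of what is meant; it should read "reduce the amount of data that is collected about you". Consider also a one-line legend for the `:material-star:` markers on the list entries, since nothing on the page says what the star denotes.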
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/eo/os/windows/index.md b/i18n/eo/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/eo/os/windows/index.md 
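Review bot: the BitLocker recommendation in `i18n/eo/os/windows/group-policies.md` points at the legacy policy ("Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)"), whose choices are the old CBC-mode AES variants. There is a separate policy, "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)", that exposes XTS-AES 256-bit and matches the XTS-AES default of current Windows; recommend that one and name the mode explicitly instead of "AES-256". The line "You may wish to re-encrypt your operating system drive after changing these settings" should also say why: these policies only take effect when BitLocker is turned on, so a drive that is already encrypted keeps its existing method until it is decrypted and re-encrypted. Two smaller points: "unpredictible" in the second paragraph should be "unpredictable", and the Device Guard entries ("Turn On Virtualization Based Security" with "Secure Launch Configuration: Enabled") get none of the explanatory notes the page promises for settings whose built-in description is inadequate; one sentence saying that Secure Launch is only active on hardware and firmware that support it would save readers who enable it and see no change.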
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/eo/security-keys.md b/i18n/eo/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/eo/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
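Review bot: in `i18n/eo/os/windows/index.md` the Recall paragraph makes specific technical claims (data "stored unsafely in a local database that is decrypted when your device is powered on", no redaction of copied passwords or financial data, copyrighted content excluded) without a single link, while the "Privacy History" section below it cites sources for comparable claims; add citations, and since the paragraph is already pinned to "as of May 2024", expect it to need revisiting. Also "reduce the teletetry" should be "telemetry", and the "Obtaining Windows" section should spell out what "Third-party tools like Rufus or Etcher may unexpectedly modify the files" refers to; as written it is unclear whether this means optional customizations those tools offer or silent changes to the installer.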
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/eo/tools.md b/i18n/eo/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/eo/tools.md +++ b/i18n/eo/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
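Review bot: `i18n/eo/security-keys.md` drops two firmware statements that the deleted hardware-key section in this patch carried: the Nitrokey paragraph no longer says that Nitrokey firmware is open source or which models can be updated (the removed text said all modern models except the NitroKey Pro 2), and the YubiKey warning now says only that the firmware "is not updatable". Since "Should support secure firmware updates" is kept as a best-case criterion on this same page, the Nitrokey section should state which models meet it, otherwise the criterion cannot be checked against the recommendations. The Nitrokey 3 is now described only as having "a combined feature set" and the Coreboot + Heads integrity-verification note is gone; if that was deliberate, fine, but it looks like a loss from the move. The front matter reuses the MFA page's description and the `multi-factor-authentication.webp` cover rather than text and an image specific to security keys. Grammar and typos: "PIV-compatibile" should be "PIV-compatible", "their higher-end [YubiKey](#yubikey) of products" is missing "series", and "These secrets are stored encrypted on the key and never expose them to the devices" should read "and are never exposed to the devices". The image paths under `assets/img/security-keys/` are new and no asset additions appear in this diff; confirm the files exist.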
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/es/basics/multi-factor-authentication.md b/i18n/es/basics/multi-factor-authentication.md index 393fd1f3..ac5d240c 100644 --- a/i18n/es/basics/multi-factor-authentication.md +++ b/i18n/es/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ A diferencia de [WebAuthn](#fido-fast-identity-online), TOTP no ofrece protecci Un adversario podría crear un sitio web para imitar un servicio oficial en un intento de engañarte para que des tu nombre de usuario, contraseña y código TOTP actual. Si el adversario utiliza esas credenciales registradas puede ser capaz de entrar en el servicio real y secuestrar la cuenta. -Aunque no es perfecto, TOTP es lo suficientemente seguro para la mayoría de la gente, y cuando las [llaves de seguridad de hardware](../multi-factor-authentication.md#hardware-security-keys) no son compatibles las [aplicaciones de autenticación](../multi-factor-authentication.md#authenticator-apps) siguen siendo una buena opción. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Llaves de seguridad de hardware diff --git a/i18n/es/basics/passwords-overview.md b/i18n/es/basics/passwords-overview.md index 213e4956..7977468a 100644 --- a/i18n/es/basics/passwords-overview.md +++ b/i18n/es/basics/passwords-overview.md @@ -113,7 +113,7 @@ Hay muchas buenas opciones para elegir, tanto basadas en la nube como locales. E
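Review bot: the new Hardware > Security Keys block in `i18n/eo/tools.md` references logo files in a new directory (`assets/img/security-keys/mini/yubico.svg`, `.../nitrokey.svg`) while the removed entries used `assets/img/multi-factor-authentication/mini/...`; the asset move or copy is not visible in this diff, so confirm those files are added or the cards render with broken images. The `**Note:** [Hardware security keys](#security-keys) have been moved to their own category.` line left in the Multi-Factor Authentication Tools list is transitional text baked into the page; consider dropping it after one release so the list does not permanently explain a past reorganization.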

No coloques tus contraseñas y tokens TOTP en el mismo gestor de contraseñas

-Cuando utilices códigos TOTP como [autenticación multifactor](../multi-factor-authentication.md), la mejor práctica de seguridad es mantener tus códigos TOTP en una [app separada](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Almacenar tus tokens TOTP en el mismo lugar que tus contraseñas, aunque cómodo, reduce las cuentas a un único factor en caso de que un adversario acceda a tu gestor de contraseñas. diff --git a/i18n/es/multi-factor-authentication.md b/i18n/es/multi-factor-authentication.md index db256f3e..580ff4b9 100644 --- a/i18n/es/multi-factor-authentication.md +++ b/i18n/es/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Autenticadores de Múltiples Factores" +title: "Autenticación de Múltiples Factores" icon: 'material/two-factor-authentication' description: Estas herramientas te ayudan a proteger tus cuentas de Internet con la autenticación multifactor sin enviar tus secretos a terceros. cover: multi-factor-authentication.webp --- -## Llaves de Seguridad +
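Review bot: this hunk, like the `i18n/es/basics/multi-factor-authentication.md` hunk just above it, replaces a Spanish sentence with the English source string ("When using [TOTP codes as multi-factor authentication]..."), leaving one English sentence in the middle of Spanish text. If these files are regenerated from the translation platform this is the expected fallback, but the changed strings then need re-translation before release; if they are edited by hand, the Spanish wording should be updated rather than overwritten. Also note the two links differ only by `../`: `multi-factor-authentication.md#time-based-one-time-password-totp` resolves to `basics/multi-factor-authentication.md` while `../multi-factor-authentication.md` resolves to the top-level tools page; that appears intended, but it is easy to get backwards when the strings are re-translated.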
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -Las **YubiKeys** están entre las llaves de seguridad más populares. Algunos modelos de YubiKey tienen una amplia gama de características, como: autenticación [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 y WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP y HOTP](https://developers.yubico.com/OATH). - -Una de las ventajas de la YubiKey es que una llave puede hacer casi todo (YubiKey 5) lo que se podría esperar de una llave de seguridad. Te animamos a que hagas el [cuestionario](https://yubico.com/quiz) antes de comprar para asegurarte de que tomas la decisión correcta. - -[:octicons-home-16: Página Principal](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Política de Privacidad" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentación} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-La [tabla de comparación](https://yubico.com/store/compare) muestra las características y cómo se comparan las YubiKeys. Le recomendamos que seleccione las llaves de las YubiKey 5 Series. - -Las YubiKeys se pueden programar utilizando [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) o [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). Para gestionar los códigos TOTP, puedes utilizar [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Todos los clientes de Yubico son de código abierto. - -Para los modelos que soportan HOTP y TOTP, hay 2 ranuras en la interfaz OTP que pueden utilizarse para HOTP y 32 ranuras para almacenar secretos TOTP. Estos secretos se almacenan cifrados en la llave y nunca se exponen a los dispositivos a los que se conectan. Una vez que se ha proporcionado una semilla (secreto compartido) a Yubico Authenticator, éste sólo proporcionará los códigos de seis dígitos, pero nunca la semilla. Este modelo de seguridad ayuda a limitar lo que un atacante puede hacer si compromete uno de los dispositivos que ejecutan Yubico Authenticator y hace que la YubiKey sea resistente a un atacante físico. - -
-

Advertencia

- -El firmware de YubiKey no es de código abierto y no se puede actualizar. Si desea características en versiones de firmware más nuevas, o si hay una vulnerabilidad en la versión de firmware que está utilizando, tendría que comprar una nueva llave. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** tiene una clave de seguridad capaz de [FIDO2 y WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) llamada **Nitrokey FIDO2**. Para obtener compatibilidad con PGP, deberá adquirir una de sus otras llaves, como la **Nitrokey Start**, la **Nitrokey Pro 2** o la **Nitrokey Storage 2**. - -[:octicons-home-16: Página Principal](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Política de Privacidad" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentación} - - - -
- -La [tabla de comparación](https://nitrokey.com/#comparison) muestra las características y cómo se comparan los modelos de las Nitrokey. La **Nitrokey 3** listada tendrá un conjunto de características combinadas. - -Los modelos de Nitrokey se pueden configurar usando la [aplicación de Nitrokey](https://nitrokey.com/download). - -Para los modelos que admiten HOTP y TOTP, hay 3 ranuras para HOTP y 15 para TOTP. Algunas Nitrokeys pueden actuar como administrador de contraseñas. Pueden almacenar 16 credenciales diferentes y cifrarlas utilizando la misma contraseña que la interfaz OpenPGP. - -
-

Advertencia

- -Aunque las Nitrokeys no revelan los secretos HOTP/TOTP al dispositivo al que están conectadas, el almacenamiento HOTP y TOTP **no** está cifrado y es vulnerable a ataques físicos. Si desea almacenar secretos HOTP o TOTP, le recomendamos encarecidamente que utilice una YubiKey en su lugar. - -
- -
-

Advertencia

- -El restablecimiento de la interfaz OpenPGP en una Nitrokey también hará la base de datos de contraseñas [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -La Nitrokey Pro 2, la Nitrokey Storage 2 y la próxima Nitrokey 3 admiten la verificación de la integridad del sistema para portátiles con el firmware [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net). - -El firmware de Nitrokey es de código abierto, a diferencia del de YubiKey. El firmware de los modelos NitroKey modernos (excepto el de la **NitroKey Pro 2**) se puede actualizar. - -### Criterios - -**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. - -#### Requisitos Mínimos - -- Debe utilizar módulos de seguridad de hardware de alta calidad y resistentes a la manipulación. -- Debe ser compatible con la última especificación FIDO2. -- No debe permitir la extracción de claves privadas. -- Los dispositivos que cuesten más de 35$ deben soportar el manejo de OpenPGP y S/MIME. - -#### Mejor Caso - -Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. - -- Debe estar disponible en formato USB-C. -- Debe estar disponible con NFC. -- Debe soportar el almacenamiento de secretos TOTP. -- Debe soportar actualizaciones seguras de firmware. - -## Aplicaciones de Autenticación - -Las Aplicaciones de Autenticación implementan un estándar de seguridad adoptado por el Grupo de Trabajo de Ingeniería de Internet (IETF) llamado **Contraseñas de un solo uso basadas en el tiempo** o **TOTP**. 
Se trata de un método en el que los sitios web comparten un secreto con usted que es utilizado por su aplicación de autenticación para generar un código de seis dígitos (normalmente) basado en la hora actual, que introduce al iniciar sesión para que el sitio web lo compruebe. Normalmente, estos códigos se regeneran cada 30 segundos, y una vez que se genera uno nuevo, el anterior queda inutilizado. Incluso si un pirata informático consigue un código de seis dígitos, no hay forma de que invierta ese código para obtener el secreto original ni de que pueda predecir cuáles serán los códigos futuros. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Se trata de un método en el que los sitios web comparten un secreto con usted que es utilizado por su aplicación de autenticación para generar un código de seis dígitos (normalmente) basado en la hora actual, que introduce al iniciar sesión para que el sitio web lo compruebe. Normalmente, estos códigos se regeneran cada 30 segundos, y una vez que se genera uno nuevo, el anterior queda inutilizado. Incluso si un pirata informático consigue un código de seis dígitos, no hay forma de que invierta ese código para obtener el secreto original ni de que pueda predecir cuáles serán los códigos futuros. Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en lugar de alternativas de escritorio, ya que Android e iOS tienen mejor seguridad y aislamiento de aplicaciones que la mayoría de los sistemas operativos de escritorio. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en luga
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en luga
-### Criterios +## Criterios **Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted. diff --git a/i18n/es/os/index.md b/i18n/es/os/index.md new file mode 100644 index 00000000..eaf75ca8 --- /dev/null +++ b/i18n/es/os/index.md @@ -0,0 +1,19 @@ +--- +title: Sistemas Operativos +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/es/os/windows/group-policies.md b/i18n/es/os/windows/group-policies.md new file mode 100644 index 00000000..1963f8fc --- /dev/null +++ b/i18n/es/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Sistema + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Perfiles de usuario + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Buscar + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/es/os/windows/index.md b/i18n/es/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/es/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/es/security-keys.md b/i18n/es/security-keys.md new file mode 100644 index 00000000..b7c2ea63 --- /dev/null +++ b/i18n/es/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: Estas herramientas te ayudan a proteger tus cuentas de Internet con la autenticación multifactor sin enviar tus secretos a terceros. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Advertencia

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Advertencia

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Advertencia

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Advertencia

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criterios + +**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti. + +### Requisitos Mínimos + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Mejor Caso + +Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/es/tools.md b/i18n/es/tools.md index 3f39b2ce..344eb231 100644 --- a/i18n/es/tools.md +++ b/i18n/es/tools.md @@ -166,7 +166,7 @@ Para obtener más información sobre cada proyecto, por qué han sido elegidos y
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ Para cifrar la unidad de su sistema operativo, normalmente recomendamos utilizar ### Herramientas de Autenticación de Múltiples Factores +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ Para cifrar la unidad de su sistema operativo, normalmente recomendamos utilizar [Más información :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Más información :material-arrow-right-drop-circle:](security-keys.md) + ## Sistemas Operativos ### Móvil diff --git a/i18n/fa/basics/multi-factor-authentication.md b/i18n/fa/basics/multi-factor-authentication.md index ae0fcabd..91a37a03 100644 --- a/i18n/fa/basics/multi-factor-authentication.md +++ b/i18n/fa/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/fa/basics/passwords-overview.md b/i18n/fa/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/fa/basics/passwords-overview.md +++ b/i18n/fa/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/fa/multi-factor-authentication.md b/i18n/fa/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/fa/multi-factor-authentication.md +++ b/i18n/fa/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/fa/os/index.md b/i18n/fa/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/fa/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/fa/os/windows/group-policies.md b/i18n/fa/os/windows/group-policies.md new file mode 100644 index 00000000..967c730c --- /dev/null +++ b/i18n/fa/os/windows/group-policies.md 
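Review bot: Untranslated English sits inside the Spanish files in this patch. In `i18n/es/security-keys.md` the `## Criterios` section has Spanish headings and intro text (`### Requisitos Mínimos`, `### Mejor Caso`) but every bullet under them is still English (`- Must use high quality, tamper resistant hardware security modules.`, `- Should be available in USB-C form-factor.`), and in `i18n/es/tools.md` the inserted `**Note:** [Hardware security keys](#security-keys) have been moved to their own category.` plus the new `## Hardware` / `### Security Keys` headings are English directly under the Spanish heading `### Herramientas de Autenticación de Múltiples Factores`. Either translate these units or leave the whole section in the source language, and note that the `#security-keys` anchor in that note will break the moment the heading is translated, so the two should be changed together.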
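Review bot: The move out of `i18n/fa/multi-factor-authentication.md` drops content that the new `security-keys.md` later in this patch does not carry over. The deleted YubiKey warning read `The firmware of YubiKey is not open source and is not updatable.` while the replacement says only `The firmware of YubiKey is not updatable.`, and the deleted sentences `Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.` and the Coreboot + Heads system-integrity paragraph have no counterpart in the new page. Firmware openness and updatability are exactly what the retained best-case criterion `Should support secure firmware updates.` asks readers to weigh, so either restore those sentences in `security-keys.md` or state in the commit message that the removal is deliberate. Minor: the page title becomes `Multi-Factor Authentication` but the lead paragraph now opens with the bolded term `**Multi-Factor Authentication Apps**`; pick one.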
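Review bot: In the `basics/passwords-overview.md` hunks (ar and fa) the edited line now mixes two relative path styles on purpose, which is easy to mistake for a typo: `[TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp)` resolves to `basics/multi-factor-authentication.md` (the explainer page, where the TOTP section lives), while `[separate app](../multi-factor-authentication.md)` on the same line resolves to the recommendations page one level up. A short HTML comment, or link text that distinguishes the explainer from the recommendations, would stop a future contributor from "fixing" the first link by adding `../`.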
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### جستجو + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/fa/os/windows/index.md b/i18n/fa/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/fa/os/windows/index.md 
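Review bot: Copy issues in the new `i18n/fa/os/windows/group-policies.md`: `may introduce unpredictible behavior` should be `unpredictable`; the heading `#### جستجو` is the only Persian heading in an otherwise English file (its siblings are `#### Push To Install` and `#### Sync your settings`), and the policy names under it (`Allow Cortana`, `Don't search the web or display web results in Search`) are the English Group Policy names, so the heading should match the rest of the file until the page is translated as a whole; and `in the Bitlocker setup wizard` does not match the section heading `#### BitLocker Drive Encryption`. Also, the Device Guard entries (`Turn On Virtualization Based Security`, `Secure Launch Configuration: **Enabled**`) are the one group in the System section with no accompanying explanation, unlike Internet Communication Management, AutoPlay and BitLocker, which each get a sentence; given the intro promises explanations wherever the built-in text is inadequate, a sentence here would help.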
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/fa/security-keys.md b/i18n/fa/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/fa/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/fa/tools.md b/i18n/fa/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/fa/tools.md +++ b/i18n/fa/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/fr/basics/multi-factor-authentication.md b/i18n/fr/basics/multi-factor-authentication.md index cadb1792..4bf45271 100644 --- a/i18n/fr/basics/multi-factor-authentication.md +++ b/i18n/fr/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Contrairement à [WebAuthn](#fido-fast-identity-online), TOTP n'offre aucune pro Un adversaire pourrait créer un site web imitant un service officiel afin de vous inciter à donner votre nom d'utilisateur, votre mot de passe et votre code TOTP actuel. Si l'adversaire utilise ensuite ces informations d'identification enregistrées, il peut être en mesure de se connecter au service réel et de détourner le compte. -Bien qu'imparfait, TOTP est suffisamment sûr pour la plupart des gens, et lorsque [les clés de sécurité matérielles](../multi-factor-authentication.md#hardware-security-keys) ne sont pas prises en charge [les applications d'authentification](../multi-factor-authentication.md#authenticator-apps) restent une bonne option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Clés de Sécurité Matérielles diff --git a/i18n/fr/basics/passwords-overview.md b/i18n/fr/basics/passwords-overview.md index 3722a67a..58d026ce 100644 --- a/i18n/fr/basics/passwords-overview.md +++ b/i18n/fr/basics/passwords-overview.md @@ -113,7 +113,7 @@ Il existe de nombreuses options intéressantes, qu'elles soient basées sur le c

Ne placez pas vos mots de passe et vos codes TOTP dans le même gestionnaire de mots de passe

-Lorsque vous utilisez des codes TOTP comme [authentification à multi-facteurs](../multi-factor-authentication.md), la meilleure pratique de sécurité consiste à conserver vos codes TOTP dans une [application séparée](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Le stockage de vos codes TOTP au même endroit que vos mots de passe, bien que pratique, réduit les comptes à un seul facteur dans le cas où un adversaire aurait accès à votre gestionnaire de mots de passe. diff --git a/i18n/fr/multi-factor-authentication.md b/i18n/fr/multi-factor-authentication.md index da70ec08..bedcc52b 100644 --- a/i18n/fr/multi-factor-authentication.md +++ b/i18n/fr/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Authentification multi-facteurs" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Clés de sécurité matérielles +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -Les **YubiKeys** font partie des clés de sécurité les plus populaires. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -L'un des avantages de la YubiKey est qu'une seule clé peut faire presque tout (YubiKey 5) ce que vous pouvez attendre d'une clé de sécurité matérielle. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Nous vous recommandons vivement de choisir des clés de la série YubiKey 5. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Tous les clients de Yubico sont open source. - -Pour les modèles qui supportent HOTP et TOTP, il y a 2 emplacements dans l'interface OTP qui peuvent être utilisés pour HOTP et 32 emplacements pour stocker les secrets TOTP. Ces secrets sont stockés et chiffrés sur la clé et ne sont jamais exposés aux appareils sur lesquels elle est branchée. Une fois qu'une graine (secret partagé) est donnée à l'authentificateur Yubico, celui-ci ne donnera que les codes à six chiffres, mais jamais la graine. Ce modèle de sécurité permet de limiter ce qu'un attaquant peut faire s'il compromet l'un des appareils exécutant le Yubico Authenticator et rend la YubiKey résistante à un attaquant physique. - -
-

Avertissement

- -The firmware of YubiKey is not open source and is not updatable. Si vous souhaitez obtenir des fonctionnalités dans des versions plus récentes du firmware, ou si la version du firmware que vous utilisez présente une vulnérabilité, vous devrez acheter une nouvelle clé. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** possède une clé de sécurité qui prend en charge [FIDO2 et WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) appelée la **Nitrokey FIDO2**. Pour la prise en charge de PGP, vous devez acheter l'une de leurs autres clés comme la **Nitrokey Start**, la **Nitrokey Pro 2** ou la **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. La **Nitrokey 3** répertoriée aura un ensemble de fonctionnalités combinées. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -Pour les modèles qui supportent HOTP et TOTP, il y a 3 emplacements pour HOTP et 15 pour TOTP. Certaines Nitrokeys peuvent faire office de gestionnaire de mots de passe. Ils peuvent stocker 16 identifiants différents et les chiffrer en utilisant le même mot de passe que l'interface OpenPGP. - -
-

Avertissement

- -Bien que les Nitrokeys ne divulguent pas les secrets HOTP/TOTP à l'appareil auquel ils sont connectés, le stockage HOTP et TOTP n'est **pas** chiffré et est vulnérable aux attaques physiques. Si vous cherchez à stocker des secrets HOTP ou TOTP, nous vous recommandons vivement d'utiliser plutôt un YubiKey. - -
- -
-

Avertissement

- -La réinitialisation de l'interface OpenPGP sur une Nitrokey rendra également la base de données des mots de passe [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Le micrologiciel de la Nitrokey est open source, contrairement à la YubiKey. Le micrologiciel des modèles NitroKey modernes (à l'exception de la **NitroKey Pro 2**) peut être mis à jour. - -### Critères - -**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. - -#### Exigences minimales - -- Doit utiliser des modules de sécurité matériels de haute qualité et resistant aux attaques physiques. -- Doit prendre en charge la dernière spécification FIDO2. -- Ne doit pas permettre l'extraction de la clé privée. -- Les appareils qui coûtent plus de 35 $ doivent prendre en charge la gestion d'OpenPGP et de S/MIME. - -#### Dans le meilleur des cas - -Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. - -- Devrait être disponible en format USB-C. -- Devrait être disponible avec NFC. -- Devrait prendre en charge le stockage de secrets de TOTP. -- Devrait prendre en charge les mises à jour sécurisées du micrologiciel. 
- -## Applications d'authentification - -Les applications d'authentification implémentent une norme de sécurité adoptée par l'Internet Engineering Task Force (IETF) appelée **Mots de Passe à Usage Unique Basé sur le Temps**, ou **Time based One Time Password (TOTP)**. Il s'agit d'une méthode par laquelle les sites web partagent avec vous un secret qui est utilisé par votre application d'authentification pour générer un code à six chiffres (généralement) basé sur l'heure actuelle, que vous saisissez lorsque vous vous connectez pour que le site web puisse le vérifier. En général, ces codes sont régénérés toutes les 30 secondes, et dès qu'un nouveau code est généré, l'ancien devient inutile. Même si un pirate obtient un code à six chiffres, il n'a aucun moyen d'inverser ce code pour obtenir le secret original, ni de prédire quels seront les codes futurs. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Il s'agit d'une méthode par laquelle les sites web partagent avec vous un secret qui est utilisé par votre application d'authentification pour générer un code à six chiffres (généralement) basé sur l'heure actuelle, que vous saisissez lorsque vous vous connectez pour que le site web puisse le vérifier. En général, ces codes sont régénérés toutes les 30 secondes, et dès qu'un nouveau code est généré, l'ancien devient inutile. Même si un pirate obtient un code à six chiffres, il n'a aucun moyen d'inverser ce code pour obtenir le secret original, ni de prédire quels seront les codes futurs. Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt que des alternatives de bureau, car Android et IOS offrent une meilleure sécurité et une meilleure isolation des applications que la plupart des systèmes d'exploitation de bureau. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt
-### Critères +## Critères **Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. diff --git a/i18n/fr/os/index.md b/i18n/fr/os/index.md new file mode 100644 index 00000000..e552bec3 --- /dev/null +++ b/i18n/fr/os/index.md @@ -0,0 +1,19 @@ +--- +title: Systèmes d'exploitation +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/fr/os/windows/group-policies.md b/i18n/fr/os/windows/group-policies.md new file mode 100644 index 00000000..09a599c5 --- /dev/null +++ b/i18n/fr/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Système + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Profils utilisateurs + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Recherche + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/fr/os/windows/index.md b/i18n/fr/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/fr/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/fr/security-keys.md b/i18n/fr/security-keys.md new file mode 100644 index 00000000..1bbb5002 --- /dev/null +++ b/i18n/fr/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Avertissement

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Avertissement

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Avertissement

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Avertissement

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Critères + +**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous. + +### Exigences minimales + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Dans le meilleur des cas + +Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/fr/tools.md b/i18n/fr/tools.md index 0a6e580e..91fce113 100644 --- a/i18n/fr/tools.md +++ b/i18n/fr/tools.md @@ -166,9 +166,9 @@ Nous [recommandons](dns.md#recommended-providers) un certain nombre de serveurs
-- ![Logo d'Ente](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Logo d'Ente](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) -- ![Logo de Stingle](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Logo de Stingle](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) -- ![Logo de PhotoPrism](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) +- ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) +- ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
@@ -336,12 +336,12 @@ Pour chiffrer le disque de votre système d'exploitation, nous vous recommandons ### Outils d'authentification multi-facteurs +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) -- ![Logo d'Ente Auth](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) -- ![Logo d'Aegis](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) +- ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
@@ -423,6 +423,20 @@ Pour chiffrer le disque de votre système d'exploitation, nous vous recommandons [En savoir plus :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[En savoir plus :material-arrow-right-drop-circle:](security-keys.md) + ## Systèmes d'exploitation ### Mobile diff --git a/i18n/he/basics/multi-factor-authentication.md b/i18n/he/basics/multi-factor-authentication.md index e1c87f65..8ebb651c 100644 --- a/i18n/he/basics/multi-factor-authentication.md +++ b/i18n/he/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y יריב יכול להקים אתר כדי לחקות שירות רשמי בניסיון להערים עליך למסור את שם המשתמש, הסיסמה וקוד ה-TOTP הנוכחי שלך. אם היריב ישתמש באותם אישורים מוקלטים, ייתכן שהוא יוכל להיכנס לשירות האמיתי ולחטוף את החשבון. -למרות שאינו מושלם, TOTP מאובטח מספיק עבור רוב האנשים, ומתי ש[מפתחות אבטחה חומרה](../multi-factor-authentication.md#hardware-security-keys) אינם נתמכים [אפליקציות אימות](../multi-factor-authentication.md#authenticator-apps) עדיין אפשרות טובה. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### מפתחות אבטחת חומרה diff --git a/i18n/he/basics/passwords-overview.md b/i18n/he/basics/passwords-overview.md index 06c68cf3..ba50971c 100644 --- a/i18n/he/basics/passwords-overview.md +++ b/i18n/he/basics/passwords-overview.md @@ -113,7 +113,7 @@ Let's put all of this in perspective: A seven word passphrase using [EFF's large

Don't place your passwords and TOTP tokens inside the same password manager

-בעת שימוש בקודי TOTP כ[אימות רב-גורמי](../multi-factor-authentication.md), שיטת האבטחה הטובה ביותר היא לשמור את קודי ה-TOTP שלך ב[אפליקציה נפרדת](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). אחסון אסימוני ה-TOTP שלך באותו מקום כמו הסיסמאות שלך, למרות שהוא נוח, מצמצם את החשבונות לגורם יחיד במקרה שיריב יקבל גישה למנהל הסיסמאות שלך. diff --git a/i18n/he/multi-factor-authentication.md b/i18n/he/multi-factor-authentication.md index a1bfcee0..55ea158a 100644 --- a/i18n/he/multi-factor-authentication.md +++ b/i18n/he/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "אימות מרובה גורמים" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## מפתחות אבטחה של חומרה +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -**YubiKeys** הם בין מפתחות האבטחה הפופולריים ביותר. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -אחד היתרונות של YubiKey הוא שמפתח אחד יכול לעשות כמעט הכל (YubiKey 5), שאפשר לצפות ממפתח אבטחת חומרה. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. אנו ממליצים בחום לבחור במפתחות מסדרת YubiKey 5. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). כל הלקוחות של Yubico הם קוד פתוח. - -עבור דגמים התומכים ב - HOTP וב - TOTP, ישנם 2 חריצים בממשק ה - OTP שניתן להשתמש בהם עבור HOTP ו -32 חריצים לאחסון סודות TOTP. סודות אלה מאוחסנים מוצפנים על המפתח ואף פעם לא לחשוף אותם למכשירים הם מחוברים. ברגע שזרע (סוד משותף) ניתן למאמת Yubico, הוא ייתן רק את הקודים בני שש הספרות, אך לעולם לא את הזרע. מודל אבטחה זה עוזר להגביל את מה שתוקף יכול לעשות אם הוא מסכן את אחד המכשירים המריצים את המאמת של Yubico והופך את ה - YubiKey לעמיד בפני תוקף פיזי. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. אם אתה רוצה תכונות בגרסאות קושחה חדשות יותר, או אם ישנה פגיעות בגרסת הקושחה שבה אתה משתמש, תצטרך לרכוש מפתח חדש. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**ל - Nitrokey** יש מפתח אבטחה המסוגל ל- [FIDO2 ו- WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) בשם **Nitrokey FIDO2**. לתמיכה ב-PGP, עליך לרכוש אחד מהמפתחות האחרים שלהם כגון **Nitrokey Start**, **Nitrokey Pro 2** או **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. ל**Nitrokey 3** המופיע ברשימה תהיה ערכת תכונות משולבת. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -עבור הדגמים התומכים ב - HOTP וב - TOTP, ישנם 3 חריצים עבור HOTP ו -15 עבור TOTP. Nitrokeys מסוימים יכולים לשמש כמנהל סיסמאות. הם יכולים לאחסן 16 אישורים שונים ולהצפין אותם באמצעות אותה סיסמה כמו ממשק OpenPGP. - -
-

Warning

- -בעוד ש-Nitrokeys אינם משחררים את סודות ה-HOTP/TOTP למכשיר שאליו הם מחוברים, אחסון ה-HOTP וה-TOTP **לא** מוצפן ופגיע להתקפות פיזיות. אם אתם מחפשים לאחסן סודות HOTP או TOTP, אנו ממליצים בחום להשתמש במפתח YubiKey. - -
- -
-

Warning

- -איפוס ממשק OpenPGP על Nitrokey גם יגרום למסד הנתונים סיסמה [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -הקושחה של Nitrokey היא קוד פתוח, שלא כמו YubiKey. הקושחה בדגמי NitroKey המודרניים (למעט ה**NitroKey Pro 2**) ניתנת לעדכון. - -### קריטריונים - -**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. - -#### דרישות מינימליות - -- יש להשתמש במודולי אבטחה עמידים לחומרה באיכות גבוהה. -- חייב לתמוך במפרט FIDO2 העדכני ביותר. -- אסור לאפשר חילוץ מפתח פרטי. -- מכשירים שעולים מעל $35 חייבים לתמוך בטיפול ב-OpenPGP וב-S/MIME. - -#### המקרה הטוב ביותר - -הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. - -- אמור להיות זמין בפורמט USB-C. -- אמור להיות זמין עם NFC. -- אמור לתמוך באחסון סודי ב-TOTP. -- אמור לתמוך בעדכוני קושחה מאובטחים. - -## אפליקציות מאמתות - -יישומי אימות מיישמים תקן אבטחה שאומץ על ידי כוח המשימה להנדסת אינטרנט (IETF) הנקרא **סיסמאות חד פעמיות חד פעמיות מבוססות זמן**, או **TOTP**. זוהי שיטה שבה אתרי אינטרנט משתפים איתך סוד המשמש את אפליקציית האימות שלך כדי ליצור קוד בן שש ספרות (בדרך כלל) בהתבסס על השעה הנוכחית, שאותה אתה מזין בעת הכניסה לאתר כדי לבדוק. בדרך כלל קודים אלה מתחדשים כל 30 שניות, וברגע שנוצר קוד חדש הקוד הישן הופך לחסר תועלת. גם אם האקר מקבל קוד אחד בן שש ספרות, אין דרך להפוך את הקוד כדי לקבל את הסוד המקורי או אחרת להיות מסוגל לחזות מה כל קודים עתידיים עשויים להיות. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. 
זוהי שיטה שבה אתרי אינטרנט משתפים איתך סוד המשמש את אפליקציית האימות שלך כדי ליצור קוד בן שש ספרות (בדרך כלל) בהתבסס על השעה הנוכחית, שאותה אתה מזין בעת הכניסה לאתר כדי לבדוק. בדרך כלל קודים אלה מתחדשים כל 30 שניות, וברגע שנוצר קוד חדש הקוד הישן הופך לחסר תועלת. גם אם האקר מקבל קוד אחד בן שש ספרות, אין דרך להפוך את הקוד כדי לקבל את הסוד המקורי או אחרת להיות מסוגל לחזות מה כל קודים עתידיים עשויים להיות. אנו ממליצים בחום להשתמש באפליקציות TOTP למכשירים ניידים במקום בחלופות לשולחן העבודה, מכיוון שלאנדרואיד ול-iOS יש אבטחה ובידוד אפליקציות טובים יותר מרוב מערכות ההפעלה השולחניות. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports sys
-### Aegis Authenticator (אנדרואיד) +## Aegis Authenticator (אנדרואיד)
@@ -154,7 +66,7 @@ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports sys
-### קריטריונים +## קריטריונים **שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. diff --git a/i18n/he/os/index.md b/i18n/he/os/index.md new file mode 100644 index 00000000..b97d6fbc --- /dev/null +++ b/i18n/he/os/index.md @@ -0,0 +1,19 @@ +--- +title: מערכות הפעלה +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/he/os/windows/group-policies.md b/i18n/he/os/windows/group-policies.md new file mode 100644 index 00000000..aca83294 --- /dev/null +++ b/i18n/he/os/windows/group-policies.md 
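Review bot: The two new links in the `i18n/he/basics/passwords-overview.md` hunk use different relative bases: `multi-factor-authentication.md#time-based-one-time-password-totp` has no `../`, so it resolves to `basics/multi-factor-authentication.md`, while `../multi-factor-authentication.md` resolves to the top-level tools page. That may be intended (the explainer lives in `basics/`), but the `#time-based-one-time-password-totp` anchor does not appear anywhere in this diff, so please confirm that heading exists in `basics/multi-factor-authentication.md`; otherwise the link silently lands at the top of the page. In the `i18n/he/multi-factor-authentication.md` hunk, the replacement paragraph `**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) ...` switches from English to untranslated Hebrew mid-paragraph, and the new admonition title `Hardware Keys` is English next to Hebrew headings such as `## קריטריונים`; if this is translation-platform output awaiting localisation, say so in the commit message, otherwise translate the whole paragraph. Also worth a sentence in the commit message: the removed Hebrew YubiKey warning said the firmware `is not open source and is not updatable`, whereas the new `security-keys.md` copy only says it is not updatable, so the open-source claim is being dropped rather than moved.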
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### מערכת + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### פרופילי משתמשים + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### חיפוש + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/he/os/windows/index.md b/i18n/he/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/he/os/windows/index.md 
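Review bot: Typo in the second paragraph of the new `group-policies.md`: `unpredictible` should be `unpredictable`. The file states that its headers `correspond to folders/subfolders within Administrative Templates`, but three of them are translated (`### מערכת`, `#### פרופילי משתמשים`, `#### חיפוש`) while every other header and all policy names are left in English; a reader navigating an English-language `gpedit.msc` cannot match the translated ones, so either keep the folder names as the editor shows them or add the English name in parentheses. In the BitLocker section, the sentence `Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows` carries no reference, and since the policy is literally named for `Windows Vista, Windows Server 2008, Windows 7` readers will doubt it; cite Microsoft's documentation, and because the `AES-256` option names only a key size, state which cipher mode the resulting volume ends up with. Finally, `This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive` is ambiguous because the bullet above it is marked **Enabled**; reword to name the policy, e.g. `set "Prevent the usage of OneDrive for file storage" to **Disabled** or Not Configured if you use OneDrive`.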
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/he/security-keys.md b/i18n/he/security-keys.md new file mode 100644 index 00000000..018f45b9 --- /dev/null +++ b/i18n/he/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## קריטריונים + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך. + +### דרישות מינימליות + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### המקרה הטוב ביותר + +הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/he/tools.md b/i18n/he/tools.md index eeb9b139..46434081 100644 --- a/i18n/he/tools.md +++ b/i18n/he/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### כלי אימות רב-גורמי +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [למד עוד :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[למד עוד :material-arrow-right-drop-circle:](security-keys.md) + ## מערכות הפעלה ### נייד diff --git a/i18n/hi/basics/multi-factor-authentication.md b/i18n/hi/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/hi/basics/multi-factor-authentication.md +++ b/i18n/hi/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/hi/basics/passwords-overview.md b/i18n/hi/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/hi/basics/passwords-overview.md +++ b/i18n/hi/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/hi/multi-factor-authentication.md b/i18n/hi/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/hi/multi-factor-authentication.md +++ b/i18n/hi/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/hi/os/index.md b/i18n/hi/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/hi/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/hi/os/windows/group-policies.md b/i18n/hi/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/hi/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/hi/os/windows/index.md b/i18n/hi/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/hi/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/hi/security-keys.md b/i18n/hi/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/hi/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/hi/tools.md b/i18n/hi/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/hi/tools.md +++ b/i18n/hi/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/hu/basics/multi-factor-authentication.md b/i18n/hu/basics/multi-factor-authentication.md index f5eadc07..53f23ab4 100644 --- a/i18n/hu/basics/multi-factor-authentication.md +++ b/i18n/hu/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/hu/basics/passwords-overview.md b/i18n/hu/basics/passwords-overview.md index eea5e838..a40ae39f 100644 --- a/i18n/hu/basics/passwords-overview.md +++ b/i18n/hu/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/hu/multi-factor-authentication.md b/i18n/hu/multi-factor-authentication.md index dbf9714f..61678b94 100644 --- a/i18n/hu/multi-factor-authentication.md +++ b/i18n/hu/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication - Többlépcsős Hitelesítés" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Figyelmeztetés

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Figyelmeztetés

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Figyelmeztetés

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Követelmények - -**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. - -#### Alap elvárások - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Legjobb esetben - -A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy kifogástalan projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. 
Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Követelmények +## Követelmények **Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. diff --git a/i18n/hu/os/index.md b/i18n/hu/os/index.md new file mode 100644 index 00000000..b9d3e42a --- /dev/null +++ b/i18n/hu/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operációs Rendszerek +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/hu/os/windows/group-policies.md b/i18n/hu/os/windows/group-policies.md new file mode 100644 index 00000000..1a628dd3 --- /dev/null +++ b/i18n/hu/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Felhasználói Profilok + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/hu/os/windows/index.md b/i18n/hu/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/hu/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/hu/security-keys.md b/i18n/hu/security-keys.md new file mode 100644 index 00000000..8f282cb6 --- /dev/null +++ b/i18n/hu/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Figyelmeztetés

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Figyelmeztetés

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Figyelmeztetés

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Figyelmeztetés

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Követelmények + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra. + +### Alap elvárások + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Legjobb esetben + +A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy kifogástalan projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/hu/tools.md b/i18n/hu/tools.md index a5725884..442ff3d1 100644 --- a/i18n/hu/tools.md +++ b/i18n/hu/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Többlépcsős Hitelesítési Eszközök +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [További információ :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[További információ :material-arrow-right-drop-circle:](security-keys.md) + ## Operációs Rendszerek ### Mobil diff --git a/i18n/id/basics/multi-factor-authentication.md b/i18n/id/basics/multi-factor-authentication.md index 45b5261d..b9b4ea04 100644 --- a/i18n/id/basics/multi-factor-authentication.md +++ b/i18n/id/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Tidak seperti [WebAuthn](#fido-fast-identity-online), TOTP tidak menawarkan perl Musuh dapat membuat situs web untuk meniru layanan resmi dalam upaya mengelabui Anda untuk memberikan nama pengguna, kata sandi, dan kode TOTP Anda saat ini. Jika musuh kemudian menggunakan kredensial yang berhasil dicatat tersebut, mereka mungkin dapat masuk ke layanan yang sebenarnya dan membajak akun tersebut. -Meskipun tidak sempurna, TOTP cukup aman untuk kebanyakan orang, dan ketika [kunci keamanan perangkat keras](../multi-factor-authentication.md#hardware-security-keys) tidak didukung, [aplikasi autentikator](../multi-factor-authentication.md#authenticator-apps) masih menjadi pilihan yang baik. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Kunci keamanan perangkat keras diff --git a/i18n/id/basics/passwords-overview.md b/i18n/id/basics/passwords-overview.md index d3d5cb70..095aca78 100644 --- a/i18n/id/basics/passwords-overview.md +++ b/i18n/id/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Pilih sa

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/id/multi-factor-authentication.md b/i18n/id/multi-factor-authentication.md index 86758971..a1835960 100644 --- a/i18n/id/multi-factor-authentication.md +++ b/i18n/id/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Autentikasi Multifaktor" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Semua klien Yubico bersumber terbuka. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Firmware Nitrokey bersumber terbuka, tidak seperti YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Kriteria - -**Harap diperhatikan bahwa kami tidak berafiliasi dengan proyek-proyek yang kami rekomendasikan.** Selain [kriteria standar kami](about/criteria.md), kami telah mengembangkan serangkaian persyaratan yang jelas untuk memungkinkan kami memberikan rekomendasi yang objektif. Kami sarankan Anda membiasakan diri dengan daftar ini sebelum memilih untuk menggunakan sebuah proyek, dan melakukan penelitian sendiri untuk memastikan bahwa itu adalah pilihan yang tepat untuk Anda. - -#### Persyaratan Minimum - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Kasus Terbaik - -Kriteria kasus terbaik kami mewakili apa yang ingin kami lihat dari proyek yang sempurna dalam kategori ini. Rekomendasi kami mungkin tidak menyertakan salah satu atau semua fungsi ini, tetapi rekomendasi yang menyertakan fungsi ini mungkin memiliki peringkat yang lebih tinggi daripada yang lain di halaman ini. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. 
This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Kriteria +## Kriteria **Harap diperhatikan bahwa kami tidak berafiliasi dengan proyek-proyek yang kami rekomendasikan.** Selain [kriteria standar kami](about/criteria.md), kami telah mengembangkan serangkaian persyaratan yang jelas untuk memungkinkan kami memberikan rekomendasi yang objektif. Kami sarankan Anda membiasakan diri dengan daftar ini sebelum memilih untuk menggunakan sebuah proyek, dan melakukan penelitian sendiri untuk memastikan bahwa itu adalah pilihan yang tepat untuk Anda. diff --git a/i18n/id/os/index.md b/i18n/id/os/index.md new file mode 100644 index 00000000..e0fac8f4 --- /dev/null +++ b/i18n/id/os/index.md @@ -0,0 +1,19 @@ +--- +title: Sistem Operasi +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/id/os/windows/group-policies.md b/i18n/id/os/windows/group-policies.md new file mode 100644 index 00000000..26b698c9 --- /dev/null +++ b/i18n/id/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Profil Pengguna + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/id/os/windows/index.md b/i18n/id/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/id/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/id/security-keys.md b/i18n/id/security-keys.md new file mode 100644 index 00000000..009a98c8 --- /dev/null +++ b/i18n/id/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Kriteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. Kami sarankan Anda membiasakan diri dengan daftar ini sebelum memilih untuk menggunakan sebuah proyek, dan melakukan penelitian sendiri untuk memastikan bahwa itu adalah pilihan yang tepat untuk Anda. + +### Persyaratan Minimum + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Kasus Terbaik + +Kriteria kasus terbaik kami mewakili apa yang ingin kami lihat dari proyek yang sempurna dalam kategori ini. Rekomendasi kami mungkin tidak menyertakan salah satu atau semua fungsi ini, tetapi rekomendasi yang menyertakan fungsi ini mungkin memiliki peringkat yang lebih tinggi daripada yang lain di halaman ini. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/id/tools.md b/i18n/id/tools.md index a7cff011..1256e5a4 100644 --- a/i18n/id/tools.md +++ b/i18n/id/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Alat Autentikasi Multi-Faktor +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Pelajari lebih lanjut :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Pelajari lebih lanjut :material-arrow-right-drop-circle:](security-keys.md) + ## Sistem Operasi ### Seluler diff --git a/i18n/it/basics/multi-factor-authentication.md b/i18n/it/basics/multi-factor-authentication.md index 4a5c02d9..b2162579 100644 --- a/i18n/it/basics/multi-factor-authentication.md +++ b/i18n/it/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ A differenza di [WebAuthn](#fido-fast-identity-online), TOTP non offre alcuna pr Un malintenzionato potrebbe configurare un sito web che imiti un servizio ufficiale, nel tentativo di ingannarti nel comunicare il tuo nome utente, la tua password e il codice TOTP corrente. Se questi, poi, utilizza tali credenziali registrate, potrebbe riuscire ad accedere al servizio reale e dirottare il profilo. -Sebbene non sia perfetta, la TOTP è abbastanza sicura per gran parte delle persone e, quando le [chiavi di sicurezza hardware](../multi-factor-authentication.md#hardware-security-keys) non sono supportate, le [app d'autenticazione](../multi-factor-authentication.md#authenticator-apps) restano una buona opzione. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Chiavi di sicurezza hardware diff --git a/i18n/it/basics/passwords-overview.md b/i18n/it/basics/passwords-overview.md index cdaedc7e..79b997cb 100644 --- a/i18n/it/basics/passwords-overview.md +++ b/i18n/it/basics/passwords-overview.md @@ -113,7 +113,7 @@ Esistono molte buone opzioni da cui scegliere, sia basate su cloud che locali. S

Non inserire le tue password e i token TOTP nello stesso gestore di password

-Utilizzando i codici TOTP come [autenticazione a più fattori](../multi-factor-authentication.md), la migliore pratica di sicurezza è mantenerli in un'[app separata](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Memorizzare i token TOTP nello stesso luogo delle tue password, sebbene comodo, riduce i profili a un singolo fattore, nel caso in cui un malintenzionato ottenga l'accesso al tuo gestore di password. diff --git a/i18n/it/multi-factor-authentication.md b/i18n/it/multi-factor-authentication.md index f2ea803b..eed1be86 100644 --- a/i18n/it/multi-factor-authentication.md +++ b/i18n/it/multi-factor-authentication.md @@ -5,106 +5,18 @@ description: Questi strumenti ti assistono nella protezione dei tuoi account Int cover: multi-factor-authentication.webp --- -## Chiavi di Sicurezza Hardware +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -Le **YubiKey** sono tra le chiavi di sicurezza più popolari. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -Uno dei benefici della YubiKey è che una chiave (YubiKey 5) può fare quasi tutto ciò che ti potresti aspettare da una chiave di sicurezza hardware. Ti invitiamo a rispondere al [quiz](https://yubico.com/quiz) prima dell'acquisto per essere sicuro di fare la scelta giusta. - -[:octicons-home-16: Pagina Principale](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Politica sulla Privacy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentazione} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Ti consigliamo vivamente di selezionare le chiavi tra le YubiKey 5 Series. - -Le YubiKey possono essere programmate utilizzando [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) o [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). Per gestire i codici TOTP, puoi utilizzare [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Tutti i client di Yubico sono open source. - -Per i modelli che supportano HOTP e TOTP, esistono 2 slot nell'interfaccia OTP che potrebbero essere utilizzati per HOTP e 32 slot per memorizzare i codici segreti TOTP. Questi codici segreti sono memorizzati e crittografati sulla chiave e non sono mai esposti ai dispositivi cui questa è collegata. Una volta fornito un seed (codice segreto condiviso) a Yubico Authenticator, questo fornirà soltanto il codice a sei cifre, mai il seed. Questo modello di sicurezza aiuta a limitare ciò che un malintenzionato può fare, qualora dovesse compromettere uno dei dispositivi che operano Yubico Authenticator, rendendo la YubiKey resistente agli attacchi fisici. - -
-

Avviso

- -Il firmware di YubiKey non è open source e non è aggiornabile. Se desideri avere le funzionalità nelle versioni del firmware più recenti, o se è presente una vulnerabilità nella versione del firmware in uso, dovrai acquistare una nuova chiave. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** dispone di una chiave di sicurezza che supporta [FIDO2 e WebAuthn] (basics/multi-factor-authentication.md#fido-fast-identity-online), detta **Nitrokey FIDO2**. Per il supporto PGP, devi acquistare un'altra delle loro chiavi, come la **Nitrokey Start**, la **Nitrokey Pro 2** o la **Nitrokey Storage 2**. - -[:octicons-home-16: Pagina Principale](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Politica sulla Privacy" } -[:octicons-info-16:](https://docs.nitrokey.com/it/){ .card-link title=Documentazione} - - - -
- -La [tabella di confronto](https://nitrokey.com/#comparison) mostra le caratteristiche e confronta i modelli Nitrokey. La **Nitrokey 3** elencata ha un insieme di funzionalità combinate. - -I modelli di Nitrokey possono essere configurati tramite l'[app Nitrokey](https://nitrokey.com/download). - -Per i modelli che supportano HOTP e TOTP, ci sono 3 slot per HOTP e 15 per TOTP. Alcune Nitrokey possono fungere da gestori di password. Possono memorizzare fino a 16 credenziali differenti e crittografarle utilizzando la stessa password dell'interfaccia OpenPGP. - -
-

Avviso

- -Sebbene le Nitrokey non rilascino i codici segreti HOTP/TOTP al dispositivo a cui sono collegati, la memoria HOTP e TOTP *non* è crittografata ed è vulnerabile agli attacchi fisici. Se vorresti memorizzare i codici segreti HOTP e TOTP, consigliamo vivamente di utilizzare, piuttosto, una YubiKey. - -
- -
-

Avviso

- -Ripristinare l'interfaccia di OpenPGP su una Nitrokey, inoltre, renderà il database delle password [inaccessibile](https://docs.nitrokey.com/pro/factory-reset.html). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Il firmware di Nitrokey è open source, a differenza di YubiKey. Il firmware dei modelli NitroKey moderni (tranne che per **NitroKey Pro 2**) è aggiornabile. - -### Criteri - -**Ti preghiamo di notare che non siamo affiliati con alcun progetto consigliato.** Oltre ai [nostri criteri standard](about/criteria.md), abbiamo sviluppato una serie chiara di requisiti per consentirci di fornire consigli oggettivi. Ti suggeriamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e di condurre le tue ricerche per assicurarti che si tratti della scelta adatta a te. - -#### Requisiti minimi - -- Deve utilizzare moduli di sicurezza hardware di alta qualità e resistenti alla manomissione. -- Deve supportare le ultime specifiche di FIDO2. -- Non deve consentire l'estrazione della chiave privata. -- I dispositivi che costano più di $35 devono supportare la gestione di OpenPGP e S/MIME. - -#### Miglior Caso - -I nostri criteri ottimali rappresentano ciò che vorremmo vedere dal progetto perfetto in questa categoria. I nostri consigli potrebbero non includere tutte o alcune di queste funzionalità, ma quelli che le includono potrebbero essere preferiti ad altri su questa pagina. - -- Dovrebbe essere disponibile in formato USB-C. -- Dovrebbe essere disponibile con NFC. -- Dovrebbe supportare l'archiviazione dei codici segreti TOTP. -- Dovrebbe supportare gli aggiornamenti del firmware sicuri. - -## App di Autenticazione - -Le App d'Autenticazione implementano uno standard di sicurezza aadottato dalla Task Force Ingegneristica di Internet (IETF), detto **Password Una Tantum basate sul Tempo** o **TOTP**. 
Tramite questo metodo i siti web condividono un codice segreto con te, utilizzato dalla tua app d'autenticazione per generare un codice (solitamente) a sei cifre, a seconda dell'ora corrente, che inserisci accedendo al sito web, per verificarti. Tipicamente, questi codici sono rigenerati ogni 30 secondi e, una volta generato un nuovo codice, quello precedente diventa inutile. Anche se un hacker ottiene il codice a sei cifre, non gli sarà possibile decrittografarlo per ottenere quello originale, o per altrimenti poter prevedere quali potrebbero essere i codici futuri. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Tramite questo metodo i siti web condividono un codice segreto con te, utilizzato dalla tua app d'autenticazione per generare un codice (solitamente) a sei cifre, a seconda dell'ora corrente, che inserisci accedendo al sito web, per verificarti. Tipicamente, questi codici sono rigenerati ogni 30 secondi e, una volta generato un nuovo codice, quello precedente diventa inutile. Anche se un hacker ottiene il codice a sei cifre, non gli sarà possibile decrittografarlo per ottenere quello originale, o per altrimenti poter prevedere quali potrebbero essere i codici futuri. Consigliamo vivamente l'utilizzo delle app TOTP mobili, invece delle alternative desktop, poiché Android e iOS forniscono una migliore sicurezza e isolamento delle app, rispetto a gran parte dei sistemi operativi per desktop. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Consigliamo vivamente l'utilizzo delle app TOTP mobili, invece delle alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Consigliamo vivamente l'utilizzo delle app TOTP mobili, invece delle alternative
-### Criteri +## Criteri **Ti preghiamo di notare che non siamo affiliati con alcun progetto consigliato.** Oltre ai [nostri criteri standard](about/criteria.md), abbiamo sviluppato una serie chiara di requisiti per consentirci di fornire consigli oggettivi. Ti suggeriamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e di condurre le tue ricerche per assicurarti che si tratti della scelta adatta a te. diff --git a/i18n/it/os/index.md b/i18n/it/os/index.md new file mode 100644 index 00000000..1a9fd8cd --- /dev/null +++ b/i18n/it/os/index.md @@ -0,0 +1,19 @@ +--- +title: Sistemi Operativi +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/it/os/windows/group-policies.md b/i18n/it/os/windows/group-policies.md new file mode 100644 index 00000000..5b521836 --- /dev/null +++ b/i18n/it/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Sistema + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Profili Utente + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Ricerca + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/it/os/windows/index.md b/i18n/it/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/it/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/it/security-keys.md b/i18n/it/security-keys.md new file mode 100644 index 00000000..b220c0d6 --- /dev/null +++ b/i18n/it/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: Questi strumenti ti assistono nella protezione dei tuoi account Internet con l'autenticazione a più fattori, senza inviare i tuoi codici segreti a terze parti. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Avviso

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Avviso

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Avviso

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Avviso

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteri + +**Ti preghiamo di notare che non siamo affiliati con alcun progetto consigliato.** Oltre ai [nostri criteri standard](about/criteria.md), abbiamo sviluppato una serie chiara di requisiti per consentirci di fornire consigli oggettivi. Ti suggeriamo di familiarizzare con questo elenco prima di scegliere di utilizzare un progetto e di condurre le tue ricerche per assicurarti che si tratti della scelta adatta a te. + +### Requisiti minimi + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Caso migliore + +I nostri criteri ottimali rappresentano ciò che vorremmo vedere dal progetto perfetto in questa categoria. I nostri consigli potrebbero non includere tutte o alcune di queste funzionalità, ma quelli che le includono potrebbero essere preferiti ad altri su questa pagina. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/it/tools.md b/i18n/it/tools.md index 24c99165..5d152fc0 100644 --- a/i18n/it/tools.md +++ b/i18n/it/tools.md @@ -166,9 +166,9 @@ Per ulteriori dettagli su ogni progetto, perché è stato scelto e ulteriori con
-- ![Logo di Ente](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Logo di Ente](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) -- ![Logo di Stingle](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Logo di Stingle](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) -- ![Logo di PhotoPrism](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) +- ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) +- ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
@@ -336,12 +336,12 @@ Per crittografare l'unità del sistema operativo, in genere si consiglia di util ### Strumenti di autenticazione a più fattori +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) -- ![Logo di Ente Auth](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) -- ![Logo di Aegis](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) +- ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) +- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
@@ -423,6 +423,20 @@ Per crittografare l'unità del sistema operativo, in genere si consiglia di util [Scopri di più :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Scopri di più :material-arrow-right-drop-circle:](security-keys.md) + ## Sistemi Operativi ### Mobile diff --git a/i18n/ja/basics/multi-factor-authentication.md b/i18n/ja/basics/multi-factor-authentication.md index 786580a8..ff1ec496 100644 --- a/i18n/ja/basics/multi-factor-authentication.md +++ b/i18n/ja/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### ハードウェアのセキュリティキー diff --git a/i18n/ja/basics/passwords-overview.md b/i18n/ja/basics/passwords-overview.md index 870cc715..240eba86 100644 --- a/i18n/ja/basics/passwords-overview.md +++ b/i18n/ja/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/ja/multi-factor-authentication.md b/i18n/ja/multi-factor-authentication.md index 48da2798..3c48ce8f 100644 --- a/i18n/ja/multi-factor-authentication.md +++ b/i18n/ja/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "多要素認証(Multi-Factor Authentication)" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## ハードウェアセキュリティ +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -**YubiKeys**は最も人気のあるセキュリティ・キーのひとつです。 Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -YubiKeyの利点の1つは、1つのキーでハードウェア・セキュリティ・キーに期待されるほとんどのこと(YubiKey 5)ができることです。 We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Yubicoのクライアントはすべてオープンソースです。 - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Nitrokeyの中には、パスワードマネージャーとして機能するものもあります。 They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### 規準 - -**私たちは、推薦するどのプロジェクトとも提携していません。**客観的に推薦できるよう、[標準となる規準](about/criteria.md)に加えて、一連の明確な要件を定めています。 プロジェクトを利用する前に、このリストをよく理解し、ご自身で調査を行って、そのプロジェクトがあなたにとって適切な選択かどうかをご確認ください。 - -#### 最低要件 - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### 満たされることが望ましい基準 - -満たされることが望ましい基準には、このカテゴリーの完璧なプロジェクトに私たちが望むものを示しています。 私たちが推薦するプロジェクトは、この機能の一部または全部を含んでいないかもしれませんが、もし含んでいれば、このページで他のプロジェクトよりも上位にランクされるかもしれません。 - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## 認証アプリ - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. 
This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### 規準 +## 規準 **私たちは、推薦するどのプロジェクトとも提携していません。**客観的に推薦できるよう、[標準となる規準](about/criteria.md)に加えて、一連の明確な要件を定めています。 プロジェクトを利用する前に、このリストをよく理解し、ご自身で調査を行って、そのプロジェクトがあなたにとって適切な選択かどうかをご確認ください。 diff --git a/i18n/ja/os/index.md b/i18n/ja/os/index.md new file mode 100644 index 00000000..1613c314 --- /dev/null +++ b/i18n/ja/os/index.md @@ -0,0 +1,19 @@ +--- +title: オペレーティングシステム +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/ja/os/windows/group-policies.md b/i18n/ja/os/windows/group-policies.md new file mode 100644 index 00000000..6f00cd64 --- /dev/null +++ b/i18n/ja/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### システム + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### ユーザープロフィール + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### 検索 + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/ja/os/windows/index.md b/i18n/ja/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/ja/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/ja/security-keys.md b/i18n/ja/security-keys.md new file mode 100644 index 00000000..b8670e90 --- /dev/null +++ b/i18n/ja/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## 規準 + +\*\*私たちは、推薦するどのプロジェクトとも提携していません。\*\*客観的に推薦できるよう、[標準となる規準](about/criteria.md)に加えて、一連の明確な要件を定めています。 プロジェクトを利用する前に、このリストをよく理解し、ご自身で調査を行って、そのプロジェクトがあなたにとって適切な選択かどうかをご確認ください。 + +### 最低要件 + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### 満たされることが望ましい基準 + +満たされることが望ましい基準には、このカテゴリーの完璧なプロジェクトに私たちが望むものを示しています。 私たちが推薦するプロジェクトは、この機能の一部または全部を含んでいないかもしれませんが、もし含んでいれば、このページで他のプロジェクトよりも上位にランクされるかもしれません。 + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/ja/tools.md b/i18n/ja/tools.md index 75db15b1..e0e185e2 100644 --- a/i18n/ja/tools.md +++ b/i18n/ja/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### 多要素認証ツール +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [詳細 :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[詳細 :material-arrow-right-drop-circle:](security-keys.md) + ## オペレーティングシステム ### モバイル diff --git a/i18n/ko/basics/multi-factor-authentication.md b/i18n/ko/basics/multi-factor-authentication.md index f83088eb..89cc5e65 100644 --- a/i18n/ko/basics/multi-factor-authentication.md +++ b/i18n/ko/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y 공격자는 어떤 서비스의 공식 웹사이트를 흉내낸 웹사이트를 만들어서 여러분이 사용자 이름, 비밀번호, 현재 TOTP 코드를 제출하도록 유도할 수도 있습니다. 만약 여러분이 이를 제출할 경우, 공격자는 해당 자격 증명 내용을 이용해 실제 서비스에 로그인하여 계정을 탈취할 수 있습니다. -TOTP는 완벽하지는 않습니다. 하지만 대부분의 사람들에게 있어서 충분히 안전하며, [하드웨어 보안 키](../multi-factor-authentication.md#hardware-security-keys)가 지원되지 않는 경우에는 [인증 앱](../multi-factor-authentication.md#authenticator-apps)도 여전히 훌륭한 선택지입니다. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### 하드웨어 보안 키 diff --git a/i18n/ko/basics/passwords-overview.md b/i18n/ko/basics/passwords-overview.md index 099ca8de..79780243 100644 --- a/i18n/ko/basics/passwords-overview.md +++ b/i18n/ko/basics/passwords-overview.md @@ -113,7 +113,7 @@ Let's put all of this in perspective: A seven word passphrase using [EFF's large

Don't place your passwords and TOTP tokens inside the same password manager

-TOTP 코드 [다중 인증](../multi-factor-authentication.md) 방식을 사용하는 경우, TOTP 코드는 [별도 앱](../multi-factor-authentication.md#authenticator-apps)에서 보관하는 것이 가장 좋은 방법입니다. +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). TOTP 토큰과 비밀번호를 한 곳에서 관리하면 편리하지만, 만약 공격자가 여러분의 비밀번호 관리자에 접근 가능할 경우 다중 인증은 무용지물이 됩니다. diff --git a/i18n/ko/multi-factor-authentication.md b/i18n/ko/multi-factor-authentication.md index 03c789ed..49676341 100644 --- a/i18n/ko/multi-factor-authentication.md +++ b/i18n/ko/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "다중 인증" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## 하드웨어 보안 키 +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Privacy Guides에서는 YubiKey 5 시리즈를 사용하실 것을 권장드립니다. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### 평가 기준 - -**Privacy Guides는 권장 목록의 어떠한 프로젝트와도 제휴를 맺지 않았습니다.** 객관적인 권장 목록을 제공하기 위해, [일반적인 평가 기준](about/criteria.md)에 더해 명확한 요구 사항을 정립하였습니다. 어떠한 프로젝트를 선택해 사용하기 전에, 이러한 요구 사항들을 숙지하고 여러분 스스로 조사하는 과정을 거쳐 적절한 선택을 하시기 바랍니다. - -#### 최소 요구 사항 - -- 고품질의 변조 방지 하드웨어 보안 모듈을 사용해야 합니다. -- 최신 FIDO2 사양을 지원해야 합니다. -- 개인 키 추출을 허용해서는 안 됩니다. -- 가격이 $35 이상인 기기는 OpenPGP, S/MIME를 지원해야 합니다. - -#### 우대 사항 - -평가 기준에서 '우대 사항'은 해당 부문에서 완벽한 프로젝트에 기대하는 바를 나타냅니다. 다음의 우대 사항에 해당하지 않더라도 권장 목록에 포함될 수 있습니다. 단, 우대 사항에 해당할수록 이 페이지의 다른 항목보다 높은 순위를 갖습니다. - -- USB-C 단자로 된 버전을 제공해야 합니다. -- NFC를 지원해야 합니다. -- TOTP 비밀 저장소(Secret Storage)를 지원해야 합니다. -- 보안 펌웨어 업데이트를 지원해야 합니다. - -## 인증 앱 - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. 
This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### 평가 기준 +## 평가 기준 **Privacy Guides는 권장 목록의 어떠한 프로젝트와도 제휴를 맺지 않았습니다.** 객관적인 권장 목록을 제공하기 위해, [일반적인 평가 기준](about/criteria.md)에 더해 명확한 요구 사항을 정립하였습니다. 어떠한 프로젝트를 선택해 사용하기 전에, 이러한 요구 사항들을 숙지하고 여러분 스스로 조사하는 과정을 거쳐 적절한 선택을 하시기 바랍니다. diff --git a/i18n/ko/os/index.md b/i18n/ko/os/index.md new file mode 100644 index 00000000..76d170a1 --- /dev/null +++ b/i18n/ko/os/index.md @@ -0,0 +1,19 @@ +--- +title: 운영 체제 +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/ko/os/windows/group-policies.md b/i18n/ko/os/windows/group-policies.md new file mode 100644 index 00000000..c8ffe1b4 --- /dev/null +++ b/i18n/ko/os/windows/group-policies.md 
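Review bot: the Nitrokey firmware sentences deleted in this hunk have no counterpart in the new security-keys.md, so the move loses the one fact the page's own criteria depend on. The `-` lines `Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the NitroKey Pro 2) is updatable.` and `The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the Coreboot + Heads firmware.` are removed here, but the Nitrokey section of the new page (see the ja copy earlier in this diff) keeps only the two warnings about unencrypted OTP storage and the OpenPGP reset, while the criteria list on that page still says `Should support secure firmware updates`; a reader now has no way to tell which vendor meets it. Either restore those sentences in the Nitrokey section of security-keys.md (in the English source, so the i18n copies pick them up) or drop the criterion. The same applies to the YubiKey warning, which goes from `not open source and is not updatable` to `not updatable`; if dropping the open-source remark is deliberate, it is worth a line in the PR description.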
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### 시스템 + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### 사용자 프로필 + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### 검색 + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/ko/os/windows/index.md b/i18n/ko/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/ko/os/windows/index.md 
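Review bot: the Device Guard entry `Turn On Virtualization Based Security: Enabled` sets only the platform security level and Secure Launch, leaving the policy's other sub-settings at Not Configured. The same policy window also contains `Virtualization Based Protection of Code Integrity` and `Credential Guard Configuration`; a reader who follows the bullets as written gets VBS turned on but neither HVCI nor Credential Guard, which are the protections the setting exists for. Suggest adding both as `Enabled with UEFI lock`, with a sentence that the UEFI lock means a later policy change alone cannot switch them off again (clearing the lock needs physical presence at the machine), or, if leaving them unset is deliberate for a home device, say why. Two smaller points in the same hunk: `unpredictible behavior` in the intro should be `unpredictable`, and the BitLocker bullet picks the `(Windows Vista, Windows Server 2008, Windows 7)` variant of `Choose drive encryption method and cipher strength`, whose `AES-256` option is AES-CBC; on Windows 10 version 1511 and later the same folder has a `(Windows 10 [Version 1511] and later)` variant whose options include `XTS-AES 256-bit`, the mode current Windows defaults to, so that is the policy the guide should point at, which would also make the sentence about the Windows 7 policy still applying to newer versions unnecessary.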
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/ko/security-keys.md b/i18n/ko/security-keys.md new file mode 100644 index 00000000..6fde8f8c --- /dev/null +++ b/i18n/ko/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## 평가 기준 + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. 어떠한 프로젝트를 선택해 사용하기 전에, 이러한 요구 사항들을 숙지하고 여러분 스스로 조사하는 과정을 거쳐 적절한 선택을 하시기 바랍니다. + +### 최소 요구 사항 + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### 우대 사항 + +평가 기준에서 '우대 사항'은 해당 부문에서 완벽한 프로젝트에 기대하는 바를 나타냅니다. 다음의 우대 사항에 해당하지 않더라도 권장 목록에 포함될 수 있습니다. 단, 우대 사항에 해당할수록 이 페이지의 다른 항목보다 높은 순위를 갖습니다. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/ko/tools.md b/i18n/ko/tools.md index 8889ce1c..7780739a 100644 --- a/i18n/ko/tools.md +++ b/i18n/ko/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
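Review bot: Wording defects in the new i18n/ko/security-keys.md: `PIV-compatibile` in the Security Key feature list should read `PIV-compatible`; `consider their higher-end [YubiKey](#yubikey) of products` is missing a word (`[YubiKey](#yubikey) series of products`); `The Yubikey 5 series has FIDO Level 1 certification` and `a [Yubikey 5 **FIPS** series]` write `Yubikey` where the rest of the page writes `YubiKey`; and in the HOTP/TOTP paragraph `These secrets are stored encrypted on the key and never expose them to the devices` should be `and are never exposed to the devices`. The front matter reuses the description and cover of multi-factor-authentication.md verbatim (`These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.`); a description that actually mentions security keys would serve the page index and search better. The criteria paragraph also switches from English to Korean mid-paragraph; if the English sentences are still awaiting translation that is expected, otherwise the paragraph should be in one language. Check the other language copies of this file in this patch for the same text.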
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### 다중 인증 수단 +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [자세히 알아보기 :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[자세히 알아보기 :material-arrow-right-drop-circle:](security-keys.md) + ## 운영 체제 ### 모바일 diff --git a/i18n/ku-IQ/basics/multi-factor-authentication.md b/i18n/ku-IQ/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/ku-IQ/basics/multi-factor-authentication.md +++ b/i18n/ku-IQ/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/ku-IQ/basics/passwords-overview.md b/i18n/ku-IQ/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/ku-IQ/basics/passwords-overview.md +++ b/i18n/ku-IQ/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
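Review bot: The added line `**Note:** [Hardware security keys](#security-keys) have been moved to their own category.` in the 다중 인증 수단 section of i18n/ko/tools.md is a migration notice written into permanent page content; once readers stop expecting keys under MFA it becomes noise. A plain cross-reference to the Security Keys section (without "have been moved") would age better, or plan the note's removal. The new list entries also reference `assets/img/security-keys/mini/yubico.svg` and `assets/img/security-keys/mini/nitrokey.svg`, and the new security-keys.md pages reference `assets/img/security-keys/yubico-security-key.webp`, `yubikey.png` and `nitrokey.jpg`; none of these assets appear in the hunks shown here, so confirm they are committed with this change, otherwise every new page and the tools list ship with broken images.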

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/ku-IQ/multi-factor-authentication.md b/i18n/ku-IQ/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/ku-IQ/multi-factor-authentication.md +++ b/i18n/ku-IQ/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
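Review bot: Three facts removed in this hunk have no counterpart in the new security-keys.md (the ko copy is visible above): `The firmware of YubiKey is not open source and is not updatable` is reduced to `The firmware of YubiKey is not updatable`, dropping the open-source claim; `Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.` disappears entirely, even though `Should support secure firmware updates` remains a best-case criterion on the new page, so the reader can no longer tell which key meets it; and the sentence about the Nitrokey Pro 2, Storage 2 and 3 supporting system integrity verification with Coreboot + Heads is gone. If these were dropped deliberately, the commit message should say so; otherwise carry them over into the YubiKey and Nitrokey sections of security-keys.md. Separately, the replacement opening sentence `**Multi-Factor Authentication Apps** implement a security standard...` renames the subject while basics/multi-factor-authentication.md (earlier hunk) still links here as the page for `authenticator apps`; keeping "authenticator apps" in the opening sentence would make that link target read naturally.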
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/ku-IQ/os/index.md b/i18n/ku-IQ/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/ku-IQ/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/ku-IQ/os/windows/group-policies.md b/i18n/ku-IQ/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/ku-IQ/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/ku-IQ/os/windows/index.md b/i18n/ku-IQ/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/ku-IQ/os/windows/index.md 
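Review bot: `may introduce unpredictible behavior` in the new i18n/ku-IQ/os/windows/group-policies.md should be `unpredictable`. Two policy groups overlap: under Internet Communication Management the guide sets `Turn off Windows Error Reporting: **Enabled**`, and later under Windows Error Reporting it also sets `Do not send additional data: **Enabled**` and `Configure Default consent ... Always ask before sending data`; with reporting switched off the consent level appears redundant, so either explain that the later settings are a fallback for installs where the first policy is not applied, or drop them. The page also spells the feature both `BitLocker` (section heading) and `Bitlocker` (`in the Bitlocker setup wizard`); Microsoft's spelling is BitLocker, use it throughout.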
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/ku-IQ/security-keys.md b/i18n/ku-IQ/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/ku-IQ/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/ku-IQ/tools.md b/i18n/ku-IQ/tools.md index bf994374..f28c2cb8 100644 --- a/i18n/ku-IQ/tools.md +++ b/i18n/ku-IQ/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/nl/basics/multi-factor-authentication.md b/i18n/nl/basics/multi-factor-authentication.md index 36c453a3..58e9bcb2 100644 --- a/i18n/nl/basics/multi-factor-authentication.md +++ b/i18n/nl/basics/multi-factor-authentication.md @@ -42,7 +42,7 @@ In tegenstelling tot [WebAuthn](#fido-fast-identity-online)biedt TOTP geen besch Een tegenstander kan een website opzetten om een officiële dienst te imiteren in een poging om je te verleiden jouw gebruikersnaam, wachtwoord en huidige TOTP-code te geven. Als de tegenstander vervolgens deze vastgelegde gegevens gebruikt, kan hij op de echte dienst inloggen en de account kapen. -Hoewel niet perfect, is TOTP veilig genoeg voor de meeste mensen, en wanneer [hardware security keys](/multi-factor-authentication/#hardware-security-keys) niet worden ondersteund zijn [authenticator apps](/multi-factor-authentication/#authenticator-apps) nog steeds een goede optie. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. diff --git a/i18n/nl/basics/passwords-overview.md b/i18n/nl/basics/passwords-overview.md index c0c13e31..46b6080a 100644 --- a/i18n/nl/basics/passwords-overview.md +++ b/i18n/nl/basics/passwords-overview.md @@ -113,7 +113,7 @@ Er zijn veel goede opties om uit te kiezen, zowel cloud-gebaseerd als lokaal. Ki

Don't place your passwords and TOTP tokens inside the same password manager

-Wanneer je TOTP-codes gebruikt als [multi-factor authenticatie](../multi-factor-authentication.md), is de beste beveiligingspraktijk om jouw TOTP-codes in een [aparte app] te bewaren(../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Het opslaan van jouw TOTP-tokens op dezelfde plaats als jouw wachtwoorden is weliswaar handig, maar beperkt de accounts tot één factor in het geval dat een tegenstander toegang krijgt tot jouw wachtwoord manager. diff --git a/i18n/nl/multi-factor-authentication.md b/i18n/nl/multi-factor-authentication.md index a97ad830..1ba8ce6a 100644 --- a/i18n/nl/multi-factor-authentication.md +++ b/i18n/nl/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multifactor-authenticatie" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Veiligheidssleutels +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -De **YubiKeys** behoren tot de meest populaire beveiligingssleutels. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -Een van de voordelen van de YubiKey is dat één sleutel bijna alles kan (YubiKey 5), wat je van een hardware beveiligingssleutel mag verwachten. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Wij raden je ten zeerste aan om sleutels uit de YubiKey 5-serie te kiezen. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -Voor modellen die HOTP en TOTP ondersteunen, zijn er 2 slots in de OTP-interface die kunnen worden gebruikt voor HOTP en 32 slots om TOTP geheimen op te slaan. Deze geheimen worden versleuteld opgeslagen op de sleutel en worden nooit blootgesteld aan de apparaten waarop ze zijn aangesloten. Zodra een "seed" ( het gedeeld geheim) aan de Yubico Authenticator is gegeven, zal deze alleen de zescijferige codes geven, maar nooit de seed. Dit beveiligingsmodel beperkt wat een aanvaller kan doen als hij een van de apparaten waarop de Yubico Authenticator draait, in gevaar brengt en maakt de YubiKey bestand tegen een fysieke aanvaller. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. Als je functies in nieuwere firmwareversies wilt, of als er een kwetsbaarheid is in de firmwareversie die je gebruikt, moet je een nieuwe sleutel kopen. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** heeft een beveiligingssleutel die geschikt is voor [FIDO2 en WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) genaamd de **Nitrokey FIDO2**. Voor PGP-ondersteuning moet je een van hun andere sleutels kopen, zoals de **Nitrokey Start**, **Nitrokey Pro 2** of de **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. De genoemde **Nitrokey 3** zal een gecombineerde functieset hebben. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -Voor de modellen die HOTP en TOTP ondersteunen, zijn er 3 slots voor HOTP en 15 voor TOTP. Sommige Nitrokeys kunnen functioneren als een wachtwoord manager. Ze kunnen 16 verschillende inloggegevens opslaan en deze versleutelen met hetzelfde wachtwoord als de OpenPGP-interface. - -
-

Warning

- -Hoewel Nitrokeys de HOTP/TOTP geheimen niet vrijgeven aan het apparaat waar ze op aangesloten zijn, is de HOTP en TOTP opslag **niet** versleuteld en is kwetsbaar voor fysieke aanvallen. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Het resetten van de OpenPGP interface op een Nitrokey zal ook de wachtwoord database [inaccessible]maken (https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. De firmware op moderne NitroKey-modellen (behalve de **NitroKey Pro 2**) kan worden bijgewerkt. - -### Criteria - -**Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. - -#### Minimale vereisten - -- Moet gebruik maken van hoogwaardige, fraudebestendige hardwarebeveiligingsmodules. -- Moet de meest recente FIDO2-specificatie ondersteunen. -- Mag geen extractie van de private sleutel toestaan. -- Apparaten die meer dan 35 dollar kosten, moeten OpenPGP en S/MIME aankunnen. - -#### Beste geval - -Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. - -- Zou beschikbaar moeten zijn in USB-C vorm-factor. -- Zou beschikbaar moeten zijn met NFC. -- Moet TOTP opslag ondersteunen. -- Moet veilige firmware-updates ondersteunen. - -## Authenticator Apps - -Authenticator Apps implementeren een beveiligingsstandaard die is aangenomen door de Internet Engineering Task Force (IETF), genaamd **Time-based One-time Passwords**, of **TOTP**. 
Dit is een methode waarbij websites een geheim met je delen dat door jouw authenticator-app wordt gebruikt om een code van zes (meestal) cijfers te genereren op basis van de huidige tijd, die je invoert terwijl je inlogt om de website te controleren. Deze codes worden gewoonlijk om de 30 seconden geregenereerd, en zodra een nieuwe code is gegenereerd, wordt de oude nutteloos. Zelfs als een hacker één zescijferige code bemachtigt, is er geen manier om die code om te keren om het oorspronkelijke geheim te bemachtigen of om anderszins te kunnen voorspellen wat eventuele toekomstige codes zouden kunnen zijn. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Dit is een methode waarbij websites een geheim met je delen dat door jouw authenticator-app wordt gebruikt om een code van zes (meestal) cijfers te genereren op basis van de huidige tijd, die je invoert terwijl je inlogt om de website te controleren. Deze codes worden gewoonlijk om de 30 seconden geregenereerd, en zodra een nieuwe code is gegenereerd, wordt de oude nutteloos. Zelfs als een hacker één zescijferige code bemachtigt, is er geen manier om die code om te keren om het oorspronkelijke geheim te bemachtigen of om anderszins te kunnen voorspellen wat eventuele toekomstige codes zouden kunnen zijn. Wij raden je ten zeerste aan om mobiele TOTP apps te gebruiken in plaats van desktop alternatieven, aangezien Android en IOS een betere beveiliging en app isolatie hebben dan de meeste desktop besturingssystemen. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Wij raden je ten zeerste aan om mobiele TOTP apps te gebruiken in plaats van des
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Wij raden je ten zeerste aan om mobiele TOTP apps te gebruiken in plaats van des
-### Criteria +## Criteria **Wij zijn niet verbonden aan de projecten die wij aanbevelen.** Naast [onze standaardcriteria](about/criteria.md)hebben wij een duidelijke reeks eisen ontwikkeld om objectieve aanbevelingen te kunnen doen. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. diff --git a/i18n/nl/os/index.md b/i18n/nl/os/index.md new file mode 100644 index 00000000..d71596fe --- /dev/null +++ b/i18n/nl/os/index.md @@ -0,0 +1,19 @@ +--- +title: Besturingssystemen +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/nl/os/windows/group-policies.md b/i18n/nl/os/windows/group-policies.md new file mode 100644 index 00000000..372d1817 --- /dev/null +++ b/i18n/nl/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Systeem + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Gebruikers Profielen + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Zoeken + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/nl/os/windows/index.md b/i18n/nl/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/nl/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/nl/security-keys.md b/i18n/nl/security-keys.md new file mode 100644 index 00000000..6af4f31a --- /dev/null +++ b/i18n/nl/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
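Review bot: typo in the Privacy History paragraph of index.md: "reduce the teletetry" should read "reduce the telemetry". In the same file, "Windows 10 will be supported until October 2025." is only true for the Home and Pro editions; LTSC and IoT Enterprise releases have later end-of-support dates, so qualify the sentence (e.g. "Windows 10 Home and Pro will be supported until October 2025") or link to Microsoft's lifecycle page, especially since the page goes on to recommend Enterprise and Education editions.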
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. Wij stellen voor dat je jezelf vertrouwd maakt met deze lijst voordat je een project kiest, en jouw eigen onderzoek uitvoert om er zeker van te zijn dat je de juiste keuze maakt. + +### Minimale vereisten + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Beste geval + +Onze best-case criteria geven aan wat wij zouden willen zien van het perfecte project in deze categorie. Het is mogelijk dat onze aanbevelingen geen of niet alle functies bevatten, maar degene die dat wel doen kunnen hoger gerangschikt worden dan andere op deze pagina. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/nl/tools.md b/i18n/nl/tools.md index 6085e3fa..9173cd6b 100644 --- a/i18n/nl/tools.md +++ b/i18n/nl/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-factor authenticatie Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Meer informatie :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Meer informatie :material-arrow-right-drop-circle:](security-keys.md) + ## Besturingssystemen ### Mobiel diff --git a/i18n/pl/basics/multi-factor-authentication.md b/i18n/pl/basics/multi-factor-authentication.md index 725ad611..e9085100 100644 --- a/i18n/pl/basics/multi-factor-authentication.md +++ b/i18n/pl/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/pl/basics/passwords-overview.md b/i18n/pl/basics/passwords-overview.md index 314e30de..f4d89b31 100644 --- a/i18n/pl/basics/passwords-overview.md +++ b/i18n/pl/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/pl/multi-factor-authentication.md b/i18n/pl/multi-factor-authentication.md index 34728aa1..825b58dc 100644 --- a/i18n/pl/multi-factor-authentication.md +++ b/i18n/pl/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Uwierzytelnianie wieloskładnikowe" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
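Review bot: removing the "## Hardware Security Keys" and "## Authenticator Apps" headings from multi-factor-authentication.md deletes the "#hardware-security-keys" and "#authenticator-apps" fragments. This patch rewrites the two links in basics/multi-factor-authentication.md and basics/passwords-overview.md to drop them, but any other page, locale or external bookmark still pointing at those anchors will break silently, so grep the whole repository for both fragments before merging. Also, the intro now opens with "**Multi-Factor Authentication Apps** implement a security standard ...", a term used nowhere else (the links updated elsewhere in this patch still call this page "authenticator apps", and tools.md still heads the section "Multi-factor authenticatie Tools"); keeping "Authenticator apps" as the bolded term would match those links.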
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/pl/os/index.md b/i18n/pl/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/pl/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/pl/os/windows/group-policies.md b/i18n/pl/os/windows/group-policies.md new file mode 100644 index 00000000..e0157f10 --- /dev/null +++ b/i18n/pl/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Wyszukiwarka + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/pl/os/windows/index.md b/i18n/pl/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/pl/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/pl/security-keys.md b/i18n/pl/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/pl/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/pl/tools.md b/i18n/pl/tools.md index abeaa2ca..c59402b1 100644 --- a/i18n/pl/tools.md +++ b/i18n/pl/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Dowiedz się więcej :hero-arrow-circle-right-fill:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Dowiedz się więcej :hero-arrow-circle-right-fill:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/pt-BR/basics/multi-factor-authentication.md b/i18n/pt-BR/basics/multi-factor-authentication.md index 56edb0b3..e0429207 100644 --- a/i18n/pt-BR/basics/multi-factor-authentication.md +++ b/i18n/pt-BR/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/pt-BR/basics/passwords-overview.md b/i18n/pt-BR/basics/passwords-overview.md index ebdd3ca1..deca7ecc 100644 --- a/i18n/pt-BR/basics/passwords-overview.md +++ b/i18n/pt-BR/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/pt-BR/multi-factor-authentication.md b/i18n/pt-BR/multi-factor-authentication.md index 5817143b..c7f9b2fd 100644 --- a/i18n/pt-BR/multi-factor-authentication.md +++ b/i18n/pt-BR/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Autenticação de Múltiplos Fatores" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Melhor Caso - -Nosso critério de melhor caso representa o que gostaríamos de ver em um projeto perfeito nessa categoria. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/pt-BR/os/index.md b/i18n/pt-BR/os/index.md new file mode 100644 index 00000000..d3b05245 --- /dev/null +++ b/i18n/pt-BR/os/index.md @@ -0,0 +1,19 @@ +--- +title: Sistemas Operacionais +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/pt-BR/os/windows/group-policies.md b/i18n/pt-BR/os/windows/group-policies.md new file mode 100644 index 00000000..8456c2b9 --- /dev/null +++ b/i18n/pt-BR/os/windows/group-policies.md 
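Review bot: the last hunk of i18n/ar/multi-factor-authentication.md (`@@ -154,7 +66,7 @@`) shows only the heading change `-### Criteria` / `+## Criteria` and the unchanged "not affiliated" paragraph, so the requirement lists that follow it are outside the diff context; please confirm they are the authenticator-app criteria and not a second copy of the hardware-key requirements ("Must use high quality, tamper resistant hardware security modules", "Must support the latest FIDO2 specification", ...) that this change removes from the top of the file and re-adds under "Criteria" in the new security-keys.md, since the two pages would otherwise present identical criteria for different product categories.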
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Sistema + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Perfis de Usuário + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Pesquisa + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/pt-BR/os/windows/index.md b/i18n/pt-BR/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/pt-BR/os/windows/index.md 
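Review bot: "may introduce unpredictible behavior" in the second paragraph of i18n/pt-BR/os/windows/group-policies.md should read "unpredictable". Two further points in the same hunk: the sentence "Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows" is the kind of non-obvious claim a reader will want a reference for, and the line before it, "You may wish to re-encrypt your operating system drive after changing these settings", understates the situation: the encryption-method policy governs volumes encrypted after it is set and has no effect on a drive that is already encrypted, so a drive that was BitLocker-encrypted before the policy change keeps its current cipher until it is decrypted and re-encrypted; "may wish" could be replaced by a plain statement of that. Finally, the file mixes translated headings (`### Sistema`, `#### Perfis de Usuário`, `#### Pesquisa`) with English policy names and body text; if those headings are link targets elsewhere, the translated ones change the slugs.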
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/pt-BR/security-keys.md b/i18n/pt-BR/security-keys.md new file mode 100644 index 00000000..7b6989e0 --- /dev/null +++ b/i18n/pt-BR/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Melhor Caso + +Nosso critério de melhor caso representa o que gostaríamos de ver em um projeto perfeito nessa categoria. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/pt-BR/tools.md b/i18n/pt-BR/tools.md index 0e521536..6189d3ef 100644 --- a/i18n/pt-BR/tools.md +++ b/i18n/pt-BR/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Ferramentas de Autenticação de Múltiplos Fatores (MFA) +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Saiba mais :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](security-keys.md) + ## Sistemas Operacionais ### Celular diff --git a/i18n/pt/basics/multi-factor-authentication.md b/i18n/pt/basics/multi-factor-authentication.md index 61226bf9..17e4ff3c 100644 --- a/i18n/pt/basics/multi-factor-authentication.md +++ b/i18n/pt/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Um adversário poderia criar um site para imitar um serviço oficial, numa tenta An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Chaves de segurança do hardware diff --git a/i18n/pt/basics/passwords-overview.md b/i18n/pt/basics/passwords-overview.md index 3c1f388a..0d041b50 100644 --- a/i18n/pt/basics/passwords-overview.md +++ b/i18n/pt/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/pt/multi-factor-authentication.md b/i18n/pt/multi-factor-authentication.md index 81981179..2ae5456a 100644 --- a/i18n/pt/multi-factor-authentication.md +++ b/i18n/pt/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Autenticação multi-fator" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Chaves de Segurança de Hardware +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-fator-authentication/yubikey.png) - -As **YubiKeys** estão entre as chaves de segurança mais populares. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -Um dos benefícios da YubiKey é o facto de ser uma chave que pode fazer quase tudo (YubiKey 5), e que realmente tudo aquilo que se espera de uma chave de segurança de hardware. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Recomendamos vivamente que selecione as chaves da série YubiKey 5. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -Para os modelos que suportam HOTP e TOTP, existem 2 slots na interface OTP que podem ser utilizadas para HOTP e 32 slots que permitem armazenar segredos TOTP. Estes segredos são armazenados de forma encriptada na chave e nunca são expostos aos dispositivos a que estão ligados. Uma vez que uma semente (segredo compartilhado) é dada ao Yubico Authenticator, o output só consistirá num código de seis dígitos, e nunca na semente. Este modelo de segurança ajuda a limitar o que um atacante pode fazer se comprometer um dos dispositivos que executam o Yubico Authenticator, fazendo com que a YubiKey seja resistente a um atacante físico. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. Se pretender novas funcionalidades ou se existir uma vulnerabilidade na versão de firmware que está a utilizar, terá de adquirir uma nova chave. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-fator-authentication/nitrokey.jpg){ align=right } - -A **Nitrokey** tem uma chave de segurança que suporta [FIDO2 e WebAuthn](basics/multi-fator-authentication.md#fido-fast-identity-online) chamada **Nitrokey FIDO2**. Para suporte de PGP, é necessário adquirir uma das outras chaves, como a **Nitrokey Start**, **Nitrokey Pro 2** ou **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. O **Nitrokey 3** listado terá um conjunto de características combinadas. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -Para os modelos que suportam HOTP e TOTP, existem 3 slots para HOTP e 15 para TOTP. Alguns Nitrokeys podem funcionar como gestores de palavras-passe. Podem armazenar 16 credenciais diferentes e encriptá-las utilizando a mesma palavra-passe que a interface OpenPGP. - -
-

Warning

- -Embora as Nitrokeys não libertem os segredos HOTP/TOTP para o dispositivo a que estão ligados, o armazenamento HOTP e TOTP **não** é encriptado e é vulnerável a ataques físicos. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -A reposição da interface OpenPGP numa Nitrokey também fará com que a base de dados de palavras-passe fique [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. O firmware dos modelos NitroKey modernos (exceto o **NitroKey Pro 2**) pode ser atualizado. - -### Critérios - -**Note que não estamos associados a nenhum dos projetos que recomendamos.** Para além dos [nossos critérios padrão](about/criteria.md), temos um conjunto claro de requisitos que nos permitem fornecer recomendações objetivas. Sugerimos que se familiarize com esta lista antes de optar por um projeto e que desenvolva a sua própria investigação para garantir que se trata da escolha certa para si. - -#### Requisitos mínimos - -- Devem ser utilizados módulos de segurança de hardware de alta qualidade e invioláveis. -- Deve ser suportada a especificação FIDO2 mais recente. -- Não deverá ser permitida a extração de chaves privadas. -- Os dispositivos que custam mais de 35 dólares devem suportar o manuseamento de OpenPGP e S/MIME. - -#### Melhor caso - -Os nossos melhores critérios representam o que gostaríamos de ver num projeto perfeito desta categoria. As nossas recomendações podem não incluir todas as funcionalidades, mas incluem as que, na nossa opinião, têm um impacto mais elevado. - -- Devem estar disponíveis no formato USB-C. -- Deverão disponibilizar NFC. -- Devem suportar o armazenamento de segredos TOTP. -- Devem suportar atualizações de firmware seguras. - -## Aplicações de Autenticação - -As Aplicações de Autenticação implementam uma norma de segurança que ºe adotada pela Internet Engineering Task Force (IETF), denominada **Time-based One-time Passwords**, ou **TOTP**. 
Este é um método através do qual os sites partilham um segredo, que é utilizado pela sua aplicação de autenticação para gerar um código de seis dígitos (normalmente) com base na hora atual, que deverá introduzir ao iniciar sessão, para que o site o possa verificar. Normalmente, estes códigos são regenerados de 30 em 30 segundos e, quando é gerado um novo código, o antigo deixa de poder ser utilizado. Mesmo que um pirata informático obtenha o código de seis dígitos, não há forma de reverter esse código para obter o segredo original ou de prever quais serão os códigos futuros. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Este é um método através do qual os sites partilham um segredo, que é utilizado pela sua aplicação de autenticação para gerar um código de seis dígitos (normalmente) com base na hora atual, que deverá introduzir ao iniciar sessão, para que o site o possa verificar. Normalmente, estes códigos são regenerados de 30 em 30 segundos e, quando é gerado um novo código, o antigo deixa de poder ser utilizado. Mesmo que um pirata informático obtenha o código de seis dígitos, não há forma de reverter esse código para obter o segredo original ou de prever quais serão os códigos futuros. Recomendamos vivamente que utilize aplicações TOTP para dispositivos móveis, em vez de alternativas para computador, uma vez que o Android e o iOS têm melhor segurança e isolamento de aplicações do que a maioria dos sistemas operativos para PC. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Recomendamos vivamente que utilize aplicações TOTP para dispositivos móveis,
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Recomendamos vivamente que utilize aplicações TOTP para dispositivos móveis,
-### Critérios +## Critérios **Note que não estamos associados a nenhum dos projetos que recomendamos.** Para além dos [nossos critérios padrão](about/criteria.md), temos um conjunto claro de requisitos que nos permitem fornecer recomendações objetivas. Sugerimos que se familiarize com esta lista antes de optar por um projeto e que desenvolva a sua própria investigação para garantir que se trata da escolha certa para si. diff --git a/i18n/pt/os/index.md b/i18n/pt/os/index.md new file mode 100644 index 00000000..eaf75ca8 --- /dev/null +++ b/i18n/pt/os/index.md @@ -0,0 +1,19 @@ +--- +title: Sistemas Operativos +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/pt/os/windows/group-policies.md b/i18n/pt/os/windows/group-policies.md new file mode 100644 index 00000000..783a432a --- /dev/null +++ b/i18n/pt/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Sistema + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Pesquisa + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/pt/os/windows/index.md b/i18n/pt/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/pt/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/pt/security-keys.md b/i18n/pt/security-keys.md new file mode 100644 index 00000000..67d8a253 --- /dev/null +++ b/i18n/pt/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Requisitos mínimos + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Melhor caso + +Os nossos melhores critérios representam o que gostaríamos de ver num projeto perfeito desta categoria. As nossas recomendações podem não incluir todas as funcionalidades, mas incluem as que, na nossa opinião, têm um impacto mais elevado. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/pt/tools.md b/i18n/pt/tools.md index 078923ce..b174c2ea 100644 --- a/i18n/pt/tools.md +++ b/i18n/pt/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Ferramentas de autenticação multifator +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Saiba mais :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Saiba mais :material-arrow-right-drop-circle:](security-keys.md) + ## Sistemas Operativos ### Móvel diff --git a/i18n/ru/basics/multi-factor-authentication.md b/i18n/ru/basics/multi-factor-authentication.md index 9b326b13..2f42f21d 100644 --- a/i18n/ru/basics/multi-factor-authentication.md +++ b/i18n/ru/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y Злоумышленник может создать сайт, имитирующий официальный сервис, чтобы обманом заставить вас сообщить свое имя пользователя, пароль и текущий код TOTP. Если злоумышленник затем использует эти записанные учетные данные, он сможет войти в реальный сервис и завладеть учетной записью. -Хотя TOTP не совершенен, он достаточно безопасен для большинства людей, и если аппаратные ключи безопасности [](../multi-factor-authentication.md#hardware-security-keys) не поддерживаются, то [ приложения-аутентификаторы](../multi-factor-authentication.md#authenticator-apps) все ещё являются хорошим вариантом. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Аппаратные ключи безопасности diff --git a/i18n/ru/basics/passwords-overview.md b/i18n/ru/basics/passwords-overview.md index 69d0fb95..ad224085 100644 --- a/i18n/ru/basics/passwords-overview.md +++ b/i18n/ru/basics/passwords-overview.md @@ -113,7 +113,7 @@ Let's put all of this in perspective: A seven word passphrase using [EFF's large

Don't place your passwords and TOTP tokens inside the same password manager

-При использовании TOTP-кодов в качестве [многофакторной аутентификации](../multi-factor-authentication.md), лучшей практикой безопасности является хранение TOTP-кодов в [отдельном приложении](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Хранение TOTP-токенов в том же месте, что и паролей, хотя и удобно, но сводит защиту учетных записей к одному фактору в случае, если злоумышленник получит доступ к вашему менеджеру паролей. diff --git a/i18n/ru/multi-factor-authentication.md b/i18n/ru/multi-factor-authentication.md index e6aeebf5..6e8f1aa9 100644 --- a/i18n/ru/multi-factor-authentication.md +++ b/i18n/ru/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Многофакторная аутентификация" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Аппаратные ключи безопасности +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -Ключи **YubiKeys** являются одними из самых популярных ключей безопасности. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -Одним из преимуществ YubiKey является то, что всего лишь один ключ может делать практически всё (YubiKey 5), что можно ожидать от аппаратного ключа безопасности. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Мы настоятельно рекомендуем вам выбрать ключи из серии YubiKey 5. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -Для моделей, поддерживающих HOTP и TOTP, в интерфейсе OTP есть 2 слота, которые можно использовать для HOTP, и 32 слота для хранения секретов TOTP. Эти секреты хранятся в зашифрованном виде на ключе и никогда не раскрывают их для устройств, к которым они подключены. После того как Yubico Authenticator получит семя (общий секрет), он будет выдавать только шестизначные коды. Секрет никогда выдаваться не будет. Эта модель безопасности помогает ограничить возможности злоумышленника, если он скомпрометирует одно из устройств, на которых работает Yubico Authenticator, и делает YubiKey устойчивым к физическому воздействию злоумышленника. - -
-

Предупреждение

- -The firmware of YubiKey is not open source and is not updatable. Если вам нужны функции, которые доступны только в более новых версиях прошивки или если в используемой вами версии прошивки есть уязвимость, вам нужно будет приобрести новый ключ. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -У **Nitrokey** есть ключ безопасности, поддерживающий [FIDO2 и WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) и называемый **Nitrokey FIDO2**. Для использования PGP необходимо приобрести один из других ключей, таких как **Nitrokey Start**, **Nitrokey Pro 2** или **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. Перечисленные ключи **Nitrokey 3** будут обладать комбинированным набором функций. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -Для моделей, поддерживающих HOTP и TOTP, есть 3 слота для HOTP и 15 для TOTP. Некоторые Nitrokeys могут работать в качестве менеджера паролей. Они могут хранить 16 различных учетных данных и шифровать их с помощью того же пароля, что и интерфейс OpenPGP. - -
-

Предупреждение

- -Хотя Nitrokeys не передают секреты HOTP/TOTP на устройство, к которому они подключены, хранилище HOTP и TOTP **не** зашифровано и уязвимо для физических атак. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Предупреждение

- -Сброс интерфейса OpenPGP на Nitrokey также сделает базу данных паролей [недоступной](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. Прошивка современных моделей NitroKey (кроме **NitroKey Pro 2**) является обновляемой. - -### Критерии - -**Обрати внимание, что у нас нет связей ни с одним проектом, который мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md) мы разработали четкий набор требований, позволяющий давать объективные рекомендации. Перед тем, как вы решите выбрать какой-либо проект, мы рекомендуем вам ознакомиться со списком критериев и провести собственное исследование, чтобы убедиться в правильности своего выбора. - -#### Минимальные требования - -- Должны использоваться высококачественные, устойчивые к взлому аппаратные модули безопасности. -- Должна поддерживаться последняя спецификация FIDO2. -- Не должны допускать извлечение приватного ключа. -- Устройства, стоимостью более 35 $, должны поддерживать работу с OpenPGP и S/MIME. - -#### В лучшем случае - -Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. - -- Должен быть доступен в форм-факторе USB-C. -- Должен быть доступен с NFC. -- Должен поддерживать хранение секретов TOTP. -- Должен поддерживать безопасное обновление прошивки. - -## Приложение-аутентификатор - -Приложения аутентификаторы реализуют стандарт безопасности, принятый рабочей группой инженеров интернета (IETF), который называется **Time-based One-time Passwords** или **TOTP**. При этом методе веб-сайты делятся с вами секретом, который вносится в приложение аутентификации. 
Затем приложение генерирует шестизначные коды, основанные на текущем времени, которые вы вводите при входе на сайт для проверки. Обычно эти коды обновляются каждые 30 секунд, и как только генерируется новый код, старый становится бесполезным. Даже если хакер получит один шестизначный код, у него не будет возможности анализировать этот код, чтобы получить исходный секрет, или каким-либо другим способом предсказать, какими могут быть будущие коды. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. При этом методе веб-сайты делятся с вами секретом, который вносится в приложение аутентификации. Затем приложение генерирует шестизначные коды, основанные на текущем времени, которые вы вводите при входе на сайт для проверки. Обычно эти коды обновляются каждые 30 секунд, и как только генерируется новый код, старый становится бесполезным. Даже если хакер получит один шестизначный код, у него не будет возможности анализировать этот код, чтобы получить исходный секрет, или каким-либо другим способом предсказать, какими могут быть будущие коды. Мы настоятельно рекомендуем вам использовать мобильные приложения TOTP вместо настольных альтернатив, поскольку Android и iOS имеют лучшую безопасность и изоляцию приложений, чем большинство настольных операционных систем. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Nitrokey's firmware is open source, unlike the YubiKey. Прошивка сов
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Nitrokey's firmware is open source, unlike the YubiKey. Прошивка сов
-### Критерии +## Критерии **Обрати внимание, что у нас нет связей ни с одним проектом, который мы рекомендуем.** В дополнение к [нашим стандартным критериям](about/criteria.md) мы разработали четкий набор требований, позволяющий давать объективные рекомендации. Перед тем, как вы решите выбрать какой-либо проект, мы рекомендуем вам ознакомиться со списком критериев и провести собственное исследование, чтобы убедиться в правильности своего выбора. diff --git a/i18n/ru/os/index.md b/i18n/ru/os/index.md new file mode 100644 index 00000000..80a5bf83 --- /dev/null +++ b/i18n/ru/os/index.md @@ -0,0 +1,19 @@ +--- +title: Операционные системы +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/ru/os/windows/group-policies.md b/i18n/ru/os/windows/group-policies.md new file mode 100644 index 00000000..0cfe8d01 --- /dev/null +++ b/i18n/ru/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### Система + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Профили пользователей + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Поиск + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/ru/os/windows/index.md b/i18n/ru/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/ru/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/ru/security-keys.md b/i18n/ru/security-keys.md new file mode 100644 index 00000000..996fba62 --- /dev/null +++ b/i18n/ru/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Предупреждение

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Предупреждение

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Предупреждение

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Предупреждение

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Критерии + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. Перед тем, как вы решите выбрать какой-либо проект, мы рекомендуем вам ознакомиться со списком критериев и провести собственное исследование, чтобы убедиться в правильности своего выбора. + +### Минимальные требования к сервисам + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### В лучшем случае + +Эти критерии представляют собой то, что мы хотели бы видеть от идеального проекта в этой категории. Наши рекомендации могут не соответствовать всем или нескольким из этих критериев, но проекты, которые им соответствуют, расположены выше остальных. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/ru/tools.md b/i18n/ru/tools.md index 14afb354..43b1a0ab 100644 --- a/i18n/ru/tools.md +++ b/i18n/ru/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Многофакторная аутентификация +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Узнать больше :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Узнать больше :material-arrow-right-drop-circle:](security-keys.md) + ## Операционные системы ### Для телефонов diff --git a/i18n/sv/basics/multi-factor-authentication.md b/i18n/sv/basics/multi-factor-authentication.md index 0bab8d1f..bad25acf 100644 --- a/i18n/sv/basics/multi-factor-authentication.md +++ b/i18n/sv/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/sv/basics/passwords-overview.md b/i18n/sv/basics/passwords-overview.md index 311b80d5..7a63eb59 100644 --- a/i18n/sv/basics/passwords-overview.md +++ b/i18n/sv/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/sv/multi-factor-authentication.md b/i18n/sv/multi-factor-authentication.md index 9ac52c32..dfce884c 100644 --- a/i18n/sv/multi-factor-authentication.md +++ b/i18n/sv/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Faktor Autentisering" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** har en säkerhetsnyckel som kan [FIDO2 och WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) som heter **Nitrokey FIDO2**. För PGP-stöd måste du köpa en av deras andra nycklar som * * Nitrokey Start * *, * *NitrokeyPro 2** eller **NitrokeyStorage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. De **Nitrokey 3** listade kommer att ha en kombinerad funktionsuppsättning. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -För de modeller som stöder HOTP och TOTP finns det 3 platser för HOTP och 15 för TOTP. Vissa Nitrokeys kan fungera som en lösenordshanterare. De kan lagra 16 olika autentiseringsuppgifter och kryptera dem med samma lösenord som OpenPGP-gränssnittet. - -
-

Warning

- -Även om Nitrokeys inte lämnar ut HOTP/TOTP-hemligheterna till den enhet de är anslutna till, är HOTP- och TOTP-lagringen **inte** krypterad och sårbar för fysiska attacker. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Återställning av OpenPGP-gränssnittet på en Nitrokey kommer också att göra lösenordsdatabasen [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. Den inbyggda programvaran på moderna NitroKey-modeller (utom **NitroKey Pro 2**) kan uppdateras. - -### Kriterier - -**Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. - -#### Minimikrav - -- Måste använda högkvalitativa, manipuleringssäkra hårdvarusäkerhetsmoduler. -- Måste stödja den senaste FIDO2-specifikationen. -- Får inte tillåta utvinning av privata nycklar. -- Enheter som kostar mer än 35 dollar måste ha stöd för hantering av OpenPGP och S/MIME. - -#### Bästa fall - -Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. - -- Bör finnas tillgänglig i USB-C-format. -- Bör finnas tillgängligt med NFC. -- Bör stödja TOTP hemlig lagring. -- Bör stödja säkra uppdateringar av fast programvara. - -## Autentiseringsapp - -Authenticator Apps implementerar en säkerhetsstandard som antagits av Internet Engineering Task Force (IETF) kallad **Time-based Engångslösenord**eller **TOTP**. Detta är en metod där webbplatser delar en hemlighet med dig som används av din autentiseringsapp för att generera en sex (vanligtvis) siffrig kod baserat på aktuell tid, som du anger när du loggar in för att webbplatsen ska kontrollera. 
Vanligtvis regenereras dessa koder var 30: e sekund, och när en ny kod genereras blir den gamla värdelös. Även om en hackare får tag på en sexsiffrig kod finns det inget sätt för dem att vända på koden för att få fram den ursprungliga hemligheten eller på annat sätt kunna förutsäga vad framtida koder kan vara. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Detta är en metod där webbplatser delar en hemlighet med dig som används av din autentiseringsapp för att generera en sex (vanligtvis) siffrig kod baserat på aktuell tid, som du anger när du loggar in för att webbplatsen ska kontrollera. Vanligtvis regenereras dessa koder var 30: e sekund, och när en ny kod genereras blir den gamla värdelös. Även om en hackare får tag på en sexsiffrig kod finns det inget sätt för dem att vända på koden för att få fram den ursprungliga hemligheten eller på annat sätt kunna förutsäga vad framtida koder kan vara. Vi rekommenderar starkt att du använder mobila TOTP-appar i stället för alternativ för datorer eftersom Android och iOS har bättre säkerhet och appisolering än de flesta operativsystem för datorer. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Vi rekommenderar starkt att du använder mobila TOTP-appar i stället för alter
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Vi rekommenderar starkt att du använder mobila TOTP-appar i stället för alter
-### Kriterier +## Kriterier **Observera att vi inte är knutna till något av de projekt som vi rekommenderar.** Förutom [våra standardkriterier](about/criteria.md)har vi utvecklat en tydlig uppsättning krav som gör det möjligt för oss att ge objektiva rekommendationer. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. diff --git a/i18n/sv/os/index.md b/i18n/sv/os/index.md new file mode 100644 index 00000000..de800378 --- /dev/null +++ b/i18n/sv/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operativsystem +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/sv/os/windows/group-policies.md b/i18n/sv/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/sv/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/sv/os/windows/index.md b/i18n/sv/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/sv/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/sv/security-keys.md b/i18n/sv/security-keys.md new file mode 100644 index 00000000..4c343d30 --- /dev/null +++ b/i18n/sv/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Kriterier + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. Vi föreslår att du bekantar dig med den här listan innan du väljer att använda ett projekt, och att du gör din egen forskning för att se till att det är rätt val för dig. + +### Minimikrav + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Bästa fall + +Våra kriterier för bästa fall representerar vad vi skulle vilja se av det perfekta projektet i denna kategori. Våra rekommendationer kanske inte innehåller alla eller några av dessa funktioner, men de som gör det kan vara högre rankade än andra på den här sidan. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/sv/tools.md b/i18n/sv/tools.md index 7a63fea7..dafbf7a5 100644 --- a/i18n/sv/tools.md +++ b/i18n/sv/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
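Review bot: the introduction of i18n/sv/security-keys.md overstates the guarantee with "immune to phishing, and cannot be compromised without physical possession of the key itself"; the same page later warns that a key may have "a vulnerability in the firmware version you are using", so "resistant to phishing" and "the credential cannot be extracted or used remotely" would be consistent with the rest of the page. Also in this hunk: "PIV-compatibile" should be "PIV-compatible"; "their higher-end [YubiKey](#yubikey) of products" is missing a word ("line of products"); "Yubikey 5 series" and "Yubikey 5 **FIPS** series" should use the "YubiKey" spelling used everywhere else on the page; and "These secrets are stored encrypted on the key and never expose them to the devices" should read "and are never exposed to the devices". Finally, the Nitrokey section drops two sentences that the old multi-factor-authentication.md page carried (Coreboot + Heads integrity verification, and that Nitrokey firmware is open source and updatable on modern models except the Pro 2); since "Should support secure firmware updates" is a best-case criterion on this very page, that information should be carried over rather than lost in the move.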
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Faktor Autentisering +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Läs mer :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Läs mer :material-arrow-right-drop-circle:](security-keys.md) + ## Operativsystem ### Mobil diff --git a/i18n/tr/basics/multi-factor-authentication.md b/i18n/tr/basics/multi-factor-authentication.md index f3551250..1dc85664 100644 --- a/i18n/tr/basics/multi-factor-authentication.md +++ b/i18n/tr/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/tr/basics/passwords-overview.md b/i18n/tr/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/tr/basics/passwords-overview.md +++ b/i18n/tr/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/tr/multi-factor-authentication.md b/i18n/tr/multi-factor-authentication.md index 34728aa1..cfec471f 100644 --- a/i18n/tr/multi-factor-authentication.md +++ b/i18n/tr/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Çok Faktörlü Kimlik Doğrulama" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/tr/os/index.md b/i18n/tr/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/tr/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/tr/os/windows/group-policies.md b/i18n/tr/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/tr/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/tr/os/windows/index.md b/i18n/tr/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/tr/os/windows/index.md 
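Review bot: under BitLocker Drive Encryption, "You may wish to re-encrypt your operating system drive after changing these settings" understates what is needed: the encryption-method policy only applies when a volume is first encrypted, so a drive that is already BitLocker-protected keeps its current cipher until it is decrypted and encrypted again; say that explicitly. Consider also documenting why the Windows 7-era policy is used rather than the separate "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" policy, which offers XTS-AES 256-bit; readers who find both in gpedit.msc will otherwise not know which one to set. Minor: "unpredictible" should be "unpredictable", and the Device Guard "Secure Launch Configuration" option depends on hardware support, so a caveat that it has no effect on unsupported machines would help.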
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/tr/security-keys.md b/i18n/tr/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/tr/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/tr/tools.md b/i18n/tr/tools.md index 7d81bef5..edc3f5a5 100644 --- a/i18n/tr/tools.md +++ b/i18n/tr/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/uk/basics/multi-factor-authentication.md b/i18n/uk/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/uk/basics/multi-factor-authentication.md +++ b/i18n/uk/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/uk/basics/passwords-overview.md b/i18n/uk/basics/passwords-overview.md index 67bf3583..381682f7 100644 --- a/i18n/uk/basics/passwords-overview.md +++ b/i18n/uk/basics/passwords-overview.md @@ -113,7 +113,7 @@ Let's put all of this in perspective: A seven word passphrase using [EFF's large

Don't place your passwords and TOTP tokens inside the same password manager

-При використанні кодів TOTP як [багатофакторної автентифікації](../multi-factor-authentication.md), найкращим вибором є зберігання кодів TOTP в [окремому додатку](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Зберігання токенів TOTP в одному місці з паролями хоч і зручно, але зводить облікові записи до одного фактору в разі, якщо зловмисник отримає доступ до вашого менеджера паролів. diff --git a/i18n/uk/multi-factor-authentication.md b/i18n/uk/multi-factor-authentication.md index 34728aa1..217b5d35 100644 --- a/i18n/uk/multi-factor-authentication.md +++ b/i18n/uk/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/uk/os/index.md b/i18n/uk/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/uk/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/uk/os/windows/group-policies.md b/i18n/uk/os/windows/group-policies.md new file mode 100644 index 00000000..fc6859d1 --- /dev/null +++ b/i18n/uk/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### Профілі користувачів + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/uk/os/windows/index.md b/i18n/uk/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/uk/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/uk/security-keys.md b/i18n/uk/security-keys.md new file mode 100644 index 00000000..657e068f --- /dev/null +++ b/i18n/uk/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/uk/tools.md b/i18n/uk/tools.md index b2155f45..10239f80 100644 --- a/i18n/uk/tools.md +++ b/i18n/uk/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/vi/basics/multi-factor-authentication.md b/i18n/vi/basics/multi-factor-authentication.md index d94d4718..6db88c50 100644 --- a/i18n/vi/basics/multi-factor-authentication.md +++ b/i18n/vi/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account. -Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option. +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### Hardware security keys diff --git a/i18n/vi/basics/passwords-overview.md b/i18n/vi/basics/passwords-overview.md index 63aca1b5..898d198d 100644 --- a/i18n/vi/basics/passwords-overview.md +++ b/i18n/vi/basics/passwords-overview.md @@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o

Don't place your passwords and TOTP tokens inside the same password manager

-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps). +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager. diff --git a/i18n/vi/multi-factor-authentication.md b/i18n/vi/multi-factor-authentication.md index 7b9ec89a..7ff7e128 100644 --- a/i18n/vi/multi-factor-authentication.md +++ b/i18n/vi/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "Multi-Factor Authentication" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## Hardware Security Keys +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

Warning

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

Warning

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

Warning

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Framadate - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Framadate +## Framadate **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/vi/os/index.md b/i18n/vi/os/index.md new file mode 100644 index 00000000..25f7d659 --- /dev/null +++ b/i18n/vi/os/index.md @@ -0,0 +1,19 @@ +--- +title: Operating Systems +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/vi/os/windows/group-policies.md b/i18n/vi/os/windows/group-policies.md new file mode 100644 index 00000000..756e23bb --- /dev/null +++ b/i18n/vi/os/windows/group-policies.md 
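Review bot: the criteria section heading promoted in the `-### Framadate` / `+## Framadate` hunk of i18n/vi/multi-factor-authentication.md is the name of an unrelated project, while the equivalent section in the new i18n/uk/security-keys.md in this same patch is titled `## Criteria`; this looks like a stale mistranslation being carried forward, so the heading should be corrected to `## Criteria` (or its Vietnamese equivalent) rather than only moved up one level. The same hunk's new intro paragraph keeps the text of the old "Authenticator Apps" section verbatim, which is fine, but the bold lead term "**Multi-Factor Authentication Apps**" no longer matches any heading on the page now that "## Authenticator Apps" is gone; consider keeping a heading for the app list so the page has a structure parallel to security-keys.md.

Review bot: in the first paragraph of the new i18n/vi/os/index.md, "you can generally improve the amount of data that is collected about you on any option" says the opposite of what is meant; it should read "reduce the amount of data that is collected about you". The rest of the hunk reads correctly and the `windows/index.md` link matches the file added in this patch.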
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### System + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### User Profiles + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### Search + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/vi/os/windows/index.md b/i18n/vi/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/vi/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/vi/security-keys.md b/i18n/vi/security-keys.md new file mode 100644 index 00000000..209b1b41 --- /dev/null +++ b/i18n/vi/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

Warning

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

Warning

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

Warning

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

Warning

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Framadate + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/vi/tools.md b/i18n/vi/tools.md index 0b5d51d9..cd9b9f78 100644 --- a/i18n/vi/tools.md +++ b/i18n/vi/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### Multi-Factor Authentication Tools +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [Learn more :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[Learn more :material-arrow-right-drop-circle:](security-keys.md) + ## Operating Systems ### Mobile diff --git a/i18n/zh-Hant/basics/multi-factor-authentication.md b/i18n/zh-Hant/basics/multi-factor-authentication.md index ca218c1d..2130664a 100644 --- a/i18n/zh-Hant/basics/multi-factor-authentication.md +++ b/i18n/zh-Hant/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ TOTP 是最常見的 MFA 形式之一。 當您設置TOTP時,您通常需要 對手可以建立一個網站來模仿官方服務,試圖欺騙你提供你的用戶名,密碼和當前的 TOTP 代碼。 如果對手使用這些記錄的憑證,他們可能能夠登錄到真正的服務並劫持帳戶。 -雖然不完美,但 TOTP 對大多數人來說足夠安全,當 [硬件安全金鑰](../multi-factor-authentication.md#hardware-security-keys) 不受支持時, [驗證器應用程序](../multi-factor-authentication.md#authenticator-apps) 仍然是一個不錯的選擇。 +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### 硬體安全金鑰 diff --git a/i18n/zh-Hant/basics/passwords-overview.md b/i18n/zh-Hant/basics/passwords-overview.md index e6896db5..971a0863 100644 --- a/i18n/zh-Hant/basics/passwords-overview.md +++ b/i18n/zh-Hant/basics/passwords-overview.md @@ -113,7 +113,7 @@ Diceware 是一種創建密碼短語的方法,這些密短口令易於記憶

Warning "不要將密碼和 TOTP 令牌放在同一個密碼管理器中

-當使用 TOTP 代碼作為 [多因素驗證](../multi-factor-authentication.md) 時,最好的安全措施是將 TOTP 代碼保存在 [分開的應用程序](../multi-factor-authentication.md#authenticator-apps) 中。 +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). 將您的 TOTP 令牌存儲在與密碼相同的位置,雖然方便,但假若對手可以存取密碼管理器,則帳戶安全驗證則減少為單一因素。 diff --git a/i18n/zh-Hant/multi-factor-authentication.md b/i18n/zh-Hant/multi-factor-authentication.md index 405174b2..8cd9f84f 100644 --- a/i18n/zh-Hant/multi-factor-authentication.md +++ b/i18n/zh-Hant/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "多重因素驗證器" +title: "多重身分驗證" icon: 'material/two-factor-authentication' description: 這些工具可協助透過多重身份驗證保護網路帳戶,而無需將您的祕密傳送給第三方。 cover: multi-factor-authentication.webp --- -## 安全金鑰硬體 +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -**YubiKeys** 是最常用的安全金鑰之一。 有些 YubiKey 型號具廣泛的功能,例如: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor)、[FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online)、[Yubico OTP](basics/multi-factor-authentication.md#yubico-otp)、[Personal Identity Verification (PIV)](https://developers.yubico.com/PIV)、 [OpenPGP](https://developers.yubico.com/PGP)、[TOTP and HOTP](https://developers.yubico.com/OATH)驗證。 - -YubiKey 好處之一是,一支密鑰( 例如 YubiKey 5 )可以滿足對安全密鑰硬體的全部期待。 建議購買前先 [作個小測驗](https://yubico.com/quiz/) ,以確保做出正確的選擇。 - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-[比較表](https://yubico.com/store/compare) 顯示了各型號 YubiKeys 功能比較。 我們強烈建議您從YubiKey 5系列中挑選。 - -YubiKey 可使用 [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) 或 [YubiKey 個人化工具](https://yubico.com/support/download/yubikey-personalization-tools)。 若要管理 TOTP 程式碼,可使用 [Yubico Authenticator](https://yubico.com/products/yubico-authenticator)。 Yubico 所有客戶端軟體都是開源。 - -支持 HOTP 和 TOTP 的機型, OTP 介面中有2個插槽可用於HOTP 和32個插槽來存儲 TOTP 機密。 這些機密經加密後存儲在密鑰上,永遠不會將它們暴露在插入的設備上。 一旦向 Yubico Authenticator 提供種子(共享祕密) ,它將只會給出六位數的代碼,但永遠不會提供種子。 此安全模型有助於限制攻擊者,即便運行 Yubico Authenticator的設備受到破壞,讓受到物理攻擊時 Yubikey 仍具抵抗力。 - -
-

警告

- -YubiKey 軔體並不開源,無法更新。 如果您想要使用較新韌體版本的功能,或者使用中的韌體版本存在漏洞,則需要購買新的金鑰。 - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** 能夠 [FIDO2 和 WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online)的安全金鑰,稱為 **Nitrokey FIDO2**。 若要獲得 PGP 支援,您需要購買他們其他鑰匙,例如 **Nitrokey Start**、**Nitrokey Pro 2** 或 **Nitrokey Storage 2**。 - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -[比較表](https://nitrokey.com/#comparison) 顯示了各型號 Nitrokey 功能比較。 **Nitrokey 3** 具有組合的功能集。 - -可以使用 [Nitrokey 應用程序](https://nitrokey.com/download)配置 Nitrokey 模型。 - -支持 HOTP 和 TOTP 的型號,有3個 HOTP 插槽,15 個 TOTP 插槽。 有些 Nitrokeys 可以充當密碼管理器。 可以存儲 16 組憑證,並使用與 OpenPGP 接口相同的密碼對憑證加密。 - -
-

警告

- -雖然 Nitrokeys 不會將 HOTP/TOTP 機密釋放給所插入的設備,但HOTP 和 TOTP存儲* *未經加密* * ,容易受到物理攻擊。 如果需要存儲 HOTP 或 TOTP 這類祕密,強烈建議使用Yubikey 代替。 - -
- -
-

警告

- -重置 Nitrokey 的 OpenPGP 介面會使密碼資料庫變為 [無法存取](https://docs.nitrokey.com/pro/linux/factory-reset)。 - -
- -Nitrokey Pro 2、Nitrokey Storage 2 和即將推出的 Nitrokey 3 支持筆記型電腦的 [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) 軔體與系統完整性驗證。 - -不同於 YubiKey,Nitrokey 軔體是開源。 NitroKey 型號可( **NitroKey Pro 2**除外)可更新軔體。 - -### 標準 - -**請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 - -#### 最低合格要求 - -- 必須使用高品質、防篡改的硬體安全模組。 -- 必須支援最新的 FIDO2 規格。 -- 必須不允許私鑰提取。 -- 價格超過 35美元的裝置必須支援處理 OpenPGP 和 S/MIME。 - -#### 最好的情况 - -最佳案例標準代表了我們希望從這個類別的完美項目應具備的條件。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 - -- 應採用 USB-C 格式。 -- 應與 NFC一起使用。 -- 支持 TOTP 機密儲存。 -- 應支持安全軔體更新。 - -## 認證器應用程式 - -驗證器應用程式實施網際網路工程任務組( IETF)採行的安全標準,稱為 **依據時間的單次密碼**或 **TOTP**。 這是一種網站與您共享祕密的方法,驗證器應用程式使用該祕密根據當前時間生成(通常為)六位數驗證碼,您在登錄網站時輸入以供網站檢查。 通常這些驗證碼每30 秒重新生成一次,一旦生成新碼,舊碼就無用了。 即使駭客獲得六位數的驗證碼,也無法逆轉該代碼去取得原始祕密或透過其他方式去預測以後的驗證碼。 +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. 這是一種網站與您共享祕密的方法,驗證器應用程式使用該祕密根據當前時間生成(通常為)六位數驗證碼,您在登錄網站時輸入以供網站檢查。 通常這些驗證碼每30 秒重新生成一次,一旦生成新碼,舊碼就無用了。 即使駭客獲得六位數的驗證碼,也無法逆轉該代碼去取得原始祕密或透過其他方式去預測以後的驗證碼。 我們強烈建議您使用行動 TOTP 應用程式而不是桌面替代方案,因為 Android 和 iOS 比大多數桌面作業系統具有更好的安全性和應用程式隔離性。 -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ Nitrokey Pro 2、Nitrokey Storage 2 和即將推出的 Nitrokey 3 支持筆記
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ Nitrokey Pro 2、Nitrokey Storage 2 和即將推出的 Nitrokey 3 支持筆記
-### 標準 +## 標準 **請注意,我們所推薦專案沒有任何瓜葛。 ** 除了 [標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 diff --git a/i18n/zh-Hant/os/index.md b/i18n/zh-Hant/os/index.md new file mode 100644 index 00000000..b552ceb7 --- /dev/null +++ b/i18n/zh-Hant/os/index.md @@ -0,0 +1,19 @@ +--- +title: 作業系統 +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/zh-Hant/os/windows/group-policies.md b/i18n/zh-Hant/os/windows/group-policies.md new file mode 100644 index 00000000..eb39fd92 --- /dev/null +++ b/i18n/zh-Hant/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### 系統 + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### 用戶設定檔 + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### 搜尋 + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/zh-Hant/os/windows/index.md b/i18n/zh-Hant/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/zh-Hant/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/zh-Hant/security-keys.md b/i18n/zh-Hant/security-keys.md new file mode 100644 index 00000000..f0cefb85 --- /dev/null +++ b/i18n/zh-Hant/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: 這些工具可協助透過多重身份驗證保護網路帳戶,而無需將您的祕密傳送給第三方。 +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

警告

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

警告

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

警告

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

警告

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## 標準 + +請注意,我們所推薦專案沒有任何瓜葛。 除[標準準則](about/criteria.md)外,我們還發展出一套明確要求以提出客觀建議。 我們建議您在選擇使用項目之前先熟悉此列表,並進行自己的研究,以確保它是您的正確選擇。 + +### 最低合格要求 + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### 最佳案例 + +最佳案例標準代表了我們希望從這個類別的完美項目應具備的功能。 推薦產品可能沒有此功能,但若有這些功能則會讓排名更為提高。 + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/zh-Hant/tools.md b/i18n/zh-Hant/tools.md index b76eb329..bb6b2198 100644 --- a/i18n/zh-Hant/tools.md +++ b/i18n/zh-Hant/tools.md @@ -166,7 +166,7 @@ description: Privacy Guides 是最透明和可靠的網站,用於尋找保護
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ description: Privacy Guides 是最透明和可靠的網站,用於尋找保護 ### 多因素驗證工具 +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ description: Privacy Guides 是最透明和可靠的網站,用於尋找保護 [了解更多 :material-arrow-right-drop-circle:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[了解更多 :material-arrow-right-drop-circle:](security-keys.md) + ## 作業系統 ### 行動 diff --git a/i18n/zh/basics/multi-factor-authentication.md b/i18n/zh/basics/multi-factor-authentication.md index 716a2585..ecc63cc2 100644 --- a/i18n/zh/basics/multi-factor-authentication.md +++ b/i18n/zh/basics/multi-factor-authentication.md @@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y 对手可以建立一个网站来模仿官方服务,试图欺骗你提供你的用户名、密码和当前的TOTP代码。 如果对手随后使用这些记录下来的凭证,他们可能能够登录到真正的服务并劫持该账户。 -虽然不完美,但TOTP对大多数人来说是足够安全的,即使不支持使用 [硬件安全密钥](/multi-factor-authentication/#hardware-security-keys) , 一个[认证器应用程序](/multi-factor-authentication/#authenticator-apps) 仍然是一个不错的选择。 +Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option. ### 硬件安全密钥 diff --git a/i18n/zh/basics/passwords-overview.md b/i18n/zh/basics/passwords-overview.md index 55885939..6f1ce748 100644 --- a/i18n/zh/basics/passwords-overview.md +++ b/i18n/zh/basics/passwords-overview.md @@ -113,7 +113,7 @@ Let's put all of this in perspective: A seven word passphrase using [EFF's large

Don't place your passwords and TOTP tokens inside the same password manager

-如果您将TOTP用作任何帐户的 [多因素身份验证](../multi-factor-authentication.md) 方法,请勿在密码管理器中存储这些令牌、它们的任何备份代码或TOTP秘密本身,那样会抵消掉多因认证的益处。 +When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md). 你应该使用专门的[TOTP应用程序](.../multi-factor-authentication.md/#authenticator-apps)来代替。 diff --git a/i18n/zh/multi-factor-authentication.md b/i18n/zh/multi-factor-authentication.md index d75aa180..565d261a 100644 --- a/i18n/zh/multi-factor-authentication.md +++ b/i18n/zh/multi-factor-authentication.md @@ -1,110 +1,22 @@ --- -title: "Multi-Factor Authenticators" +title: "多因认证" icon: 'material/two-factor-authentication' description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. cover: multi-factor-authentication.webp --- -## 硬件安全密钥 +
+

Hardware Keys

-### YubiKey - -
- -![YubiKeys](assets/img/multi-factor-authentication/yubikey.png) - -The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. - -One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. - -[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} - - +[Hardware security key recommendations](security-keys.md) have been moved to their own category.
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series. - -YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. - -For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. - -
-

警告

- -The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. - -
- -### Nitrokey - -
- -![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right } - -**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. - -[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } -[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } -[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} - - - -
- -The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. - -Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). - -For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. - -
-

警告

- -While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. - -
- -
-

警告

- -Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). - -
- -The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware. - -Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable. - -### Criteria - -**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. - -#### Minimum Requirements - -- Must use high quality, tamper resistant hardware security modules. -- Must support the latest FIDO2 specification. -- Must not allow private key extraction. -- Devices which cost over $35 must support handling OpenPGP and S/MIME. - -#### Best-Case - -Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. - -- Should be available in USB-C form-factor. -- Should be available with NFC. -- Should support TOTP secret storage. -- Should support secure firmware updates. - -## Authenticator Apps - -Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. 
Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. +**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be. We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems. -### Ente Auth +## Ente Auth
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Aegis Authenticator (Android) +## Aegis Authenticator (Android)
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
-### Criteria +## Criteria **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. diff --git a/i18n/zh/os/index.md b/i18n/zh/os/index.md new file mode 100644 index 00000000..af781e51 --- /dev/null +++ b/i18n/zh/os/index.md @@ -0,0 +1,19 @@ +--- +title: 服务供应商 +--- + +We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices. + +If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful. + +## Mobile Operating Systems + +- [Android Overview](android-overview.md) :material-star: +- [iOS Overview](ios-overview.md) + +## Desktop Operating Systems + +- [Linux Overview](linux-overview.md) :material-star: +- [macOS Overview](macos-overview.md) +- [Qubes Overview](qubes-overview.md) :material-star: +- [Windows Overview](windows/index.md) diff --git a/i18n/zh/os/windows/group-policies.md b/i18n/zh/os/windows/group-policies.md new file mode 100644 index 00000000..dac85ab8 --- /dev/null +++ b/i18n/zh/os/windows/group-policies.md 
@@ -0,0 +1,134 @@ +--- +title: Group Policy Settings +--- + +Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better. + +These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk. + +All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate. + +## Administrative Templates + +You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies. + +To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well. 
+ +### 系统 + +#### Device Guard + +- Turn On Virtualization Based Security: **Enabled** + - Platform Security Level: **Secure Boot and DMA Protection** + - Secure Launch Configuration: **Enabled** + +#### Internet Communication Management + +- Turn off Windows Customer Experience Improvement Program: **Enabled** +- Turn off Windows Error Reporting: **Enabled** +- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled** + +Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that. + +#### OS Policies + +- Allow Clipboard History: **Disabled** +- Allow Clipboard synchronization across devices: **Disabled** +- Enables Activity Feed: **Disabled** +- Allow publishing of User Activities: **Disabled** +- Allow upload of User Activities: **Disabled** + +#### 用户资料 + +- Turn off the advertising ID: **Enabled** + +### Windows Components + +#### AutoPlay Policies + +AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually. + +- Turn off AutoPlay: **Enabled** +- Disallow Autoplay for nonvolume devices: **Enabled** +- Set the default behavior for AutoRun: **Enabled** + - Default AutoRun Behavior: **Do not execute any AutoRun commands** + +#### BitLocker Drive Encryption + +You may wish to re-encrypt your operating system drive after changing these settings. 
+ +- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled** + - Select the encryption method: **AES-256** + +Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows. + +##### Operating System Drives + +- Require additional authentication at startup: **Enabled** +- Allow enhanced PINs for startup: **Enabled** + +Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard. + +#### Cloud Content + +- Turn off cloud optimized content: **Enabled** +- Turn off cloud consumer account state content: **Enabled** +- Do not show Windows tips: **Enabled** +- Turn off Microsoft consumer experiences: **Enabled** + +#### Credential User Interface + +- Require trusted path for credential entry: **Enabled** +- Prevent the use of security questions for local accounts: **Enabled** + +#### Data Collection and Preview Builds + +- Allow Diagnostic Data: **Enabled** + - Options: **Send required diagnostic data** (Pro Edition); or + - Options: **Diagnostic data off** (Enterprise or Education Edition) +- Limit Diagnostic Log Collection: **Enabled** +- Limit Dump Collection: **Enabled** +- Limit optional diagnostic data for Desktop Analytics: **Enabled** + - Options: **Disable Desktop Analytics collection** +- Do not show feedback notifications: **Enabled** + +#### File Explorer + +- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled** + +#### MDM + +- Disable MDM Enrollment: **Enabled** + +#### OneDrive + +- Save documents to OneDrive by default: **Disabled** +- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled** +- Prevent the usage of OneDrive for file storage: **Enabled** + +This last setting disables 
OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive. + +#### Push To Install + +- Turn off Push To Install service: **Enabled** + +#### 搜索 + +- Allow Cortana: **Disabled** +- Don't search the web or display web results in Search: **Enabled** +- Set what information is shared in Search: **Enabled** + - Type of information: **Anonymous info** + +#### Sync your settings + +- Do not sync: **Enabled** + +#### Text input + +- Improve inking and typing recognition: **Disabled** + +#### Windows Error Reporting + +- Do not send additional data: **Enabled** +- Consent > Configure Default consent: **Enabled** + - Consent level: **Always ask before sending data** diff --git a/i18n/zh/os/windows/index.md b/i18n/zh/os/windows/index.md new file mode 100644 index 00000000..651040a2 --- /dev/null +++ b/i18n/zh/os/windows/index.md 
@@ -0,0 +1,62 @@ +--- +title: Windows Overview +icon: simple/windows +--- + +**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems. + +If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences. + +Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy. 
+ +## Guides + +You can enhance your privacy and security on Windows without downloading any third-party tools with these guides: + +- Initial Installation (coming soon) +- [Group Policy Settings](group-policies.md) +- Privacy Settings (coming soon) +- Application Sandboxing (coming soon) +- Security Hardening (coming soon) + +This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon! + +## Privacy History + +Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today. + +At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them. 
+ +Windows 11 has introduced even more privacy-invasive behavior, including: + +- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher. +- Enabling virtually all data collection options by default. +- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove. +- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps. +- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device. + +Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default. + +Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide. + +## Windows Editions + +Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical. + +**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you. + +The best version available for _retail_ purchase is **Windows Pro Edition**. 
This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc. + +Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions. + +It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks. + +## Obtaining Windows + +Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install. + +The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing. + +This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. 
However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key. + +If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal. diff --git a/i18n/zh/security-keys.md b/i18n/zh/security-keys.md new file mode 100644 index 00000000..b3e9b8db --- /dev/null +++ b/i18n/zh/security-keys.md @@ -0,0 +1,134 @@ +--- +title: Security Keys +icon: material/key-chain +description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party. +cover: multi-factor-authentication.webp +--- + +A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication. + +## Yubico Security Key + +
+ +
+ ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" } +
+ +The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well. + +This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include: + +- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/) +- CCID Smart Card support (PIV-compatibile) +- OpenPGP + +If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead. + +
+

警告

+ +The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## YubiKey + +
+ +
+ ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" } +
+ +The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication. + +[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary } +[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice. + +The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction. + +YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source. + +For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker. + +
+

警告

+ +The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key. + +
+ +## Nitrokey + +
+ +
+ ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" } +
+ +**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**. + +[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary } +[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" } +[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation} + + + +
+ +The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set. + +Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download). + +For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface. + +
+

警告

+ +While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead. + +
+ +
+

警告

+ +Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset). + +
+ +## Criteria + +**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you. + +### Minimum Requirements + +- Must use high quality, tamper resistant hardware security modules. +- Must support the latest FIDO2 specification. +- Must not allow private key extraction. +- Devices which cost over $35 must support handling OpenPGP and S/MIME. + +### Best-Case + +Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page. + +- Should be available in USB-C form-factor. +- Should be available with NFC. +- Should support TOTP secret storage. +- Should support secure firmware updates. diff --git a/i18n/zh/tools.md b/i18n/zh/tools.md index d392dc2e..fc311dd8 100644 --- a/i18n/zh/tools.md +++ b/i18n/zh/tools.md @@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente) +- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos) - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle) - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism) @@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev ### 数据和元数据处理 +**Note:** [Hardware security keys](#security-keys) have been moved to their own category. +
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey) -- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey) - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth) - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android) @@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev [了解更多 :hero-arrow-circle-right-fill:](real-time-communication.md) +## Hardware + +### Security Keys + +
+ +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key) +- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey) +- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey) + +
+ +[了解更多 :hero-arrow-circle-right-fill:](security-keys.md) + ## 服务供应商 ### Android diff --git a/includes/strings.ar.env b/includes/strings.ar.env index a402a834..793ccb24 100644 --- a/includes/strings.ar.env +++ b/includes/strings.ar.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.bn-IN.env b/includes/strings.bn-IN.env index fe53fb0e..64c055ee 100644 --- a/includes/strings.bn-IN.env +++ b/includes/strings.bn-IN.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.bn.env b/includes/strings.bn.env index fc169655..20de5830 100644 --- a/includes/strings.bn.env +++ b/includes/strings.bn.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.cs.env b/includes/strings.cs.env index d2c13960..b7766753 100644 --- a/includes/strings.cs.env +++ b/includes/strings.cs.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.de.env b/includes/strings.de.env index bfd5efa0..6a87b4a7 100644 
--- a/includes/strings.de.env +++ b/includes/strings.de.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Betriebssysteme" NAV_PROVIDERS="Anbieter" NAV_RECOMMENDATIONS="Empfehlungen" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technische Leitfäden" NAV_TECHNOLOGY_ESSENTIALS="Technische Grundlagen" NAV_WRITING_GUIDE="Schreibleitfaden" diff --git a/includes/strings.el.env b/includes/strings.el.env index 46b3d231..92bdc0df 100644 --- a/includes/strings.el.env +++ b/includes/strings.el.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Λειτουργικά Συστήματα" NAV_PROVIDERS="Πάροχοι" NAV_RECOMMENDATIONS="Συστάσεις" NAV_SOFTWARE="Λογισμικό" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Τεχνικές Οδηγίες" NAV_TECHNOLOGY_ESSENTIALS="Τεχνολογικά Απαραίτητα" NAV_WRITING_GUIDE="Οδηγίες Συγγραφής" diff --git a/includes/strings.eo.env b/includes/strings.eo.env index d9c2490b..8cfe0ee3 100644 --- a/includes/strings.eo.env +++ b/includes/strings.eo.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.es.env b/includes/strings.es.env index e0ed139b..216d2ff8 100644 --- a/includes/strings.es.env +++ b/includes/strings.es.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Sistemas Operativos" NAV_PROVIDERS="Proveedores" NAV_RECOMMENDATIONS="Recomendaciones" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Guías Técnicas" NAV_TECHNOLOGY_ESSENTIALS="Aspectos Tecnológicos Esenciales" NAV_WRITING_GUIDE="Guía de Redacción" diff --git a/includes/strings.fa.env b/includes/strings.fa.env index 9af0caa5..f3b37462 100644 --- a/includes/strings.fa.env +++ b/includes/strings.fa.env 
@@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.fr.env b/includes/strings.fr.env index ce40d0f5..d82f4c5e 100644 --- a/includes/strings.fr.env +++ b/includes/strings.fr.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Systèmes d'exploitation" NAV_PROVIDERS="Fournisseurs" NAV_RECOMMENDATIONS="Recommandations" NAV_SOFTWARE="Logiciels" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Guides techniques" NAV_TECHNOLOGY_ESSENTIALS="Les essentiels de la technologie" NAV_WRITING_GUIDE="Guide de rédaction" diff --git a/includes/strings.he.env b/includes/strings.he.env index 5e0299c1..f81eacaf 100644 --- a/includes/strings.he.env +++ b/includes/strings.he.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="מערכות הפעלה" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="תוכנה" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.hi.env b/includes/strings.hi.env index 1181544a..cdbfa19e 100644 --- a/includes/strings.hi.env +++ b/includes/strings.hi.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.hu.env b/includes/strings.hu.env index 69170899..4d0df552 100644 --- a/includes/strings.hu.env +++ b/includes/strings.hu.env 
@@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operációs Rendszerek" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Szoftver" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.id.env b/includes/strings.id.env index 35af60bc..a9bbf481 100644 --- a/includes/strings.id.env +++ b/includes/strings.id.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Sistem Operasi" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Perangkat lunak" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.it.env b/includes/strings.it.env index 69cb63d7..04f5e5ae 100644 --- a/includes/strings.it.env +++ b/includes/strings.it.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Sistemi Operativi" NAV_PROVIDERS="Fornitori" NAV_RECOMMENDATIONS="Raccomandazioni" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Guide tecniche" NAV_TECHNOLOGY_ESSENTIALS="Fondamenti di Tecnologia" NAV_WRITING_GUIDE="Guida alla scrittura" diff --git a/includes/strings.ja.env b/includes/strings.ja.env index a175fb23..0f9c2374 100644 --- a/includes/strings.ja.env +++ b/includes/strings.ja.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="オペレーティングシステム" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="ソフトウェア" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.ko.env b/includes/strings.ko.env index dc859163..418b37c2 100644 --- a/includes/strings.ko.env +++ b/includes/strings.ko.env 
@@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="운영 체제" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="소프트웨어" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.ku-IQ.env b/includes/strings.ku-IQ.env index cf8e6b02..11816642 100644 --- a/includes/strings.ku-IQ.env +++ b/includes/strings.ku-IQ.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.nl.env b/includes/strings.nl.env index 6cbea7b7..6600637a 100644 --- a/includes/strings.nl.env +++ b/includes/strings.nl.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Besturingssystemen" NAV_PROVIDERS="Aanbieders" NAV_RECOMMENDATIONS="Aanbevelingen" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technische gids" NAV_TECHNOLOGY_ESSENTIALS="Technologie Essenties" NAV_WRITING_GUIDE="Schrijfgids" diff --git a/includes/strings.pl.env b/includes/strings.pl.env index 781f485b..a554ebf2 100644 --- a/includes/strings.pl.env +++ b/includes/strings.pl.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Systemy operacyjne" NAV_PROVIDERS="Dostawcy" NAV_RECOMMENDATIONS="Rekomendacje" NAV_SOFTWARE="Oprogramowanie" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Poradniki techniczne" NAV_TECHNOLOGY_ESSENTIALS="Niezbędnik technologiczny" NAV_WRITING_GUIDE="Przewodnik redagowania" diff --git a/includes/strings.pt-BR.env b/includes/strings.pt-BR.env index bd69ce58..c4b1e760 100644 --- a/includes/strings.pt-BR.env +++ b/includes/strings.pt-BR.env 
@@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Sistemas Operacionais" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Programas (Software)" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.pt.env b/includes/strings.pt.env index 651dabce..356ea570 100644 --- a/includes/strings.pt.env +++ b/includes/strings.pt.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Sistemas Operativos" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.ru.env b/includes/strings.ru.env index 252f68fe..b0973115 100644 --- a/includes/strings.ru.env +++ b/includes/strings.ru.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Операционные системы" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Программное обеспечение" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.sv.env b/includes/strings.sv.env index af669664..21ace6a3 100644 --- a/includes/strings.sv.env +++ b/includes/strings.sv.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operativsystem" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Programvara" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.tr.env b/includes/strings.tr.env index 131f7b21..6e7b15a7 100644 --- a/includes/strings.tr.env +++ b/includes/strings.tr.env 
@@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.uk.env b/includes/strings.uk.env index 984fa5d1..e2b7f6fb 100644 --- a/includes/strings.uk.env +++ b/includes/strings.uk.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.vi.env b/includes/strings.vi.env index f9810a3e..df5b65c6 100644 --- a/includes/strings.vi.env +++ b/includes/strings.vi.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="Operating Systems" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide" diff --git a/includes/strings.zh-Hant.env b/includes/strings.zh-Hant.env index 6f1b1db0..d1bb16b0 100644 --- a/includes/strings.zh-Hant.env +++ b/includes/strings.zh-Hant.env @@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="作業系統" NAV_PROVIDERS="提供商" NAV_RECOMMENDATIONS="推薦" NAV_SOFTWARE="軟體" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="技術指南" NAV_TECHNOLOGY_ESSENTIALS="技術要點" NAV_WRITING_GUIDE="撰寫指南" diff --git a/includes/strings.zh.env b/includes/strings.zh.env index 3e03c90e..f07814e3 100644 --- a/includes/strings.zh.env +++ b/includes/strings.zh.env 
@@ -34,6 +34,7 @@ NAV_OPERATING_SYSTEMS="服务供应商" NAV_PROVIDERS="Providers" NAV_RECOMMENDATIONS="Recommendations" NAV_SOFTWARE="Software" +NAV_HARDWARE="Hardware" NAV_TECHNICAL_GUIDES="Technical Guides" NAV_TECHNOLOGY_ESSENTIALS="Technology Essentials" NAV_WRITING_GUIDE="Writing Guide"
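Review bot: every localized `strings.*.env` hunk adds the English literal `NAV_HARDWARE="Hardware"` next to neighbours that are already translated (for example `NAV_SOFTWARE="Logiciels"` in `strings.fr.env`, `NAV_SOFTWARE="Oprogramowanie"` in `strings.pl.env`, `NAV_SOFTWARE="軟體"` in `strings.zh-Hant.env`), so the new navigation entry will render in English in those locales until someone translates it. If translations are normally produced by a separate localization workflow, say so in the PR description; otherwise supply the translated value in the files that already have translated siblings (French, Italian, Dutch, Polish, Traditional Chinese) rather than the English fallback, so the nav does not mix languages.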
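Review bot: the `strings.zh.env` hunk's context line shows `NAV_OPERATING_SYSTEMS="服务供应商"`, which reads as "service providers" in Chinese, not "operating systems"; it is pre-existing and outside this change, but since the file is being touched it is worth filing or fixing alongside, as the same mislabel will sit directly above the new `NAV_HARDWARE` entry in that locale's navigation.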