
[DOCS] Update Windows .zip install instructions for security ON by default (#80552)

* [DOCS] Update Windows .zip install instructions for security ON by default

* Rework instructions for running as a service on Windows

* Update wording and add variable for back/forward slashes

* Relocating enroll nodes steps and introducing variables

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Adam Locke 3 years ago
Parent
Commit
a72a26696c

Binary
docs/reference/images/service-manager-win.png


+ 23 - 0
docs/reference/setup/install/auto-config-output.asciidoc

@@ -0,0 +1,23 @@
+[role="exclude"]
+
+["source","sh",subs="attributes"]
+----
+The generated password for the elastic built-in superuser is:
+<password>
+
+The enrollment token for Kibana instances, valid for the next 30 minutes:
+<enrollment-token>
+
+The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate:
+<fingerprint>
+
+You can complete the following actions at any time:
+Reset the password of the elastic built-in superuser with
+'bin{slash}elasticsearch-reset-password -u elastic'.
+
+Generate an enrollment token for Kibana instances with
+'bin{slash}elasticsearch-create-enrollment-token -s kibana'.
+
+Generate an enrollment token for Elasticsearch nodes with
+'bin{slash}elasticsearch-create-enrollment-token -s node'.
+----
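
Review bot: Every command in this shared block depends on `{slash}` being defined by the including page (for example `'bin{slash}elasticsearch-reset-password -u elastic'`), and nothing in the file guards against it being unset, in which case the reference can reach the rendered page unresolved. Give it a default at the top of the file with `ifndef::slash[]`, `:slash: /`, `endif::[]`, or at least add a comment naming the attribute the includer must set. The block is also tagged `sh` although it is terminal output rather than a script, so a plain listing would avoid misleading highlighting.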

+ 1 - 1
docs/reference/setup/install/check-running.asciidoc

@@ -5,7 +5,7 @@ You can test that your {es} node is running by sending an HTTPS request to port
 
 ["source","sh",subs="attributes"]
 ----
-curl --cacert {os-dir}/tls_auto_config_<timestamp>/http_ca.crt \
+curl --cacert {os-dir}{slash}tls_auto_config_<timestamp>{slash}http_ca.crt \
 -u elastic https://localhost:9200 <1>
 ----
 // NOTCONSOLE
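
Review bot: With `{slash}` set to a backslash on the Windows page, the first line of this command renders with Windows path separators but still ends in a trailing `\` line continuation, which is POSIX shell syntax; cmd.exe uses `^` and PowerShell uses a backtick. Either put the command on one line so it can be pasted into any shell, or make the continuation character an attribute alongside `{slash}`.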

+ 1 - 0
docs/reference/setup/install/deb.asciidoc

@@ -148,6 +148,7 @@ include::systemd.asciidoc[]
 [[deb-check-running]]
 
 :os-dir:       /etc/elasticsearch
+:slash:        /
 
 include::check-running.asciidoc[]
 

+ 1 - 1
docs/reference/setup/install/package-security.asciidoc

@@ -19,7 +19,7 @@ The password and certificate and keys are output to your terminal. For example:
 Authentication and authorization are enabled.
 TLS for the transport and HTTP layers is enabled and configured.
 
-The generated password for the elastic built-in superuser is : 0zq1L_CkDujyYiVoYlZo
+The generated password for the elastic built-in superuser is : <password>
 
 If this node should join an existing cluster, you can reconfigure this with
 '/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
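
Review bot: The password line now uses the `<password>` placeholder, but the enrollment token two lines below is still written `<token-here>`, while the new shared output file in this commit uses `<enrollment-token>`. Use one placeholder name for the token across the install pages.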

+ 1 - 0
docs/reference/setup/install/rpm.asciidoc

@@ -141,6 +141,7 @@ include::systemd.asciidoc[]
 [[rpm-check-running]]
 
 :os-dir:       /etc/elasticsearch
+:slash:        /
 
 include::check-running.asciidoc[]
 

+ 16 - 23
docs/reference/setup/install/targz-start.asciidoc

@@ -20,27 +20,9 @@ and TLS is enabled and configured with these keys and certificates.
 The password for the `elastic` user and the enrollment token for {kib} are
 output to your terminal. For example:
 
-[source,sh]
-----
-The generated password for the elastic built-in superuser is:
-H16Wd=K4dcmgZVA-GE2I
-
-The enrollment token for Kibana instances, valid for the next 30 minutes:
-eyJ2ZXIiOiI4LjAuMCIsImFkciI6WyIxOTIuMTY4Ljg2LjEyMjo5MjAwIl0sImZnciI6ImU5MmVhYWM0ZWMzMGExY2EzMDA0MzM4NDgyM2I3Y2YwNTFkMWQ3OTdkNGJlNTQxYzE3ZWY4NGFiMzBjMjlmNGUiLCJrZXkiOiJFM05YNFh3QkVYOVV2SUs0QlU2YTphVEhESktYRVFEbTctUjlFYlBneGlnIn0=
+:slash:     /
 
-The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate:
-e92eaac4ec30a1ca30043384823b7cf051d1d797d4be541c17ef84ab30c29f4e
-
-You can complete the following actions at any time:
-Reset the password of the elastic built-in superuser with
-'bin/elasticsearch-reset-password -u elastic'.
-
-Generate an enrollment token for Kibana instances with
-'bin/elasticsearch-create-enrollment-token -s kibana'.
-
-Generate an enrollment token for Elasticsearch nodes with
-'bin/elasticsearch-create-enrollment-token -s node'.
-----
+include::auto-config-output.asciidoc[]
 
 If you have password-protected the {es} keystore, you will be prompted
 to enter the keystore's password. See <<secure-settings>> for more
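
Review bot: `:slash:     /` is set here just before the include, again further down in this file before the enroll-nodes include, and once more in targz.asciidoc after `include::targz-start.asciidoc[]`. The value never changes within the tar.gz page, so set it once in targz.asciidoc ahead of the first include and drop the other two definitions.
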
@@ -60,6 +42,17 @@ that supports arrays and assume that Bash is available at `/bin/bash`.
 As such, Bash should be available at this path either directly or via a
 symbolic link.
 
-To enroll additional nodes in your cluster, create an enrollment token with the
-`elasticsearch-create-enrollment-token` tool. You can then start a node with the `--enrollment-token` parameter so that it
-{ref}/configuring-stack-security.html#stack-enroll-nodes[joins an existing cluster].
+[discrete]
+==== Enroll nodes in an existing cluster
+
+To enroll new nodes in your cluster, create an enrollment token with the
+`elasticsearch-create-enrollment-token` tool on any existing node in your
+cluster. You can then start a new node with the `--enrollment-token` parameter
+so that it joins an existing cluster.
+
+// The following include pulls in steps for enrolling nodes in a cluster from
+// a security page in the x-pack folder
+
+:slash:     /
+
+include::../../../../x-pack/docs/en/security/enroll-nodes.asciidoc[]
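
Review bot: The new paragraph under `==== Enroll nodes in an existing cluster` summarises the same two actions that the included enroll-nodes.asciidoc then walks through as numbered steps, so readers get the procedure twice. Trim the paragraph to a single introductory sentence, and keep a cross-reference to `stack-enroll-nodes`, which the removed text linked to and the new text no longer does.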

+ 1 - 0
docs/reference/setup/install/targz.asciidoc

@@ -81,6 +81,7 @@ endif::include-xpack[]
 include::targz-start.asciidoc[]
 
 :os-dir:       $ES_HOME
+:slash:        /
 
 include::check-running.asciidoc[]
 

+ 39 - 6
docs/reference/setup/install/zip-windows-start.asciidoc

@@ -1,19 +1,52 @@
-==== Running Elasticsearch from the command line
+==== Run {es} from the command line
 
-Elasticsearch can be started from the command line as follows:
+Run the following command to start {es} from the command line:
 
 [source,sh]
---------------------------------------------
+----
 .\bin\elasticsearch.bat
---------------------------------------------
+----
+
+When starting {es} for the first time, security features are enabled and
+configured by default. The following security configuration occurs
+automatically: 
+
+* Authentication and authorization are enabled, and a password is generated for
+the `elastic` built-in superuser.
+* Certificates and keys for TLS are generated for the transport and HTTP layer,
+and TLS is enabled and configured with these keys and certificates.
+* An enrollment token is generated for {kib}, which is valid for 30 minutes.
+
+The password for the `elastic` user and the enrollment token for {kib} are
+output to your terminal. For example:
+
+:slash:     \
+
+include::auto-config-output.asciidoc[]
 
 If you have password-protected the {es} keystore, you will be prompted to
 enter the keystore's password. See <<secure-settings>> for more details.
 
 By default {es} prints its logs to the console (`STDOUT`) and to the `<cluster
 name>.log` file within the <<path-settings,logs directory>>. {es} logs some
-information while it is starting up, but once it has finished initializing it
+information while it is starting, but after it has finished initializing it
 will continue to run in the foreground and won't log anything further until
 something happens that is worth recording. While {es} is running you can
-interact with it through its HTTP interface which is on port 9200 by default.
+interact with it through its HTTP interface which is on port `9200` by default.
+
 To stop {es}, press `Ctrl-C`.
+
+[discrete]
+==== Enroll nodes in an existing cluster
+
+To enroll new nodes in your cluster, create an enrollment token with the
+`elasticsearch-create-enrollment-token` tool on any existing node in your
+cluster. You can then start a new node with the `--enrollment-token` parameter
+so that it joins an existing cluster.
+
+// The following include pulls in steps for enrolling nodes in a cluster from
+// a security page in the x-pack folder
+
+:slash:     \
+
+include::../../../../x-pack/docs/en/security/enroll-nodes.asciidoc[]
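
Review bot: The security bullets and the "output to your terminal" sentence added after the start command repeat text that targz-start.asciidoc already carries (its context lines in this commit show the same sentences), so the two pages can drift apart on the next edit. Move that text into auto-config-output.asciidoc or a second shared include so that only `:slash:` differs per platform. There is also trailing whitespace after `automatically:`.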

+ 94 - 63
docs/reference/setup/install/zip-windows.asciidoc

@@ -1,30 +1,30 @@
 [[zip-windows]]
-=== Install Elasticsearch with `.zip` on Windows
+=== Install {es} with `.zip` on Windows
 
-Elasticsearch can be installed on Windows using the Windows `.zip` archive. This
-comes with a `elasticsearch-service.bat` command which will setup Elasticsearch to run as a
+{es} can be installed on Windows using the Windows `.zip` archive. This
+comes with a `elasticsearch-service.bat` command which will setup {es} to run as a
 service.
 
-TIP: Elasticsearch has historically been installed on Windows using the `.zip` archive.
+TIP: {es} has historically been installed on Windows using the `.zip` archive.
 An <<windows, MSI installer package>> is available that provides the easiest getting started
 experience for Windows. You can continue using the `.zip` approach if you prefer.
 
 include::license.asciidoc[]
 
-NOTE: On Windows the Elasticsearch {ml} feature requires the Microsoft Universal
+NOTE: On Windows the {es} {ml} feature requires the Microsoft Universal
 C Runtime library. This is built into Windows 10, Windows Server 2016 and more
 recent versions of Windows. For older versions of Windows it can be installed
 via Windows Update, or from a
 https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows[separate download].
 If you cannot install the Microsoft Universal C Runtime library you can still
-use the rest of Elasticsearch if you disable the {ml} feature.
+use the rest of {es} if you disable the {ml} feature.
 
-The latest stable version of Elasticsearch can be found on the
-link:/downloads/elasticsearch[Download Elasticsearch] page.
+The latest stable version of {es} can be found on the
+link:/downloads/elasticsearch[Download {es}] page.
 Other versions can be found on the
 link:/downloads/past-releases[Past Releases page].
 
-NOTE: Elasticsearch includes a bundled version of https://openjdk.java.net[OpenJDK]
+NOTE: {es} includes a bundled version of https://openjdk.java.net[OpenJDK]
 from the JDK maintainers (GPLv2+CE). To use your own version of Java,
 see the <<jvm-version, JVM version requirements>>
 
@@ -33,21 +33,21 @@ see the <<jvm-version, JVM version requirements>>
 
 ifeval::["{release-state}"=="unreleased"]
 
-Version {version} of Elasticsearch has not yet been released.
+Version {version} of {es} has not yet been released.
 
 endif::[]
 
 ifeval::["{release-state}"!="unreleased"]
 
-Download the `.zip` archive for Elasticsearch v{version} from: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{version}-windows-x86_64.zip
+Download the `.zip` archive for {es} {version} from: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{version}-windows-x86_64.zip
 
-Unzip it with your favourite unzip tool. This will create a folder called
+Unzip it with your favorite unzip tool. This will create a folder called
 +elasticsearch-{version}+, which we will refer to as `%ES_HOME%`. In a terminal
 window, `cd` to the `%ES_HOME%` directory, for instance:
 
 ["source","sh",subs="attributes"]
 ----------------------------
-cd c:\elasticsearch-{version}
+cd C:\elasticsearch-{version}
 ----------------------------
 
 endif::[]
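
Review bot: The download step edited here still takes the reader straight from the archive URL to "Unzip it with your favorite unzip tool" with no integrity check in between. Since this page is being reworked for security-on-by-default installs, consider adding a step that verifies the archive against its published checksum before unpacking.
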
@@ -65,9 +65,9 @@ endif::include-xpack[]
 include::zip-windows-start.asciidoc[]
 
 [[windows-configuring]]
-==== Configuring Elasticsearch on the command line
+==== Configure {es} on the command line
 
-Elasticsearch loads its configuration from the `%ES_HOME%\config\elasticsearch.yml`
+{es} loads its configuration from the `%ES_HOME%\config\elasticsearch.yml`
 file by default. The format of this config file is explained in
 <<settings>>.
 
@@ -86,66 +86,94 @@ added to the `elasticsearch.yml` config file, while any node-specific settings
 such as `node.name` could be specified on the command line.
 
 :os-dir:       %ES_HOME%
+:slash:        \
 
 include::check-running.asciidoc[]
 
 [[windows-service]]
-==== Installing Elasticsearch as a Service on Windows
+==== Install and run {es} as a service on Windows
 
-Elasticsearch can be installed as a service to run in the background or start
-automatically at boot time without any user interaction. This can be achieved
-through the `elasticsearch-service.bat` script in the `bin\` folder which allows one to
-install, remove, manage or configure the service and potentially start and
-stop the service, all from the command-line.
+You can install {es} as a service that runs in the background or starts
+automatically at boot time without user interaction.
+
+. Install {es} as a service. The name of the service and the value of
+`ES_JAVA_HOME` will be made available during install:
++
+["source","sh",subs="attributes"]
+----
+C:\elasticsearch-{version}{backslash}bin>elasticsearch-service.bat install
+Installing service      :  "elasticsearch-service-x64"
+Using ES_JAVA_HOME (64-bit):  "C:\jvm\jdk1.8"
+The service 'elasticsearch-service-x64' has been installed.
+----
+
+. Start {es} as a service. When {es} starts, authentication is enabled by
+default:
++
+["source","sh",subs="attributes"]
+----
+C:\elasticsearch-{version}{backslash}bin>bin\elasticsearch-service.bat start
+----
++
+NOTE: TLS is not enabled or configured when you start {es} as a service.
+
+. Generate a password for the `elastic` user with the
+<<reset-password,`elasticsearch-reset-password`>> tool. The password is output
+to the command line.
++
+["source","sh",subs="attributes"]
+----
+C:\elasticsearch-{version}{backslash}bin>\bin\elasticsearch-reset-password -u elastic
+----
+
+NOTE: While a JRE can be used for the {es} service, due to its use of a client
+VM (as opposed to a server JVM which offers better performance for long-running 
+applications) its usage is discouraged and a warning will be issued.
+
+NOTE: The system environment variable `ES_JAVA_HOME` should be set to the path
+of the JDK installation that you want the service to use. If you upgrade the
+JDK, you are not required to the reinstall the service but you must set the
+value of the system environment variable `ES_JAVA_HOME` to the path to the new
+JDK installation. However, upgrading across JVM types (e.g. JRE versus SE) is
+not supported, and does require the service to be reinstalled.
+
+[[windows-service-manage]]
+===== Manage {es} as a service on Windows
+
+Run the `elasticsearch-service.bat` script in the `bin\` folder to install,
+remove, manage, or configure the service and potentially start and stop the
+service from the command line.
 
 ["source","sh",subs="attributes,callouts"]
---------------------------------------------------
-c:\elasticsearch-{version}{backslash}bin>elasticsearch-service.bat
+----
+C:\elasticsearch-{version}{backslash}bin>elasticsearch-service.bat
 
 Usage: elasticsearch-service.bat install|remove|start|stop|manager [SERVICE_ID]
---------------------------------------------------
+----
 
-The script requires one parameter (the command to execute) followed by an
+The script requires one parameter (the command to execute), followed by an
 optional one indicating the service id (useful when installing multiple
-Elasticsearch services).
+{es} services).
 
 The commands available are:
-
+--
 [horizontal]
-`install`:: Install Elasticsearch as a service
+`install`:: Install {es} as a service
 
-`remove`:: Remove the installed Elasticsearch service (and stop the service if started)
+`remove`:: Remove the installed {es} service (and stop the service if started)
 
-`start`:: Start the Elasticsearch service (if installed)
+`start`:: Start the {es} service (if installed)
 
-`stop`:: Stop the Elasticsearch service (if started)
+`stop`:: Stop the {es} service (if started)
 
 `manager`:: Start a GUI for managing the installed service
-
-The name of the service and the value of `ES_JAVA_HOME` will be made available during install:
-
-["source","sh",subs="attributes"]
---------------------------------------------------
-c:\elasticsearch-{version}{backslash}bin>elasticsearch-service.bat install
-Installing service      :  "elasticsearch-service-x64"
-Using ES_JAVA_HOME (64-bit):  "c:\jvm\jdk1.8"
-The service 'elasticsearch-service-x64' has been installed.
---------------------------------------------------
-
-NOTE: While a JRE can be used for the Elasticsearch service, due to its use of a client VM (as opposed to a server JVM which offers better performance for long-running applications) its usage is discouraged and a warning will be issued.
-
-NOTE: The system environment variable `ES_JAVA_HOME` should be set to the path
-to the JDK installation that you want the service to use. If you upgrade the
-JDK, you are not required to the reinstall the service but you must set the
-value of the system environment variable `ES_JAVA_HOME` to the path to the new
-JDK installation. However, upgrading across JVM types (e.g. JRE versus SE) is
-not supported, and does require the service to be reinstalled.
+--
 
 [[windows-service-settings]]
 [discrete]
-=== Customizing service settings
+=== Customize service settings
 
-The Elasticsearch service can be configured prior to installation by setting the following environment variables (either using the https://technet.microsoft.com/en-us/library/cc754250(v=ws.10).aspx[set command] from the command line, or through the `System Properties->Environment Variables` GUI).
+The {es} service can be configured prior to installation by setting the following environment variables (either using the https://technet.microsoft.com/en-us/library/cc754250(v=ws.10).aspx[set command] from the command line, or through the *System Properties->Environment Variables* GUI).
 
 [horizontal]
 `SERVICE_ID`::
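
Review bot: The prompts in the new service steps do not agree with the commands typed at them: step 2 shows `C:\elasticsearch-{version}{backslash}bin>bin\elasticsearch-service.bat start` and step 3 shows `C:\elasticsearch-{version}{backslash}bin>\bin\elasticsearch-reset-password -u elastic`, while the working directory in the prompt is already `bin`. As written, the first resolves to `bin\bin\` and the second to `\bin\` at the drive root; use the bare command name as step 1 does, or show the prompt at `%ES_HOME%`. The NOTE that TLS is not enabled when {es} starts as a service also needs a follow-up, because the check-running include earlier in this hunk tells readers to connect with `--cacert` over HTTPS and step 3 has them generate the `elastic` password on a node the page has just described as running without TLS; say how to configure TLS for the service case or link to where that is covered. The two NOTE paragraphs after step 3 are not attached to the list with `+`, and "not required to the reinstall" carries over a typo from the removed text.
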
@@ -163,11 +191,11 @@ The Elasticsearch service can be configured prior to installation by setting the
 
 `SERVICE_DISPLAY_NAME`::
 
-  The name of the service. Defaults to `Elasticsearch <version> %SERVICE_ID%`.
+  The name of the service. Defaults to `{es} <version> %SERVICE_ID%`.
 
 `SERVICE_DESCRIPTION`::
 
-  The description of the service. Defaults to `Elasticsearch <version> Windows Service - https://elastic.co`.
+  The description of the service. Defaults to `{es} <version> Windows Service - https://elastic.co`.
 
 `ES_JAVA_HOME`::
 
@@ -176,7 +204,7 @@ The Elasticsearch service can be configured prior to installation by setting the
 `SERVICE_LOG_DIR`::
 
     Service log directory, defaults to `%ES_HOME%\logs`. Note that this does
-    not control the path for the Elasticsearch logs; the path for these is set
+    not control the path for the {es} logs; the path for these is set
     via the setting `path.logs` in the `elasticsearch.yml` configuration file,
     or on the command line.
 
@@ -194,7 +222,7 @@ The Elasticsearch service can be configured prior to installation by setting the
 
     Startup mode for the service. Can be either `auto` or `manual` (default).
 
-`ES_STOP_TIMEOUT` ::
+`ES_STOP_TIMEOUT`::
 
   The timeout in seconds that procrun waits for service to exit gracefully. Defaults to `0`.
 
@@ -215,7 +243,7 @@ use the service manager: `bin\elasticsearch-service.bat manager`.
 ====
 
 NOTE: The service automatically configures a private temporary directory for use
-by Elasticsearch when it is running. This private temporary directory is
+by {es} when it is running. This private temporary directory is
 configured as a sub-directory of the private temporary directory for the user
 running the installation. If the service will run under a different user, you
 can configure the location of the temporary directory that the service should
@@ -224,11 +252,9 @@ before you execute the service installation.
 
 Using the Manager GUI::
 
-It is also possible to configure the service after it's been installed using the manager GUI (`elasticsearch-service-mgr.exe`), which offers insight into the installed service, including its status, startup type, JVM, start and stop settings amongst other things. Simply invoking `elasticsearch-service.bat manager` from the command-line will open up the manager window:
+It is also possible to configure the service after it's been installed using the manager GUI (`elasticsearch-service-mgr.exe`), which offers insight into the installed service, including its status, startup type, JVM, start and stop settings amongst other things. Invoke `elasticsearch-service.bat manager` from the command-line to open the manager window.
 
-image::images/service-manager-win.png["Windows Service Manager GUI",align="center"]
-
-Most changes (like JVM settings) made through the manager GUI will require a restart of the service in order to take affect.
+Most changes (like JVM settings) made through the manager GUI will require a restart of the service to take affect.
 
 [[windows-layout]]
 ==== Directory layout of `.zip` archive
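
Review bot: The rewritten last sentence of the Manager GUI section still reads "to take affect"; it should be "to take effect". The `image::images/service-manager-win.png[...]` line is removed here while the commit also lists that PNG as a changed binary file, so confirm whether the image is meant to be deleted or is still referenced elsewhere.
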
@@ -238,7 +264,7 @@ by default, contained within `%ES_HOME%` -- the directory created when
 unpacking the archive.
 
 This is very convenient because you don't have to create any directories to
-start using Elasticsearch, and uninstalling Elasticsearch is as easy as
+start using {es}, and uninstalling {es} is as easy as
 removing the `%ES_HOME%` directory. However, it is advisable to change the
 default locations of the config directory, the data directory, and the logs
 directory so that you do not delete important data later on.
@@ -248,7 +274,7 @@ directory so that you do not delete important data later on.
 |=======================================================================
 | Type | Description | Default Location | Setting
 | home
-  | Elasticsearch home directory or `%ES_HOME%`
+  | {es} home directory or `%ES_HOME%`
  d| Directory created by unpacking the archive
   |
 
@@ -263,6 +289,11 @@ directory so that you do not delete important data later on.
   | %ES_HOME%\config
   | <<config-files-location,ES_PATH_CONF>>
 
+| conf
+  | Generated TLS keys and certificates for the transport and HTTP layer.
+  | %ES_HOME%\config\tls_auto_config_<timestamp>
+ d|
+
 | data
   | The location of the data files of each index / shard allocated
     on the node.
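
Review bot: The new row gives the location of the generated TLS keys and certificates as `%ES_HOME%\config\tls_auto_config_<timestamp>`, but with `:os-dir: %ES_HOME%` and `:slash: \` set on this page, the check-running command renders `--cacert %ES_HOME%\tls_auto_config_<timestamp>\http_ca.crt`, without the `config` segment. One of the two is wrong; if the table is right, set `:os-dir:` to `%ES_HOME%\config` for the Windows page so the documented CA path exists.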

+ 2 - 24
x-pack/docs/en/security/configuring-stack-security.asciidoc

@@ -85,31 +85,9 @@ when you started {es}.
 [[stack-enroll-nodes]]
 === Enroll additional nodes in your cluster
 
-. In a separate terminal from where {es} is running, navigate to the directory
-where you installed {es} and run the
-<<create-enrollment-token,`elasticsearch-create-enrollment-token`>> tool
-to generate an enrollment token for your additional nodes.
-+
-[source,shell]
-----
-bin/elasticsearch-create-enrollment-token -s node
-----
-+
-Copy the enrollment token, which you'll use to enroll additional nodes with
-your {es} cluster.
-
-. From the installation directory of your other node, start {es} and pass the
-enrollment token with the `--enrollment-token` parameter.
-+
-[source,shell]
-----
-bin/elasticsearch --enrollment-token <enrollment-token>
-----
-+
-{es} automatically generates certificates and keys in the
-`config/tls_auto_config_node_<timestamp>` directory.
+:slash:     /
 
-. Repeat the previous step for any additional nodes that you want to enroll.
+include::enroll-nodes.asciidoc[]
 
 [discrete]
 === What's next?

+ 31 - 0
x-pack/docs/en/security/enroll-nodes.asciidoc

@@ -0,0 +1,31 @@
+[role="exclude"]
+
+. In a separate terminal from where {es} is running, navigate to the directory
+where you installed {es} and run the
+<<create-enrollment-token,`elasticsearch-create-enrollment-token`>> tool
+to generate an enrollment token for your new nodes.
++
+["source","sh",subs="attributes"]
+----
+bin{slash}elasticsearch-create-enrollment-token -s node
+----
++
+Copy the enrollment token, which you'll use to enroll new nodes with
+your {es} cluster.
+
+. From the installation directory of your new node, start {es} and pass the
+enrollment token with the `--enrollment-token` parameter.
++
+["source","sh",subs="attributes"]
+----
+bin{slash}elasticsearch --enrollment-token <enrollment-token>
+----
++
+{es} automatically generates certificates and keys in the following directory:
++
+["source","sh",subs="attributes"]
+----
+config{slash}tls_auto_config_node_<timestamp>
+----
+
+. Repeat the previous step for any new nodes that you want to enroll.
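
Review bot: Step 1 tells the reader to copy the node enrollment token but does not say how long it stays valid, whereas the auto-configuration output added in this same commit states that the Kibana token is "valid for the next 30 minutes". State the node token's lifetime here and that it should be handled as a secret, so readers know to generate it just before starting the new node. The third listing is a directory path rather than a command, so it does not need the `sh` source tag.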