diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index 9d773b6938..a4d388a053 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -78,6 +78,20 @@ Windows 11 built-in management features include:
 
 - [Mobile device management overview](/windows/client-management/mdm-overview)
 
+### Remote wipe
+
+When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
+
+Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
+
+- Reset the device and remove user accounts and data
+- Reset the device and clean the drive
+- Reset the device but persist user accounts and data
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Remote wipe CSP](/windows/client-management/mdm/remotewipe-csp)
+
 ## Microsoft Intune
 
 Microsoft Intune<sup>[\[15\]](conclusion.md#footnote15)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
@@ -92,6 +106,16 @@ Windows 11 enables IT professionals to move to the cloud while consistently enfo
 
 - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
 
+### Windows enrollment attestation
+
+When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
+
+With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates cannot be transferred from one device to another, maintaining the integrity of the enrollment process.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
+
 ### Endpoint Privilege Management (EPM)
 
 Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
@@ -116,14 +140,6 @@ With Intune, organizations can also extend MAM App Config, MAM App Protection, a
 
 - [Data protection for Windows MAM](/mem/intune/apps/protect-mam-windows?formCode=MG0AV3)
 
-## MDM enrollment certificate attestation
-
-When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows enrollment attestation](/mem/intune/enrollment/windows-enrollment-attestation)
-
 ## Local Administrator Password (LAPs)
 
 Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS, organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
@@ -160,20 +176,6 @@ The security baseline has been enhanced with over 70 new settings, enabling loca
 - [Intune security baseline overview](/mem/intune/protect/security-baselines)
 - [List of the settings in the Windows security baseline in Intune](/mem/intune/protect/security-baseline-settings-mdm-all)
 
-## Remote Wipe
-
-When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
-
-Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
-
-- Reset the device and remove user accounts and data
-- Reset the device and clean the drive
-- Reset the device but persist user accounts and data
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
-
 ## Microsoft Azure Attestation Service
 
 Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
@@ -225,7 +227,7 @@ There's a lot more to learn about Windows Autopatch: this [Forrester Consulting
 
 - [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
 
-## Windows Autopilot and zero-touch deployment
+## Windows Autopilot
 
 Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles for employees, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
 
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
index f036d23ac8..152c6e2cdc 100644
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
@@ -7,4 +7,4 @@ ms.date: 09/06/2024
 
 # Features index
 
-[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)<br>[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)<br>[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)<br>[App containers](application-security-application-isolation.md#app-containers)<br>[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)<br>[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)<br>[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)<br>[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)<br>[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)<br>[Certificates](operating-system-security-system-security.md#certificates)<br>[Cloud-native management](cloud-services-protect-your-work-information.md#cloud-native-management)<br>[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)<br>[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)<br>[Config Refresh](operating-system-security-system-security.md#config-refresh)<br>[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)<br>[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)<br>[Cryptography](operating-system-security-system-security.md#cryptography)<br>[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)<br>[Device health attestation](operating-system-security-system-security.md#device-health-attestation)<br>[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)<br>[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)<br>[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)<br>[Enhanced phishing protection with Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-with-microsoft-defender-smartscreen)<br>[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)<br>[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)<br>[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)<br>[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)<br>[FIDO2](identity-protection-passwordless-sign-in.md#fido2)<br>[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)<br>[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)<br>[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)<br>[Local Administrator Password (LAPs)](cloud-services-protect-your-work-information.md#local-administrator-password-laps)<br>[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)<br>[MDM enrollment certificate attestation](cloud-services-protect-your-work-information.md#mdm-enrollment-certificate-attestation)<br>[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)<br>[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)<br>[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)<br>[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)<br>[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)<br>[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)<br>[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)<br>[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)<br>[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)<br>[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)<br>[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)<br>[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)<br>[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)<br>[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)<br>[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)<br>[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)<br>[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)<br>[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)<br>[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)<br>[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)<br>[Privacy resource usage](privacy-controls.md#privacy-resource-usage)<br>[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)<br>[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)<br>[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)<br>[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)<br>[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)<br>[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)<br>[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)<br>[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)<br>[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)<br>[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)<br>[Token protection](identity-protection-advanced-credential-protection.md#token-protection)<br>[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)<br>[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)<br>[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)<br>[Trusted signing](application-security-application-and-driver-control.md#trusted-signing)<br>[Universal Print](cloud-services-protect-your-work-information.md#universal-print)<br>[User Account Control](application-security-application-and-driver-control.md#user-account-control)<br>[VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)<br>[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)<br>[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)<br>[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)<br>[Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)<br>[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)<br>[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)<br>[Windows Autopilot and zero-touch deployment](cloud-services-protect-your-work-information.md#windows-autopilot-and-zero-touch-deployment)<br>[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)<br>[Windows Firewall](operating-system-security-network-security.md#windows-firewall)<br>[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)<br>[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)<br>[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)<br>[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)<br>[Windows protected print](operating-system-security-system-security.md#windows-protected-print)<br>[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)<br>[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)<br>[Windows security settings](operating-system-security-system-security.md#windows-security-settings)<br>[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)<br>[Windows Update for Business deployment service](cloud-services-protect-your-work-information.md#windows-update-for-business-deployment-service)<br>[Windows Update Management](cloud-services-protect-your-work-information.md#windows-update-management)
\ No newline at end of file
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)<br>[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)<br>[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)<br>[App containers](application-security-application-isolation.md#app-containers)<br>[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)<br>[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)<br>[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)<br>[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)<br>[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)<br>[Certificates](operating-system-security-system-security.md#certificates)<br>[Cloud-native management](cloud-services-protect-your-work-information.md#cloud-native-management)<br>[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)<br>[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)<br>[Config Refresh](operating-system-security-system-security.md#config-refresh)<br>[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)<br>[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)<br>[Cryptography](operating-system-security-system-security.md#cryptography)<br>[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)<br>[Device health attestation](operating-system-security-system-security.md#device-health-attestation)<br>[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)<br>[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)<br>[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)<br>[Enhanced phishing protection with Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-with-microsoft-defender-smartscreen)<br>[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)<br>[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)<br>[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)<br>[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)<br>[FIDO2](identity-protection-passwordless-sign-in.md#fido2)<br>[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)<br>[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)<br>[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)<br>[Local Administrator Password (LAPs)](cloud-services-protect-your-work-information.md#local-administrator-password-laps)<br>[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)<br>[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)<br>[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)<br>[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)<br>[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)<br>[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)<br>[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)<br>[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)<br>[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)<br>[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)<br>[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)<br>[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)<br>[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)<br>[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)<br>[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)<br>[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)<br>[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)<br>[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)<br>[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)<br>[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)<br>[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)<br>[Privacy resource usage](privacy-controls.md#privacy-resource-usage)<br>[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)<br>[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)<br>[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)<br>[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)<br>[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)<br>[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)<br>[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)<br>[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)<br>[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)<br>[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)<br>[Token protection](identity-protection-advanced-credential-protection.md#token-protection)<br>[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)<br>[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)<br>[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)<br>[Trusted signing](application-security-application-and-driver-control.md#trusted-signing)<br>[Universal Print](cloud-services-protect-your-work-information.md#universal-print)<br>[User Account Control](application-security-application-and-driver-control.md#user-account-control)<br>[VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)<br>[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)<br>[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)<br>[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)<br>[Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)<br>[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)<br>[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)<br>[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)<br>[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)<br>[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)<br>[Windows Firewall](operating-system-security-network-security.md#windows-firewall)<br>[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)<br>[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)<br>[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)<br>[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)<br>[Windows protected print](operating-system-security-system-security.md#windows-protected-print)<br>[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)<br>[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)<br>[Windows security settings](operating-system-security-system-security.md#windows-security-settings)<br>[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)<br>[Windows Update for Business deployment service](cloud-services-protect-your-work-information.md#windows-update-for-business-deployment-service)<br>[Windows Update Management](cloud-services-protect-your-work-information.md#windows-update-management)
\ No newline at end of file
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
index 750897f646..b4b937fca4 100644
Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/operating-system.png b/windows/security/book/images/operating-system.png
index 48947fda46..c3bb6d70b9 100644
Binary files a/windows/security/book/images/operating-system.png and b/windows/security/book/images/operating-system.png differ
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index a91e4ac7cc..c9e968cf46 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -64,8 +64,14 @@ With the first release of PDE (Windows 11, version 22H2), the PDE API was availa
 
 ## Email encryption
 
-Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them<sup>[\[10\]](conclusion.md#footnote10)</sup>. Users can digitally sign a message, which verifies the identity of the sender and ensures the message hasn't been tampered with.
+Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them<sup>[\[10\]](conclusion.md#footnote10)</sup>. Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
 
-These encrypted messages can be sent by a user to people within their organization and external contacts who have proper encryption certificates.
+The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
 
-However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates aren't available, the app asks you to remove these recipients before sending the email.
+When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
+- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
+- [Email encryption](/purview/email-encryption)