From aeea05f84f43116110a96551f11e58c0c8e9163f Mon Sep 17 00:00:00 2001 From: Microsoft Shawarma <93281617+microsoftshawarma@users.noreply.github.com> Date: Wed, 9 Oct 2024 16:54:05 +0000 Subject: [PATCH 1/4] adding updates to FIDO2 support and passkeys section in Windows Security book --- .../book/identity-protection-passwordless-sign-in.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index ea5dc404e6..469c77df8e 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md +++ b/windows/security/book/identity-protection-passwordless-sign-in.md 
@@ -133,15 +133,16 @@ Enhanced Sign-in Security is configured by device manufacturers during the manuf The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. -Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services. +Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services. ### Passkeys Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services. -A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. 
Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, an external security provider, or their mobile device. +A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. + +Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business and are managed on the Windows 11 device account settings. When a third-party passkey provider is used, passkeys are protected and managed by the third-party. Users can sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browsers or apps that support them for sign in. -Passkeys on Windows 11 are protected by Windows Hello or Windows Hello for Business. This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browsers or apps that support them for sign in. Users can manage passkeys on their device on Windows 11 account settings. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From b8ef051c038ef3c99905890f35178a7d1a66b92c Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 9 Oct 2024 10:02:15 -0700 Subject: [PATCH 2/4] Updates --- .../book/identity-protection-passwordless-sign-in.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md index 469c77df8e..a246593d3f 100644 --- a/windows/security/book/identity-protection-passwordless-sign-in.md 
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md @@ -179,7 +179,7 @@ Windows 11 supports federated sign-in with external education identity managemen - [Configure federated sign-in for Windows devices][LINK-14] -## Smart cards for Windows +## Smart cards Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts. @@ -193,8 +193,7 @@ Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts. -> [!WARNING] -> [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/) and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys. +[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/) and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** From 3b198dfd8130049423a839ed5abd59fbb758090f Mon Sep 17 00:00:00 2001 
From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 9 Oct 2024 22:31:46 -0700 Subject: [PATCH 3/4] Updates --- .../book/identity-protection-advanced-credential-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index 39110959fb..e6776cff12 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md 
@@ -15,7 +15,7 @@ In addition to adopting passwordless sign-in, organizations can strengthen secur Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra. -To help keep these credentials safe, with 24H2 LSA protection is enabled by default on all devices (MSA, Entra joined, hybrid, and local) after an evaluation period. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions. +To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Entra joined, hybrid, and local) with 24H2. For new installs, it is enabled immediately, and for upgrades, it is enabled after an evaluation period. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions. Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**. From 995ce8714eb932fbe93451c1c7548d5727248294 Mon Sep 17 00:00:00 2001 From: MokumaPM <105771503+MokumaPM@users.noreply.github.com> Date: Wed, 9 Oct 2024 22:56:33 -0700 Subject: [PATCH 4/4] Updates --- .../book/cloud-services-protect-your-work-information.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 668b1ae727..52a21d0ff0 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md 
+++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -240,6 +240,7 @@ There's a lot more to learn about Windows Autopatch: this [Forrester Consulting :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Windows Autopatch documentation](/windows/deployment/windows-autopatch/) +- [Windows updates API overview](/graph/windowsupdates-concept-overview) ## OneDrive for work or school
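Review bot: in PATCH 1/4 (hunk @@ -133,15 +133,16 @@ of identity-protection-passwordless-sign-in.md), the added paragraph "Passkeys created and saved with Windows Hello are protected by ..." now places the sentence "Users can sign in to the site or app using their face, fingerprint, or device PIN." directly after the third-party-provider sentence, so it reads as if face/fingerprint/PIN applies to third-party providers too; move that sentence back next to the Windows Hello sentence it belongs to, or qualify it ("With Windows Hello, users can sign in ..."). Two wording fixes in the same paragraph: "managed on the Windows 11 device account settings" should be "managed in the Windows 11 account settings", and "managed by the third-party" should be "managed by the third party" (noun, no hyphen). Also "in any browsers or apps that support them" reads better as "in any browser or app that supports them".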
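Review bot: in PATCH 2/4 (hunk @@ -179,7 +179,7 @@), renaming the heading "## Smart cards for Windows" to "## Smart cards" changes the generated anchor (smart-cards-for-windows becomes smart-cards); check the rest of the book and any redirects or TOC entries for links that target the old anchor before merging.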
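Review bot: in PATCH 2/4 (hunk @@ -193,8 +193,7 @@), dropping the "> [!WARNING]" callout demotes the guidance that virtual smart card customers should move to Windows Hello for Business or FIDO2 to an ordinary paragraph, so it loses the visual prominence it had; if the intent is only to soften the tone, a "> [!NOTE]" or "> [!IMPORTANT]" callout keeps the recommendation noticeable while still reading as guidance rather than a warning. Either way, the commit message "Updates" should say that the callout was intentionally removed so the change is not mistaken for an accidental edit.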
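Review bot: in PATCH 3/4 (hunk @@ -15,7 +15,7 @@ of identity-protection-advanced-credential-protection.md), the rewritten sentence ends "... on all devices (MSA, Entra joined, hybrid, and local) with 24H2.", where "with 24H2" dangles after the parenthetical and can be read as modifying "local"; lead with the version instead, for example "Starting with Windows 11, version 24H2, LSA protection is enabled by default on all devices (MSA, Entra joined, hybrid, and local)." The added split between new installs (enabled immediately) and upgrades (enabled after an evaluation period) is a behavioral claim the previous text did not make; please confirm it against the LSA protection documentation and consider linking that page from the "Learn more" list so readers can find the evaluation-period details.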
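Review bot: in PATCH 4/4 (hunk @@ -240,6 +240,7 @@ of cloud-services-protect-your-work-information.md), the new entry "- [Windows updates API overview](/graph/windowsupdates-concept-overview)" points into the /graph/ documentation set, which is developer (Microsoft Graph) content, while the surrounding "Learn more" list under Windows Autopatch links admin deployment docs; make the link text say what the reader will land on (for example "Windows updates API overview (Microsoft Graph)") and verify that the relative path resolves in the build, since a bad link in a published book page fails silently.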