diff --git a/education/index.yml b/education/index.yml
index 1da8d77fdb..d70de3747c 100644
--- a/education/index.yml
+++ b/education/index.yml
@@ -8,7 +8,7 @@ metadata:
title: Microsoft 365 Education Documentation
description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
ms.topic: hub-page
- ms.date: 07/22/2024
+ ms.date: 12/05/2024
productDirectory:
title: For IT admins
diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md
index 54bf350d77..4f9ce1a8ed 100644
--- a/education/windows/configure-aad-google-trust.md
+++ b/education/windows/configure-aad-google-trust.md
@@ -1,7 +1,7 @@
---
-title: Configure federation between Google Workspace and Microsoft Entra ID
+title: Configure Federation Between Google Workspace And Microsoft Entra Id
description: Configuration of a federated trust between Google Workspace and Microsoft Entra ID, with Google Workspace acting as an identity provider (IdP) for Microsoft Entra ID.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
---
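Review bot: The new title on the `+title:` line lowercases the product name to "Microsoft Entra Id"; the product is "Microsoft Entra ID" (as the unchanged `description:` line two lines below still spells it), so the title-casing pass should not touch the acronym. Suggest `title: Configure Federation Between Google Workspace And Microsoft Entra ID`, or keep sentence case as the description does.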
@@ -43,10 +43,10 @@ To test federation, the following prerequisites must be met:
1. In the search results page, hover over the *Microsoft Office 365 - Web (SAML)* app and select **Select**
:::image type="content" source="images/google/google-admin-search-app.png" alt-text="Screenshot showing Google Workspace and the search button for Microsoft Office 365 SAML app.":::
1. On the **Google Identity Provider details** page, select **Download Metadata** and take note of the location where the **IdP metadata** - *GoogleIDPMetadata.xml* - file is saved, as it's used to set up Microsoft Entra ID later
-1. On the **Service provider detail's** page
+1. On the **Service provider detail's** page:
- Select the option **Signed response**
- Verify that the Name ID format is set to **PERSISTENT**
- - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping.\
+ - Depending on how the Microsoft Entra users have been provisioned in Microsoft Entra ID, you might need to adjust the **Name ID** mapping\
If using Google autoprovisioning, select **Basic Information > Primary email**
- Select **Continue**
1. On the **Attribute mapping** page, map the Google attributes to the Microsoft Entra attributes
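Review bot: The changed line `+1. On the **Service provider detail's** page:` keeps the stray apostrophe from the original; the Google Admin page is "Service provider details", so this should read `**Service provider details**`. Dropping the trailing period on the **Name ID** mapping line while keeping the `\` hard line break is fine, but note the line that follows (`If using Google autoprovisioning...`) now reads as a continuation sentence without any punctuation before it.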
@@ -139,4 +139,4 @@ From a private browser session, navigate to https://portal.azure.com and sign in
1. The user is redirected to Google Workspace to sign in
1. After Google Workspace authentication, the user is redirected back to Microsoft Entra ID and signed in
-:::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
+ :::image type="content" source="images/google/google-sso.gif" alt-text="A GIF that shows the user authenticating the Azure portal using a Google Workspace federated identity.":::
diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md
index 889b10b393..bdd5d2761c 100644
--- a/education/windows/edu-stickers.md
+++ b/education/windows/edu-stickers.md
@@ -1,7 +1,7 @@
---
-title: Configure Stickers for Windows 11 SE
+title: Configure Stickers For Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ Windows 11 SE
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index b0d6efa639..727c1a26bd 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -1,7 +1,7 @@
---
-title: Configure education themes for Windows 11
+title: Configure Education Themes For Windows 11
description: Learn about education themes for Windows 11 and how to configure them via Intune and provisioning package.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: how-to
appliesto:
- ✅ Windows 11
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index d5a0cb61fa..8d3050097f 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -1,8 +1,8 @@
---
-title: Get and deploy Minecraft Education
+title: Deploy Minecraft Education To Windows Devices
description: Learn how to obtain and distribute Minecraft Education to Windows devices.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/5/2024
ms.collection:
- education
- tier2
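Review bot: The `+ms.date: 12/5/2024` line uses a single-digit day, while every other `ms.date` in this change uses the zero-padded `MM/DD/YYYY` form (`12/02/2024`, `12/05/2024`). Use `12/05/2024` here for consistency with the rest of the PR and the repo's date format.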
@@ -48,7 +48,7 @@ To purchase direct licenses:
1. Select the quantity of licenses you'd like to purchase and select **Place Order**
1. After you've purchased licenses, you'll need to [assign Minecraft Education licenses to your users](#assign-minecraft-education-licenses)
-If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).
+ If you need more licenses for Minecraft Education, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses)
### Volume licensing
@@ -88,14 +88,14 @@ You must be a *Global*, *License*, or *User admin* to assign licenses. For more
1. Go to [https://admin.microsoft.com](https://admin.microsoft.com) and sign in with an account that can assign licenses in your organization
1. From the left-hand menu in Microsoft Admin Center, select *Users*
1. From the Users list, select the users you want to add or remove for Minecraft Education access
-1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it not assigned already
+1. Add the relevant Minecraft Education, A1 for device or A3/A5 license if it is not assigned already
> [!Note]
- > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions.
+ > If you add a faculty license, the user will be assigned a *teacher* role in the application and will have elevated permissions
1. If you've assigned a Microsoft 365 A3 or A5 license, after selecting the product license, ensure to toggle *Minecraft Education* on
> [!Note]
> If you turn off this setting after students have been using Minecraft Education, they will have up to 30 more days to use Minecraft Education before they don't have access
-:::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
+ :::image type="content" source="images/minecraft/admin-center-minecraft-license.png" alt-text="Screenshot of the Microsoft 365 admin center - assignment of a Minecraft Education license to a user." lightbox="images/minecraft/admin-center-minecraft-license.png":::
For more information about license assignment, see [Manage Licenses in the Admin Center][EDU-5].
@@ -118,31 +118,31 @@ If you're using Microsoft Intune to manage your devices, follow these steps to d
1. Select **Next**
1. On the *Review + Create* screen, select **Create**
-Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
+ Intune will install Minecraft Education at the next device check-in, or will make it available in Company Portal for on-demand installs.
-:::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
+ :::image type="content" source="images/minecraft/win11-minecraft-education.png" alt-text="Screenshot of Minecraft Education executing on a Windows 11 device.":::
-For more information how to deploy Minecraft Education, see:
+ For more information how to deploy Minecraft Education, see:
-- [Windows installation guide][EDU-6]
-- [Chromebook installation guide][EDU-7]
-- [iOS installation guide][EDU-8]
-- [macOS installation guide][EDU-9]
+ - [Windows installation guide][EDU-6]
+ - [Chromebook installation guide][EDU-7]
+ - [iOS installation guide][EDU-8]
+ - [macOS installation guide][EDU-9]
-If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
+ If you're having trouble installing the app, you can get more help on the [Minecraft Education support page][AKA-1].
-
-[EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
-[EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
-[EDU-3]: https://www.microsoft.com/education/products/office
-[EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
-[EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
-[EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
-[EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
-[EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
-[EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
+
+ [EDU-1]: https://educommunity.minecraft.net/hc/articles/360047116432
+ [EDU-2]: https://educommunity.minecraft.net/hc/articles/360061371532
+ [EDU-3]: https://www.microsoft.com/education/products/office
+ [EDU-4]: https://educommunity.minecraft.net/hc/articles/360061369812
+ [EDU-6]: https://educommunity.minecraft.net/hc/articles/13106858087956
+ [EDU-5]: https://educommunity.minecraft.net/hc/articles/360047118672
+ [EDU-7]: https://educommunity.minecraft.net/hc/articles/4404625978516
+ [EDU-8]: https://educommunity.minecraft.net/hc/articles/360047556351
+ [EDU-9]: https://educommunity.minecraft.net/hc/articles/360047118792
-[M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
-[M365-2]: /microsoft-365/admin/add-users/about-admin-roles
+ [M365-1]: /microsoft-365/commerce/billing-and-payments/pay-for-your-subscription
+ [M365-2]: /microsoft-365/admin/add-users/about-admin-roles
-[AKA-1]: https://aka.ms/minecraftedusupport
+ [AKA-1]: https://aka.ms/minecraftedusupport
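Review bot: Indenting the closing paragraphs, the installation-guide list and all the `[EDU-n]`/`[M365-n]`/`[AKA-1]` reference definitions by three spaces makes them continuation content of the last numbered step ("On the *Review + Create* screen, select **Create**") rather than standalone text after the procedure; confirm that is intended and that the rendered page still resolves the reference links from inside the list item. While touching these lines, the untouched grammar in `For more information how to deploy Minecraft Education, see:` is missing "about" (`For more information about how to deploy...`), and the `[EDU-6]` definition still sits before `[EDU-5]`, so reordering them would keep the list sorted.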
diff --git a/education/windows/suspcs/provisioning-package.md b/education/windows/suspcs/provisioning-package.md
index 677b9b7b6f..bde1800fa4 100644
--- a/education/windows/suspcs/provisioning-package.md
+++ b/education/windows/suspcs/provisioning-package.md
@@ -1,7 +1,7 @@
---
-title: What's in Set up School PCs provisioning package
+title: What's In Set up School PCs Provisioning Package
description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: reference
appliesto:
- ✅ Windows 11
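Review bot: The new title `What's In Set up School PCs Provisioning Package` capitalizes "In" but leaves "up" in "Set up" lowercase, so the title-casing applied across this PR is inconsistent with itself here. Either keep the app name exactly as the product spells it ("Set up School PCs") and sentence-case the rest (`What's in the Set up School PCs provisioning package`), or apply the casing rule uniformly.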
diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md
index 8c46ac4b93..b43345436f 100644
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@@ -1,7 +1,7 @@
---
title: Take tests and assessments in Windows
description: Learn about the built-in Take a Test app for Windows and how to use it.
-ms.date: 02/29/2024
+ms.date: 11/11/2024
ms.topic: how-to
---
@@ -9,11 +9,11 @@ ms.topic: how-to
Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:
-- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
-- access other applications
-- change system settings, such as display extension, notifications, updates
-- access Cortana
-- access content copied to the clipboard
+- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- Access other applications
+- Change system settings, such as display extension, notifications, updates
+- Access Cortana
+- Access content copied to the clipboard
## How to use Take a Test
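Review bot: Capitalizing the first word of each bullet is fine, but the unchanged context line above the list still has two errors worth fixing in the same pass: "formative and summation assessments" should be "summative assessments", and "configured to only allow access a specific URL" is missing "to" (`only allow access to a specific URL`). Since the list items were edited, a quick pass on the introducing sentence would avoid a second PR.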
@@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
- For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
- For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)
-:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
+ :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
## Create a secure assessment link
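Review bot: The indented `:::image` line is now nested under the second bullet, which is reasonable since it illustrates the kiosk-mode flow, but the context line `- For lower stakes assessments, such a quick quiz in a class` above it is missing "as" (`such as a quick quiz`) and could be corrected while this hunk is open.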
@@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:
For this option, copy the assessment URL and open the web application Customize your assessment URL, where you can:
-- Paste the link to the assessment URL
-- Select the options you want to allow during the test
-- Generate the link by selecting the button Create link
+- Paste the link to the assessment URL.
+- Select the options you want to allow during the test.
+- Generate the link by selecting the button Create link.
This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.
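Review bot: This hunk adds trailing periods to the three list items, while other hunks in the same PR remove trailing periods from list items and notes (the **Name ID** mapping bullet in configure-aad-google-trust.md and the faculty-license `[!Note]` in get-minecraft-for-education.md). Pick one convention for list item punctuation and apply it consistently across the changed files; the repo's other lists in this diff omit the period.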
@@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet
## Distribute the secure assessment link
-Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.
For example, you can create and copy the shortcut to the assessment URL to the students' desktop.
@@ -85,4 +85,4 @@ To take the test, have the students open the link.
Teachers can use **Microsoft Forms** to create tests. For more information, see [Create tests using Microsoft Forms](https://support.microsoft.com/en-us/office/create-a-quiz-with-microsoft-forms-a082a018-24a1-48c1-b176-4b3616cdc83d).
-To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
\ No newline at end of file
+To learn more about the policies and settings set by the Take a Test app, see [Take a Test app technical reference](take-a-test-app-technical.md).
diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md
index 7f2a9f9207..54cb82322a 100644
--- a/education/windows/tutorial-deploy-apps-winse/considerations.md
+++ b/education/windows/tutorial-deploy-apps-winse/considerations.md
@@ -1,7 +1,7 @@
---
-title: Important considerations before deploying apps with managed installer
+title: Important Considerations Before Deploying Apps With Managed Installer For Windows 11 SE
description: Learn about important aspects to consider before deploying apps with managed installer.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md
index 26e022bbbf..6947d4612d 100644
--- a/education/windows/tutorial-deploy-apps-winse/create-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md
@@ -1,7 +1,7 @@
---
-title: Create policies to enable applications
+title: Create Policies To Enable Applications In Windows 11 SE
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
index 62442e2058..4ab613f7f0 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md
@@ -1,7 +1,7 @@
---
-title: Applications deployment considerations
+title: Applications Deployment Considerations In Windows 11 SE
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
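Review bot: The new title `Applications Deployment Considerations In Windows 11 SE` carries over the plural noun-adjunct from the old title; idiomatic English is `Application Deployment Considerations`, and since the title is being rewritten anyway this is the moment to fix it.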
diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
index 63f6143853..990f4c894b 100644
--- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md
@@ -1,7 +1,7 @@
---
-title: Deploy policies to enable applications
+title: Deploy Policies To Enable Applications In Windows 11 SE
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md
index 1c09685eed..c96283ec0c 100644
--- a/education/windows/tutorial-deploy-apps-winse/index.md
+++ b/education/windows/tutorial-deploy-apps-winse/index.md
@@ -1,7 +1,7 @@
---
-title: Deploy applications to Windows 11 SE with Intune
+title: Deploy Applications To Windows 11 SE With Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
diff --git a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
index 38a3ee9d4c..f23a6c4034 100644
--- a/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
+++ b/education/windows/tutorial-deploy-apps-winse/troubleshoot.md
@@ -1,7 +1,7 @@
---
-title: Troubleshoot app deployment issues in Windows SE
+title: Troubleshoot App Deployment Issues In Windows Se
description: Troubleshoot common issues when deploying apps to Windows SE devices.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
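Review bot: The title-casing on the `+title:` line turns the product acronym into `Windows Se`; the `appliesto` entry three lines below and the unchanged `description:` line both spell it `Windows SE`. Suggest `Troubleshoot App Deployment Issues In Windows SE` (or, better, `Windows 11 SE` to match the other rewritten titles in this PR).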
diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md
index 211638de72..4cfa11748b 100644
--- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md
+++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md
@@ -1,7 +1,7 @@
---
-title: Validate the applications deployed to Windows SE devices
+title: Validate The Applications Deployed To Windows Se Devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
-ms.date: 04/10/2024
+ms.date: 12/02/2024
ms.topic: tutorial
appliesto:
- ✅ Windows 11 SE, version 22H2 and later
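Review bot: Same acronym problem as in troubleshoot.md: `Validate The Applications Deployed To Windows Se Devices` should read `Windows SE` (or `Windows 11 SE` for consistency with the sibling tutorial titles changed in this PR). The casing tool evidently treats "SE" as a word; these two titles need a manual fix.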
diff --git a/windows/client-management/declared-configuration.md b/windows/client-management/declared-configuration.md
index a0a28f91ae..ec20778da6 100644
--- a/windows/client-management/declared-configuration.md
+++ b/windows/client-management/declared-configuration.md
@@ -121,7 +121,7 @@ If the processing of declared configuration document fails, the errors are logge
- If the Document ID doesn't match between the `` and inside DeclaredConfiguration document, Admin event log shows an error message similar to:
- `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-3436249567-4017981746-3373817415-1001), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
+ `MDM Declared Configuration: End document parsing from CSP: Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91), Scenario: (MSFTVPN), Version: (A0), Enrollment Id: (DAD70CC2-365B-450D-A8AB-2EB23F4300CC), Current User: (S-1-5-21-1004336348-1177238915-682003330-1234), Schema: (1.0), Download URL: (), Scope: (0x1), Enroll Type: (0x1A), File size: (0xDE2), CSP Count: (0x1), URI Count: (0xF), Action Requested: (0x0), Model: (0x1), Result:(0x8000FFFF) Catastrophic failure.`
- Any typo in the OMA-URI results in a failure. In this example, `TrafficFilterList` is specified instead of `TrafficFilterLists`, and Admin event log shows an error message similar to:
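Review bot: Replacing the SID in the sample event text with a clearly synthetic one (`S-1-5-21-1004336348-1177238915-682003330-1234`) is the right call for published documentation; two related issues in the surrounding lines are worth fixing in the same hunk. The unchanged context line reads `doesn't match between the `` and inside DeclaredConfiguration document`, where the inline code span is empty, so the element name it was meant to contain is missing. And the sample `Document Id: (DCA000B5-397D-40A1-AABF-40B25078A7F91)` has a 13-character final group, so it is not a well-formed GUID; if it is meant to be an illustrative value, use a correctly shaped placeholder.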
@@ -129,4 +129,4 @@ If the processing of declared configuration document fails, the errors are logge
There's also another warning message in operational channel:
- `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007)`
\ No newline at end of file
+ `MDM Declared Configuration: Function (DeclaredConfigurationExtension_PolicyCSPConfigureGivenCurrentDoc) operation (ErrorAtDocLevel: one or more CSPs failed) failed with (Unknown Win32 Error code: 0x82d00007).`
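Review bot: The added trailing period is placed inside the backticks, which changes the quoted event text itself; the Operational channel message does not end with a period, so readers copying the string for a log search or a detection rule would get a value that never matches. Move the period outside the closing backtick (`...0x82d00007)`.`) or leave the quoted message unpunctuated as the Admin-channel example above it is.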
diff --git a/windows/client-management/images/8908044-recall-search.png b/windows/client-management/images/8908044-recall-search.png
new file mode 100644
index 0000000000..16ec5fda8b
Binary files /dev/null and b/windows/client-management/images/8908044-recall-search.png differ
diff --git a/windows/client-management/images/8908044-recall.png b/windows/client-management/images/8908044-recall.png
deleted file mode 100644
index 92c93c46cb..0000000000
Binary files a/windows/client-management/images/8908044-recall.png and /dev/null differ
diff --git a/windows/client-management/manage-recall.md b/windows/client-management/manage-recall.md
index 82a405289c..f8a052962b 100644
--- a/windows/client-management/manage-recall.md
+++ b/windows/client-management/manage-recall.md
@@ -1,9 +1,9 @@
---
title: Manage Recall for Windows clients
-description: Learn how to manage Recall for commercial environments using MDM and group policy. Learn about Recall features.
+description: Learn how to manage Recall for commercial environments and about Recall features.
ms.topic: how-to
ms.subservice: windows-copilot
-ms.date: 06/13/2024
+ms.date: 11/22/2024
ms.author: mstewart
author: mestew
ms.collection:
@@ -18,72 +18,161 @@ appliesto:
>**Looking for consumer information?** See [Retrace your steps with Recall](https://support.microsoft.com/windows/retrace-your-steps-with-recall-aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c).
-Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Recall takes snapshots of your screen and stores them in a timeline. Snapshots are taken every five seconds while content on the screen is different from the previous snapshot. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+Recall (preview) allows users to search locally saved and locally analyzed snapshots of their screen using natural language. By default, Recall is disabled and removed on managed devices. IT admins can choose if they want to allow Recall to be used in their organizations and users, on their own, won't be able to enable it on their managed device if the Allow Recall policy is disabled. IT admins, on their own, can't start saving snapshots for end users. Recall is an opt-in experience that requires end user consent to save snapshots. Users can choose to enable or disable saving snapshots for themselves anytime. IT admins can only set policies that give users the option to enable saving snapshots and configure certain policies for Recall.
+
+This article provides information about Recall and how to manage it in a commercial environment.
> [!NOTE]
-> Recall is coming soon through a post-launch Windows update. See [aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
+> - Recall is now available in preview to Copilot+ PCs through the Windows Insider Program. For more information, see [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/).
+> - In-market commercial devices are defined as devices with an Enterprise (ENT) or Education (EDU) SKU or any premium SKU device that is managed by an IT administrator (whether via Microsoft Endpoint Manager or other endpoint management solution), has a volume license key, or is joined to a domain. Commercial devices during Out of Box Experience (OOBE) are defined as those with ENT or EDU SKU or any premium SKU device that has a volume license key or is Microsoft Entra joined.
+> - Recall is optimized for select languages English, Chinese (simplified), French, German, Japanese, and Spanish. Content-based and storage limitations apply. For more information, see [https://aka.ms/copilotpluspcs](https://aka.ms/copilotpluspcs).
-When Recall opens the snapshot a user selected, it enables screenray, which runs on top of the saved snapshot. Screenray analyzes what's in the snapshot and allows users to interact with individual elements in the snapshot. For instance, users can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+## What is Recall?
-:::image type="content" source="images/8908044-recall.png" alt-text="Screenshot of Recall with search results displayed for a query about a restaurant that the user's friend sent them." lightbox="images/8908044-recall.png":::
+Recall (preview) allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Snapshots are taken periodically while content on the screen is different from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.
+
+When Recall opens a snapshot you selected, it enables Click to Do, which runs on top of the saved snapshot. Click to Do analyzes what's in the snapshot and allows you to interact with individual elements in the snapshot. For instance, you can copy text from the snapshot or send pictures from the snapshot to an app that supports `jpeg` files.
+
+:::image type="content" border="true" source="images/8908044-recall-search.png" alt-text="Screenshot of Recall with search results displayed for a query for a presentation with a red barn." lightbox="images/8908044-recall-search.png":::
+
+### Recall security and privacy architecture
+
+Privacy and security are built into Recall's design. With Copilot+ PCs, you get powerful AI that runs locally on the device. No internet or cloud connections are required or used to save and analyze snapshots. Snapshots aren't sent to Microsoft. Recall AI processing occurs locally, and snapshots are securely stored on the local device only.
+
+Recall doesn't share snapshots with other users that are signed into Windows on the same device and IT admins can't access or view the snapshots on end-user devices. Microsoft can't access or view the snapshots. Recall requires users to confirm their identity with [Windows Hello](https://support.microsoft.com/windows/configure-windows-hello-dae28983-8242-bb2a-d3d1-87c9d265a5f0) before it launches and before accessing snapshots. At least one biometric sign-in option must be enabled for Windows Hello, either facial recognition or a fingerprint, to launch and use Recall. Before snapshots start getting saved to the device, users need to open Recall and authenticate. Recall takes advantage of just in time decryption protected by [Hello Enhanced Sign-in Security (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security). Snapshots and any associated information in the vector database are always encrypted. Encryption keys are protected via Trusted Platform Module (TPM), which is tied to the user's Windows Hello ESS identity, and can be used by operations within a secure environment called a [Virtualization-based Security Enclave (VBS Enclave)](/windows/win32/trusted-execution/vbs-enclaves). This means that other users can't access these keys and thus can't decrypt this information. Device Encryption or BitLocker are enabled by default on Windows 11. For more information, see [Recall security and privacy architecture in the Windows Experience Blog](https://blogs.windows.com/windowsexperience/?p=179096).
+
+When using Recall, the **Sensitive information filtering** setting is enabled by default to help ensure your data's confidentiality. This feature operates directly on your device, utilizing the NPU and the Microsoft Classification Engine (MCE) - the same technology leveraged by [Microsoft Purview](/purview/purview) for detecting and labeling sensitive information. When this setting is enabled, snapshots won't be saved when potentially sensitive information is detected. Most importantly, the sensitive information remains on the device at all times, regardless of whether the **Sensitive information filtering** setting is enabled or disabled. For more information about the types of potentially sensitive information, see [Reference for sensitive information filtering in Recall](recall-sensitive-information-filtering.md).
+
+In keeping with Microsoft's commitment to data privacy and security, all saved images and processed data are kept on the device and processed locally. However, Click to Do allows users to choose if they want to perform additional actions on their content.
+
+Click to Do allows users to choose to get more information about their selected content online. When users choose one of the following Click to Do actions, the selected content is sent to the online provider from the local device to complete the request:
+
+- **Search the web**: Sends the selected content to the default search engine of the default browser
+- **Open website**: Opens the selected website in the default browser
+- **Visual search with Bing**: Sends the selected content to Bing visual search using the default browser.
+
+When you choose to send info from Click to Do to an app, like Paint, Click to Do will temporarily save this info in order to complete the transfer. Click to Do creates a temporary file in the following location:
+
+- `C:\Users\[username]\AppData\Local\Temp`
+
+Temporary files may also be saved when you choose send feedback. These temporary files aren't saved long term. Click to Do doesn't keep any content from your screen after completing the requested action, but some basic telemetry is gathered to keep Click to Do secure, up to date, and working.
## System requirements
-Recall has the following minimum system requirements:
-- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs)
+Recall has the following minimum requirements:
+
+- A [Copilot+ PC](https://www.microsoft.com/windows/business/devices/copilot-plus-pcs#copilot-plus-pcs) that meets the [Secured-core standard](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- 40 TOPs NPU ([neural processing unit](https://support.microsoft.com/windows/all-about-neural-processing-units-npus-e77a5637-7705-4915-96c8-0c6a975f9db4))
- 16 GB RAM
- 8 logical processors
- 256 GB storage capacity
- To enable Recall, you need at least 50 GB of space free
- - Snapshot capture automatically pauses once the device has less than 25 GB of disk space
+ - Saving snapshots automatically pauses once the device has less than 25 GB of storage space
+- Users need to enable Device Encryption or BitLocker
+- Users need to enroll into [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) with at least one biometric sign-in option enabled in order to authenticate.
## Supported browsers
-Users need a supported browser for Recall to [filter websites](#user-controlled-settings-for-recall) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
+Users need a supported browser for Recall to [filter websites](#app-and-website-filtering-policies) and to automatically filter private browsing activity. Supported browsers, and their capabilities include:
-- **Microsoft Edge**: blocks websites and filters private browsing activity
-- **Firefox**: blocks websites and filters private browsing activity
-- **Opera**: blocks websites and filters private browsing activity
-- **Google Chrome**: blocks websites and filters private browsing activity
-- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed above, filters private browsing activity only, doesn't block specific websites
+- **Microsoft Edge**: filters specified websites and filters private browsing activity
+- **Firefox**: filters specified websites and filters private browsing activity
+- **Opera**: filtered specified websites and filters private browsing activity
+- **Google Chrome**: filters specified websites and filters private browsing activity
+- **Chromium based browsers** (124 or later): For Chromium-based browsers not listed, filters private browsing activity only, doesn't filter specific websites
## Configure policies for Recall
-Organizations that aren't ready to use AI for historical analysis can disable it until they're ready with the **Turn off saving snapshots for Windows** policy. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. The following policy allows you to disable analysis of user content:
+By default, Recall is removed on commercially managed devices. If you want to allow Recall to be available for users in your organization and allow them to choose to save snapshots, you need to configure both the **Allow Recall to be enabled** and **Turn off saving snapshots for Windows** policies. Policies for Recall fall into the following general areas:
+
+- [Allow Recall and snapshots policies](#allow-recall-and-snapshots-policies)
+- [Storage policies](#storage-policies)
+- [App and website filtering policies](#app-and-website-filtering-policies)
+
+
+### Allow Recall and snapshots policies
+
+The **Allow Recall to be enabled** policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled and removed for managed devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own. If you disable this policy, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart. If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
| | Setting |
|---|---|
-| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) |
-| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
-
-## Limitations
-
-In two specific scenarios, Recall captures snapshots that include InPrivate windows, blocked apps, and blocked websites. If Recall gets launched, or the **Now** option is selected in Recall, then a snapshot is taken even when InPrivate windows, blocked apps, and blocked websites are displayed. However, Recall doesn't save these snapshots. If you choose to send the information from this snapshot to another app, a temp file is created in `C:\Users\[username]\AppData\Local\Temp` to share the content. The temporary file is deleted once the content is transferred over the app you selected to use.
-
-## User controlled settings for Recall
-
-The following options are user controlled in Recall from the **Settings** > **Privacy & Security** > **Recall & Snapshots** page:
-
-- Website filtering
-- App filtering
-- Storage allocation
- - When the storage limit is reached, the oldest snapshots are deleted first.
-- Deleting snapshots
- - Delete all snapshots
- - Delete snapshots within a specific time frame
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[AllowRecallEnablement](mdm/policy-csp-windowsai.md#allowrecallenablement) |
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Allow Recall to be enabled** |
-### Storage allocation
+The **Turn off saving snapshots for Windows** policy allows you to give the users the choice to save snapshots of their screen for use with Recall. Administrators can't enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent. By default, snapshots won't be saved for use with Recall. If snapshots were previously saved on a device, they'll be deleted when this policy is enabled. If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
-The amount of disk space users can allocate to Recall varies depending on how much storage the device has. The following chart shows the storage space options for Recall:
-
-| Device storage capacity | Storage allocation options for Recall |
+| | Setting |
|---|---|
-| 256 GB | 25 GB (default), 10 GB |
-| 512 GB | 75 GB (default), 50 GB, 25 GB |
-| 1 TB, or more | 150 GB (default), 100 GB, 75 GB, 50 GB, 25 GB |
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[DisableAIDataAnalysis](mdm/policy-csp-windowsai.md#disableaidataanalysis)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** User Configuration > Administrative Templates > Windows Components > Windows AI > **Turn off saving snapshots for Windows** |
+### Storage policies
+
+You can define how much disk space Recall can use by using the **Set maximum storage for snapshots used by Recall** policy. You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB. When the storage limit is reached, the oldest snapshots are deleted first. When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity. 25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageSpaceForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** |
+
+You can define how long snapshots can be retained on the device by using the **Set maximum duration for storing snapshots used by Recall** policy. You can configure the maximum storage duration to be 30, 60, 90, or 180 days. If the policy isn't configured, snapshots aren't deleted until the maximum storage allocation is reached, and then the oldest snapshots are deleted first.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetMaximumStorageDurationForRecallSnapshots](mdm/policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum storage for snapshots used by Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set maximum duration for storing snapshots used by Recall** |
+
+
+### App and website filtering policies
+
+You can filter both apps and websites from being saved in snapshots. Users are able to add to these filter lists from the **Recall & Snapshots** settings page. Some remote desktop connection clients are filtered by default from snapshots. For more information, see the [Remote desktop connection clients filtered from snapshots](#remote-desktop-connection-clients-filtered-from-snapshots) section.
+
+To filter websites from being saved in snapshots, use the **Set a list of URIs to be filtered from snapshots for Recall** policy. Define the list using a semicolon to separate URIs. Make sure you include the URL scheme such as `http://`, `file://`, `https://www.`. Sites local to a supported browser like `edge://`, or `chrome://`, are filtered by default. For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
+
+> [!NOTE]
+> - Private browsing activity is filtered by default when using [supported web browsers](#supported-browsers).
+> - Be aware that websites are filtered when they are in the foreground or are in the currently opened tab of a supported browser. Parts of filtered websites can still appear in snapshots such as embedded content, the browser's history, or an opened tab that isn't in the foreground.
+> - Filtering doesn't prevent browsers, internet service providers (ISPs), websites, organizations, or others from knowing that the website was accessed and building a history.
+> - Changes to this policy take effect after device restart.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyUriListForRecall](mdm/policy-csp-windowsai.md#setdenyurilistforrecall)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **>Set a list of URIs to be filtered from snapshots for Recall** |
+
+
+**Set a list of apps to be filtered from snapshots for Recall** policy allows you to filter apps from being saved in snapshots. Define the list using a semicolon to separate apps. The list can include Application User Model IDs (AUMID) or the name of the executable file. For example: `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
+
+> [!Note]
+> - Like other Windows apps, such as the Snipping Tool, Recall won't store digital rights management (DRM) content.
+> - Changes to this policy take effect after device restart.
+
+| | Setting |
+|---|---|
+| **CSP** | ./Device/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall) ./User/Vendor/MSFT/Policy/Config/WindowsAI/[SetDenyAppListForRecall](mdm/policy-csp-windowsai.md#setdenyapplistforrecall)|
+| **Group policy** | Computer Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall** User Configuration > Administrative Templates > Windows Components > Windows AI > **Set a list of apps to be filtered from snapshots for Recall**|
+
+
+#### Remote desktop connection clients filtered from snapshots
+
+Snapshots won't be saved when remote desktop connection clients are used. The following remote desktop connection clients are filtered from snapshots:
+
+ - [Remote Desktop Connection (mstsc.exe)](/windows-server/administration/windows-commands/mstsc)
+ - [VMConnect.exe](/windows-server/virtualization/hyper-v/learn-more/hyper-v-virtual-machine-connect)
+ - [Microsoft Remote Desktop from the Microsoft Store](/windows-server/remote/remote-desktop-services/clients/windows) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
+ - [Azure Virtual Desktop (MSI)](/azure/virtual-desktop/users/connect-windows)
+ - [Azure Virtual Desktop apps from the Microsoft Store](/azure/virtual-desktop/users/connect-remote-desktop-client) are saved in snapshots. To prevent these apps from being saved in snapshots, add them to the app filtering list.
+ - [Remote applications integrated locally (RAIL)](/openspecs/windows_protocols/ms-rdperp/485e6f6d-2401-4a9c-9330-46454f0c5aba) windows
+ - [Windows App from the Microsoft Store](/windows-app/get-started-connect-devices-desktops-apps) is saved in snapshots. To prevent the app from being saved in snapshots, add it to the app filtering list.
+
+
+
+
+## Information for developers
+
+If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this URI, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
## Microsoft's commitment to responsible AI
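Review bot: the Group policy row of the second storage table (the **Set maximum duration for storing snapshots used by Recall** policy) names the wrong setting for the Computer Configuration path: it reads **Set maximum storage for snapshots used by Recall** while the CSP cell above it is SetMaximumStorageDurationForRecallSnapshots, so it should read **Set maximum duration for storing snapshots used by Recall** like the User Configuration path beside it. Three further fixes in the same hunk: the app-filter example `code.exe;Microsoft. WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe` carries the same stray space inside the AUMID that this patch corrects in assignedaccess-csp.md, and an AUMID with a space in it won't match the app, so it should be `Microsoft.WindowsNotepad_8wekyb3d8bbwe!App`; the Group policy names for the URI filter have a stray `>` inside the bold (`**>Set a list of URIs to be filtered from snapshots for Recall**`); and the Opera entry reads "filtered specified websites" where the other browsers read "filters". Smaller points: the CSP and Group policy cells that hold both the Device and User paths run them together with no separator, so a `<br>` or a second row would keep them readable; the **Allow Recall to be enabled** paragraph states twice in a row that Recall is disabled and removed on managed devices by default; and the URI-filter paragraph lists `https://www.` among the "URL scheme" examples, which is a scheme plus host prefix rather than a scheme, so say whether the `www.` part is needed for a filter entry to match.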
@@ -91,6 +180,10 @@ Microsoft has been on a responsible AI journey since 2017, when we defined our p
Recall uses optical character recognition (OCR), local to the PC, to analyze snapshots and facilitate search. For more information about OCR, see [Transparency note and use cases for OCR](/legal/cognitive-services/computer-vision/ocr-transparency-note). For more information about privacy and security, see [Privacy and control over your Recall experience](https://support.microsoft.com/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15).
-## Information for developers
-
-If you're a developer and want to launch Recall, you can call the `ms-recall` protocol URI. When you call this, Recall opens and takes a snapshot of the screen, which is the default behavior for when Recall is launched. For more information about using Recall in your Windows app, see [Recall overview](/windows/ai/apis/recall) in the Windows AI API documentation.
+## Related links
+- [Policy CSP - WindowsAI](/windows/client-management/mdm/policy-csp-windowsai)
+- [Update on Recall security and privacy architecture](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/)
+- [Retrace your steps with Recall](https://support.microsoft.com/windows/aa03f8a0-a78b-4b3e-b0a1-2eb8ac48701c)
+- [Privacy and control over your Recall experience](https://support.microsoft.com/windows/d404f672-7647-41e5-886c-a3c59680af15)
+- [Click to Do in Recall](https://support.microsoft.com/topic/967304a8-32d1-4812-a904-fad59b5e6abf)
+- [Previewing Recall with Click to Do on Copilot+ PCs with Windows Insiders in the Dev Channel](https://blogs.windows.com/windows-insider/2024/11/22/previewing-recall-with-click-to-do-on-copilot-pcs-with-windows-insiders-in-the-dev-channel/)
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index cc69b6bb5a..279c109882 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,7 +1,7 @@
---
title: AssignedAccess CSP
description: Learn more about the AssignedAccess CSP.
-ms.date: 04/10/2024
+ms.date: 11/26/2024
---
@@ -126,7 +126,7 @@ To learn how to configure xml file, see [Create an Assigned Access configuration
This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
-Example: `{"User":"domain\\user", "AUMID":"Microsoft. WindowsCalculator_8wekyb3d8bbwe!App"}`.
+Example: `{"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}`.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 9841e9f442..ac0fd65b21 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn more about the Defender CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -3775,9 +3775,9 @@ Enable this policy to specify when devices receive Microsoft Defender security i
| Value | Description |
|:--|:--|
-| 0 (Default) | Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices. |
-| 4 | Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). |
-| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| 0 (Default) | Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment. |
+| 4 | Current Channel (Staged): Same as Current Channel (Broad). |
+| 5 | Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production. |
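Review bot: the new value-4 description "Current Channel (Staged): Same as Current Channel (Broad)." gives admins no reason to choose 4 over 5; if the two channels now behave identically, say so directly and state which value should be used going forward. The value-0 row now warns that an unconfigured device may be placed in a beta channel early in the gradual release cycle, which is a material change for production fleets; add one sentence recommending that production and critical devices set 5 (Broad) explicitly instead of leaving the policy unconfigured, so the recommendation is stated where the default is described rather than only in the value-5 row.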
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 2055d5bdf0..1e199886e7 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,7 +1,7 @@
---
title: Defender DDF file
description: View the XML file containing the device description framework (DDF) for the Defender configuration service provider.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -1627,15 +1627,15 @@ The following XML file contains the device description framework (DDF) for the D
0
- Not configured (Default). The device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
+ Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment4
- Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
+ Current Channel (Staged): Same as Current Channel (Broad).5
- Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
+ Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.
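Review bot: the value-0 description ends "not be suitable for devices in a production or critical environment" with no terminal period, while the value-4 and value-5 descriptions, and the identical text added to defender-csp.md in this patch, end with one; add the period so the DDF text matches the CSP page exactly.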
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index ef825d0541..a348f66fcb 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,7 +1,7 @@
---
title: DevDetail CSP
description: Learn more about the DevDetail CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -1259,7 +1259,7 @@ Returns the name of the Original Equipment Manufacturer (OEM) as a string, as de
-Returns the Windows 10 OS software version in the format MajorVersion. MinorVersion. BuildNumber. QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
+Returns the Windows 10 OS software version in the format `MajorVersion.MinorVersion.BuildNumber.QFEnumber`. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 10c971f332..79e8b34817 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,7 +1,7 @@
---
title: DMClient CSP
description: Learn more about the DMClient CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -1654,7 +1654,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps.
@@ -1694,7 +1694,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps.
@@ -4311,7 +4311,7 @@ This node allows the MDM to set custom error text, detailing what the user needs
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2 Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000" ./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2` Which will represent that App Package PackageFullName contains 4 apps, whereas PackageFullName2 contains 2 apps. This is per user.
@@ -4351,7 +4351,7 @@ This node contains a list of LocURIs that refer to App Packages the ISV expects
-This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. E. G. ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2 Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
+This node contains a list of LocURIs that refer to App Packages the ISV expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` Which will represent that App Package ProductID1 contains 4 apps, whereas ProductID2 contains 2 apps. This is per user.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 6357958bf3..fc8a278aae 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn more about the EnterpriseModernAppManagement CSP.
-ms.date: 09/11/2024
+ms.date: 11/26/2024
---
@@ -6951,7 +6951,7 @@ Interior node for all managed app setting values.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
@@ -8193,7 +8193,7 @@ This node is only supported in the user context.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
@@ -9495,7 +9495,7 @@ This node is only supported in the user context.
-The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed. App. Settings container.
+The SettingValue and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the `Managed.App.Settings` container.
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
index 2a4648393a..1efd2767f5 100644
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -1,25 +1,31 @@
---
-title: PDE CSP
-description: Learn more about the PDE CSP.
-ms.date: 01/18/2024
+title: Personal Data Encryption CSP
+description: Learn more about the Personal Data Encryption CSP.
+ms.date: 11/27/2024
---
-# PDE CSP
+# Personal Data Encryption CSP
-The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
+The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
-The following list shows the PDE configuration service provider nodes:
+The following list shows the Personal Data Encryption configuration service provider nodes:
- ./User/Vendor/MSFT/PDE
- [EnablePersonalDataEncryption](#enablepersonaldataencryption)
+ - [ProtectFolders](#protectfolders)
+ - [ProtectDesktop](#protectfoldersprotectdesktop)
+ - [ProtectDocuments](#protectfoldersprotectdocuments)
+ - [ProtectPictures](#protectfoldersprotectpictures)
- [Status](#status)
+ - [FolderProtectionStatus](#statusfolderprotectionstatus)
+ - [FoldersProtected](#statusfoldersprotected)
- [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
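Review bot: dropping "(PDE)" from the first sentence leaves the node path `./User/Vendor/MSFT/PDE` in the list below unexplained; keep the abbreviation on first mention ("Personal Data Encryption (PDE) configuration service provider") so readers can tie the `PDE` path segment to the feature name, even though the page title now spells the name out.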
@@ -45,7 +51,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
-The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled.
+The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
@@ -72,6 +78,191 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
+
+## ProtectFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `node` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectDesktop
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Desktop folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectDocuments
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Documents folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
+
+### ProtectFolders/ProtectPictures
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures
+```
+
+
+
+
+Allows the Admin to enable Personal Data Encryption on Pictures folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Dependency [EnablePersonalDataEncryptionDependency] | Dependency Type: `DependsOn` Dependency URI: `User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` Dependency Allowed Value: `1` Dependency Allowed Value Type: `ENUM` |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Disable Personal Data Encryption on the folder. If the folder is currently protected by Personal Data Encryption, this will result in unprotecting the folder. |
+| 1 | Enable Personal Data Encryption on the folder. |
+
+
+
+
+
+
+
+
## Status
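Review bot: The ProtectDesktop, ProtectDocuments and ProtectPictures nodes list `Add, Delete, Get, Replace` as access types, but only values `0` and `1` are described; each allowed-values table should also state what a Delete of the node does to a folder that is currently protected (whether it behaves like setting `0` and unprotects the folder, or leaves the existing data encrypted), because an admin removing the policy needs to know which of the two happens. Minor wording point in all three descriptions: "enable Personal Data Encryption on Desktop folder" reads better as "on the Desktop folder".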
@@ -93,10 +284,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
-Reports the current status of Personal Data Encryption (PDE) for the user.
+Reports the current status of Personal Data Encryption for the user.
-- If prerequisites of PDE aren't met, then the status will be 0.
-- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
+- If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
+- If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
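Review bot: "If prerequisites of Personal Data Encryption aren't met" is awkward and the second bullet now repeats the full product name twice in one sentence; suggest "If the prerequisites for Personal Data Encryption aren't met, the status is 0." and "If all prerequisites are met, Personal Data Encryption is enabled and the status is 1."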
@@ -114,6 +305,95 @@ Reports the current status of Personal Data Encryption (PDE) for the user.
+
+### Status/FolderProtectionStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus
+```
+
+
+
+
+This node reports folder protection status for a user.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Protection not started. |
+| 1 | Protection is completed with no failures. |
+| 2 | Protection in progress. |
+| 3 | Protection failed. |
+
+
+
+
+
+
+
+
+
+### Status/FoldersProtected
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ❌ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+
+
+
+```User
+./User/Vendor/MSFT/PDE/Status/FoldersProtected
+```
+
+
+
+
+This node reports all folders (full path to each folder) that have been protected.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Get |
+
+
+
+
+
+
+
+
### Status/PersonalDataEncryptionStatus
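Review bot: The `Status/FoldersProtected` description says the node reports "all folders (full path to each folder)" in a single `chr` value but not how multiple paths are delimited; state the separator so an MDM server can parse the string reliably, and say what is returned when no folder is protected (empty string or node absent). For `Status/FolderProtectionStatus`, value `3` (Protection failed) would be more useful with a pointer to where failure details are surfaced for troubleshooting.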
diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md
index 165f97507c..e59ad7a14f 100644
--- a/windows/client-management/mdm/personaldataencryption-ddf-file.md
+++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md
@@ -1,14 +1,14 @@
---
-title: PDE DDF file
-description: View the XML file containing the device description framework (DDF) for the PDE configuration service provider.
-ms.date: 06/28/2024
+title: Personal Data Encryption DDF file
+description: View the XML file containing the device description framework (DDF) for the Personal Data Encryption configuration service provider.
+ms.date: 11/26/2024
---
-# PDE DDF file
+# Personal Data Encryption DDF file
-The following XML file contains the device description framework (DDF) for the PDE configuration service provider.
+The following XML file contains the device description framework (DDF) for the Personal Data Encryption configuration service provider.
```xml
@@ -76,6 +76,171 @@ The following XML file contains the device description framework (DDF) for the P
+
+ ProtectFolders
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
+ ProtectDocuments
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+
+ ProtectDesktop
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+
+ ProtectPictures
+
+
+
+
+
+
+
+ Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+ Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder.
+
+
+ 1
+ Enable PDE on the folder.
+
+
+
+
+
+ User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
+
+
+ 1
+ Requires EnablePersonalDataEncryption to be set to 1.
+
+
+
+
+
+
+
+ Status
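Review bot: The DDF descriptions in this hunk still use the old short form ("Allows the Admin to enable PDE on Documents folder", "Disable PDE on the folder. If the folder is currently protected by PDE..."), while the CSP page changed in the same commit now says "Personal Data Encryption"; align the two files so the generated reference and the DDF don't disagree. Also, the `ProtectFolders` parent node carries no description text here, unlike its three children; consider adding one.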
@@ -116,6 +281,74 @@ The following XML file contains the device description framework (DDF) for the P
+
+ FolderProtectionStatus
+
+
+
+
+ This node reports folder protection status for a user.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
+ 0
+ Protection not started.
+
+
+ 1
+ Protection is completed with no failures.
+
+
+ 2
+ Protection in progress.
+
+
+ 3
+ Protection failed.
+
+
+
+
+
+ FoldersProtected
+
+
+
+
+ This node reports all folders (full path to each folder) that have been protected.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.26100
+ 1.0
+
+
+
@@ -123,4 +356,4 @@ The following XML file contains the device description framework (DDF) for the P
## Related articles
-[PDE configuration service provider reference](personaldataencryption-csp.md)
+[Personal Data Encryption configuration service provider reference](personaldataencryption-csp.md)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index ea1f4f9b24..057bf0381f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Policies supported by Windows 10 Team
description: Learn about the policies supported by Windows 10 Team.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -382,8 +382,10 @@ This article lists the policies that are applicable for the Surface Hub operatin
## Start
+- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
- [StartLayout](policy-csp-start.md#startlayout)
+- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
## System
diff --git a/windows/client-management/mdm/policies-in-preview.md b/windows/client-management/mdm/policies-in-preview.md
index 57e70841a5..0e4249d643 100644
--- a/windows/client-management/mdm/policies-in-preview.md
+++ b/windows/client-management/mdm/policies-in-preview.md
@@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -62,6 +62,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Display
- [ConfigureMultipleDisplayMode](policy-csp-display.md#configuremultipledisplaymode)
+- [SetClonePreferredResolutionSource](policy-csp-display.md#setclonepreferredresolutionsource)
## DMClient CSP
@@ -106,6 +107,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [ConfigureDeviceStandbyAction](policy-csp-mixedreality.md#configuredevicestandbyaction)
- [ConfigureDeviceStandbyActionTimeout](policy-csp-mixedreality.md#configuredevicestandbyactiontimeout)
+## NewsAndInterests
+
+- [DisableWidgetsOnLockScreen](policy-csp-newsandinterests.md#disablewidgetsonlockscreen)
+
## PassportForWork CSP
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
@@ -118,6 +123,11 @@ This article lists the policies that are applicable for Windows Insider Preview
- [TS_SERVER_REMOTEAPP_USE_SHELLAPPRUNTIME](policy-csp-remotedesktopservices.md#ts_server_remoteapp_use_shellappruntime)
+## Start
+
+- [AlwaysShowNotificationIcon](policy-csp-start.md#alwaysshownotificationicon)
+- [TurnOffAbbreviatedDateTimeFormat](policy-csp-start.md#turnoffabbreviateddatetimeformat)
+
## SurfaceHub CSP
- [ExchangeModernAuthEnabled](surfacehub-csp.md#deviceaccountexchangemodernauthenabled)
@@ -137,9 +147,14 @@ This article lists the policies that are applicable for Windows Insider Preview
## WindowsAI
-- [SetCopilotHardwareKey](policy-csp-windowsai.md#setcopilothardwarekey)
+- [SetDenyAppListForRecall](policy-csp-windowsai.md#setdenyapplistforrecall)
+- [SetDenyUriListForRecall](policy-csp-windowsai.md#setdenyurilistforrecall)
+- [SetMaximumStorageSpaceForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragespaceforrecallsnapshots)
+- [SetMaximumStorageDurationForRecallSnapshots](policy-csp-windowsai.md#setmaximumstoragedurationforrecallsnapshots)
- [DisableImageCreator](policy-csp-windowsai.md#disableimagecreator)
- [DisableCocreator](policy-csp-windowsai.md#disablecocreator)
+- [DisableGenerativeFill](policy-csp-windowsai.md#disablegenerativefill)
+- [AllowRecallEnablement](policy-csp-windowsai.md#allowrecallenablement)
## WindowsLicensing CSP
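Review bot: `SetCopilotHardwareKey` is removed from the WindowsAI preview list with no corresponding addition elsewhere in this diff; confirm whether the policy shipped (and is now listed on a non-preview page) or was withdrawn, otherwise the `policy-csp-windowsai.md#setcopilothardwarekey` entry silently drops out of the index. The new entries also break the list order: the four `SetDeny…`/`SetMaximum…` items sit above `DisableImageCreator`, and `AllowRecallEnablement` is appended last; sort the list as the other sections are.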
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
index 00b4cf5513..c31407acd6 100644
--- a/windows/client-management/mdm/policy-csp-admx-bits.md
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -1,7 +1,7 @@
---
title: ADMX_Bits Policy CSP
description: Learn more about the ADMX_Bits Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -348,7 +348,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
-You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A. M. to 10:00 A. M. on a maintenance schedule.
+You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
- If you disable or don't configure this policy setting, the limits defined for work or nonwork schedules will be used.
@@ -412,7 +412,7 @@ This policy setting limits the network bandwidth that Background Intelligent Tra
- If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
-You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A. M. to 5:00 P. M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
+You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for nonwork hours.
- If you disable or don't configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
index b819fe73bf..db99a6aa70 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -1,7 +1,7 @@
---
title: ADMX_ControlPanel Policy CSP
description: Learn more about the ADMX_ControlPanel Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -36,7 +36,7 @@ This setting allows you to display or hide specified Control Panel items, such a
If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
-To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
+To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
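Review bot: Only the canonical names in the body paragraph were wrapped in backticks; the module names and resource identifiers in the NOTE that follows (`timedate.cpl`, `inetcpl.cpl`, `@systemcpl.dll,-1`, `@themecpl.dll,-1`) are still plain text, and the same applies to the second occurrence of this NOTE further down the file; format them the same way so readers can tell literal values from prose.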
@@ -243,7 +243,7 @@ If users try to select a Control Panel item from the Properties item on a contex
This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
-To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft. Mouse, Microsoft. System, or Microsoft. Personalization.
+To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter `Microsoft.Mouse`, `Microsoft.System`, or `Microsoft.Personalization`.
> [!NOTE]
> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item doesn't have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
index fa0478440b..3afb3d8385 100644
--- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -1,7 +1,7 @@
---
title: ADMX_ControlPanelDisplay Policy CSP
description: Learn more about the ADMX_ControlPanelDisplay Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -519,7 +519,7 @@ Prevents users from changing the background image shown when the machine is lock
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
-If you enable this setting, the user won't be able to change their lock screen and logon image, and they will instead see the default image.
+If you enable this setting, the user won't be able to change their lock screen and logon image, and they'll instead see the default image.
diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
index fd3f6d2bcd..a1d1ae6ea2 100644
--- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
+++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md
@@ -1,7 +1,7 @@
---
title: ADMX_DiskDiagnostic Policy CSP
description: Learn more about the ADMX_DiskDiagnostic Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -32,7 +32,7 @@ ms.date: 08/06/2024
-This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S. M. A. R. T. fault.
+This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
@@ -97,15 +97,15 @@ This policy setting only takes effect if the Disk Diagnostic scenario policy set
-This policy setting determines the execution level for S. M. A. R. T.-based disk diagnostics.
+This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics.
-Self-Monitoring And Reporting Technology (S. M. A. R. T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S. M. A. R. T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S. M. A. R. T. faults to the event log when they occur.
+Self-Monitoring And Reporting Technology (S.M.A.R.T). is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur.
-- If you enable this policy setting, the DPS also warns users of S. M. A. R. T. faults and guides them through backup and recovery to minimize potential data loss.
+- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss.
-- If you disable this policy, S. M. A. R. T. faults are still detected and logged, but no corrective action is taken.
+- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken.
-- If you don't configure this policy setting, the DPS enables S. M. A. R. T. fault resolution by default.
+- If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
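Review bot: The expansion line still has the closing period misplaced: `(S.M.A.R.T). is a standard mechanism` should read `(S.M.A.R.T.) is a standard mechanism`, matching the `S.M.A.R.T.` spelling used on the surrounding lines of this hunk.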
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index dc1ec2aa56..38077183bb 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -1,7 +1,7 @@
---
title: ADMX_DnsClient Policy CSP
description: Learn more about the ADMX_DnsClient Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -602,11 +602,11 @@ You can use this policy setting to prevent users, including local administrators
Specifies if the DNS client performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
-By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
+By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: `mycomputer.microsoft.com`.
- If you enable this policy setting, the DNS client will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by the DNS client.
-For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for mycomputer. VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
+For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, the DNS client will register A and PTR resource records for `mycomputer.VPNconnection` and `mycomputer.microsoft.com` when this policy setting is enabled.
> [!IMPORTANT]
> This policy setting is ignored by the DNS client if dynamic DNS registration is disabled.
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
index e9a61f1c6b..ab3f86952a 100644
--- a/windows/client-management/mdm/policy-csp-admx-explorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -1,7 +1,7 @@
---
title: ADMX_Explorer Policy CSP
description: Learn more about the ADMX_Explorer Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -120,7 +120,7 @@ This policy setting configures File Explorer to always display the menu bar.
| Name | Value |
|:--|:--|
| Name | AlwaysShowClassicMenu |
-| Friendly Name | Display the menu bar in File Explorer |
+| Friendly Name | Display the menu bar in File Explorer |
| Location | User Configuration |
| Path | WindowsComponents > File Explorer |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
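Review bot: The Friendly Name row change is invisible in the rendered diff (old and new lines both read `Display the menu bar in File Explorer`), so it is presumably a stray whitespace or non-breaking-space fix; say so in the commit message, otherwise reviewers can't tell it apart from an accidental rewrite of the row.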
diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
index f62f39edaf..d75b0ff1aa 100644
--- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md
+++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md
@@ -1,7 +1,7 @@
---
title: ADMX_FileRevocation Policy CSP
description: Learn more about the ADMX_FileRevocation Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -36,7 +36,7 @@ Windows Runtime applications can protect content which has been associated with
Example value:
-Contoso.com,ContosoIT. HumanResourcesApp_m5g0r7arhahqy.
+`Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy`
- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device.
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index 1b08f87864..7e30bbd527 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -1,7 +1,7 @@
---
title: ADMX_FileSys Policy CSP
description: Learn more about the ADMX_FileSys Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -317,7 +317,7 @@ Enabling Win32 long paths will allow manifested win32 applications and packaged
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
-If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
+If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they'll never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md
index 6dc909c654..80d999ad7a 100644
--- a/windows/client-management/mdm/policy-csp-admx-globalization.md
+++ b/windows/client-management/mdm/policy-csp-admx-globalization.md
@@ -1,7 +1,7 @@
---
title: ADMX_Globalization Policy CSP
description: Learn more about the ADMX_Globalization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -638,7 +638,7 @@ This policy setting is related to the "Turn off handwriting personalization" pol
-This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list.
+This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting doesn't change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they'll be restricted to the specified list.
The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
@@ -1097,7 +1097,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
-When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
@@ -1166,7 +1166,7 @@ This policy setting prevents the user from customizing their locale by changing
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
-When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user can't customize their user locale with user overrides.
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they'll be unable to customize those choices. The user can't customize their user locale with user overrides.
- If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index 2664598272..4eee3e095e 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -1,7 +1,7 @@
---
title: ADMX_MicrosoftDefenderAntivirus Policy CSP
description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -2938,7 +2938,7 @@ This policy setting allows you to manage whether or not end users can pause a sc
-This policy setting allows you to configure the maximum directory depth level into which archive files such as . ZIP or . CAB are unpacked during scanning. The default directory depth level is 0.
+This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
- If you enable this setting, archive files will be scanned to the directory depth level specified.
@@ -2997,7 +2997,7 @@ This policy setting allows you to configure the maximum directory depth level in
-This policy setting allows you to configure the maximum size of archive files such as . ZIP or . CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
+This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
- If you enable this setting, archive files less than or equal to the size specified will be scanned.
@@ -3056,7 +3056,7 @@ This policy setting allows you to configure the maximum size of archive files su
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index f7467145fb..1c2b4f1df2 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -1,7 +1,7 @@
---
title: ADMX_OfflineFiles Policy CSP
description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -352,7 +352,7 @@ This setting replaces the Default Cache Size setting used by pre-Windows Vista s
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
-To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
+To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
@@ -413,7 +413,7 @@ This setting appears in the Computer Configuration and User Configuration folder
Determines how computers respond when they're disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the "Action on server disconnect" setting.
-To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they cannot.
+To use this setting, click Show. In the Show Contents dialog box in the Value Name column box, type the server's computer name. Then, in the Value column box, type "0" if users can work offline when they're disconnected from this server, or type "1" if they can't.
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server, the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take precedence over a user's setting. This setting doesn't prevent users from setting custom actions through the Offline Files tab. However, users are unable to change any custom actions established via this setting.
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index 01ba02840f..32edc6861a 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -1,7 +1,7 @@
---
title: ADMX_UserExperienceVirtualization Policy CSP
description: Learn more about the ADMX_UserExperienceVirtualization Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -7541,7 +7541,7 @@ This policy setting configures where custom settings location templates are stor
- If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
-If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they will be ignored.
+If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked, the UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft templates, they'll be ignored.
If you specify a UNC path and check the option to replace the default Microsoft templates, all of the default Microsoft templates installed by the UE-V Agent will be deleted from the computer and only the templates located in the settings template catalog will be used.
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
index f6d72112f3..2283c9803a 100644
--- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -1,7 +1,7 @@
---
title: ADMX_UserProfiles Policy CSP
description: Learn more about the ADMX_UserProfiles Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/26/2024
---
@@ -157,7 +157,7 @@ This policy setting controls whether Windows forcefully unloads the user's regis
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
-By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
+By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they'll need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
- If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.
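Review bot: the reworded sentence in this hunk still runs two clauses together; "they'll need to reinstall all apps published via policy at logon increasing logon time" needs a comma before "increasing" (or "at logon, which increases logon time"). Since the contraction is the only change in this hunk, it's the right moment to fix the punctuation as well.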
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
index 9100a4bbb3..edcd5eab3e 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -1,7 +1,7 @@
---
title: ADMX_WindowsExplorer Policy CSP
description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -4468,7 +4468,7 @@ Shows or hides sleep from the power options menu.
-This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the . Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary. Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified . Library-ms or .searchConnector-ms file.
+This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the `.Library-ms or .searchConnector-ms` file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified `.Library-ms or .searchConnector-ms` file.
You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
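Review bot: the inline code span introduced in the `+` line wraps the connective too: `.Library-ms or .searchConnector-ms` puts the English word "or" inside the code span, and the same construction appears twice in the line. Mark each extension separately, i.e. "the `.Library-ms` or `.searchConnector-ms` file" in both places, so only the file extensions render as code.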
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index 885f96e31a..64cecc6c0c 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -1,7 +1,7 @@
---
title: ApplicationManagement Policy CSP
description: Learn more about the ApplicationManagement Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -371,7 +371,7 @@ If the setting is enabled or not configured, then Recording and Broadcasting (st
Manages a Windows app's ability to share data between users who have installed the app.
-- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows. Storage API.
+- If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the `Windows.Storage` API.
- If you disable this policy, a Windows app can't share app data with other instances of that app. If this policy was previously enabled, any previously shared app data will remain in the SharedLocal folder.
@@ -629,7 +629,7 @@ Disable turns off the launch of all apps from the Microsoft Store that came pre-
| Name | Value |
|:--|:--|
| Name | DisableStoreApps |
-| Friendly Name | Disable all apps from Microsoft Store |
+| Friendly Name | Disable all apps from Microsoft Store |
| Location | Computer Configuration |
| Path | Windows Components > Store |
| Registry Key Name | Software\Policies\Microsoft\WindowsStore |
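Review bot: the `-`/`+` pair for the Friendly Name row in this hunk reads identically ("Disable all apps from Microsoft Store"), so the change is whitespace-only (a trailing or doubled space). Confirm that is intended; otherwise drop this hunk so the diff contains only real content changes.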
@@ -867,7 +867,7 @@ This policy setting directs Windows Installer to use elevated permissions when i
Denies access to the retail catalog in the Microsoft Store, but displays the private store.
-- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store.
+- If you enable this setting, users won't be able to view the retail catalog in the Microsoft Store, but they'll be able to view apps in the private store.
- If you disable or don't configure this setting, users can access the retail catalog in the Microsoft Store.
diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md
index 63caf16da0..c6597902db 100644
--- a/windows/client-management/mdm/policy-csp-attachmentmanager.md
+++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md
@@ -1,7 +1,7 @@
---
title: AttachmentManager Policy CSP
description: Learn more about the AttachmentManager Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/26/2024
---
@@ -154,7 +154,7 @@ This policy setting allows you to manage whether users can manually remove the z
-This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
+This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they'll all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.
- If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 01dbd07987..40fec4ce18 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -1,7 +1,7 @@
---
title: BITS Policy CSP
description: Learn more about the BITS Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/26/2024
---
@@ -32,7 +32,7 @@ ms.date: 01/18/2024
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
@@ -164,7 +164,7 @@ Consider using this setting to prevent BITS transfers from competing for network
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting doesn't affect foreground transfers).
-You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A. M. to 5:00 P. M., and use all available unused bandwidth the rest of the day's hours.
+You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
- If you enable this policy setting, BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index 863938353d..62f0079893 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
> [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
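Review bot: the added guidance sentence is the useful part of this hunk, since undefined precedence between GPO and MDM for settings outside Policy CSP is the real operational risk, but its wording is at odds with the contraction style being applied across this PR ("it is recommended that the same settings should not be configured", "there will be") and leaves the untouched "It does not apply" in the same line. Suggest: "Don't configure the same setting in both GPO and MDM unless MDMWinsOverGP controls it; otherwise the two sources race and there's no guarantee which one wins."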
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 2eef54311e..fc264fa2a8 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -1,7 +1,7 @@
---
title: Defender Policy CSP
description: Learn more about the Defender Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -30,7 +30,7 @@ ms.date: 09/27/2024
-This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as . ZIP or . CAB files.
+This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
- If you enable or don't configure this setting, archive files will be scanned.
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 01753099d8..52da6d75c4 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -1,7 +1,7 @@
---
title: Display Policy CSP
description: Learn more about the Display Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -32,7 +32,7 @@ ms.date: 11/05/2024
-This policy set the default display to set the arrangement between cloning or extending.
+This policy sets the default display arrangement to pick between clone or extend.
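Review bot: "to pick between clone or extend" mixes "between" with "or"; use "to choose between clone and extend". The rewrite is otherwise clearer than the original line.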
@@ -66,7 +66,7 @@ This policy set the default display to set the arrangement between cloning or ex
|:--|:--|
| Name | ConfigureMultipleDisplayMode |
| Path | Display > AT > System > DisplayCat |
-| Element Name | ConfigureMultipleDisplayModePrompt |
+| Element Name | DisplayConfigureMultipleDisplayModeSettings |
@@ -298,6 +298,66 @@ Enabling this setting lets you specify the system-wide default for desktop appli
+
+## SetClonePreferredResolutionSource
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Display/SetClonePreferredResolutionSource
+```
+
+
+
+
+This policy sets the cloned monitor preferred resolution source to an internal or external monitor by default.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Default. |
+| 1 (Default) | Internal. |
+| 2 | External. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetClonePreferredResolutionSource |
+| Path | Display > AT > System > DisplayCat |
+| Element Name | DisplaySetClonePreferredResolutionSourceSettings |
+
+
+
+
+
+
+
+
## TurnOffGdiDPIScalingForApps
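Review bot: the Allowed values table in the new SetClonePreferredResolutionSource section labels two rows as default: value 0 is described only as "Default." while value 1 is marked "(Default)" and the Description framework properties table gives Default Value 1. A reader can't tell from this what 0 actually selects. Describe 0 by its effect rather than by the word "Default", and keep the "(Default)" marker only on the row that matches the Default Value property, so the two tables agree.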
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index bfcf5c6f27..5cb73b8c77 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -1,7 +1,7 @@
---
title: InternetExplorer Policy CSP
description: Learn more about the InternetExplorer Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -2472,11 +2472,11 @@ This policy setting determines whether Internet Explorer requires that all file-
-This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList. XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
+This setting determines whether IE automatically downloads updated versions of Microsoft's VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.
-- If you enable this setting, IE stops downloading updated versions of VersionList. XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
+- If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer.
-- If you disable or don't configure this setting, IE continues to download updated versions of VersionList. XML.
+- If you disable or don't configure this setting, IE continues to download updated versions of VersionList.XML.
For more information, see "Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
@@ -4429,7 +4429,7 @@ This policy setting allows you to manage a list of domains on which Internet Exp
- If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
-1. "domain.name. TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
+1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
2. "hostname". For example, if you want to include https://example, use "example".
3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm".
@@ -5272,7 +5272,7 @@ This policy setting allows you to manage the loading of Extensible Application M
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -6825,7 +6825,7 @@ This policy setting allows you to manage the opening of windows and frames and a
-This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@@ -7337,7 +7337,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -8410,7 +8410,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -9325,7 +9325,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10174,7 +10174,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -10883,7 +10883,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -11662,7 +11662,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -12441,7 +12441,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -13373,7 +13373,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T
| Name | Value |
|:--|:--|
| Name | VerMgmtDisableRunThisTime |
-| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
+| Friendly Name | Remove "Run this time" button for outdated ActiveX controls in Internet Explorer |
| Location | Computer and User Configuration |
| Path | Windows Components > Internet Explorer > Security Features > Add-on Management |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Ext |
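Review bot: the removed and added `Friendly Name` rows in this hunk render identically (`Remove "Run this time" button for outdated ActiveX controls in Internet Explorer`), so the change must be invisible whitespace being normalized (a trailing space or a non-breaking space). That is fine to merge, but the same identical-looking pair appears for `Security Zones: Use only machine settings` and `Disconnect remote session on lock for legacy authentication` later in this change; a one-line PR description saying these are whitespace cleanups would save the next reviewer a character-by-character comparison.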
@@ -14307,7 +14307,7 @@ This policy setting allows you to manage whether a user's browser can be redirec
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
@@ -15862,7 +15862,7 @@ If you selected Prompt in the drop-down box, users are asked to choose whether t
-This policy setting allows you to manage whether . NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components.
@@ -16472,7 +16472,7 @@ Also, see the "Security zones: Don't allow users to change policies" policy.
| Name | Value |
|:--|:--|
| Name | Security_HKLM_only |
-| Friendly Name | Security Zones: Use only machine settings |
+| Friendly Name | Security Zones: Use only machine settings |
| Location | Computer Configuration |
| Path | Windows Components > Internet Explorer |
| Registry Key Name | Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
@@ -16981,7 +16981,7 @@ This policy setting allows you to manage whether Web sites from less privileged
-This policy setting allows you to manage whether . NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+This policy setting allows you to manage whether .NET Framework components that aren't signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
- If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index d2ccb8d7eb..c2b7e4d9b0 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
-ms.date: 09/11/2024
+ms.date: 11/26/2024
---
@@ -139,7 +139,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us
-By default, launching applications via Launcher API (Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs) is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
+By default, launching applications via Launcher API is disabled in single app kiosk mode. To enable applications to launch in single app kiosk mode on HoloLens devices, set the policy value to true.
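Review bot: the `+` line drops the reference to the Launcher class instead of repairing it, so readers of the MixedReality page lose the pointer to the Launcher API documentation. The removed parenthetical (`Launcher Class (Windows. System) - Windows UWP applications | Microsoft Docs`) was a link title that had lost its link and picked up a stray space in `Windows. System`; the better fix is to keep the reference as a proper markdown link to the Launcher class page, with the space removed, rather than deleting it.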
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 16fabdc822..df2f909bd6 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -1,7 +1,7 @@
---
title: NewsAndInterests Policy CSP
description: Learn more about the NewsAndInterests Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/27/2024
---
@@ -9,6 +9,8 @@ ms.date: 01/18/2024
# Policy CSP - NewsAndInterests
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -82,6 +84,64 @@ This policy applies to the entire widgets experience, including content on the t
+
+## DisableWidgetsOnLockScreen
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/NewsAndInterests/DisableWidgetsOnLockScreen
+```
+
+
+
+
+Disable widgets on lock screen.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Enabled. |
+| 1 | Disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableWidgetsOnLockScreen |
+| Path | NewsAndInterests > AT > WindowsComponents > NewsAndInterests |
+
+
+
+
+
+
+
+
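Review bot: the Allowed values table for DisableWidgetsOnLockScreen (`0 (Default) | Enabled.` / `1 | Disabled.`) is ambiguous for a policy whose name starts with "Disable": a reader can't tell whether "Enabled" means widgets are enabled on the lock screen or the policy is enabled. Spell out the effect, for example `0 (Default) | Widgets are shown on the lock screen.` and `1 | Widgets aren't shown on the lock screen.`, and expand the one-line description `Disable widgets on lock screen.` into the enabled / disabled / not-configured behaviour that the other policies in this change use. The Group policy mapping also gives only an unresolved ADMX path (`NewsAndInterests > AT > WindowsComponents > NewsAndInterests`) with no Friendly Name, Location, Registry Key Name, or ADMX File Name rows, unlike the fully populated mappings elsewhere in this change; the run of empty `+` lines suggests the generator had no data for them, so either fill them in or state that the policy has no Group Policy equivalent yet.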
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index a3d59bef8b..898fb3e01b 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -1,7 +1,7 @@
---
title: RemoteDesktopServices Policy CSP
description: Learn more about the RemoteDesktopServices Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 11/26/2024
---
@@ -197,7 +197,7 @@ This policy applies only when using legacy authentication to authenticate to the
| Name | Value |
|:--|:--|
| Name | TS_DISCONNECT_ON_LOCK_POLICY |
-| Friendly Name | Disconnect remote session on lock for legacy authentication |
+| Friendly Name | Disconnect remote session on lock for legacy authentication |
| Location | Computer Configuration |
| Path | Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services |
diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
index 1def7d700f..53395cdd0b 100644
--- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
+++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md
@@ -1,7 +1,7 @@
---
title: RemoteProcedureCall Policy CSP
description: Learn more about the RemoteProcedureCall Area in Policy CSP.
-ms.date: 01/18/2024
+ms.date: 11/26/2024
---
@@ -105,11 +105,11 @@ This policy setting impacts all RPC applications. In a domain environment this p
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner.
-- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
+- If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.
- If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
-- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
+- If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service.
> [!NOTE]
> This policy won't be applied until the system is rebooted.
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 418199d466..bd79220cf2 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -1,7 +1,7 @@
---
title: Start Policy CSP
description: Learn more about the Start Area in Policy CSP.
-ms.date: 08/06/2024
+ms.date: 11/27/2024
---
@@ -9,6 +9,8 @@ ms.date: 08/06/2024
# Policy CSP - Start
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -513,6 +515,63 @@ This policy controls the visibility of the Videos shortcut on the Start menu. Th
+
+## AlwaysShowNotificationIcon
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Auto-hide notification bell icon. |
+| 1 | Show notification bell icon. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AlwaysShowNotificationIcon |
+| Path | Taskbar > AT > StartMenu |
+
+
+
+
+
+
+
+
## ConfigureStartPins
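Review bot: AlwaysShowNotificationIcon ships with no description at all: between the `./User/Vendor/MSFT/Policy/Config/Start/AlwaysShowNotificationIcon` path block and **Description framework properties** there are only empty `+` lines. Add the behaviour text (what happens when the value is 0, when it is 1, and when the policy isn't configured) so the Allowed values rows `Auto-hide notification bell icon.` and `Show notification bell icon.` have context. The Group policy mapping likewise lists only an unresolved path (`Taskbar > AT > StartMenu`) and no Friendly Name, Location, Registry Key Name, or ADMX File Name.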
@@ -2247,6 +2306,63 @@ For more information on how to customize the Start layout, see [Customize the St
+
+## TurnOffAbbreviatedDateTimeFormat
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Show abbreviated time and date format. |
+| 1 | Show classic time and date format. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TurnOffAbbreviatedDateTimeFormat |
+| Path | Taskbar > AT > StartMenu |
+
+
+
+
+
+
+
+
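Review bot: TurnOffAbbreviatedDateTimeFormat has an empty description block (only blank `+` lines between the `./User/Vendor/MSFT/Policy/Config/Start/TurnOffAbbreviatedDateTimeFormat` path and **Description framework properties**). Add the enabled / disabled / not-configured text so the reader isn't left to infer the behaviour from `Show abbreviated time and date format.` and `Show classic time and date format.` alone, and complete the Group policy mapping, which currently carries only the unresolved path `Taskbar > AT > StartMenu`.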
diff --git a/windows/client-management/mdm/policy-csp-sudo.md b/windows/client-management/mdm/policy-csp-sudo.md
index dbcd21af22..796c69e84b 100644
--- a/windows/client-management/mdm/policy-csp-sudo.md
+++ b/windows/client-management/mdm/policy-csp-sudo.md
@@ -1,7 +1,7 @@
---
title: Sudo Policy CSP
description: Learn more about the Sudo Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -19,7 +19,7 @@ ms.date: 09/27/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ❌ Pro ❌ Enterprise ❌ Education ❌ Windows SE ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
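Review bot: the Editions row flips from all ❌ to all ✅ with no accompanying change to the Applicable OS column or to the page body. As previously written the Sudo policy applied to no edition at all, so the correction looks right, but please confirm with the CSP owner that the policy is honoured on Pro, Enterprise, Education, Windows SE and IoT Enterprise / IoT Enterprise LTSC on `Windows 11, version 24H2 [10.0.26100] and later`. Admins use this table to decide whether a control is deployable; advertising a sudo restriction on an edition where the node is ignored would leave them believing a control is enforced when it isn't.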
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index a77f87712f..19a069926b 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1,7 +1,7 @@
---
title: Update Policy CSP
description: Learn more about the Update Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -2522,7 +2522,7 @@ Minimum number of days from update installation until restarts occur automatical
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
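Review bot: the Applicable OS for this Update policy moves back from `Windows 11, version 24H2 [10.0.26100] and later` to `Windows 11, version 22H2 [10.0.22621] and later`, and the hunk at `@@ -2601` makes the same change for the next policy. If the policy reached 22H2 through a servicing update, cite the KB and build the way the DisableImageCreator row in policy-csp-windowsai.md does (`Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later`); a bare 22H2 baseline reads as "present on 10.0.22621 RTM, no update required", which is what admins will act on when they plan deployments.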
@@ -2601,7 +2601,7 @@ This policy will override the following policies:
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621] and later |
@@ -3237,7 +3237,7 @@ These policies are not exclusive and can be used in any combination. Together wi
- the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
+Enables the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
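Review bot: the `+` line restores the missing verb (`Enables the IT admin to schedule ...`) but leaves `The data type is a integer.` in place; since the sentence is being touched anyway, change it to `an integer`.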
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 96d9296b8a..08d092b065 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -1,7 +1,7 @@
---
title: WebThreatDefense Policy CSP
description: Learn more about the WebThreatDefense Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -308,7 +308,7 @@ This policy setting determines whether Enhanced Phishing Protection in Microsoft
- If you disable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen is off and it won't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
-- If you don't configure this setting, users can decide whether or not they will enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
+- If you don't configure this setting, users can decide whether or not they'll enable Enhanced Phishing Protection in Microsoft Defender SmartScreen.
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 72d541101b..6b2b257fbe 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -1,7 +1,7 @@
---
title: WindowsAI Policy CSP
description: Learn more about the WindowsAI Area in Policy CSP.
-ms.date: 11/05/2024
+ms.date: 11/27/2024
---
@@ -15,28 +15,103 @@ ms.date: 11/05/2024
+
+## AllowRecallEnablement
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/AllowRecallEnablement
+```
+
+
+
+
+This policy setting allows you to determine whether the Recall optional component is available for end users to enable on their device. By default, Recall is disabled for managed commercial devices. Recall isn't available on managed devices by default, and individual users can't enable Recall on their own.
+
+- If this policy isn't configured, end users will have the Recall component in a disabled state.
+
+- If this policy is disabled, the Recall component will be in disabled state and the bits for Recall will be removed from the device. If snapshots were previously saved on the device, they'll be deleted when this policy is disabled. Removing Recall requires a device restart.
+
+- If the policy is enabled, end users will have Recall available on their device. Depending on the state of the DisableAIDataAnalysis policy (Turn off saving snapshots for use with Recall), end users will be able to choose if they want to save snapshots of their screen and use Recall to find things they've seen on their device.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Recall isn't available. |
+| 1 (Default) | Recall is available. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowRecallEnablement |
+| Friendly Name | Allow Recall to be enabled |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | AllowRecallEnablement |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
## DisableAIDataAnalysis
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
```User
./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis
+```
-This policy setting allows you to control whether Windows saves snapshots of the screen and analyzes the user's activity on their device.
+This policy setting allows you to determine whether snapshots of the screen can be saved for use with Recall. By default, snapshots for Recall aren't enabled. IT administrators can't, on their own, enable saving snapshots on behalf of their users. The choice to enable saving snapshots requires individual user opt-in consent.
-- If you enable this policy setting, Windows won't be able to save snapshots and users won't be able to search for or browse through their historical device activity using Recall.
+- If the policy isn't configured, snapshots won't be saved for use with Recall.
-- If you disable or don't configure this policy setting, Windows will save snapshots of the screen and users will be able to search for or browse through a timeline of their past activities using Recall.
+- If you enable this policy, snapshots won't be saved for use with Recall. If snapshots were previously saved on the device, they'll be deleted when this policy is enabled.
+
+If you set this policy to disabled, end users will have a choice to save snapshots of their screen and use Recall to find things they've seen on their device.
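Review bot: the AllowRecallEnablement description contradicts its own defaults. The prose says `By default, Recall is disabled for managed commercial devices` and `If this policy isn't configured, end users will have the Recall component in a disabled state`, yet **Description framework properties** lists `Default Value | 1` and the Allowed values table marks `1 (Default) | Recall is available.` One of the two is wrong: if the not-configured state is "disabled", the default should be 0; if the node's default really is 1, the text needs to explain how an unconfigured policy still leaves Recall disabled. While there, the first paragraph states the same fact twice (`By default, Recall is disabled for managed commercial devices` and `Recall isn't available on managed devices by default`); keep one. In the DisableAIDataAnalysis part of the hunk, the last line `If you set this policy to disabled, end users will have a choice ...` is plain prose while the enabled and not-configured cases are `- If ...` bullets; make it the third bullet so the three states read as one list.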
@@ -68,8 +143,8 @@ This policy setting allows you to control whether Windows saves snapshots of the
| Name | Value |
|:--|:--|
| Name | DisableAIDataAnalysis |
-| Friendly Name | Turn off Saving Snapshots for Windows |
-| Location | User Configuration |
+| Friendly Name | Turn off saving snapshots for use with Recall |
+| Location | Computer and User Configuration |
| Path | Windows Components > Windows AI |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
| Registry Value Name | DisableAIDataAnalysis |
@@ -144,6 +219,68 @@ This policy setting allows you to control whether Cocreator functionality is dis
+
+## DisableGenerativeFill
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/DisableGenerativeFill
+```
+
+
+
+
+This policy setting allows you to control whether generative fill functionality is disabled in the Windows Paint app.
+
+- If this policy is enabled, generative fill functionality won't be accessible in the Paint app.
+
+- If this policy is disabled or not configured, users will be able to access generative fill functionality.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Generative fill is enabled. |
+| 1 | Generative fill is disabled. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | DisableGenerativeFill |
+| Path | WindowsAI > AT > WindowsComponents > Paint |
+
+
+
+
+
+
+
+
## DisableImageCreator
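Review bot: the Group policy mapping for DisableGenerativeFill carries only `Name` and an unresolved ADMX path (`WindowsAI > AT > WindowsComponents > Paint`), whereas the other WindowsAI policies in this change list Friendly Name, Location, Path, Registry Key Name, Registry Value Name and ADMX File Name. Fill those rows in, or state that the policy has no ADMX backing yet, so admins can find the Group Policy equivalent and audit the registry value it sets.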
@@ -212,7 +349,7 @@ This policy setting allows you to control whether Image Creator functionality is
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5044380](https://support.microsoft.com/help/5044380) [10.0.22621.4391] and later |
@@ -222,7 +359,7 @@ This policy setting allows you to control whether Image Creator functionality is
-
+
This policy setting determines which app opens when the user presses the Copilot key on their keyboard.
- If the policy is enabled, the specified app will open when the user presses the Copilot key. Users can change the key assignment in Settings.
@@ -249,7 +386,11 @@ This policy setting determines which app opens when the user presses the Copilot
| Name | Value |
|:--|:--|
| Name | SetCopilotHardwareKey |
-| Path | WindowsCopilot > AT > WindowsComponents > WindowsCopilot |
+| Friendly Name | Set Copilot Hardware Key |
+| Location | User Configuration |
+| Path | Windows Components > Windows Copilot |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\CopilotKey |
+| ADMX File Name | WindowsCopilot.admx |
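Review bot: the expanded SetCopilotHardwareKey mapping adds Friendly Name, Location, Path, Registry Key Name (`SOFTWARE\Policies\Microsoft\Windows\CopilotKey`) and ADMX File Name but omits `Registry Value Name`, which every other fully populated mapping in this change includes (for example `| Registry Value Name | AllowRecallEnablement |`). Add it; without the value name the registry key alone isn't enough to verify the setting on a device.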
@@ -258,6 +399,294 @@ This policy setting determines which app opens when the user presses the Copilot
+
+## SetDenyAppListForRecall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyAppListForRecall
+```
+
+
+
+
+This policy allows you to define a list of apps that won't be included in snapshots for Recall.
+
+Users will be able to add additional applications to exclude from snapshots using Recall settings.
+
+The list can include Application User Model IDs (AUMID) or name of the executable file.
+
+Use a semicolon-separated list of apps to define the deny app list for Recall.
+
+For example: `code.exe;Microsoft.WindowsNotepad_8wekyb3d8bbwe!App;ms-teams.exe`
+
+> [!IMPORTANT]
+> When configuring this policy setting, changes won't take effect until the device restarts.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDenyAppListForRecall |
+| Friendly Name | Set a list of apps to be filtered from snapshots for Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetDenyAppListForRecall |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetDenyUriListForRecall
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetDenyUriListForRecall
+```
+
+
+
+
+This policy setting lets you define a list of URIs that won't be included in snapshots for Recall when a supported browser is used. People within your organization can use Recall settings to add more websites to the list. Define the list using a semicolon to separate URIs.
+
+For example: `https://www.Contoso.com;https://www.WoodgroveBank.com;https://www.Adatum.com`
+
+Adding `https://www.WoodgroveBank.com` to the list would also filter `https://Account.WoodgroveBank.com` and `https://www.WoodgroveBank.com/Account`.
+
+> [!IMPORTANT]
+> Changes to this policy take effect after device restart.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `;`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetDenyUriListForRecall |
+| Friendly Name | Set a list of URIs to be filtered from snapshots for Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetDenyUriListForRecall |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetMaximumStorageDurationForRecallSnapshots
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageDurationForRecallSnapshots
+```
+
+
+
+
+This policy setting allows you to control the maximum amount of time (in days) that Windows saves snapshots for Recall.
+
+When the policy is enabled, you can configure the maximum storage duration to be 30, 60, 90, or 180 days.
+
+When this policy isn't configured, a time frame isn't set for deleting snapshots.
+
+Snapshots aren't deleted until the maximum storage allocation for Recall is reached, and then the oldest snapshots are deleted first.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Let the OS define the maximum amount of time the snapshots will be saved. |
+| 30 | 30 days. |
+| 60 | 60 days. |
+| 90 | 90 days. |
+| 180 | 180 days. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetMaximumStorageDurationForRecallSnapshots |
+| Friendly Name | Set maximum duration for storing snapshots used by Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetMaximumStorageDurationForRecallSnapshots |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
+
+## SetMaximumStorageSpaceForRecallSnapshots
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsAI/SetMaximumStorageSpaceForRecallSnapshots
+```
+
+
+
+
+This policy setting allows you to control the maximum amount of disk space that can be used by Windows to save snapshots for Recall.
+
+You can set the maximum amount of disk space for snapshots to be 10, 25, 50, 75, 100, or 150 GB.
+
+When this setting isn't configured, the OS configures the storage allocation for snapshots based on the device storage capacity.
+
+25 GB is allocated when the device storage capacity is 256 GB. 75 GB is allocated when the device storage capacity is 512 GB. 150 GB is allocated when the device storage capacity is 1 TB or higher.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Let the OS define the maximum storage amount based on hard drive storage size. |
+| 10000 | 10GB. |
+| 25000 | 25GB. |
+| 50000 | 50GB. |
+| 75000 | 75GB. |
+| 100000 | 100GB. |
+| 150000 | 150GB. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SetMaximumStorageSpaceForRecallSnapshots |
+| Friendly Name | Set maximum storage for snapshots used by Recall |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Windows AI |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\WindowsAI |
+| Registry Value Name | SetMaximumStorageSpaceForRecallSnapshots |
+| ADMX File Name | WindowsCopilot.admx |
+
+
+
+
+
+
+
+
## TurnOffWindowsCopilot
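Review bot: The **Allowed values** table for SetMaximumStorageSpaceForRecallSnapshots lists bare integers (`10000` described as "10GB.") without saying what unit the integer is in, while the prose above it speaks of "10, 25, 50, 75, 100, or 150 GB"; state the unit of the raw value (for example "Value (MB)" in the header) and write the descriptions as "10 GB." to match the spacing used in the paragraph. The default-allocation paragraph ("25 GB is allocated when the device storage capacity is 256 GB ...") also leaves devices with less than 256 GB unaddressed; either give that case or say the listed tiers are the only supported ones.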
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index c7a7fe256c..64a1352741 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -1,7 +1,7 @@
---
title: WindowsLogon Policy CSP
description: Learn more about the WindowsLogon Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/26/2024
---
@@ -349,7 +349,7 @@ This policy setting allows you to control whether users see the first sign-in an
| Name | Value |
|:--|:--|
| Name | EnableFirstLogonAnimation |
-| Friendly Name | Show first sign-in animation |
+| Friendly Name | Show first sign-in animation |
| Location | Computer Configuration |
| Path | System > Logon |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
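Review bot: The removed and added `Friendly Name` lines read identically ("Show first sign-in animation"), so this hunk only changes whitespace or a non-printing character; if that is the intended fix (for example a stray non-breaking space), say so in the commit message, otherwise drop the no-op change so the date bump is the only edit to this file.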
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index a22172669f..3c26ac2f1a 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -1,7 +1,7 @@
---
title: WindowsSandbox Policy CSP
description: Learn more about the WindowsSandbox Area in Policy CSP.
-ms.date: 09/27/2024
+ms.date: 11/27/2024
---
@@ -19,7 +19,7 @@ ms.date: 09/27/2024
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
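Review bot: The Windows 10 backport (versions 2004, 20H2 and 21H1 at servicing build `.4950`) is applied to the **Applicable OS** tables at lines 19, 84, 212, 277, 340 and 405, but the two policies whose **Allowed values** blocks are touched at `-182` and `-505` (both with the "exposing folders from the host" context) keep their unchanged scope tables; confirm whether those two policies are deliberately excluded from the backport or whether their tables were missed.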
@@ -54,10 +54,18 @@ Note that there may be security implications of exposing host audio input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
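Review bot: The new table leaves three consecutive blank lines before **Group policy mapping** (the two added `+` blank lines plus the existing one); keep a single blank line, and apply the same trim to the identical **Allowed values** hunks that follow in this file. Replacing the `Range: [0-1]` row with an explicit table that marks `1 (Default)` is consistent with the unchanged `Default Value | 1` row, so the content itself looks right.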
@@ -84,7 +92,7 @@ Note that there may be security implications of exposing host audio input to the
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -117,10 +125,18 @@ This policy setting enables or disables clipboard sharing with the sandbox.
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -182,10 +198,18 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -212,7 +236,7 @@ Note that there may be security implications of exposing folders from the host i
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -247,10 +271,18 @@ Note that enabling networking can expose untrusted applications to the internal
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -277,7 +309,7 @@ Note that enabling networking can expose untrusted applications to the internal
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -310,10 +342,18 @@ This policy setting enables or disables printer sharing from the host into the S
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -340,7 +380,7 @@ This policy setting enables or disables printer sharing from the host into the S
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -375,10 +415,18 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -405,7 +453,7 @@ Note that enabling virtualized GPU can potentially increase the attack surface o
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 21H2 [10.0.22000] and later |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 [10.0.19041.4950] and later ✅ Windows 10, version 20H2 [10.0.19042.4950] and later ✅ Windows 10, version 21H1 [10.0.19043.4950] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
@@ -440,10 +488,18 @@ Note that there may be security implications of exposing host video input to the
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
@@ -505,11 +561,19 @@ Note that there may be security implications of exposing folders from the host i
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` Dependency Allowed Value: `[1]` Dependency Allowed Value Type: `Range` |
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Not allowed. |
+| 1 (Default) | Allowed. |
+
+
**Group policy mapping**:
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 3793140f08..687edec2d2 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,7 +1,7 @@
---
title: SUPL CSP
description: Learn more about the SUPL CSP.
-ms.date: 01/18/2024
+ms.date: 11/27/2024
---
@@ -289,7 +289,7 @@ Required. The AppID for SUPL is automatically set to "ap0004". This is a read-on
-Optional. Determines the full version (X. Y. Z where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
+Optional. Determines the full version (`X.Y.Z` where X, Y and Z are major version, minor version, service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
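Review bot: While this line is being touched, fix the remaining grammar in it: "If FullVersion is defined, Version field is ignored" should read "the Version field is ignored", and the parenthetical reads better as "where X, Y and Z are the major version, minor version and service indicator, respectively".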
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 3011ad91da..4b5c7ff09c 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -837,10 +837,10 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- - name: PDE
+ - name: Personal Data Encryption
href: personaldataencryption-csp.md
items:
- - name: PDE DDF file
+ - name: Personal Data Encryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization
href: personalization-csp.md
diff --git a/windows/client-management/recall-sensitive-information-filtering.md b/windows/client-management/recall-sensitive-information-filtering.md
new file mode 100644
index 0000000000..e6d8c32969
--- /dev/null
+++ b/windows/client-management/recall-sensitive-information-filtering.md
@@ -0,0 +1,190 @@
+---
+title: Sensitive information filtering in Recall
+description: Learn about the types of potentially sensitive information Recall detects.
+ms.topic: reference
+ms.subservice: windows-copilot
+ms.date: 11/22/2024
+ms.author: mstewart
+author: mestew
+ms.collection:
+ - windows-copilot
+ - magic-ai-copilot
+appliesto:
+- ✅ Copilot+ PCs
+---
+
+
+# Reference for sensitive information filtering in Recall
+
+This article provides information about the types of potentially sensitive information that [Recall](manage-recall.md) detects when the **Sensitive Information Filtering** setting is enabled.
+
+## Types of potentially sensitive information
+
+Types of potentially sensitive information that Recall detects and filters include:
+
+ABA Routing Number
+Argentina National Identity (DNI) Number
+Argentina Unique Tax Identification Key (CUIT/CUIL)
+Australia Bank Account Number
+Australia Drivers License Number
+Australia Tax File Number
+Austria Driver's License Number
+Austria Identity Card
+Austria Social Security Number
+Austria Tax Identification Number
+Austria Value Added Tax
+Azure Document DB Auth Key
+Azure IAAS Database Connection String and Azure SQL Connection String
+Azure IoT Connection String
+Azure Redis Cache Connection String
+Azure SAS
+Azure Secrets (Generic)
+Azure Service Bus Connection String
+Azure Storage Account Key
+Belgium Driver's License Number
+Belgium National Number
+Belgium Value Added Tax Number
+Brazil CPF Number
+Brazil Legal Entity Number (CNPJ)
+Brazil National ID Card (RG)
+Bulgaria Driver's License Number
+Bulgaria Uniform Civil Number
+Canada Bank Account Number
+Canada Driver's License Number
+Canada Social Insurance Number
+Chile Identity Card Number
+China Resident Identity Card (PRC) Number
+Colombia National ID
+Credit Card Number
+Croatia Driver's License Number
+Croatia Identity Card Number
+Croatia Personal Identification (OIB) Number
+Cyprus Driver's License Number
+Cyprus Identity Card
+Cyprus Tax Identification Number
+Czech Driver's License Number
+Czech Personal Identity Number
+DEA Number
+Denmark Driver's License Number
+Denmark Personal Identification Number
+Ecuador Unique Identification Number
+Estonia Driver's License Number
+Estonia Personal Identification Code
+EU Debit Card Number
+EU Driver's License Number
+EU National Id Card
+EU SSN or Equivalent Number
+EU Tax File Number
+Finland Driver's License Number
+Finnish National ID
+France CNI
+France Driver's License Number
+France INSEE
+France Tax Identification Number (numéro SPI.)
+France Value Added Tax Number
+General Password
+German Driver's License Number
+Germany Identity Card Number
+Germany Tax Identification Number
+Germany Value Added Tax Number
+Greece Driver's License Number
+Greece National ID Card
+Greece Social Security Number (AMKA)
+Greek Tax Identification Number
+Hong Kong Identity Card (HKID) number
+Hungarian Social Security Number (TAJ)
+Hungarian Value Added Tax Number
+Hungary Driver's License Number
+Hungary Personal Identification Number
+Hungary Tax Identification Number
+IBAN
+India Driver's License Number
+India GST number
+India Permanent Account Number
+India Unique Identification (Aadhaar) number
+India Voter Id Card
+Indonesia Drivers License Number
+Indonesia Identity Card (KTP) Number
+Ireland Driver's License Number
+Ireland Personal Public Service (PPS) Number
+Israel Bank Account Number
+Israel National ID Number
+Italy Driver's license Number
+Italy Fiscal Code
+Italy Value Added Tax
+Japan Bank Account Number
+Japan Driver's License Number
+Japan Residence Card Number
+Japan Resident Registration Number
+Japan Social Insurance Number
+Japanese My Number – Corporate
+Japanese My Number – Personal
+Latvia Driver's License Number
+Latvia Personal Code
+Lithuania Driver's License Number
+Lithuania Personal Code
+Luxembourg Driver's License Number
+Luxembourg National Identification Number (Natural persons)
+Luxembourg National Identification Number (Non-natural persons)
+Malaysia ID Card Number
+Malta Driver's License Number
+Malta Identity Card Number
+Malta Tax ID Number
+Mexico Unique Population Registry Code (CURP)
+Netherlands Citizen's Service (BSN) Number
+Netherlands Driver's License Number
+Netherlands Tax Identification Number
+Netherlands Value Added Tax Number
+New Zealand Bank Account Number
+New Zealand Driver License Number
+New Zealand Inland Revenue Number
+Newzealand Social Welfare Number
+Norway Identification Number
+Philippines National ID
+Philippines Passport Number
+Philippines Unified Multi-Purpose ID number
+Poland Driver's License Number
+Poland Identity Card
+Poland National ID (PESEL)
+Poland Tax Identification Number
+Polish REGON Number
+Portugal Citizen Card Number
+Portugal Driver's License Number
+Portugal Tax Identification Number
+Qatari ID Card Number
+Romania Driver's License Number
+Romania Personal Numerical Code (CNP)
+Saudi Arabia National ID
+Singapore Driving License Number
+Singapore National Registration Identity Card (NRIC) Number
+Slovakia Driver's License Number
+Slovakia Personal Number
+Slovenia Driver's License Number
+Slovenia Tax Identification Number
+Slovenia Unique Master Citizen Number
+South Africa Identification Number
+South Korea Driver's License Number
+South Korea Resident Registration Number
+Spain DNI
+Spain Driver's License Number
+Spain SSN
+Spain Tax Identification Number
+Sweden Driver's License Number
+Sweden National ID
+Sweden Tax Identification Number
+SWIFT Code
+Swiss SSN AHV Number
+Taiwan Resident Certificate (ARC/TARC)
+Taiwanese National ID
+Thai Citizen ID
+Turkish National Identity
+U.K. Driver's License Number
+U.K. Electoral Number
+U.K. NHS Number
+U.K. NINO
+U.K. Unique Taxpayer Reference Number
+U.S. Bank Account Number
+U.S. Driver's License Number
+U.S. Individual Taxpayer Identification Number (ITIN)
+U.S. Social Security Number
+UAE Identity Card Number
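Review bot: The entries after "Types of potentially sensitive information that Recall detects and filters include:" are bare lines with no list marker, so Markdown will join all of them into one run-on paragraph; prefix each with `- ` (or a `|`-delimited table) so they render as a list. The naming is also inconsistent across entries and should be normalized before publishing: "Newzealand Social Welfare Number" versus "New Zealand Bank Account Number", "Drivers License" versus "Driver's License", "Finnish National ID" / "Greek Tax Identification Number" / "Hungarian ... " / "Polish REGON Number" / "Japanese My Number" / "Taiwanese National ID" versus the country-name form used everywhere else, "EU National Id Card" versus "ID", and the stray period in "(numéro SPI.)".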
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 4aa913ef53..711bc21aea 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -51,7 +51,9 @@ items:
- name: Updated Windows and Microsoft Copilot experience
href: manage-windows-copilot.md
- name: Manage Recall
- href: manage-recall.md
+ href: manage-recall.md
+ - name: Reference for sensitive information filtering in Recall
+ href: recall-sensitive-information-filtering.md
- name: Secured-Core PC Configuration Lock
href: config-lock.md
- name: Certificate renewal
diff --git a/windows/configuration/cellular/provisioning-apn.md b/windows/configuration/cellular/provisioning-apn.md
index 8fcf389cf7..860024c72c 100644
--- a/windows/configuration/cellular/provisioning-apn.md
+++ b/windows/configuration/cellular/provisioning-apn.md
@@ -2,7 +2,7 @@
title: Configure cellular settings
description: Learn how to provision cellular settings for devices with built-in modems or plug-in USB modem dongles.
ms.topic: concept-article
-ms.date: 04/23/2024
+ms.date: 12/05/2024
---
# Configure cellular settings
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index fa1a297ecf..a1e1606862 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -11,7 +11,7 @@ metadata:
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 04/25/2024
+ ms.date: 12/05/2024
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/configuration/start/index.md b/windows/configuration/start/index.md
index 0627e33663..2294ebe5cc 100644
--- a/windows/configuration/start/index.md
+++ b/windows/configuration/start/index.md
@@ -1,8 +1,8 @@
---
-title: Configure the Start menu
+title: Configure The Windows Start Menu With Policy Settings
description: Learn how to configure the Windows Start menu to provide quick access to the tools and applications that users need most.
ms.topic: overview
-ms.date: 04/10/2024
+ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
ms.collection:
- essentials-manage
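Review bot: The new title "Configure The Windows Start Menu With Policy Settings" is in Title Case, whereas the description on the next line, the existing titles elsewhere in this changeset (for example "Configure cellular settings", "Configure Windows spotlight") and the H1 headings in these articles use sentence case; keep sentence case ("Configure the Windows Start menu with policy settings") so the metadata title and the rendered heading match.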
diff --git a/windows/configuration/start/layout.md b/windows/configuration/start/layout.md
index 81f5d11c75..af0a608300 100644
--- a/windows/configuration/start/layout.md
+++ b/windows/configuration/start/layout.md
@@ -1,8 +1,8 @@
---
-title: Customize the Start layout
+title: Customize The Start Layout For Managed Windows Devices
description: Learn how to customize the Windows Start layout, export its configuration, and deploy the customization to other devices.
ms.topic: how-to
-ms.date: 04/10/2024
+ms.date: 12/02/2024
zone_pivot_groups: windows-versions-11-10
appliesto:
---
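Review bot: Same casing point as for the Start menu overview: "Customize The Start Layout For Managed Windows Devices" should be sentence case ("Customize the Start layout for managed Windows devices") to match the description line and the other titles in this changeset.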
diff --git a/windows/configuration/start/xsd.md b/windows/configuration/start/xsd.md
index 714f0aa70f..ba0f818bc7 100644
--- a/windows/configuration/start/xsd.md
+++ b/windows/configuration/start/xsd.md
@@ -2,7 +2,7 @@
title: Start XML Schema Definition (XSD)
description: Start XSD reference article.
ms.topic: reference
-ms.date: 04/10/2024
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 10
---
diff --git a/windows/configuration/store/index.md b/windows/configuration/store/index.md
index 09c92aea0f..b6b7609319 100644
--- a/windows/configuration/store/index.md
+++ b/windows/configuration/store/index.md
@@ -1,8 +1,8 @@
---
-title: Configure access to the Microsoft Store app
+title: Configure Access To The Microsoft Store App For Windows Devices
description: Learn how to configure access to the Microsoft Store app.
ms.topic: how-to
-ms.date: 03/13/2024
+ms.date: 12/02/2024
---
# Configure access to the Microsoft Store app
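Review bot: The new title "Configure Access To The Microsoft Store App For Windows Devices" is in Title Case while the unchanged H1 directly below it ("# Configure access to the Microsoft Store app") is in sentence case; use sentence case for the title so the two agree.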
diff --git a/windows/configuration/taskbar/xsd.md b/windows/configuration/taskbar/xsd.md
index 351c262871..da97f38e11 100644
--- a/windows/configuration/taskbar/xsd.md
+++ b/windows/configuration/taskbar/xsd.md
@@ -2,7 +2,7 @@
title: Windows Taskbar XML Schema Definition (XSD)
description: Reference article about the Taskbar XML schema definition (XSD).
ms.topic: reference
-ms.date: 11/07/2024
+ms.date: 11/11/2024
---
# Taskbar XML Schema Definition (XSD)
diff --git a/windows/configuration/windows-spotlight/index.md b/windows/configuration/windows-spotlight/index.md
index 6c056b86f1..ad39469d22 100644
--- a/windows/configuration/windows-spotlight/index.md
+++ b/windows/configuration/windows-spotlight/index.md
@@ -2,7 +2,7 @@
title: Configure Windows spotlight
description: Learn how to configure Windows spotlight using Group Policy and mobile device management (MDM) settings.
ms.topic: how-to
-ms.date: 04/23/2024
+ms.date: 12/05/2024
ms.author: paoloma
author: paolomatarazzo
appliesto:
diff --git a/windows/deployment/do/mcc-ent-deploy-to-linux.md b/windows/deployment/do/mcc-ent-deploy-to-linux.md
index 0fc31cdf23..8280d47b34 100644
--- a/windows/deployment/do/mcc-ent-deploy-to-linux.md
+++ b/windows/deployment/do/mcc-ent-deploy-to-linux.md
@@ -26,6 +26,10 @@ Before deploying Connected Cache to a Linux host machine, ensure that the host m
1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a Linux host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
+
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Run the provisioning command on the host machine.
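Review bot: The note tells the reader to place the `.pem` file in the extracted provisioning package directory but then shows `proxyTlsCertificatePath="/path/to/pem/file"` as an absolute placeholder; say explicitly whether the path is relative to the package directory (and show that form, for example `proxyTlsCertificatePath="./proxy.pem"`) or whether any absolute path is accepted, so readers do not guess. Two style points: a `>[!Note]` with a single `>*` bullet does not need the bullet, and the vendor name is spelled "Zscaler" (and "e.g." should be "for example" in this doc set).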
@@ -42,6 +46,10 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
1. Download and extract the [Connected Cache provisioning package for Linux](https://aka.ms/MCC-Ent-InstallScript-Linux) to your host machine.
1. Open a command line window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `proxyTlsCertificatePath="/path/to/pem/file"` to the provisioning command.
+
1. Set access permissions to allow the `provisionmcc.sh` script within the provisioning package directory to execute.
1. Replace the values in the following provisioning command before running it on the host machine.
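Review bot: The same relative-versus-absolute path and single-bullet note points apply to this hunk as to the portal tab above; in addition, this note instructs readers to add `proxyTlsCertificatePath=...` to the provisioning command, but the command that the next step presents ("Replace the values in the following provisioning command") is not updated in this diff to show the parameter, so readers have no example of where it goes.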
diff --git a/windows/deployment/do/mcc-ent-deploy-to-windows.md b/windows/deployment/do/mcc-ent-deploy-to-windows.md
index ba27a5f82f..275b637871 100644
--- a/windows/deployment/do/mcc-ent-deploy-to-windows.md
+++ b/windows/deployment/do/mcc-ent-deploy-to-windows.md
@@ -17,7 +17,7 @@ appliesto:
This article describes how to deploy Microsoft Connected Cache for Enterprise and Education caching software to a Windows host machine.
-Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [Local User Account](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
+Deploying Connected Cache to a Windows host machine requires designating a [Group Managed Service Account (gMSA)](/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts) or a [local user account](https://support.microsoft.com/topic/20de74e0-ac7f-3502-a866-32915af2a34d) as the Connected Cache runtime account. This prevents tampering with the Connected Cache container and the cached content on the host machine.
Before deploying Connected Cache to a Windows host machine, ensure that the host machine meets all [requirements](mcc-ent-prerequisites.md), and that you have [created and configured your Connected Cache Azure resource](mcc-ent-create-resource-and-cache.md).
@@ -26,14 +26,25 @@ Before deploying Connected Cache to a Windows host machine, ensure that the host
# [Azure portal](#tab/portal)
1. Within the Azure portal, navigate to the **Provisioning** tab of your cache node and copy the provisioning command.
-1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the package onto the host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
+1. Download the provisioning package using the option at the top of the Cache Node Configuration page and extract the archive onto the host machine.
+
+ >[!Note]
+ >* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller)
+
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a Windows host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePemFileName "mycert.pem"` to the provisioning command.
+
1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
-1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
+1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account.
- For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
+ For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`.
- If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
+ If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
+
+ >[!Note]
+ >* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`.
1. Run the provisioning command on the host machine.
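Review bot: The proxy certificate parameter in this tab is `-proxyTlsCertificatePemFileName "mycert.pem"`, but the Azure CLI tab of the same file (same `provisionmcconwsl.ps1` script) uses `-proxyTlsCertificatePath "path/to/pem/file"`; one of the two names is wrong, so check the script and use the same parameter in both tabs. Smaller fixes in the added lines: "sychronization" should be "synchronization"; "For local user accounts, `$User` PowerShell variable should be formatted" is missing "the" (the CLI tab's wording has it); the `>[!Note]` blocks with a single `>*` bullet do not need the bullet; the vendor name is spelled "Zscaler".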
@@ -48,22 +59,33 @@ To deploy a cache node programmatically, you'll need to use Azure CLI to get the
```
1. Save the resulting output. These values will be passed as parameters within the provisioning command.
-1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine. **Note**: The installer should be in a folder that isn't synced to OneDrive, as this will interfere with the installation process.
+1. Download and extract the [Connected Cache provisioning package for Windows](https://aka.ms/MCC-Ent-InstallScript-WSL) to your host machine.
+
+ >[!Note]
+ >* The provisioning package should be extracted to a directory that isn't synced to OneDrive, as the sychronization process will interfere with the installation. It is recommended to extract the provisioning package to the root directory of the host machine (e.g. C:\mccInstaller)
+
1. Open a PowerShell window *as administrator* on the host machine, then change directory to the extracted provisioning package.
+
+ >[!Note]
+ >* If you are deploying your cache node to a host machine that uses a TLS-inspecting proxy (e.g. ZScaler), ensure that you've [configured the proxy settings](mcc-ent-create-resource-and-cache.md#proxy-settings) for your cache node, then place the proxy certificate file (.pem) in the extracted provisioning package directory and add `-proxyTlsCertificatePath "path/to/pem/file"` to the provisioning command.
+
1. Set the Execution Policy to *Unrestricted* to allow the provisioning scripts to run.
-1. Create a `$User` environment variable containing the username of the account you intend to designate as the Connected Cache runtime account.
+1. Create a `$User` PowerShell variable containing the username of the account you intend to designate as the Connected Cache runtime account.
- For gMSAs, the value should be formatted as `"Domain\Username$"`. For Local User accounts, `$User` should be formatted as `"LocalMachineName\Username"`.
+ For gMSAs, the `$User` PowerShell variable should be formatted as `"Domain\Username$"`. For local user accounts, the `$User` PowerShell variable should be formatted as `"LocalMachineName\Username"`.
- If you're using a Local User account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`. **Note**: You'll need to apply a local security policy to permit the Local User account to `Log on as a batch job`.
+ If you're using a local user account as the Connected Cache runtime account, you'll also need to create a [PSCredential Object](/dotnet/api/system.management.automation.pscredential) named `$myLocalAccountCredential`.
-1. Replace the values in the following provisioning command before running it on the host machine. **Note**: `-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you're using a Local User account as the Connected Cache runtime account.
+ >[!Note]
+ >* You'll need to apply a local security policy to permit the local user account to `Log on as a batch job`.
+
+1. Replace the values in the following provisioning command before running it on the host machine.
```powershell-interactive
./provisionmcconwsl.ps1 -installationFolder c:\mccwsl01 -customerid [enter mccResourceId here] -cachenodeid [enter cacheNodeId here] -customerkey [enter customerKey here] -registrationkey [enter registration key] -cacheDrives "/var/mcc,enter drive size" -shouldUseProxy [enter true if present, enter false if not] -proxyurl "http://[enter proxy host name]:[enter port]" -mccRunTimeAccount $User -mccLocalAccountCredential $myLocalAccountCredential
```
----
+---
## Steps to point Windows client devices at Connected Cache node
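Review bot: the provisioning command in the `powershell-interactive` block still passes `-mccLocalAccountCredential $myLocalAccountCredential` unconditionally, but the removed sentence saying that this parameter is only needed for a local user account was not carried over, so a gMSA deployment that follows the steps now runs the command with an undefined `$myLocalAccountCredential`. Suggest restoring the qualifier as a note under the command, for example: "`-mccLocalAccountCredential $myLocalAccountCredential` is only needed if you're using a local user account as the Connected Cache runtime account." Two smaller points: the OneDrive note has a typo ("sychronization"), and the "Set the Execution Policy to *Unrestricted*" step should say which scope it means; scoping it to the current session (`-Scope Process`) instead of the machine avoids leaving a relaxed policy behind after provisioning. The new proxy note should also state which certificate the `.pem` file is expected to contain so that readers export the right one.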
diff --git a/windows/deployment/do/mcc-ent-monitoring.md b/windows/deployment/do/mcc-ent-monitoring.md
index 9a4894896e..98c00bdcf4 100644
--- a/windows/deployment/do/mcc-ent-monitoring.md
+++ b/windows/deployment/do/mcc-ent-monitoring.md
@@ -18,25 +18,25 @@ ms.date: 10/30/2024
Tracking the status and performance of your Connected Cache node is essential to making sure you're getting the most out of the service.
-For basic monitoring, navigate to the **Overview** tab. Here you'll be able to view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed.
+For basic monitoring, navigate to the **Overview** tab. Here you can view a collection of predefined metrics and charts. All the monitoring in this section will function right after your Connected Cache node has been deployed. You can view more details about each cache node by navigating to the **Cache Nodes** section under the **Cache Node Management** tab. This page displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID.
-For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you'll be able to access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
+For advanced monitoring, navigate to the **Metrics** section under the **Monitoring** tab. Here you can access more sampled metrics (hits, misses, inbound traffic) and specify different aggregations (count, avg, min, max, sum). You can then use this data to create customized charts and configure alerts.
-Between the two monitoring sections, you'll be able to gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
+Using the two monitoring sections, you can gather essential insights into the health, performance, and efficiency of your Connected Cache nodes.
## Basic Monitoring
### Cache node summary
-Below are the metrics you'll find in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.
+Below are the metrics found in the **Cache Node Summary** dashboard, along with their descriptions. This dashboard only reflects data received from cache nodes in the last 24 hours.

| Metric | Description |
| --- | --- |
-| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as healthy. |
-| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node will be labeled as unhealthy. |
-| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from CDN endpoints in the last 24 hours. |
+| Healthy nodes | Your Connected Cache node will periodically send heartbeat messages to the Connected Cache service. If the Connected Cache service has received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as healthy. |
+| Unhealthy nodes | If the Connected Cache service hasn't received a heartbeat message from your Connected Cache node in the last 24 hours, the node is labeled as unhealthy. |
+| Max in | The maximum ingress in Megabits per second (Mbps) that your node has pulled from Content Delivery Network (CDN) endpoints in the last 24 hours. |
| Max out | The minimum egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
| Average in | The average ingress in Mbps that your node has pulled from CDN endpoints in the last 24 hours. |
| Average out | The average egress in Mbps that your node has sent to Windows devices in its network over the last 24 hours. |
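Review bot: the sentence appended to the basic-monitoring paragraph ("You can view more details about each cache node by navigating to the **Cache Nodes** section ... Status, Host machine OS, Software Version, and Cache Node ID.") is repeated verbatim as the body of the new "Cache node details" section later in this file; keep it in one place and link to the section from the other. While touching this table, the unchanged "Max out" row still describes "The minimum egress in Mbps", which contradicts both its name and the "Max in" row; it should read "maximum egress".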
@@ -65,6 +65,20 @@ This chart displays the volume of each supported content type in bytes (B) that
The content types displayed in the chart each have a distinct color and are sorted in descending order of volume. The bar chart is stacked such that you can visually compare total volume being delivered at different points in time.
+### Cache node details
+
+The **Cache Nodes** section under the **Cache Node Management** tab displays cache node information such as Status, Host machine OS, Software Version, and Cache Node ID.
+
+
+
+| Metric | Description |
+| --- | --- |
+| Cache node name | The user-defined name of the cache node. |
+| Status | The heartbeat status of the cache node. |
+| OS | The host machine OS that this cache node is compatible with. |
+| Software version | The version number of the cache node's Connected Cache container. |
+| Cache node ID | The unique identifier of the cache node. |
+
## Advanced Monitoring
To expand upon the metrics shown in the Overview tab, navigate to the **Metrics** tab in the left side toolbar of Azure portal.
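Review bot: the three empty `+` lines after the section's opening sentence look like a dropped `:::image:::` directive; this PR adds `windows/deployment/images/mcc-ent-cache-node-details.png` but nothing in the diff references it, so either restore the image reference with alt text or remove the blank lines. The table header "Metric" also doesn't fit a list of node properties (name, OS, version, ID); "Property" would be clearer, and the "Status" row could link to the healthy/unhealthy definitions in the Cache node summary table above so readers know what a heartbeat status means.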
@@ -79,13 +93,13 @@ Listed below are the metrics you can access in this section:
### Customizable Dashboards
-Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that will notify you if your Connected Cache node dips in performance.
+Once you select the charts you would like to track, you can save them to a personalized dashboard. You can configure the chart title, filters, range, legend, and more. You can also use this personalized dashboard to set up alerts that notify you if your Connected Cache node dips in performance.
Some example scenarios where you would want to set up a custom alert:
- My Connected Cache node is being shown as unhealthy and I want to know exactly when it stopped egressing last
- A new Microsoft Word update was released last night and I want to know if my Connected Cache node is helping deliver this content to my Windows devices
-## Additional Metrics
+## Client-Side Metrics
Your Connected Cache node can keep track of how much content has been sent to requesting Windows devices, but the node can't track whether the content was successfully received by the device. For more information on accessing client-side data from your Windows devices, see [Monitor Delivery Optimization](waas-delivery-optimization-monitor.md).
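Review bot: renaming the heading from "Additional Metrics" to "Client-Side Metrics" changes its generated anchor, so any existing links to `#additional-metrics` from other docs or the TOC will break; grep for that fragment and update the references as part of this change. The body under the heading is unchanged and still reads correctly with the new title.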
diff --git a/windows/deployment/do/mcc-ent-troubleshooting.md b/windows/deployment/do/mcc-ent-troubleshooting.md
index 0f5b02bc00..c814c909f2 100644
--- a/windows/deployment/do/mcc-ent-troubleshooting.md
+++ b/windows/deployment/do/mcc-ent-troubleshooting.md
@@ -19,6 +19,18 @@ ms.date: 10/30/2024
This article contains instructions on how to troubleshoot different issues you may encounter while using Connected Cache. These issues are categorized by the task in which they may be encountered.
+## Known issues
+
+This section describes known issues with the latest release of Microsoft Connected Cache for Enterprise and Education. See the [Release Notes page](mcc-ent-release-notes.md) for more details on the fixes included in the latest release.
+
+### Cache node monitoring chart in the Azure portal user interface displays incorrect information
+
+### Script provisionmcconwsl.ps1 fails when executed on a Windows 11 host machine configured to use Japanese language
+
+In the Connected Cache installation script (provisionmcconwsl.ps1), the check processing is executed until the value of the last execution code (Last Result) of the installation task becomes 0 in the following processing. However, in Japanese OS, the return value is null because "Last Result" is displayed, and an exception occurs.
+
+As a temporary workaround, the above error doesn't occur by changing the language setting of the local administrator user from Japanese to English and then executing the script.
+
## Steps to obtain an Azure subscription ID
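Review bot: the first known-issue heading ("Cache node monitoring chart in the Azure portal user interface displays incorrect information") has no body, so readers get a title with no description, scope or workaround; add the text or hold the heading until it exists. The Japanese-language issue is hard to follow: "the check processing is executed until ... (Last Result) ... becomes 0 in the following processing" refers to a "following processing" that isn't shown, and "the return value is null because 'Last Result' is displayed" doesn't say why. If the cause is that the script looks up the installation task's Last Result by a column name that is localized on a Japanese OS, say so plainly, e.g. "The script polls the installation task's Last Result until it is 0; on a Japanese-language OS the lookup returns null and the script throws an exception." The workaround reads better as "As a temporary workaround, change the local administrator's language setting from Japanese to English, then run the script again."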
@@ -38,7 +50,7 @@ If you're encountering a validation error, check that you have filled out all re
If your configuration doesn't appear to be taking effect, check that you have selected the **Save** option at the top of the configuration page in the Azure portal user interface.
-If you have changed the proxy configuration, you will need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
+If you have changed the proxy configuration, you'll need to re-provision the Connected Cache software on the host machine for the proxy configuration to take effect.
## Troubleshooting cache nodes created during early preview
@@ -50,7 +62,7 @@ As such, we strongly recommend you [recreate your existing resources in Azure](m
### Collecting Windows-hosted installation logs
-[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts will attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
+[Deploying a Connected Cache node to a Windows host machine](mcc-ent-deploy-to-windows.md) involves running a series of PowerShell scripts contained within the Windows provisioning package. These scripts attempt to write log files to the installation directory specified in the provisioning command (`C:\mccwsl01\InstallLogs` by default).
There are three types of installation log files:
@@ -60,9 +72,19 @@ There are three types of installation log files:
The Registered Task Transcript is usually the most useful for diagnosing the installation issue.
-### WSL2 fails to install with message "A specified logon session does not exist"
+### Collecting other Windows-hosted logs
-If you are encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you are logged on as a local administrator and running the command from an elevated PowerShell window.
+Once the cache node has been successfully installed on the Windows host machine, it will periodically write log files to the installation directory (`C:\mccwsl01\` by default).
+
+You can expect to see the following types of log files:
+
+1. **WSL_Mcc_Monitor_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Monitor_Task" scheduled task that is responsible for ensuring that the Connected Cache continues running.
+1. **WSL_Mcc_UserUninstall_Transcript**: This log file records the output of the "uninstallmcconwsl.ps1" script that the user can run to uninstall MCC software from the host machine.
+1. **WSL_Mcc_Uninstall_FromRegisteredTask_Transcript**: This log file records the output of the "MCC_Uninstall_Task" scheduled task that is responsible for uninstalling the MCC software from the host machine when called by the "uninstallmcconwsl.ps1" script.
+
+### WSL2 fails to install with message "A specified logon session doesn't exist"
+
+If you're encountering this failure message when attempting to run the PowerShell command `wsl.exe --install --no-distribution` on your Windows host machine, verify that you're logged on as a local administrator and running the command from an elevated PowerShell window.
### Updating the WSL2 kernel
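Review bot: the heading "WSL2 fails to install with message "A specified logon session doesn't exist"" quotes an error message, and contracting it to "doesn't" means the heading no longer matches the text a user will search for; quoted program output should keep its exact wording ("does not exist") even where the style guide prefers contractions. In the new log-file section, "it will periodically write log files" uses the "will" phrasing the rest of this PR removes, and the three transcript entries would be easier to locate if each gave the file extension and the full path under the installation directory.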
@@ -94,6 +116,20 @@ You can use Task Scheduler on the host machine to check the status of this sched
> [!Note]
> If the password of the runtime account changes, you'll need to update the user in all of the Connected Cache scheduled tasks in order for the Connected Cache node to continue functioning properly.
+### Cache node successfully deployed but not serving requests
+
+If your cache node isn't responding to requests outside of localhost, it may be because the host machine's port forwarding rules weren't correctly set during Connected Cache installation.
+
+To check your host machine's port forwarding rules, use the following PowerShell command.
+
+`netsh interface portproxy show v4tov4`
+
+If you don't see any port forwarding rules for port 80 to 0.0.0.0, you can run the following command from an elevated PowerShell instance to set the proper forwarding to WSL.
+
+`netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=`
+
+You can retrieve the WSL IP Address from the `wslip.txt` file that should be present in the installation directory you specified in the Connected Cache provisioning command ("c:\mccwsl01" by default).
+
## Troubleshooting cache node deployment to Linux host machine
[Deploying a Connected Cache node to a Linux host machine](mcc-ent-deploy-to-linux.md) involves running a series of Bash scripts contained within the Linux provisioning package.
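Review bot: the `netsh interface portproxy add` command is incomplete: `connectaddress=` has no value, so copying it as written fails, and the sentence explaining where to find the WSL IP address comes only after the command. Suggest a visible placeholder such as `connectaddress=<WSL IP address from wslip.txt>` and moving the `wslip.txt` sentence before the command. Both commands are also given as inline code rather than the fenced `powershell` blocks used elsewhere in these docs, and it would help to show what the expected `show v4tov4` output looks like when the rule is present, since the listener on `0.0.0.0:80` is the intended state rather than a misconfiguration.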
@@ -106,6 +142,31 @@ If it shows the **edgeAgent** and **edgeHub** containers but doesn't show **MCC*
You can also reboot the IoT Edge runtime using `sudo systemctl restart iotedge`.
+## Generating cache node diagnostic support bundle
+
+You can generate a support bundle with detailed diagnostic information by running the `collectMccDiagnostics.sh` script included in the installation package.
+
+For Windows host machines, you'll need to do the following:
+
+1. Launch a PowerShell process as the account specified as the runtime account during the Connected Cache install
+1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh`
+1. Run `wsl bash collectmccdiagnostics.sh` to generate the diagnostic support bundle
+1. Once the script has completed, note the console output describing the location of the diagnostic support bundle
+
+ For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz"
+
+1. Run the `wsl cp` command to copy the support bundle from the location within the Ubuntu distribution to the Windows host OS
+
+ For example, `wsl cp /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz /mnt/c/mccwsl01/SupportBundles`
+
+For Linux host machines, you'll need to do the following:
+
+1. Change directory to the "MccScripts" directory within the extracted Connected Cache provisioning package and verify the presence of `collectmccdiagnostics.sh`
+1. Run `collectmccdiagnostics.sh` to generate the diagnostic support bundle
+1. Once the script has completed, note the console output describing the location of the diagnostic support bundle
+
+ For example, "Successfully zipped package, please send file created at /etc/mccdiagnostics/support_bundle_2024_12_03__11_05_39__AM.tar.gz"
+
## Troubleshooting cache node monitoring
Connected Cache node status and performance can be [monitored using the Azure portal user interface](mcc-ent-monitoring.md).
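Review bot: the script name is inconsistent within this section: the introduction says `collectMccDiagnostics.sh` while every step says `collectmccdiagnostics.sh`. On a Linux host and inside the WSL Ubuntu distribution file names are case-sensitive, so one of the spellings fails; use the one that matches the file shipped in the MccScripts directory. Windows step 1 ("Launch a PowerShell process as the account specified as the runtime account") should say how to do that, since the runtime account may be a gMSA, and the Linux steps should state whether root is required, given that the bundle is written under `/etc/mccdiagnostics`.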
@@ -116,4 +177,4 @@ If the issue persists, check that you have configured the Timespan and Cache nod
## Diagnose and Solve
-You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource will walk you through a few prompts to help narrow down the solution to your issue.
+You can also use the **Diagnose and solve problems** functionality provided by the Azure portal interface. This tab within the Microsoft Connected Cache Azure resource walks you through a few prompts to help narrow down the solution to your issue.
diff --git a/windows/deployment/images/mcc-ent-cache-node-details.png b/windows/deployment/images/mcc-ent-cache-node-details.png
new file mode 100644
index 0000000000..f73bd2e006
Binary files /dev/null and b/windows/deployment/images/mcc-ent-cache-node-details.png differ
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index ecd4861cbb..51a6fb4e62 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.service: windows-client
author: frankroj
ms.author: frankroj
-ms.date: 11/16/2023
+ms.date: 11/26/2024
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@@ -29,10 +29,10 @@ See the following video for a detailed description and demonstration of MBR2GPT.
> [!VIDEO https://www.youtube-nocookie.com/embed/hfJep4hmg9o]
-You can use MBR2GPT to:
+MBR2GPT can be used to:
-- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
-- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
+- Convert any attached MBR-formatted system disk to the GPT partition format. The tool can't be used to convert non-system disks from MBR to GPT.
+- Convert an MBR disk with BitLocker-encrypted volumes as long as protection is suspended. To resume BitLocker after conversion, the existing protectors need to be deleted and then recreated.
- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
@@ -41,7 +41,7 @@ Offline conversion of system disks with earlier versions of Windows installed, s
>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
-> Make sure that your device supports UEFI before attempting to convert the disk.
+> Make sure the device supports UEFI before attempting to convert the disk.
## Disk Prerequisites
@@ -93,7 +93,7 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
+1. Using DiskPart the current disk partition layout is displayed before the conversion. Three partitions are present on the MBR disk (disk 0):
- A system reserved partition.
- A Windows partition.
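Review bot: "Using DiskPart the current disk partition layout is displayed before the conversion." needs a comma after "Using DiskPart", and the passive rewrite is harder to read than the original; suggest "DiskPart displays the current disk partition layout before the conversion. Three partitions are present on the MBR disk (disk 0):".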
@@ -110,7 +110,7 @@ In the following example:
1. The OS volume is selected again. The detail displays that the OS volume is converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
+As noted in the output from the MBR2GPT tool, changes to the computer firmware need to be made so that the new EFI system partition boots properly.
@@ -267,7 +267,7 @@ If the existing MBR system partition isn't reused for the EFI system partition,
> [!IMPORTANT]
>
-> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+> If the existing MBR system partition isn't reused for the EFI system partition, it might be assigned a drive letter. If this small partition isn't going to be used, its drive letter must be manually hidden.
### Partition type mapping and partition attributes
@@ -290,11 +290,11 @@ For more information about partition types, see:
### Persisting drive letter assignments
-The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
+The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that correct assignment of the drive letter can be manually performed.
> [!IMPORTANT]
>
-> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
+> This code runs after the layout conversion takes place, so the operation can't be undone at this stage.
The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following:
@@ -398,7 +398,7 @@ The partition type can be determined in one of three ways:
#### Windows PowerShell
-You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type:
+The following command can be entered at a Windows PowerShell prompt to display the disk number and partition type:
```powershell
Get-Disk | ft -Auto
@@ -417,7 +417,7 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To
#### Disk Management tool
-You can view the partition type of a disk by using the Disk Management tool:
+The partition type of a disk can be viewed by using the Disk Management tool:
1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**.
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index 9984fc897b..d91a00bbc2 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
-The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
+The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
-Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
+Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126).
### Option 2: Use WSUS with UUP Integration
@@ -115,7 +115,7 @@ You can customize the Windows image in these ways:
- Adding or removing languages
- Adding or removing Features on Demand
-The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
+The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 5: Install language features during deployment
@@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin
- [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
- [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
-- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
+- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/)
- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
-- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
-- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)
-- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
+- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
## Sample scripts
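Review bot: the last reference entry ("- [Windows Setup Automation Overview](...)") is removed and re-added with identical visible text, so the change is whitespace-only (likely a trailing space or line ending); fine to keep, but confirm it isn't an accidental line-ending change. Removing the two Ignite 2019 session links here is consistent with their removal from the paragraphs earlier in this file.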
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 30052f5291..a011e4c21c 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -68,6 +68,8 @@
href: manage/windows-autopatch-windows-update-policies.md
- name: Programmatic controls for expedited Windows quality updates
href: manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+ - name: Hotpatch updates
+ href: manage/windows-autopatch-hotpatch-updates.md
- name: Driver and firmware updates
href: manage/windows-autopatch-manage-driver-and-firmware-updates.md
items:
@@ -116,6 +118,8 @@
href: monitor/windows-autopatch-windows-quality-update-trending-report.md
- name: Reliability report
href: monitor/windows-autopatch-reliability-report.md
+ - name: Hotpatch quality update report
+ href: monitor/windows-autopatch-hotpatch-quality-update-report.md
- name: Windows feature and quality update device alerts
href: monitor/windows-autopatch-device-alerts.md
- name: Policy health and remediation
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
index c5f450553f..c4a299bb50 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
@@ -36,7 +36,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
### Device readiness checks available for each scenario
-| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) |
+| Required device readiness (prerequisite checks) before device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker) |
| ----- | ----- |
|
Windows OS (build, architecture, and edition)
Managed by either Intune or ConfigMgr co-management
ConfigMgr co-management workloads
Last communication with Intune
Personal or non-Windows devices
|
Windows OS (build, architecture, and edition)
Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
Internet connectivity
|
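Review bot: the `+` header row now credits the Windows Autopatch Client Broker alongside the Microsoft Cloud Managed Desktop Extension, but the right-hand check list (Windows OS, GPO versus MDM policy conflict, network endpoints, Internet connectivity) is unchanged and does not say which component runs which check. If the broker takes over some checks or adds its own, list them per component; an admin troubleshooting a single failed check needs to know which agent's logs to consult.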
@@ -66,7 +66,7 @@ A healthy or active device in Windows Autopatch is:
- Actively sending data
- Passes all post-device registration readiness checks
-The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** is a subcomponent of the overall Windows Autopatch service.
+The post-device registration readiness checks are powered by the **Microsoft Cloud Managed Desktop Extension**. It's installed right after devices are successfully registered with Windows Autopatch. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin. The Device Readiness Check Plugin is responsible for performing the readiness checks and reporting the results back to the service. The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** are subcomponents of the overall Windows Autopatch service.
The following list of post-device registration readiness checks is performed in Windows Autopatch:
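Review bot: subject-verb agreement in the `+` line: `The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** has the Device Readiness Check Plugin` should read `have`. Since two components are now named, also say whether each carries its own copy of the Device Readiness Check Plugin or whether one shared plugin reports for both; the following sentence still speaks of `The Device Readiness Check Plugin` in the singular.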
@@ -90,8 +90,8 @@ See the following diagram for the post-device registration readiness checks work
| Step | Description |
| ----- | ----- |
| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
-| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
|
-| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.
|
+| **Step 8: Perform readiness checks** |
Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker agents perform readiness checks against devices in the **Ready** tab every 24 hours.
|
+| **Step 9: Check readiness status** |
The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent.
The readiness results are sent from the Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service component to the Device Readiness component within the Windows Autopatch's service.
|
| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show in the **Ready** tab. |
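Review bot: the `+` Step 9 row mixes number: `The Microsoft Cloud Managed Desktop Extension and Windows Autopatch Client Broker service evaluates the readiness results gathered by its agent` and `service component sends` follow the plural `agents perform readiness checks` in the rewritten Step 8. Either name the single service that does the evaluation, or make it `services evaluate ... gathered by their agents` and `service components send`.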
@@ -99,7 +99,7 @@ See the following diagram for the post-device registration readiness checks work
| Question | Answer |
| ----- | ----- |
-| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
+| **How frequent are the post-device registration readiness checks performed?** |
The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** agents collect device readiness statuses when it runs (once a day).
Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
The readiness results are sent over to **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service.
The **Microsoft Cloud Managed Desktop Extension** and **Windows Autopatch Client Broker** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch provides information about the failure and how to potentially remediate devices.
Once devices are remediated, it can take up to **24 hours** to appear in the **Ready** tab.
|
## Additional resources
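Review bot: in the rewritten FAQ answer `agents collect device readiness statuses when it runs` should be `when they run`, and the following `Once the agent collects results` no longer says which agent. More importantly, the results path `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log` is still the CMDExtension location only; if the Windows Autopatch Client Broker writes its readiness results to a different file, document that path (or state that it reuses this file), because this is the on-device artifact admins will check when a device lands in the **Not ready** tab.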
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
new file mode 100644
index 0000000000..f59aeefc45
--- /dev/null
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -0,0 +1,78 @@
+---
+title: Hotpatch updates
+description: Use Hotpatch updates to receive security updates without restarting your device
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Hotpatch updates (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+
+## Key benefits
+
+- Hotpatch updates streamline the installation process and enhance compliance efficiency.
+- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
+- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
+
+## Eligible devices
+
+To benefit from Hotpatch updates, devices must meet the following prerequisites:
+
+- Operating System: Devices must be running Windows 11 24H2 or later.
+- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
+- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+
+## Ineligible devices
+
+Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.
+
+LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
+
+> [!NOTE]
+> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
+
+## Release cycles
+
+For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+
+- Baseline Release Months: January, April, July, October
+- Hotpatch Release Months: February, March, May, June, August, September, November, December
+
+## Enroll devices to receive Hotpatch updates
+
+> [!NOTE]
+> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it. Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
+
+**To enroll devices to receive Hotpatch updates:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Manage updates** section, select **Windows updates**.
+1. Go to the **Quality updates** tab.
+1. Select **Create**, and select **Windows quality update policy (preview)**.
+1. Under the **Basics** section, enter a name for your new policy and select Next.
+1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**.
+1. Select the appropriate Scope tags or leave as Default and select **Next**.
+1. Assign the devices to the policy and select **Next**.
+1. Review the policy and select **Create**.
+
+These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+
+> [!NOTE]
+> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices. Deferral and active hour settings will still apply.
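Review bot: the `Eligible devices` and `Release cycles` sections send Windows 11 24H2 readers to `Release notes for Hotpatch in Azure Automanage for Windows Server 2022` for the client baseline calendar; confirm that page covers the client release schedule or link the client-specific notes (the `?preview=true` query string also suggests an unpublished page). The VBS prerequisite is stated as a hard requirement but the page gives no way to verify it and does not say whether eligibility is re-evaluated each cycle; since ineligible devices silently fall back to the LCU, a sentence on how to confirm VBS state and how fallback is surfaced would help admins explain unexpected restarts. Smaller fixes: `LCUs requires you to restart` should be `LCUs require`; the preview admonition shifts from `It is being actively developed` to `They're made available`; step 7's setting name has unbalanced quotes in `**"When available, apply without restarting the device ("hotpatch")**`; step 6's `select Next` is the only unbolded control name in the procedure.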
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
index 3d2d33db5d..b5259a8275 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows feature updates overview
description: This article explains how Windows feature updates are managed
-ms.date: 10/30/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -120,6 +120,9 @@ For more information about Windows feature update policies that are created for
## Pause and resume a release
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
> [!IMPORTANT]
> **Pausing or resuming an update can take up to eight hours to be applied to devices**. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
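Review bot: this `[!IMPORTANT]` notice about the missing pause columns is pasted into six articles in this PR with three different wordings (`Paused and Pause status columns`, `Paused column`, `Pause status column`); the repo already uses `[!INCLUDE]` files (see `../includes/windows-autopatch-applies-to-all-licenses.md`), so hoisting it into one include would keep the wording consistent and let the notice be removed in a single edit when the fix ships. The notice also carries no date or reference, so a reader cannot tell whether it still applies; name the affected release or link the known-issues entry.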
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
index 656f94452c..ed17d7438c 100644
--- a/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality updates overview
description: This article explains how Windows quality updates are managed
-ms.date: 10/30/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: conceptual
@@ -66,6 +66,9 @@ For the deployment rings that pass quality updates deferral date, the OOB releas
## Pause and resume a release
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused and Pause status columns from being displayed** in reporting. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The service-level pause is driven by the various software update deployment-related signals. Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
If Windows Autopatch detects a significant issue with a release, we might decide to pause that release.
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
new file mode 100644
index 0000000000..afa0dfe072
--- /dev/null
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
@@ -0,0 +1,67 @@
+---
+title: Hotpatch quality update report
+description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+ - highpri
+ - tier1
+---
+
+# Hotpatch quality update report (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
+
+**To view the Hotpatch quality update status report:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+1. Select the **Reports** tab.
+1. Select **Hotpatch quality updates (preview)**.
+
+> [!NOTE]
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+The Hotpatch quality update report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+### Default columns
+
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
+The following information is available as default columns in the Hotpatch quality update report:
+
+| Column name | Description |
+| ----- | ----- |
+| Quality update policy | The name of the policy. |
+| Device name | Total number of devices in the policy. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Hotpatched | Total devices that successfully received a Hotpatch update. |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
+| % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| By percentage | Select **By percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **By device count** to show your trending graphs and indicators by numeric value. |
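Review bot: the `Device name` column description `Total number of devices in the policy` describes a count, not a name; either the column is meant to be `Device count` or the description is wrong. Also: the `Paused` row links to the `#up-to-date-devices` anchor, which does not describe paused devices; every description link points under `../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md`, while the data-latency note on the same page links `../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md` (the path this PR actually edits), so the `../operate/` links should be verified; and `% with the latest quality update` is the only description without a terminating period.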
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
index 4219401d76..c70e5b8f7a 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Feature update status report
-description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 09/16/2024
+description: Provides a per device view of the current Windows OS upgrade status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+The Feature update status report provides a per device view of the current Windows OS upgrade status for all Intune devices.
**To view the Feature update status report:**
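Review bot: the description and intro widen the report's scope from `all devices registered with Windows Autopatch` to `all Intune devices` (the same change appears in the summary dashboards and quality reports below), yet the unchanged `[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses]]` context line still scopes the page to Autopatch licensing. If the report now shows every Intune-enrolled device regardless of Autopatch registration, say so explicitly; admins using it for compliance evidence need to know whether unregistered devices are included.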
@@ -32,6 +32,9 @@ The Feature update status report provides a per device view of the current Windo
### Default columns
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available as default columns in the Feature update status report:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
index 4e65d5e28b..3df6e2730f 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-feature-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows feature update summary dashboard
-description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
-ms.date: 09/16/2024
+description: Provides a broader view of the current Windows OS upgrade status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+The Summary dashboard provides a broader view of the current Windows OS update status for all Intune devices.
The first part of the Summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
@@ -31,6 +31,9 @@ The first part of the Summary dashboard provides you with an all-devices trend r
## Report information
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available in the Summary dashboard:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
index b2b2d8bf42..4b2f2596df 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
@@ -1,7 +1,7 @@
---
title: Windows quality and feature update reports overview
description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
-ms.date: 09/16/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -27,7 +27,7 @@ The Windows quality reports provide you with information about:
- Device update health
- Device update alerts
-Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
+Together, these reports provide insight into the quality update state and compliance of Intune devices.
The Windows quality report types are organized into the following focus areas:
@@ -61,7 +61,7 @@ Users with the following permissions can access the reports:
## About data latency
-The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
+The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours.
## Windows quality and feature update statuses
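Review bot: the `+` line lowers the maximum end-to-end latency from `approximately 48 hours` to `approximately four hours`, but the preceding sentence on the same line still says `The data typically uploads from enrolled devices once per day`; a once-daily upload cannot produce a four-hour end-to-end maximum. Either the upload cadence changed as well and should be updated here, or `four hours` is the report refresh interval introduced elsewhere in this PR (`refreshed every four hours`) rather than end-to-end latency. Admins use this figure to decide how long to wait before treating a missing update as a failure, so the two numbers need to agree.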
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
index bcd381e6d1..abde6947cc 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
@@ -1,7 +1,7 @@
---
title: Quality update status report
-description: Provides a per device view of the current update status for all Windows Autopatch managed devices.
-ms.date: 09/16/2024
+description: Provides a per device view of the current update status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Quality update status report provides a per device view of the current update status for all Windows Autopatch managed devices.
+The Quality update status report provides a per device view of the current update status for all Intune devices.
**To view the Quality update status report:**
@@ -29,12 +29,15 @@ The Quality update status report provides a per device view of the current updat
1. Select **Quality update status**.
> [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
### Default columns
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Pause status column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available as default columns in the Quality update status report:
| Column name | Description |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
index c145b09b4c..52bb8e8d65 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -1,7 +1,7 @@
---
title: Windows quality update summary dashboard
-description: Provides a summary view of the current update status for all Windows Autopatch managed devices.
-ms.date: 09/16/2024
+description: Provides a summary view of the current update status for all Intune devices.
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: how-to
@@ -19,7 +19,7 @@ ms.collection:
[!INCLUDE [windows-autopatch-enterprise-e3-f3-licenses](../includes/windows-autopatch-enterprise-e3-f3-licenses.md)]
-The Summary dashboard provides a summary view of the current update status for all Windows Autopatch managed devices.
+The Summary dashboard provides a summary view of the current update status for all Intune devices.
**To view the current update status for all your enrolled devices:**
@@ -27,10 +27,13 @@ The Summary dashboard provides a summary view of the current update status for a
1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
> [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
## Report information
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
The following information is available in the Summary dashboard:
| Column name | Description |
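Review bot: the new IMPORTANT callout tells admins to "keep track of your paused releases" but gives them nothing to track against: no date for when the issue began, no Message center or known-issue reference, and no statement of where a pause can still be seen while the Paused column is missing. A quality update that stays paused because nobody noticed it was paused leaves those devices unpatched, so add the date and a reference the reader can check to see whether the banner is still current, and spell out what to record (release, pause date, owner) so the pause is actually resumed. Also, in the refreshed NOTE, "data received by your managed devices" should read "data received from your managed devices"; the service receives the data, the devices send it.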
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 386ec22830..97d26c798d 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
-ms.date: 09/27/2024
+ms.date: 11/20/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: overview
@@ -49,7 +49,9 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. |
| [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. |
| [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
+| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. |
| [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
+| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
> [!IMPORTANT]
> Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
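Review bot: the two Hotpatch rows are added to the table that the next section introduces as "the features included in Business Premium and A3+ licenses", so this hunk states that Hotpatch is part of the base feature set. Confirm that against licensing; if Hotpatch needs one of the higher licenses, both rows belong in the second table alongside Edge, Teams and policy health. The first row's "without requiring you to restart the device" is also an unqualified promise; if the linked Hotpatch article describes any case where a restart is still needed, qualify the sentence here as well, because this overview is what admins will quote when planning maintenance windows. Minor: place the "Hotpatch quality update report" row directly under "Hotpatch updates" rather than after "Intune reports" so the two rows read together.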
@@ -70,7 +72,7 @@ In addition to the features included in [Business Premium and A3+ licenses](#bus
| [Microsoft Edge updates](../manage/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams updates](../manage/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
| [Policy health and remediation](../monitor/windows-autopatch-policy-health-and-remediation.md) | When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch raises alerts and detailed recommended actions to ensure healthy operation of the service. |
-| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance. |
+| Enhanced [Windows quality and feature update reports](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md) and [device alerts](../monitor/windows-autopatch-device-alerts.md) | Using Windows quality and feature update reports, you can monitor and remediate managed devices that are Not up to Date and resolve any device alerts to bring managed devices back into compliance. |
| [Submit support requests](../manage/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team | When you activate additional Autopatch features, you can submit, manage, and edit support requests. |
## Communications
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
index 822866ede9..a39b3238a9 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-made-at-feature-activation.md
@@ -87,7 +87,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Microsoft Edge update policies
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
+> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Edge, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates).
- Windows Autopatch - Edge Update Channel Stable
- Windows Autopatch - Edge Update Channel Beta
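Review bot: the Office to Edge correction is right, but the rewritten sentence still reads "and the toggle the must be set to **Allow**"; drop the second "the" so it reads "and the toggle must be set to **Allow**".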
@@ -100,7 +100,7 @@ The following groups target Windows Autopatch configurations to devices and mana
## Driver updates for Windows 10 and later
> [!IMPORTANT]
-> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update Microsoft Office, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
+> By default, these policies are not deployed. You can opt-in to deploy these policies when you [activate Windows Autopatch features](../prepare/windows-autopatch-feature-activation.md).
To update drivers and firmware, you must [create at least one Autopatch group](../manage/windows-autopatch-manage-autopatch-groups.md) and the toggle the must be set to [**Allow**](../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group).
- Windows Autopatch - Driver Update Policy [Test]
- Windows Autopatch - Driver Update Policy [First]
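Review bot: same residual typo here ("and the toggle the must be set to"), and the **Allow** link goes to `../manage/windows-autopatch-manage-autopatch-groups.md#create-an-autopatch-group` rather than to a driver-specific allow/block section like the Edge one (`windows-autopatch-edge.md#allow-or-block-microsoft-edge-updates`). Confirm that anchor actually describes the driver and firmware toggle; otherwise the reader lands on generic group-creation steps with no Allow setting to find.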
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index f7ca1e60c8..815d13a816 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -1,7 +1,7 @@
---
title: What's new 2024
description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
-ms.date: 09/27/2024
+ms.date: 11/19/2024
ms.service: windows-client
ms.subservice: autopatch
ms.topic: whats-new
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
+## November 2024
+
+### November feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| Hotpatch |
|
+
## September 2024
### September feature releases or updates
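Review bot: the November table row as added is `| Hotpatch |` with nothing in the Description column and no link to the new article, so it does not match the `| Article | Description |` header the hunk itself introduces, and the page intro promises the corresponding Message center post numbers, which this entry also lacks. Suggest linking the row to the article path used in the overview change, `../manage/windows-autopatch-hotpatch-updates.md`, and giving it the same one-line description (security updates installed without a device restart) plus the Message center reference if one was issued.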
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
index 4948af5cf1..f2db0b2d7a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
@@ -139,22 +139,22 @@ The Microsoft Root certificates can be allowed and denied in policy using 'WellK
| 0| None | N/A |
| 1| Unknown | N/A |
| 2 | Self-Signed | N/A |
-| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
-| 4 | Microsoft Product Root 1997 | `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` |
-| 5 | Microsoft Product Root 2001 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
-| 6 | Microsoft Product Root 2010 | `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`|
-| 7 | Microsoft Standard Root 2011 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100B28041AA35384D13723268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B097C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD0567269980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD4207C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB010200649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA861D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001`|
-| 8 | Microsoft Code Verification Root 2006 | `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`|
+| 3 | Microsoft Authenticode(tm) Root Authority | `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` |
+| 4 | Microsoft Product Root 1997 | `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` |
+| 5 | Microsoft Product Root 2001 | `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`|
+| 6 | Microsoft Product Root 2010 | `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`|
+| 7 | Microsoft Standard Root 2011 | `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`|
+| 8 | Microsoft Code Verification Root 2006 | `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`|
| 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
-| 0A | Microsoft Test Root 2010 | `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`|
-| 0B | Microsoft DMD Test Root 2005 | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100BCACAFF12BE9877F310994630F483012C16BEA7E0EFC58B8C890F3C7719F41B5BB29E3834735BF42DE7A9CC16D125094061E721B6FF8C0207FDF6DAD840F08BB9A3F93589D931F05B640AB878C7FAA4F033D7DFA6B3BBCFBE0C426B0173EB67ECC9D089875667A34AF189B3D2CCEFCD943599197F3933255B7DA328ADADE6826C30C6F7EAB434CF5C00A22FD5B47A7A9964617529FBB3B1D850A90CD818105342BCA43C29075574D6151C0D6D2648C412107BE5C824A4F9451087522B9AEB94828F7C78606040B7011F0CDCDA079D3CE9CC5367C579BB6DF5B83BE616BE258D2D9858D7EE1A446574661F9DF4F82B9AC8FD2DFEF6082EC1272BF14D20ACCAF3F0203010001`|
-| 0C | Microsoft DMDRoot 2005 | `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`|
-| 0D | Microsoft DMD Preview Root 2005 | `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`|
-| 0E | Microsoft Flight Root 2014 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
-| 0F | Microsoft Third Party Marketplace Root | `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`|
+| 0A | Microsoft Test Root 2010 | `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`|
+| 0B | Microsoft DMD Test Root 2005 | `3082010A0282010100BCACAFF12BE9877F310994630F483012C16BEA7E0EFC58B8C890F3C7719F41B5BB29E3834735BF42DE7A9CC16D125094061E721B6FF8C0207FDF6DAD840F08BB9A3F93589D931F05B640AB878C7FAA4F033D7DFA6B3BBCFBE0C426B0173EB67ECC9D089875667A34AF189B3D2CCEFCD943599197F3933255B7DA328ADADE6826C30C6F7EAB434CF5C00A22FD5B47A7A9964617529FBB3B1D850A90CD818105342BCA43C29075574D6151C0D6D2648C412107BE5C824A4F9451087522B9AEB94828F7C78606040B7011F0CDCDA079D3CE9CC5367C579BB6DF5B83BE616BE258D2D9858D7EE1A446574661F9DF4F82B9AC8FD2DFEF6082EC1272BF14D20ACCAF3F0203010001`|
+| 0C | Microsoft DMDRoot 2005 | `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`|
+| 0D | Microsoft DMD Preview Root 2005 | `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`|
+| 0E | Microsoft Flight Root 2014 | `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`|
+| 0F | Microsoft Third Party Marketplace Root | `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`|
| 14 | Microsoft Trusted Root Store | N/A |
-| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
-| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
+| 15 | Microsoft OEM Root Certificate Authority 2017 | `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`|
+| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `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`|
For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.
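Review bot: the table now mixes two encodings. Row 0B is rewritten from `30820122300D06092A864886F70D01010105000382010F003082010A0282010100BCAC...` to `3082010A0282010100BCAC...`, that is, from a full SubjectPublicKeyInfo (SEQUENCE, rsaEncryption AlgorithmIdentifier, BIT STRING) down to the bare RSAPublicKey SEQUENCE, while the unchanged row 9 still carries the SPKI wrapper (`3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA...`). Use one form for every row and state in the column header or the sentence introducing the table which DER structure the hex is, because anyone hashing or comparing these against a certificate's key needs to know whether to take the SPKI or the inner RSAPublicKey; a mismatch there silently fails to match the root. Also, the closing sentence's "For example, they don't need to be listed as TBS hashes" should be "so they don't need to be listed as TBS hashes", since it states a consequence, not an example.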
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 6435037d78..9efc2c0f96 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -1,6 +1,6 @@
---
-title: Application and driver control
-description: Windows 11 security book - Application and driver control.
+title: Windows 11 security book - Application and driver control
+description: Application and driver control.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 6bc9c40284..67465c5c5e 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -1,6 +1,6 @@
---
-title: Application isolation
-description: Windows 11 security book - Application isolation.
+title: Windows 11 security book - Application isolation
+description: Application isolation.
ms.topic: overview
ms.date: 11/18/2024
---
@@ -29,9 +29,9 @@ The first factor relates to implementing methods to manage access to files and p
[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Win32 app isolation][LINK-4]
+- [Win32 app isolation overview][LINK-4]
- [Application Capability Profiler (ACP)][LINK-5]
-- [Learn how to adopt Win32 app isolation with Visual Studio][LINK-6]
+- [Packaging a Win32 app isolation application with Visual Studio][LINK-6]
- [Sandboxing Python with Win32 app isolation][LINK-7]
## App containers
@@ -86,9 +86,9 @@ A **Virtualization-based security enclave** is a software-based trusted executio
[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
[LINK-2]: /windows/win32/secauthz/access-control-lists
-[LINK-4]: https://github.com/microsoft/win32-app-isolation
-[LINK-5]: https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md
-[LINK-6]: https://github.com/microsoft/win32-app-isolation/blob/main/docs/packaging/packaging-with-visual-studio.md
+[LINK-4]: /windows/win32/secauthz/app-isolation-overview
+[LINK-5]: /windows/win32/secauthz/app-isolation-capability-profiler
+[LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs
[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
[LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations
[LINK-9]: /windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
index 450a054437..da054a7d5d 100644
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@@ -1,6 +1,6 @@
---
-title: Application security
-description: Windows 11 security book - Application security chapter.
+title: Windows 11 security book - Application security
+description: Application security chapter.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 855a3e1e34..36707a697b 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -1,6 +1,6 @@
---
-title: Cloud services - Protect your personal information
-description: Windows 11 security book - Cloud services chapter - Protect your personal information.
+title: Windows 11 security book - Cloud services - Protect your personal information
+description: Cloud services chapter - Protect your personal information.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index ebef206291..033200a8f1 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -1,6 +1,6 @@
---
-title: Cloud services - Protect your work information
-description: Windows 11 security book - Cloud services chapter - Protect your work information.
+title: Windows 11 security book - Cloud services - Protect your work information
+description: Cloud services chapter - Protect your work information.
ms.topic: overview
ms.date: 11/04/2024
---
@@ -9,16 +9,9 @@ ms.date: 11/04/2024
:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
-## Microsoft Entra ID
+## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/microsoft-entra-id.png" alt-text="Logo of Microsoft Entra ID." border="false":::
- :::column-end:::
- :::column span="3":::
- Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
- :::column-end:::
-:::row-end:::
+Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
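Review bot: the unchanged context sentence that closes this hunk has a stray space before the period ("sign-in to Entra ID .") and says "Microsoft Entra ID joined devices" where the NOTE further down the same page says "Microsoft Entra Joined devices"; since this hunk is already reflowing the section, fix the spacing and settle on one form of the joined-device term so readers searching the page for the feature find a single name.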
@@ -58,14 +51,7 @@ Every Windows device has a built-in local administrator account that must be sec
### Microsoft Entra Private Access
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/microsoft-entra-private-access.png" alt-text="Logo of Microsoft Entra Private Access." border="false":::
- :::column-end:::
- :::column span="3":::
- Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
- :::column-end:::
-:::row-end:::
+Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
[!INCLUDE [learn-more](includes/learn-more.md)]
@@ -73,14 +59,7 @@ Every Windows device has a built-in local administrator account that must be sec
### Microsoft Entra Internet Access
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/microsoft-entra-internet-access.png" alt-text="Logo of Microsoft Entra Internet Access." border="false":::
- :::column-end:::
- :::column span="3":::
- Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
- :::column-end:::
-:::row-end:::
+Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
> [!NOTE]
> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features.
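Review bot: the NOTE's "Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires" needs "require" for the plural subject, and its "Microsoft Entra Joined devices" should match the casing used earlier on the page ("Microsoft Entra ID joined devices"). The hunk only strips the row/column wrapper, so this is a one-word change in the trailing context line.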
@@ -99,16 +78,9 @@ Available to any organization with a Microsoft Entra ID Premium[\[4\]](conc
- [Enterprise State Roaming in Microsoft Entra ID][LINK-7]
-## Azure Attestation service
+## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/azure-attestation.png" alt-text="Logo of Azure Attestation service." border="false":::
- :::column-end:::
- :::column span="3":::
- Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access.
- :::column-end:::
-:::row-end:::
+Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune[\[4\]](conclusion.md#footnote4) integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[4\]](conclusion.md#footnote4) Conditional Access.
**Attestation policies are configured in the Azure Attestation service which can then:**
@@ -122,16 +94,9 @@ Once this verification is complete, the attestation service returns a signed rep
- [Azure Attestation overview][LINK-8]
-## Microsoft Defender for Endpoint
+## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/defender-for-endpoint.png" alt-text="Logo of Microsoft Defender for Endpoint." border="false":::
- :::column-end:::
- :::column span="3":::
- Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
- :::column-end:::
-:::row-end:::
+Microsoft Defender for Endpoint[\[4\]](conclusion.md#footnote4) is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
@@ -177,16 +142,9 @@ Windows 11 supports the Remote Wipe configuration service provider (CSP) so that
- [Remote wipe CSP][LINK-10]
-## Microsoft Intune
+## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/microsoft-intune.png" alt-text="Logo of Microsoft Intune." border="false":::
- :::column-end:::
- :::column span="3":::
- Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
- :::column-end:::
-:::row-end:::
+Microsoft Intune[\[4\]](conclusion.md#footnote4) is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
@@ -212,14 +170,7 @@ With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certif
### Microsoft Cloud PKI
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/microsoft-cloud-pki.png" alt-text="Logo of Microsoft Cloud PKI." border="false":::
- :::column-end:::
- :::column span="3":::
- Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
- :::column-end:::
-:::row-end:::
+Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite[\[4\]](conclusion.md#footnote4) that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
Key features include:
@@ -236,14 +187,7 @@ With Microsoft Cloud PKI, organizations can accelerate their digital transformat
### Endpoint Privilege Management (EPM)
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/endpoint-privilege-management.png" alt-text="Logo of Endpoint Privilege Management." border="false":::
- :::column-end:::
- :::column span="3":::
- Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
- :::column-end:::
-:::row-end:::
+Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
[!INCLUDE [learn-more](includes/learn-more.md)]
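Review bot: since the paragraph is being rewritten anyway, "supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege" is marketing phrasing with no concrete mechanism; suggest stating what the feature does, for example "lets users who are standard users run specific, policy-approved tasks with elevated rights, without granting them local administrator membership". The same orphaned-asset check applies to images/endpoint-privilege-management.png, which is no longer referenced after this hunk.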
@@ -342,8 +286,6 @@ There's a lot more to learn about Windows Autopatch: this [Forrester Consulting
- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch)
-
+## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school
-## OneDrive for work or school
-
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/onedrive.png" alt-text="Logo of Onedrive." border="false":::
- :::column-end:::
- :::column span="3":::
- OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
- :::column-end:::
-:::row-end:::
+OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
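Review bot: moving the icon into the `##` heading changes the heading's generated anchor (features-index.md in this same change switches to `#-onedrive-for-work-or-school`), so any page still linking to `#onedrive-for-work-or-school` will break; grep the repo for the old fragment before merging. Also confirm `images/onedrive.svg` is actually added in this PR, since only the removal of `onedrive.png` is visible. While this paragraph is touched, "OneDrive only permits secure access" is vague; spell out that access is accepted only over TLS-protected (HTTPS) connections, which is what the preceding sentence already implies.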
@@ -382,16 +315,9 @@ There are several ways that OneDrive for work or school is protected at rest:
- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1)
-## Universal Print
+## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print
-:::row:::
- :::column span="1":::
-:::image type="content" source="images/universal-print.png" alt-text="Logo of Universal Print." border="false":::
- :::column-end:::
- :::column span="3":::
- Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
- :::column-end:::
-:::row-end:::
+Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
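Review bot: "makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model" both overstates the benefit and is ungrammatical; since the line is rewritten here anyway, suggest "removes third-party print drivers from the device, shrinking the attack surface that malware targeting driver vulnerabilities relies on". The icon-in-heading change also moves this section's anchor to `#-universal-print`; features-index.md is updated in this change, but other inbound links are not visible here, so grep for `#universal-print` as well.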
diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md
index 4b525daacc..cd8be85df1 100644
--- a/windows/security/book/cloud-services.md
+++ b/windows/security/book/cloud-services.md
@@ -1,6 +1,6 @@
---
-title: Cloud services
-description: Windows 11 security book - Cloud services chapter.
+title: Windows 11 security book - Cloud services
+description: Cloud services chapter.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index 5b7f232d1e..7a9d69992d 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -1,5 +1,5 @@
---
-title: Conclusion
+title: Windows 11 security book - Conclusion
description: Windows 11 security book conclusion.
ms.topic: overview
ms.date: 11/18/2024
@@ -22,11 +22,8 @@ New:
- [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
- [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
- [Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
-- [Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
-
-
+- [Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
Enhanced:
@@ -35,7 +32,7 @@ Enhanced:
- [Device encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
- [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys)
-- [Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
+- [Personal data encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
- [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
- [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
- [Windows Hello PIN](identity-protection-passwordless-sign-in.md#windows-hello-pin)
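Review bot: the renamed fragment `#personal-data-encryption` assumes the heading in operating-system-security-encryption-and-data-protection.md was changed from "Personal data encryption (PDE)" to "Personal data encryption", but that file is not part of the visible diff; confirm the heading rename landed, otherwise this link and the matching features-index.md entry both land on a missing anchor. Separately, this change promotes Hypervisor-enforced Paging Translation (HVPT) to its own new-button section; if it is not already in the New: list above the visible context, add it.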
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
index 07952503aa..09081404bf 100644
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
@@ -1,5 +1,5 @@
---
-title: Features index
+title: Windows 11 security book - Features index
description: Windows security book features index.
ms.topic: overview
ms.date: 11/18/2024
@@ -7,8 +7,4 @@ ms.date: 11/18/2024
# Features index
-[5G and eSIM](operating-system-security-network-security.md#5g-and-esim) [Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control) [Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies) [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection) [App containers](application-security-application-isolation.md#app-containers) [App Control for Business](application-security-application-and-driver-control.md#app-control-for-business) [Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules) [Azure Attestation service](cloud-services-protect-your-work-information.md#azure-attestation-service) [BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go) [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker) [Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection) [Certificates](operating-system-security-system-security.md#certificates) [Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management) [Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity) [Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc) [Config Refresh](operating-system-security-system-security.md#-config-refresh) [Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access) [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard) [Cryptography](operating-system-security-system-security.md#cryptography) [Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption) [Device Health 
Attestation](operating-system-security-system-security.md#device-health-attestation) [Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security) [Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption) [Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive) [Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen) [Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess) [Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection) [Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips) [Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in) [FIDO2](identity-protection-passwordless-sign-in.md#fido2) [Find my device](cloud-services-protect-your-personal-information.md#find-my-device) [Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection) [Kiosk mode](operating-system-security-system-security.md#kiosk-mode) [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection) [Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account) [Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator) [Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki) [Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus) [Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#microsoft-defender-for-endpoint) 
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen) [Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id) [Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune) [Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering) [Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor) [Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard) [Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl) [Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist) [Network protection](operating-system-security-virus-and-threat-protection.md#network-protection) [OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal) [OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school) [OneFuzz service](security-foundation-offensive-research.md#onefuzz-service) [Personal Data Encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde) [Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault) [Privacy resource usage](privacy-controls.md#privacy-resource-usage) [Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls) [Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard) [Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe) [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows) [Secure Future Initiative 
(SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi) [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel) [Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core) [Security baselines](cloud-services-protect-your-work-information.md#security-baselines) [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services) [Smart App Control](application-security-application-and-driver-control.md#smart-app-control) [Smart cards](identity-protection-passwordless-sign-in.md#smart-cards) [Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom) [Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection) [Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview) [Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls) [Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot) [Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm) [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing) [Universal Print](cloud-services-protect-your-work-information.md#universal-print) [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection) [Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn) [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves) [Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in) [Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections) [Win32 app 
isolation](application-security-application-isolation.md#-win32-app-isolation) [Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch) [Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot) [Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration) [Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation) [Windows Firewall](operating-system-security-network-security.md#windows-firewall) [Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business) [Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello) [Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs) [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps) [Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing) [Windows protected print](operating-system-security-system-security.md#-windows-protected-print) [Windows Sandbox](application-security-application-isolation.md#windows-sandbox) [Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing) [Windows security](operating-system-security-system-security.md#windows-security) [Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk) [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl) [Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
-
-
\ No newline at end of file
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim) [Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control) [Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies) [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection) [App containers](application-security-application-isolation.md#app-containers) [App Control for Business](application-security-application-and-driver-control.md#app-control-for-business) [Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules) [Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service) [BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go) [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker) [Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection) [Certificates](operating-system-security-system-security.md#certificates) [Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management) [Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity) [Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc) [Config Refresh](operating-system-security-system-security.md#-config-refresh) [Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access) [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard) [Cryptography](operating-system-security-system-security.md#cryptography) [Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption) [Device Health 
Attestation](operating-system-security-system-security.md#device-health-attestation) [Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security) [Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption) [Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive) [Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen) [Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess) [Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection) [Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips) [Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in) [FIDO2](identity-protection-passwordless-sign-in.md#fido2) [Find my device](cloud-services-protect-your-personal-information.md#find-my-device) [Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection) [Kiosk mode](operating-system-security-system-security.md#kiosk-mode) [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection) [Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account) [Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator) [Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#microsoft-cloud-pki) [Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus) [Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint) 
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen) [Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id) [Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune) [Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering) [Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor) [Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard) [Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl) [Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist) [Network protection](operating-system-security-virus-and-threat-protection.md#network-protection) [OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal) [OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school) [OneFuzz service](security-foundation-offensive-research.md#onefuzz-service) [Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption) [Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault) [Privacy resource usage](privacy-controls.md#privacy-resource-usage) [Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls) [Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard) [Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe) [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows) [Secure Future Initiative 
(SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi) [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel) [Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core) [Security baselines](cloud-services-protect-your-work-information.md#security-baselines) [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services) [Smart App Control](application-security-application-and-driver-control.md#smart-app-control) [Smart cards](identity-protection-passwordless-sign-in.md#smart-cards) [Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom) [Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection) [Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview) [Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls) [Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot) [Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm) [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing) [Universal Print](cloud-services-protect-your-work-information.md#-universal-print) [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection) [Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn) [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves) [Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in) [Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections) [Win32 app 
isolation](application-security-application-isolation.md#-win32-app-isolation) [Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch) [Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot) [Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration) [Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation) [Windows Firewall](operating-system-security-network-security.md#windows-firewall) [Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business) [Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello) [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch) [Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs) [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps) [Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing) [Windows protected print](operating-system-security-system-security.md#-windows-protected-print) [Windows Sandbox](application-security-application-isolation.md#windows-sandbox) [Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing) [Windows Security](operating-system-security-system-security.md#windows-security) [Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk) [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl) [Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
\ No newline at end of file
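Review bot: the index gains a `Windows Hotpatch` entry but not one for the `Hypervisor-enforced Paging Translation (HVPT)` section that this same change adds to hardware-security-silicon-assisted-security.md; add `[Hypervisor-enforced Paging Translation (HVPT)](hardware-security-silicon-assisted-security.md#-hypervisor-enforced-paging-translation-hvpt)` between "Find my device" and "Kernel direct memory access (DMA) protection", using the `#-` prefix this file now applies to every icon heading. Two smaller points: the `#-` anchors depend on the build emitting an empty token for the heading icon, so verify them in a rendered preview rather than by inspection; and the file still ends without a trailing newline, which the `\ No newline at end of file` marker shows was not fixed while the line was rewritten. One link per line would also make future diffs of this index reviewable.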
diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md
index fb31256cfc..1b2345a22b 100644
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@@ -1,6 +1,6 @@
---
-title: Hardware root-of-trust
-description: Windows 11 security book - Hardware root-of-trust.
+title: Windows 11 security book - Hardware root-of-trust
+description: Hardware root-of-trust.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 96baea25d3..da7cf92de1 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -1,6 +1,6 @@
---
-title: Silicon assisted security
-description: Windows 11 security book - Silicon assisted security.
+title: Windows 11 security book - Silicon assisted security
+description: Silicon assisted security.
ms.topic: overview
ms.date: 11/18/2024
---
@@ -42,16 +42,16 @@ With new installs of Windows 11, OS support for VBS and HVCI is turned on by def
- [Enable virtualization-based protection of code integrity][LINK-2]
+### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT)
+
+Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures.
+
### Hardware-enforced stack protection
Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
-[!INCLUDE [new-24h2](includes/new-24h2.md)]
-
-Hypervisor-Enforced Paging Translation (HVPT) - formerly HLAT - is a security feature designed to safeguard linear address translations from tampering. It ensures the integrity of sensitive system structures, protecting them from write-what-where attacks.
-
[!INCLUDE [learn-more](includes/learn-more.md)]
- [Understanding Hardware-enforced Stack Protection][LINK-3]
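Review bot: the new HVPT section drops the "formerly HLAT" alias that the removed paragraph carried; Intel's documentation and earlier Windows material call the feature Hypervisor-managed Linear Address Translation (HLAT), so keep the alias so readers searching for HLAT find it. Replacing the `new-24h2` include with the generic new-button icon also loses the release in which the feature arrived; the other new-button sections in the book may be fine with that, but it is worth stating the Windows 11 version requirement in the text. Finally, "HVPT helps protect critical system data from write-what-where attacks ..." and "HVPT helps to protect page tables that configure critical system data structures" say the same thing twice (and the first needs a comma before "often"); merge them into one sentence, and add a learn-more link, as the sibling Hardware-enforced stack protection section has.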
diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md
index f9acd73d1e..7d1f8669b1 100644
--- a/windows/security/book/hardware-security.md
+++ b/windows/security/book/hardware-security.md
@@ -1,6 +1,6 @@
---
-title: Hardware security
-description: Windows 11 security book - Hardware security chapter.
+title: Windows 11 security book - Hardware security
+description: Hardware security chapter.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index 7194409637..0e35e41bc8 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,6 +1,6 @@
---
-title: Identity protection - Advanced credential protection
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Advanced credential protection
+description: Identity protection chapter - Advanced credential protection.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index a8a6104572..5187c49058 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,6 +1,6 @@
---
-title: Identity protection - Passwordless sign-in
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Passwordless sign-in
+description: Identity protection chapter - Passwordless sign-in.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md
index 03248b2db3..41d1b6bca6 100644
--- a/windows/security/book/identity-protection.md
+++ b/windows/security/book/identity-protection.md
@@ -1,6 +1,6 @@
---
-title: Identity protection
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Identity protection
+description: Identity protection chapter.
ms.topic: overview
ms.date: 11/18/2024
---
@@ -9,7 +9,7 @@ ms.date: 11/18/2024
:::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
-Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today.
+Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today.
Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources.
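Review bot: the typo "Employes" in the first sentence of this hunk survives the change; the `+` line reads identically to the `-` line apart from whitespace, so this is the natural place to correct it to "Employees are increasingly targets for cyberattacks". Since the same patch drops the NOINDEX rule for `book/*.md` in docfx.json, this text becomes search-indexable as written.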
diff --git a/windows/security/book/images/azure-attestation.png b/windows/security/book/images/azure-attestation.png
deleted file mode 100644
index 0f2aa5aa89..0000000000
Binary files a/windows/security/book/images/azure-attestation.png and /dev/null differ
diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg
new file mode 100644
index 0000000000..c4df2e11d2
--- /dev/null
+++ b/windows/security/book/images/azure-attestation.svg
@@ -0,0 +1,20 @@
+
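Review bot: the 20 added lines of this SVG are not visible in the patch, so the content cannot be reviewed here; before merging, confirm the file (and the other new `.svg` files in this patch: defender-for-endpoint, microsoft-entra-id, microsoft-intune, onedrive, universal-print, windows-security) contains only static vector markup with no `<script>` elements, event handlers, or external references, since SVG is an active format when rendered inline. Also note that the matching `.png` is deleted, yet no markdown hunk shown here updates an `:::image ... source="images/azure-attestation.png"` reference to `.svg`; verify the referencing pages were updated or the build will produce broken images.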
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
index bc834fb534..e26a786101 100644
Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/defender-for-endpoint.png b/windows/security/book/images/defender-for-endpoint.png
deleted file mode 100644
index 5436972929..0000000000
Binary files a/windows/security/book/images/defender-for-endpoint.png and /dev/null differ
diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg
new file mode 100644
index 0000000000..bf135a593b
--- /dev/null
+++ b/windows/security/book/images/defender-for-endpoint.svg
@@ -0,0 +1,3 @@
+
diff --git a/windows/security/book/images/endpoint-privilege-management.png b/windows/security/book/images/endpoint-privilege-management.png
deleted file mode 100644
index 1b57dded9f..0000000000
Binary files a/windows/security/book/images/endpoint-privilege-management.png and /dev/null differ
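Review bot: this PNG is deleted without an SVG replacement, and the same holds for microsoft-cloud-pki.png, microsoft-entra-internet-access.png and microsoft-entra-private-access.png later in the patch. None of the markdown hunks shown here remove an `:::image` reference to these files, so confirm with a repository search that no page in `windows/security/book/` still points at them; a dangling image source fails the docs build or ships a broken figure.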
diff --git a/windows/security/book/images/hardware-on.png b/windows/security/book/images/hardware-on.png
index 23664c4c63..79dbe2aee5 100644
Binary files a/windows/security/book/images/hardware-on.png and b/windows/security/book/images/hardware-on.png differ
diff --git a/windows/security/book/images/hardware.png b/windows/security/book/images/hardware.png
index 834b6c5dca..a16761650c 100644
Binary files a/windows/security/book/images/hardware.png and b/windows/security/book/images/hardware.png differ
diff --git a/windows/security/book/images/microsoft-cloud-pki.png b/windows/security/book/images/microsoft-cloud-pki.png
deleted file mode 100644
index 15b14c6e7a..0000000000
Binary files a/windows/security/book/images/microsoft-cloud-pki.png and /dev/null differ
diff --git a/windows/security/book/images/microsoft-entra-id.png b/windows/security/book/images/microsoft-entra-id.png
deleted file mode 100644
index 4158a866f3..0000000000
Binary files a/windows/security/book/images/microsoft-entra-id.png and /dev/null differ
diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg
new file mode 100644
index 0000000000..5cb2cfe7be
--- /dev/null
+++ b/windows/security/book/images/microsoft-entra-id.svg
@@ -0,0 +1,8 @@
+
diff --git a/windows/security/book/images/microsoft-entra-internet-access.png b/windows/security/book/images/microsoft-entra-internet-access.png
deleted file mode 100644
index bb05dbfefd..0000000000
Binary files a/windows/security/book/images/microsoft-entra-internet-access.png and /dev/null differ
diff --git a/windows/security/book/images/microsoft-entra-private-access.png b/windows/security/book/images/microsoft-entra-private-access.png
deleted file mode 100644
index 6dbecc415b..0000000000
Binary files a/windows/security/book/images/microsoft-entra-private-access.png and /dev/null differ
diff --git a/windows/security/book/images/microsoft-intune.png b/windows/security/book/images/microsoft-intune.png
deleted file mode 100644
index 9e70c4f99c..0000000000
Binary files a/windows/security/book/images/microsoft-intune.png and /dev/null differ
diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg
new file mode 100644
index 0000000000..714722c739
--- /dev/null
+++ b/windows/security/book/images/microsoft-intune.svg
@@ -0,0 +1,23 @@
+
diff --git a/windows/security/book/images/onedrive.png b/windows/security/book/images/onedrive.png
deleted file mode 100644
index 187abfefe1..0000000000
Binary files a/windows/security/book/images/onedrive.png and /dev/null differ
diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg
new file mode 100644
index 0000000000..6f9ac42e61
--- /dev/null
+++ b/windows/security/book/images/onedrive.svg
@@ -0,0 +1,29 @@
+
diff --git a/windows/security/book/images/operating-system-on.png b/windows/security/book/images/operating-system-on.png
index d4ef8fb04d..524c7ac372 100644
Binary files a/windows/security/book/images/operating-system-on.png and b/windows/security/book/images/operating-system-on.png differ
diff --git a/windows/security/book/images/universal-print.png b/windows/security/book/images/universal-print.png
deleted file mode 100644
index c7fb73b046..0000000000
Binary files a/windows/security/book/images/universal-print.png and /dev/null differ
diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg
new file mode 100644
index 0000000000..3c5d0761a2
--- /dev/null
+++ b/windows/security/book/images/universal-print.svg
@@ -0,0 +1,24 @@
+
diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg
new file mode 100644
index 0000000000..7882c89525
--- /dev/null
+++ b/windows/security/book/images/windows-security.svg
@@ -0,0 +1,24 @@
+
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index 350e25f172..3ee48c98ad 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -1,6 +1,6 @@
---
-title: Windows security book introduction
-description: Windows security book introduction
+title: Windows 11 security book - Windows security book introduction
+description: Windows 11 security book introduction.
ms.topic: overview
ms.date: 11/18/2024
---
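Review bot: the new title "Windows 11 security book - Windows security book introduction" repeats "security book" twice. Every other page in this patch uses the pattern "Windows 11 security book - <chapter>", so "Windows 11 security book - Introduction" would be consistent and reads better in search results and the browser tab.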
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index 5476fd2870..d9ab85a02b 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -1,6 +1,6 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Encryption and data protection
+description: Operating System security chapter - Encryption and data protection.
ms.topic: overview
ms.date: 11/18/2024
---
@@ -64,21 +64,21 @@ Encrypted hard drives enable:
- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
-## Personal Data Encryption (PDE)
+## Personal Data Encryption
-Personal Data Encryption (PDE) is a user-authenticated encryption mechanism designed to protect user's content. PDE uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by PDE are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
+Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
-The initial release of PDE in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
+The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
[!INCLUDE [new-24h2](includes/new-24h2.md)]
-PDE is further enhanced with *PDE for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
+Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
-:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with PDE showing a padlock." border="false":::
+:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false":::
[!INCLUDE [learn-more](includes/learn-more.md)]
-- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
+- [Personal Data Encryption](../operating-system-security/data-protection/personal-data-encryption/index.md)
## Email encryption
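Review bot: "designed to protect user's content" in the first `+` line of this hunk should be "users' content" (or "a user's content"); the possessive is wrong in both the old and new text, and this hunk already rewrites the sentence. Separately, spelling out "Personal Data Encryption" on every occurrence makes the paragraph heavy, and the image filename `images/pde.png` and the linked `personal-data-encryption/index.md` still use the short form; if the intent is to avoid the acronym for branding, that is fine, otherwise consider defining "Personal Data Encryption (PDE)" once and using "PDE" afterwards.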
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index 5be1a004aa..fff427b5b2 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -1,6 +1,6 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Network security
+description: Operating System security chapter - Network security.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index 649ebdbe4b..dd056f219e 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -1,6 +1,6 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - System security
+description: Operating System security chapter - System security.
ms.topic: overview
ms.date: 11/18/2024
---
@@ -139,7 +139,7 @@ Config Refresh can also be paused for a configurable period of time, after which
Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
:::column-end:::
:::column span="2":::
-:::image type="content" source="images/kiosk.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/kiosk.png" :::
+:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" :::
:::column-end:::
:::row-end:::
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index 44eb24d2c9..cb69b30617 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -1,11 +1,11 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Virus and threat protection
+description: Operating System security chapter - Virus and threat protection.
ms.topic: overview
ms.date: 11/18/2024
---
-# Virus and threat protection
+# Virus and threat protection in Windows 11
:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
index cd1f79d3e9..17141c211b 100644
--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@@ -1,6 +1,6 @@
---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Operating System security
+description: Operating System security chapter.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 21377d5d8a..9aa5d2bd86 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -1,6 +1,6 @@
---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy controls
+description: Privacy chapter - Privacy controls.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md
index ef5c623ebb..d4acb2ffed 100644
--- a/windows/security/book/privacy.md
+++ b/windows/security/book/privacy.md
@@ -1,6 +1,6 @@
---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy
+description: Privacy chapter.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index d83dfb1231..1f8c8c878d 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -1,6 +1,6 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Certification
+description: Security foundation chapter - Certification.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index 4a1fdf3bbf..f40f549653 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -1,6 +1,6 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Secure Future Initiative and offensive research
+description: Security foundation chapter - Secure Future Initiative and offensive research.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
index 9cfdaec1f9..9e638bfbc5 100644
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -1,6 +1,6 @@
---
-title: Secure supply chain
-description: Windows 11 security book - Security foundation chapter - Secure supply chain.
+title: Windows 11 security book - Secure supply chain
+description: Security foundation chapter - Secure supply chain.
ms.topic: overview
ms.date: 11/18/2024
---
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
index 2a370ff6d5..2748af0a55 100644
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@@ -1,14 +1,14 @@
---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Security foundation
+description: Security foundation chapter.
ms.topic: overview
ms.date: 11/18/2024
---
-# Security foundation
+# Security foundation in Windows 11
:::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::
-Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft’s security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
+Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft's security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index b7d4db82be..e0cd0064c8 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -150,7 +150,7 @@
"✅ Windows Server 2016"
],
"book/**/*.md": [
- "✅ Windows 11"
+ "Windows 11"
],
"hardware-security/**/*.md": [
"✅ Windows 11",
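Review bot: dropping the checkmark from the `book/**/*.md` entry leaves it inconsistent with the neighboring `"✅ Windows Server 2016"` and `"✅ Windows 11"` entries in the same appliesto list. If the intent is to suppress the checkmark badge for the book pages, a short comment in the PR description would help; otherwise the value should stay `"✅ Windows 11"`.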
@@ -251,7 +251,7 @@
"security-foundations/certification/**/*.md": "paoloma"
},
"ms.collection": {
- "book/*.md": "tier3",
+ "book/*.md": "tier1",
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
@@ -259,9 +259,6 @@
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"security-foundations/certification/**/*.md": "tier3",
"threat-protection/auditing/*.md": "tier3"
- },
- "ROBOTS": {
- "book/*.md": "NOINDEX"
}
},
"template": [],
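Review bot: removing the `ROBOTS` / `NOINDEX` rule makes every page under `book/*.md` crawlable, and the previous hunk promotes them to `tier1`, so this is effectively the publication switch for the whole book. Before merging, the pages should be in release shape; at least one hunk in this patch (identity-protection.md) still carries the "Employes" typo. The JSON stays well-formed: `},` is replaced by the context `}` that now closes `ms.collection`, and the outer `},` is unchanged.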
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 55551c53ca..59d5e97382 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,8 +1,8 @@
---
-title: Enterprise certificate pinning
+title: Enterprise Certificate Pinning In Windows
description: Enterprise certificate pinning is a Windows feature for remembering, or pinning, a root issuing certificate authority, or end-entity certificate to a domain name.
ms.topic: concept-article
-ms.date: 03/12/2024
+ms.date: 12/02/2024
---
# Enterprise certificate pinning overview
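Review bot: the new title "Enterprise Certificate Pinning In Windows" uses Title Case with "In" capitalized, which conflicts with the sentence-case H1 "Enterprise certificate pinning overview" directly below and with the sentence-case `description` in the same front matter. Suggest "Enterprise certificate pinning in Windows".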
diff --git a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
index 553251974a..f2c4e29919 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business cloud-only deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
index 9b2e6325b4..e4312d8684 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business cloud Kerberos trust deployment guide
description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
@@ -169,8 +169,8 @@ If you deployed Windows Hello for Business using the key trust model, and want t
1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business
-> [!NOTE]
-> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+ > [!NOTE]
+ > For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
## Migrate from certificate trust deployment model to cloud Kerberos trust
@@ -179,11 +179,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t
If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:
-1. Disable the certificate trust policy
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
-1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
-1. Sign out and sign back in
-1. Provision Windows Hello for Business using a method of your choice
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings).
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.
> [!NOTE]
> For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
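Review bot: the NOTE that follows the numbered steps is left unindented here, while the previous hunk in this file indents the equivalent NOTE so it renders as part of the last list item. Apply the same indentation to `> [!NOTE]` and its body line for consistency; as written, the two notes render differently on the same page.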
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
index c97ec8cde9..742939bf9d 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@@ -1,7 +1,7 @@
---
title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
index 2b775003f0..ce6526f4a7 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid key trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
index 6adbe43c94..11af1ac31c 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
@@ -1,5 +1,5 @@
---
-ms.date: 06/23/2024
+ms.date: 11/22/2024
ms.topic: include
---
@@ -19,3 +19,6 @@ Windows Hello for Business requires users perform multifactor authentication (MF
For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)
Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+
+> [!TIP]
+> When you validate the AD FS configuration, verify if you need to update the configuration of user agent strings to support Windows Integrated Authentication (WIA). For more information, see [Change WIASupportedUserAgent settings](/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia#change-wiasupporteduseragent-settings).
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
index 7446d01e92..73dd0d6cbf 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@@ -33,14 +33,14 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
+1. Open the **Certification Authority** management console.
+1. Expand the parent node from the navigation pane.
+1. Select **Certificate Templates** in the navigation pane.
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue.
+1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority.
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list.
+ - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation.
+1. Close the console.
## Configure the certificate registration authority
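Review bot: in the step "Select **New > Certificate Template** to issue." the menu item in the Certification Authority console is named "Certificate Template to Issue", so the bold span should cover the full command: `Select **New > Certificate Template to Issue**.` Adding the period after "issue" in this hunk makes the cut-off name read as prose. The rest of the punctuation changes look fine.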
@@ -55,7 +55,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
```
>[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (_certtmpl.msc_). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
### Enrollment agent certificate lifecycle management
@@ -89,18 +89,18 @@ For detailed information about the certificate, use `Certutil -q -v [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
>
-> - Configure an enrollment agent certificate template
-> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
-> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
-> - Confirm you properly configured the Windows Hello for Business authentication certificate template
-> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
-> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
-> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> Confirm you restarted the AD FS service
-> - Confirm you properly configured load-balancing (hardware or software)
-> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
-> - Confirm you have deployed a MFA solution for AD FS
+> - Configure an enrollment agent certificate template.
+> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+> - Confirm you properly configured the Windows Hello for Business authentication certificate template.
+> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+> - Confirm you restarted the AD FS service.
+> - Confirm you properly configured load-balancing (hardware or software).
+> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address.
+> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+> - Confirm you have deployed a MFA solution for AD FS.
> [!div class="nextstepaction"]
> [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md)
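Review bot: Two wording issues carry over unchanged into the rewritten checklist: "Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template" drops "for" from the product name (it should read "Windows Hello for Business"), and "Confirm you have deployed a MFA solution for AD FS" should be "an MFA solution". Restoring the missing `- ` on the "Confirm you restarted the AD FS service" item is a good catch, since without it that line rendered as a continuation of the item above.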
diff --git a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
index d9e217575b..123d35b434 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in an on-premises key trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
index 0aeded8941..efbea47423 100644
--- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@@ -1,7 +1,7 @@
---
title: Prepare users to provision and use Windows Hello for Business
description: Learn how to prepare users to enroll and to use Windows Hello for Business.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: end-user-help
---
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
index 7dd1507298..0d5f859326 100644
--- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -1,7 +1,7 @@
---
title: Dual enrollment
description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 05/06/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -40,7 +40,7 @@ Active Directory Domain Services uses `AdminSDHolder` to secure privileged users
Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object.
```cmd
dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
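Review bot: The rewritten step still reads "permissions for msDS-KeyCredentialLink attribute"; add the article ("for the msDS-KeyCredentialLink attribute") and consider setting the attribute name in backticks like `Key Admins` and `AdminSDHolder` in the same sentence, since it is the literal attribute name that appears in the `dsacls` command below.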
@@ -52,21 +52,21 @@ Sign in to a domain controller or management workstation with access equivalent
dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
```
-1. To trigger security descriptor propagation, open `ldp.exe`
-1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
-1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user
-1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
-1. Select **Run** to start the task
-1. Close LDP
+1. To trigger security descriptor propagation, open `ldp.exe`.
+1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**.
+1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user.
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**.
+1. Select **Run** to start the task.
+1. Close LDP.
### Configure dual enrollment with group policy
You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
-1. Edit the Group Policy object from step 1
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+1. Edit the Group Policy object from step 1.
1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
-1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
-1. Restart computers targeted by this Group Policy object
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+1. Restart computers targeted by this Group Policy object.
-The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+ The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
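Review bot: The closing paragraph ("The computer is ready for dual enrollment...") gains a single leading space in this hunk; one space does not nest a paragraph under a numbered list (that needs the list's content indent of at least three spaces), so the change only leaves stray whitespace. Either indent it fully under the last step or keep it flush left. Also, the Group Policy step "Enable the **Allow enumeration of emulated smart cards for all users** policy setting ..." is the only step left without a trailing period, and "organizational Unit" should be "organizational unit".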
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index e6b79420ad..aaed7b870d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business known deployment issues
description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
ms.topic: troubleshooting
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index ef8e864841..8524027332 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -2,7 +2,7 @@
title: Windows Hello errors during PIN creation
description: Learn about the Windows Hello error codes that might happen during PIN creation.
ms.topic: troubleshooting
-ms.date: 03/12/2024
+ms.date: 11/22/2024
---
# Windows Hello errors during PIN creation
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index e1845d9363..b0fc5d6b30 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,7 +1,7 @@
---
title: Dynamic lock
description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -19,33 +19,61 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli
1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
1. Close the Group Policy Management Editor to save the Group Policy object.
-The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
+ The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
-```xml
-
-
-
-```
+ ```xml
+
+
+
+ ```
->[!IMPORTANT]
->Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
+ >[!IMPORTANT]
+ >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
-For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
+ For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
-|Description|Value|
-|:-------------|:-------:|
-|Miscellaneous|0|
-|Computer|256|
-|Phone|512|
-|LAN/Network Access Point|768|
-|Audio/Video|1024|
-|Peripheral|1280|
-|Imaging|1536|
-|Wearable|1792|
-|Toy|2048|
-|Health|2304|
-|Uncategorized|7936|
+ |Description|Value|
+ |:-------------|:-------:|
+ |Miscellaneous|0|
+ |Computer|256|
+ |Phone|512|
+ |LAN/Network Access Point|768|
+ |Audio/Video|1024|
+ |Peripheral|1280|
+ |Imaging|1536|
+ |Wearable|1792|
+ |Toy|2048|
+ |Health|2304|
+ |Uncategorized|7936|
-The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
+ The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
-RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+ RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+
+## Configure Dynamic lock with Microsoft Intune
+
+To configure Dynamic lock using Microsoft Intune, follow these steps:
+
+1. Open the Microsoft Intune admin center and navigate to Devices > Windows > Configuration policies.
+1. Create a new policy:
+ - Platform: Windows 10 and later
+ - Profile type: Templates - Custom
+ - Select Create
+1. Configure the profile:
+ - Name: Provide a name for the profile.
+ - Description: (Optional) Add a description.
+1. Add OMA-URI settings:
+ - Enable Dynamic lock:
+ - Name: Enable Dynamic lock
+ - Description: (Optional) This setting enables Dynamic lock
+ - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/DynamicLock
+ - Data type: Boolean
+ - Value: True
+ - Define the Dynamic lock signal rule:
+ - Name: Dynamic lock Signal Rule
+ - Description: (Optional) This setting configures Dynamic lock values
+ - OMA-URI: ./Device/Vendor/MSFT/PassportForWork/DynamicLock/Plugins
+ - Data type: String
+ - Value: ``
+1. Assign the profile to the appropriate groups.
+
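Review bot: The single-space indentation added to the explanatory paragraph, the `xml` fence, the `[!IMPORTANT]` callout, the table and the RSSI paragraphs does not attach them to the numbered list (continuation content needs the indent of the `1.` marker, three spaces), so this whitespace change is at best a no-op and for the table and fence risks breaking rendering; indent them consistently under the last step or leave them flush left. While these lines are being touched, fix "this policy settings" (singular "setting"), "which instruct Windows" ("instructs"), "weakens by more than measurement of 10" ("more than a measurement of 10") and "bluetooth" ("Bluetooth"). In the new Intune section, the `Value:` entry for the signal rule is an empty code span; admins need the actual signal rule XML there (the same default rule the Group Policy section shows) or they cannot complete the OMA-URI step.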
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3d2908e78a..613da4d993 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,7 +1,7 @@
---
title: Use Certificates to enable SSO for Microsoft Entra join devices
description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
-ms.date: 04/24/2024
+ms.date: 11/22/2024
ms.topic: how-to
---
@@ -62,21 +62,21 @@ To include the on-premises distinguished name in the certificate's subject, Micr
Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*.
-1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder
-1. In the **Synchronization Service Manager**, select **Help** and then select **About**
-1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
+1. In the **Synchronization Service Manager**, select **Help** and then select **About**.
+1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.
-1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
-1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials
+1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials.
> [!NOTE]
> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent
-1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**
+1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**.
> [!NOTE]
> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
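Review bot: Several lines in this hunk remain inconsistent with its own aim of adding terminal periods: "adequate permissions must be granted" in the first note and "You'll now be prompted for delegated permissions consent" in the unchanged step still lack them. The context line "Sign-in to computer running Microsoft Entra Connect" should read "Sign in to a computer running", and the sentence introducing the Graph Explorer check misspells the attribute as "onPremisesDistingushedNamne".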
@@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
```
-1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**
+1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.
#### Response
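Review bot: The rewritten step "If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**." needs a comma after "synchronized". The hunk header also shows the section heading still spelled "onPremisesDistingushedNamne"; since this change is a cleanup pass over the file, correct the heading to "onPremisesDistinguishedName" in the same commit.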
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 8aeed21090..2be94a9a24 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -1,51 +1,51 @@
### YamlMime:FAQ
metadata:
- title: Frequently asked questions for Personal Data Encryption (PDE)
- description: Answers to common questions regarding Personal Data Encryption (PDE).
+ title: Frequently asked questions for Personal Data Encryption
+ description: Answers to common questions regarding Personal Data Encryption.
ms.topic: faq
ms.date: 09/24/2024
-title: Frequently asked questions for Personal Data Encryption (PDE)
+title: Frequently asked questions for Personal Data Encryption
summary: |
- Here are some answers to common questions regarding Personal Data Encryption (PDE)
+ Here are some answers to common questions regarding Personal Data Encryption
sections:
- name: General
questions:
- - question: Can PDE encrypt entire volumes or drives?
+ - question: Can Personal Data Encryption encrypt entire volumes or drives?
answer: |
- No, PDE only encrypts specified files and content.
- - question: How are files and content protected by PDE selected?
+ No, Personal Data Encryption only encrypts specified files and content.
+ - question: How are files and content protected by Personal Data Encryption selected?
answer: |
- [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
- - question: Can users manually encrypt and decrypt files with PDE?
+ [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using Personal Data Encryption.
+ - question: Can users manually encrypt and decrypt files with Personal Data Encryption?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt encrypted content](configure.md#decrypt-encrypted-content).
+ - question: Can Personal Data Encryption protected content be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
- No, it's not supported to access PDE-protected content over RDP.
- - question: Can PDE protected content be accessed via a network share?
+ No, it's not supported to access protected content over RDP.
+ - question: Can Personal Data Encryption protected content be accessed via a network share?
answer: |
- No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- - question: What encryption method and strength does PDE use?
+ No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+ - question: What encryption method and strength does Personal Data Encryption use?
answer: |
- PDE uses AES-CBC with a 256-bit key to encrypt content.
+ Personal Data Encryption uses AES-CBC with a 256-bit key to encrypt content.
- - name: PDE and other Windows features
+ - name: Personal Data Encryption and other Windows features
questions:
- - question: What is the relation between Windows Hello for Business and PDE?
+ - question: What is the relation between Windows Hello for Business and Personal Data Encryption?
answer: |
- During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
- - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
+ During user sign-on, Windows Hello for Business unlocks the keys that Personal Data Encryption uses to protect content.
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their Personal Data Encryption protected content?
answer: |
- No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- - question: Can a file be protected with both PDE and EFS at the same time?
+ No, the keys used by Personal Data Encryption to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+ - question: Can a file be protected with both Personal Data Encryption and EFS at the same time?
answer: |
- No, PDE and EFS are mutually exclusive.
- - question: Is PDE a replacement for BitLocker?
+ No, Personal Data Encryption and EFS are mutually exclusive.
+ - question: Is Personal Data Encryption a replacement for BitLocker?
answer: |
No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
- question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
answer: |
- No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+ No, Personal Data Encryption doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by Personal Data Encryption to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
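Review bot: The answer to "Can users manually encrypt and decrypt files..." changes the link target from `configure.md#decrypt-pde-encrypted-content` to `configure.md#decrypt-encrypted-content`, but no change to configure.md appears in this diff; unless that heading was renamed in the same commit, the anchor breaks. Otherwise the rename is applied consistently; "Personal Data Encryption protected content" would read more clearly hyphenated as "Personal Data Encryption-protected content", which applies to the same phrase throughout this file and index.md.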
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 7e28595993..03607ce506 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -1,104 +1,104 @@
---
-title: Personal Data Encryption (PDE)
+title: Personal Data Encryption
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
ms.date: 09/24/2024
---
-# Personal Data Encryption (PDE)
+# Personal Data Encryption
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
+Starting in Windows 11, version 22H2, Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows.
-PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+Personal Data Encryption utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
The use of Windows Hello for Business offers the following advantages:
- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
-- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+- The accessibility features available when using Windows Hello for Business extend to Personal Data Encryption protected content
-PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
+Personal Data Encryption differs from BitLocker in that it encrypts files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, Personal Data Encryption doesn't release data encryption keys until a user signs in using Windows Hello for Business.
## Prerequisites
-To use PDE, the following prerequisites must be met:
+To use Personal Data Encryption, the following prerequisites must be met:
- Windows 11, version 22H2 and later
- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
> [!IMPORTANT]
-> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
+> If you sign in with a password or a [security key][AAD-2], you can't access Personal Data Encryption protected content.
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
-## PDE protection levels
+## Personal Data Encryption protection levels
-PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+Personal Data Encryption uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
-| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
-| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
-| PDE protected data is accessible after user signs out of Windows | No | No |
-| PDE protected data is accessible when device is shut down | No | No |
-| PDE protected data is accessible via UNC paths | No | No |
-| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
-| PDE protected data is accessible via Remote Desktop session | No | No |
-| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
+| Protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
+| Protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
+| Protected data is accessible after user signs out of Windows | No | No |
+| Protected data is accessible when device is shut down | No | No |
+| Protected data is accessible via UNC paths | No | No |
+| Protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
+| Protected data is accessible via Remote Desktop session | No | No |
+| Decryption keys used by Personal Data Encryption discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
-## PDE protected content accessibility
+## Personal Data Encryption protected content accessibility
-When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
+When a file is protected with Personal Data Encryption, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access Personal Data Encryption protected content, they'll be denied access to the content.
-Scenarios where a user will be denied access to PDE protected content include:
+Scenarios where a user will be denied access to Personal Data Encryption protected content include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
- If protected via level 2 protection, when the device is locked
- When trying to access content on the device remotely. For example, UNC network paths
- Remote Desktop sessions
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the Personal Data Encryption protected content
-## Differences between PDE and BitLocker
+## Differences between Personal Data Encryption and BitLocker
-PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
+Personal Data Encryption is meant to work alongside BitLocker. Personal Data Encryption isn't a replacement for BitLocker, nor is BitLocker a replacement for Personal Data Encryption. Using both features together provides better security than using either BitLocker or Personal Data Encryption alone. However there are differences between BitLocker and Personal Data Encryption and how they work. These differences are why using them together offers better security.
-| Item | PDE | BitLocker |
+| Item | Personal Data Encryption | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
| Protected content | All files in protected folders | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
-## Differences between PDE and EFS
+## Differences between Personal Data Encryption and EFS
-The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
+The main difference between protecting files with Personal Data Encryption instead of EFS is the method they use to protect the file. Personal Data Encryption uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
-To see if a file is protected with PDE or with EFS:
+To see if a file is protected with Personal Data Encryption or with EFS:
1. Open the properties of the file
1. Under the **General** tab, select **Advanced...**
1. In the **Advanced Attributes** windows, select **Details**
-For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+For Personal Data Encryption protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
-## Recommendations for using PDE
+## Recommendations for using Personal Data Encryption
-The following are recommendations for using PDE:
+The following are recommendations for using Personal Data Encryption:
-- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although Personal Data Encryption works without BitLocker, it's recommended to enable BitLocker. Personal Data Encryption is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
-## Windows out of box applications that support PDE
+## Windows out of box applications that support Personal Data Encryption
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
+Certain Windows applications support Personal Data Encryption out of the box. If Personal Data Encryption is enabled on a device, these applications will utilize Personal Data Encryption:
| App name | Details |
|-|-|
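Review bot: the rewritten recommendation line `+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). ...` carries over the typo "for increased security at it isn't a replacement for BitLocker"; since the line is being touched anyway, change "at it isn't" to "as it isn't". In the same region, the unchanged step "In the **Advanced Attributes** windows, select **Details**" should read "window", and "However there are differences between BitLocker and Personal Data Encryption" wants a comma after "However".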
@@ -106,8 +106,8 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
## Next steps
-- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [Personal Data Encryption settings and configuration](configure.md)
+- Review the [Personal Data Encryption FAQ](faq.yml)
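Review bot: in the rewritten first Next steps bullet, "configuration Service Provider (CSP)" mixes lowercase and title case in one term; pick one form ("configuration service provider (CSP)" or "Configuration Service Provider (CSP)") and use it consistently.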
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index f526600bd4..ac20c878c3 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,7 +1,7 @@
items:
-- name: PDE overview
+- name: Overview
href: index.md
-- name: Configure PDE
+- name: Configure Personal Data Encryption
href: configure.md
-- name: PDE frequently asked questions (FAQ)
+- name: Frequently asked questions (FAQ)
href: faq.yml
\ No newline at end of file
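Review bot: this file still ends without a trailing newline (the `\ No newline at end of file` marker applies to the unchanged `href: faq.yml` line). The certification toc.yml hunk in this same change adds the missing newline to another file; do the same here so the next edit to this file doesn't show a spurious last-line diff.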
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
index d77de4f59e..ee4a57ab27 100644
--- a/windows/security/operating-system-security/data-protection/toc.yml
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -3,7 +3,7 @@ items:
href: bitlocker/toc.yml
- name: Encrypted hard drives
href: encrypted-hard-drive.md
-- name: Personal data encryption (PDE)
+- name: Personal data encryption
href: personal-data-encryption/toc.yml
- name: Email Encryption (S/MIME)
href: configure-s-mime.md
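Review bot: the renamed entry `- name: Personal data encryption` uses lowercase "data encryption", while every other rename in this change (the article headings and the personal-data-encryption/toc.yml entry `Configure Personal Data Encryption`) uses the product casing "Personal Data Encryption"; align this TOC label with the rest.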
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
index b1b37ca008..85561cf109 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md
@@ -32,19 +32,19 @@ netsh.exe advfirewall set allprofiles state on
### Control Windows Firewall behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console.
-The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
+The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and disallows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
# [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
```powershell
-Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
+Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
# [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
-netsh advfirewall set allprofiles settings inboundusernotification enable
+netsh advfirewall set allprofiles settings inboundusernotification disable
netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
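Review bot: the rewritten sentence on the first `+` line has a subject-verb mismatch and an awkward verb: "The following scriptlets set ..., specifies ..., and disallows notifications to be displayed" should be "set ..., specify ..., and prevent notifications from being displayed to the user when a program is blocked ...". The behavior change itself (`-NotifyOnListen False` in PowerShell, `inboundusernotification disable` in netsh) is consistent between the two tabs, but the article now documents the opposite of the previous recommendation without saying why; a short sentence explaining the change in guidance would help readers who copy the scriptlet as-is.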
@@ -53,19 +53,14 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile
### Disable Windows Firewall
-Microsoft recommends that you don't disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](https://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
-Disabling Windows Firewall can also cause problems, including:
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
- Start menu can stop working
- Modern applications can fail to install or update
- Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall
-Microsoft recommends disabling Windows Firewall only when installing a non-Microsoft firewall, and resetting Windows Firewall back to defaults when the non-Microsoft software is disabled or removed.
-If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
-Stopping the Windows Firewall service isn't supported by Microsoft.
-Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall that need to be disabled for compatibility.
-You shouldn't disable the firewall yourself for this purpose.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
Use the following procedure to turn off the firewall, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows Firewall deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
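Review bot: the consolidated paragraph drops two things the removed lines carried, without replacement: the guidance to disable Windows Firewall only when installing a non-Microsoft firewall and to reset it to defaults when that software is disabled or removed, and the hyperlink on "Windows Service Hardening" (previously https://go.microsoft.com/fwlink/?linkid=104976). If these removals are intentional, fine; otherwise restore the reset-to-defaults advice, since that is the operational step an admin needs. Also, the new link text "[rule types][FWRC]" points at the NET_FW_RULE_CATEGORY enumeration, so "rule categories" would match the target better. The unchanged line below still has the typo "Domain Prolfile"; worth fixing while this section is being rewritten.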
@@ -569,3 +564,6 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec
```
---
+[BTF]: /windows/win32/fwp/basic-operation
+[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line
+[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
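Review bot: the `[MFWC]` reference definition added here points to configure-with-command-line, that is, to this same article, and none of the hunks touching this file use `[MFWC]`; unless an unchanged part of the file references it, drop the definition (it's needed in index.md, where the new section links to it, but here it looks copied along with `[BTF]` and `[FWRC]`).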
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure.md b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
index b8e9d793fc..f6540ef8df 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/configure.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/configure.md
@@ -11,7 +11,7 @@ This article contains examples how to configure Windows Firewall rules using the
## Access the Windows Firewall with Advanced Security console
-If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
+If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**. Pay attention to the [Group policy processing considerations][GPPC] when using Group Policy.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select START, type `wf.msc`, and press ENTER.
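Review bot: the added sentence "Pay attention to the [Group policy processing considerations][GPPC] when using Group Policy" capitalizes the term two ways within one sentence; use "Group Policy" in both places. Minor: the unchanged next line opens "If you are configuring" while the rewritten line uses "If you're configuring"; matching the contraction style would read more evenly.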
@@ -176,3 +176,5 @@ Using the two rules configured as described in this topic helps to protect your
1. On the **Action** page, select **Allow the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
+
+[GPPC]: /windows/security/operating-system-security/network-security/windows-firewall/tools#group-policy-processing-considerations
\ No newline at end of file
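Review bot: the new `[GPPC]` definition is added without a trailing newline (`\ No newline at end of file`), while the certification toc.yml hunk in this same change fixes exactly that problem in another file; end this file with a newline as well.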
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/index.md b/windows/security/operating-system-security/network-security/windows-firewall/index.md
index 8952b535cf..4de85b91d4 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/index.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/index.md
@@ -73,6 +73,18 @@ The *public network* profile is designed with higher security in mind for public
> [!TIP]
> Use the PowerShell cmdlet `Get-NetConnectionProfile` to retrieve the active network category (`NetworkCategory`). Use the PowerShell cmdlet `Set-NetConnectionProfile` to switch the category between *private* and *public*.
+## Disable Windows Firewall
+
+Microsoft recommends that you don't disable Windows Firewall because you lose other benefits, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and [boot time filters][BTF]. Non-Microsoft firewall software can programmatically disable only the [rule types][FWRC] of Windows Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
+If disabling Windows Firewall is required, don't disable it by stopping the Windows Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Firewall service isn't supported by Microsoft and can cause problems, including:
+
+- Start menu can stop working
+- Modern applications can fail to install or update
+- Activation of Windows via phone fails
+- Application or OS incompatibilities that depend on Windows Firewall
+
+The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running. See [Manage Windows Firewall with the command line][MFWC] for detailed steps.
+
## Next steps
> [!div class="nextstepaction"]
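Review bot: the new "Disable Windows Firewall" section is a word-for-word copy of the paragraph and bullet list added to configure-with-command-line.md in this same change (from "Microsoft recommends that you don't disable Windows Firewall..." through "Application or OS incompatibilities that depend on Windows Firewall"). Duplicated text drifts over time; since the closing sentence already links to [MFWC] for the detailed steps, consider keeping only the one-paragraph recommendation here and leaving the list of failure symptoms in the command-line article. Also, the two added lines ending "...for this purpose." and starting "If disabling Windows Firewall is required..." are adjacent with no blank line between them, so they render as a single paragraph; add a blank line if two paragraphs are intended.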
@@ -89,3 +101,6 @@ To provide feedback for Windows Firewall, open [**Feedback Hub**][FHUB] (WI
[FHUB]: feedback-hub:?tabid=2&newFeedback=true
[NLA]: /windows/win32/winsock/network-location-awareness-service-provider-nla--2
[CSP-1]: /windows/client-management/mdm/policy-csp-networklistmanager
+[BTF]: /windows/win32/fwp/basic-operation
+[MFWC]: /windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line
+[FWRC]: /windows/win32/api/icftypes/ne-icftypes-net_fw_rule_category
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
index 3daf29314e..64b6580098 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md
@@ -30,11 +30,13 @@ When first installed, network applications and services issue a *listen call* sp
:::row:::
:::column span="2":::
- If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
-
- - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
- - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created
+ If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network:
+
+- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
+- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected
+To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console
+
:::column-end:::
:::column span="2":::
:::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false":::
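Review bot: the added line "To disable the notification prompt, you can use the [command line](...) or the **Windows Firewall with Advanced Security** console" directly follows the last `-` bullet with no blank line, so Markdown treats it as a lazy continuation of that bullet rather than a new paragraph; insert a blank line before it and end it with a period, since it's a sentence rather than a list item. The rewritten second bullet, "If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected", reverses the removed statement that non-admins aren't prompted; confirm that this is the intended behavior description, and consider "regardless of which option they select" for clarity.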
diff --git a/windows/security/security-foundations/certification/toc.yml b/windows/security/security-foundations/certification/toc.yml
index 33099035c3..98c1522666 100644
--- a/windows/security/security-foundations/certification/toc.yml
+++ b/windows/security/security-foundations/certification/toc.yml
@@ -9,6 +9,8 @@ items:
href: validations/fips-140-windows10.md
- name: Previous Windows releases
href: validations/fips-140-windows-previous.md
+ - name: Windows Server 2022
+ href: validations/fips-140-windows-server-2022.md
- name: Windows Server 2019
href: validations/fips-140-windows-server-2019.md
- name: Windows Server 2016
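Review bot: the new entry `href: validations/fips-140-windows-server-2022.md` requires that file to exist, and it isn't among the hunks shown here; confirm it is added in the same PR (or already present in the repo), otherwise the TOC will carry a broken link and the docs build will flag it.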
@@ -32,4 +34,4 @@ items:
- name: Windows Server semi-annual releases
href: validations/cc-windows-server-semi-annual.md
- name: Previous Windows Server releases
- href: validations/cc-windows-server-previous.md
\ No newline at end of file
+ href: validations/cc-windows-server-previous.md
diff --git a/windows/whats-new/ltsc/whats-new-windows-11-2024.md b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
index 3fbb4a3529..2e098597d2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-11-2024.md
+++ b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
@@ -18,7 +18,7 @@ appliesto:
This article lists some of the new and updated features and content that is of interest to IT Pros for Windows 11 Enterprise long-term servicing channel (LTSC) 2024, compared to Windows 10 Enterprise LTSC 2021. For a brief description of the LTSC servicing channel and associated support, see [Windows Enterprise LTSC](overview.md).
-Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
+Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
The Windows 11 Enterprise LTSC 2024 release includes the cumulative enhancements provided in Windows 11 versions 21H2, 22H2, 23H2, and 24H2. Details about these enhancements are provided below.
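Review bot: the `-`/`+` pair in this hunk is textually identical ("Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features..."), so this is a whitespace-only change (trailing space or line ending). That's fine if a whitespace cleanup is wanted, but if it is an editor artifact it adds noise to the blame history and should be dropped.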
@@ -37,7 +37,7 @@ Windows 11 Enterprise LTSC 2024 was first available on October 1, 2024. Features
| Feature [Release] | Description |
| --- | --- |
-| **Windows accessibility** [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see: • [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) • [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554) • [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
+| **Windows accessibility** [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see: * [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) * [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554) * [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
| **Braille displays** [23H2][23H2] | Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros). |
| **Narrator improvements** [23H2][23H2] | Scripting functionality was added to Narrator. Narrator includes more natural voices. For more information, see [Complete guide to Narrator](https://support.microsoft.com/topic/e4397a0d-ef4f-b386-d8ae-c172f109bdb1). |
| **Bluetooth ® LE audio support for assistive devices** [24H2][24H2] | Windows has taken a significant step forward in accessibility by supporting the use of assistive hearing devices equipped with the latest Bluetooth ® Low Energy Audio technology. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647). |
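Review bot: changing the `•` bullet characters to `*` inside a table cell doesn't produce a list: Markdown can't render a list inside a pipe-table cell, and a `*` with whitespace on both sides isn't an emphasis delimiter, so the cell will show literal asterisks between the links, which reads worse than the bullet glyphs. Either keep `•`, or separate the links with `<br>` (if the renderer allows inline HTML) or with commas.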
@@ -95,15 +95,15 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| --- | --- |
| **Windows Security app** [21H2][21H2] | Windows Security app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center). |
| **Security baselines** [21H2][21H2] | Security baselines include security settings that are already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). |
-| **Microsoft Defender Antivirus** [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: • [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) • [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) • [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
+| **Microsoft Defender Antivirus** [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see: * [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows) * [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) * [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
| **Application Security** [21H2][21H2] | The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. For more information, see [Windows application security](/windows/security/apps). |
| **Microsoft Pluton** [22H2][22H2] | Pluton, designed by Microsoft and built by silicon partners, is a secure crypto-processor built into the CPU. Pluton provides security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data, and encryption keys. Information is harder to be removed even if an attacker installed malware or has complete physical possession. For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor). |
-| **Enhanced Phishing Protection** [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see: • [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) • [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
+| **Enhanced Phishing Protection** [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see: * [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) * [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
| **Smart App Control** [22H2][22H2] | Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. Smart App Control helps block unwanted apps that affect performance, display unexpected ads, offer extra software you didn't want, and other things you don't expect. For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control). |
| **Credential Guard** [22H2][22H2] | Credential Guard, enabled by default, uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket. For more information, see [Configure Credential Guard](/windows/security/identity-protection/credential-guard/configure).|
| **Malicious and vulnerable driver blocking** [22H2][22H2] | The vulnerable driver blocklist is automatically enabled on devices when Smart App Control is enabled and for clean installs of Windows. For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).|
| **Security hardening and threat protection** [22H2][22H2] | Enhanced support with Local Security Authority (LSA) to prevent code injection that could compromise credentials. For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json). |
-| **Personal Data Encryption (PDE)** [22H2][22H2] | [Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
+| **Personal Data Encryption** [22H2][22H2] | [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
| **Passkeys in Windows** [23H2][23H2] | Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys). |
| **Windows passwordless experience** [23H2][23H2] | Windows passwordless experience is a security policy that promotes a user experience without passwords on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices. When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/). |
| **Web sign-in for Windows** [23H2][23H2] | You can enable a web-based sign-in experience on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices, unlocking new sign-in options, and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in). |
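Review bot: in the `+| **Enhanced Phishing Protection**` row the two "For more information" links are separated by bare ` * ` inside a pipe-table cell; Markdown does not start a list mid-cell and a `*` with whitespace on both sides is not emphasis either, so the cell renders literally as `see: * [Enhanced Phishing Protection ...] * [Protect passwords ...]`. If the intent is a two-item list in the cell, use `<br>` (or `<br>-`) between the items, or fold both links into one sentence. The `Personal Data Encryption` rename in the same hunk also drops the `(PDE)` abbreviation on first use; keeping `(PDE)` once in this row costs nothing and preserves the term readers search for.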
@@ -112,10 +112,10 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| **App Control for Business** [24H2][24H2] | Customers can now use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital property from malicious code. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the admin console, including setting up Intune as a managed installer. For more information, see [Application Control for Windows](/windows/security/application-security/application-control/app-control-for-business/appcontrol).|
| **Local Security Authority (LSA) protection enablement** [24H2][24H2]| An audit occurs for incompatibilities with [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, [LSA protection logs](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load) whether programs are blocked from loading into LSA. |
| **Rust in the Windows kernel** [24H2][24H2] | There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel. |
-| **SHA-3 support** [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
+| **SHA-3 support** [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
| **Windows Local Admin Password Solution (LAPS)** [24H2][24H2] | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. Windows LAPS is the successor for the now deprecated legacy Microsoft LAPS product. For more information, see [What is Windows LAPS?](/windows-server/identity/laps/laps-overview)|
-| **Windows LAPS** Automatic account management [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to: • Automatically create the managed local account • Configure name of account • Enable or disable the account • Randomize the name of the account |
-| **Windows LAPS** Policy improvements [24H2][24H2]| • Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy • Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase • Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused. • Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
+| **Windows LAPS** Automatic account management [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to: * Automatically create the managed local account * Configure name of account * Enable or disable the account * Randomize the name of the account |
+| **Windows LAPS** Policy improvements [24H2][24H2]| * Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy * Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase * Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number 0 and the letter O aren't used in the password since the characters can be confused. * Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
| **Windows LAPS** Image rollback detection [24H2][24H2] | Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema). |
| **Windows protected print mode** [24H2][24H2] | Windows protected print mode (WPP) enables a modern print stack which is designed to work exclusively with [Mopria certified printers](https://mopria.org/certified-products). For more information, see [What is Windows protected print mode (WPP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645) and [Windows Insider WPP announcement](https://blogs.windows.com/windows-insider/2023/12/13/announcing-windows-11-insider-preview-build-26016-canary-channel/). |
| **SMB signing requirement changes** [24H2][24H2] | [SMB signing is now required](/windows-server/storage/file-server/smb-signing) by default for all connections. SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. For more information about SMB signing being required by default, see [https://aka.ms/SMBSigningOBD](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704). |
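Review bot: the two `+| **Windows LAPS** ...` rows replace `•` with `*` between the list items, which is a rendering regression inside a pipe table: `•` displayed as a bullet glyph, whereas ` * ` in a table cell is neither a list marker nor emphasis, so the cell now shows literal asterisks (`to: * Automatically create the managed local account * Configure name of account ...`). Suggest `<br>` separators or restoring `•`; `Configure name of account` should also read `Configure the account name`. Separately, the `-`/`+` pair for the **SHA-3 support** row has no visible difference, so that part of the hunk is a whitespace-only change and could be dropped.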
@@ -123,8 +123,8 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| **SMB signing and encryption auditing** [24H2][24H2] | Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell. |
| **SMB alternative client and server ports** [24H2][24H2] | The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using [alternative network ports](/windows-server/storage/file-server/smb-ports) to the hardcoded defaults. However, you can only connect to alternative ports if the SMB server is configured to support listening on that port. Starting in [Windows Server Insider build 26040](https://techcommunity.microsoft.com/t5/windows-server-insiders/announcing-windows-server-preview-build-26040/m-p/4040858), the SMB server now supports listening on an alternative network port for SMB over QUIC. Windows Server doesn't support configuring alternative SMB server TCP ports, but some third parties do. For more information about this change, see [https://aka.ms/SMBAlternativePorts](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insider/ba-p/3974509). |
| **SMB NTLM blocking exception list** [24H2][24H2] |The SMB client now supports [blocking NTLM](/windows-server/storage/file-server/smb-ntlm-blocking) for remote outbound connections. With this new option, administrators can intentionally block Windows from offering NTLM via SMB and specify exceptions for NTLM usage. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and can't brute force, crack, or pass hashes. This change adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. For more information about this change, see [https://aka.ms/SmbNtlmBlock](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206). |
-| **SMB dialect management** [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
-| **SMB over QUIC client access control** [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: • [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. • [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell • [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
+| **SMB dialect management** [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
+| **SMB over QUIC client access control** [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: * [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. * [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell * [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
| **SMB firewall rule changes** [24H2][24H2] | The Windows Firewall [default behavior has changed](/windows-server/storage/file-server/smb-secure-traffic#updated-firewall-rules-preview). Previously, creating an SMB share automatically configured the firewall to enable the rules in the **File and Printer Sharing** group for the given firewall profiles. Now, Windows automatically configures the new **File and Printer Sharing (Restrictive)** group, which no longer contains inbound NetBIOS ports 137-139. This change enforces a higher degree of default of network security and brings SMB firewall rules closer to the Windows Server **File Server** role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the **File and Printer Sharing** group if necessary as well as modify this new firewall group, these are just default behaviors. For more information about this change, see [https://aka.ms/SMBfirewall](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-firewall-rule-changes-in-windows-insider/ba-p/3974496). For more information about SMB network security, see [Secure SMB Traffic in Windows Server](/windows-server/storage/file-server/smb-secure-traffic). |
## Servicing
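Review bot: in the `+| **SMB over QUIC client access control**` row the last list item runs straight into the closing sentence (`... for SMB over QUIC For more information about these changes ...`) with no period or separator, and because the items are joined by ` * ` inside a table cell rather than rendered as a list, the reader gets one run-on line. Add a period and a `<br>` before `For more information`, or move the three bullets out of the cell. The **SMB dialect management** `-`/`+` pair in this hunk shows no visible difference and looks like whitespace-only churn.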
@@ -132,7 +132,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
| Feature [Release] | Description |
| --- | --- |
-| **Windows Updates and Delivery optimization** [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see: • [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization) • [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) • [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
+| **Windows Updates and Delivery optimization** [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see: * [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization) * [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11) * [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
| **Control Windows Update notifications** [22H2][22H2] | You can now block user notifications for Windows Updates during active hours. This setting is especially useful for organizations that want to prevent Windows Update notifications from occurring during business hours. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).|
| **Organization name in update notifications** |The organization name now appears in the Windows Update notifications when Windows clients are associated with a Microsoft Entra ID tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name). |
| **Checkpoint cumulative updates** [24H2][24H2] | Windows quality updates are provided as cumulative updates throughout the life cycle of a Windows release. Checkpoint cumulative updates introduce periodic baselines that reduce the size of future cumulative updates making the distribution of monthly quality updates more efficient. For more information, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552). |
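Review bot: the **Organization name in update notifications** row (unchanged context in this hunk) is the only row in the table with no `[release][release]` tag, so it is unclear which Windows 11 version introduced it; add the tag while the table is being touched. The ` * ` separators introduced in the **Windows Updates and Delivery optimization** row will show as literal asterisks in a pipe-table cell; `<br>` keeps the three links on separate lines.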
@@ -152,7 +152,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
## Features Removed
-Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
+Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
| Feature | Description |
|---------|-------------|
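Review bot: the removed and added `Each version of Windows client adds new features ...` lines are identical in visible text, so this hunk is a trailing-whitespace change only. Fine to keep, but whitespace-only hunks are easier to review when batched in a separate cleanup commit rather than interleaved with the `•` to `*` and PDE rename changes.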
@@ -170,5 +170,5 @@ Each version of Windows client adds new features and functionality. Occasionally
[21H2]: ..\windows-11-overview.md
[22H2]: ..\whats-new-windows-11-version-22H2.md
-[23H2]: ..\whats-new-windows-11-version-23h2.md
+[23H2]: ..\whats-new-windows-11-version-23h2.md
[24H2]: ..\whats-new-windows-11-version-24H2.md
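Review bot: the `[24H2]: ..\whats-new-windows-11-version-24H2.md` reference (context line) does not match the file this same patch edits, which is `windows/whats-new/whats-new-windows-11-version-24h2.md` with a lowercase `h`; on a case-sensitive build host that link resolves to nothing, while `[22H2]` correctly matches `whats-new-windows-11-version-22H2.md`. The `[23H2]` line being modified already uses lowercase `23h2`, so fix `24H2.md` to `24h2.md` here while the block is open. These references also use `..\` as the path separator; Markdown link destinations expect `/`, and a backslash before a letter is passed through literally, so `../` is the safe form.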
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index a76a1b6abb..3b1f47426d 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -70,9 +70,9 @@ For more information, see [Configuring Additional LSA Protection](/windows-serve
## Personal Data Encryption
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal Data Encryption is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. Personal Data Encryption differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With Personal Data Encryption, users only need to enter one set of credentials via Windows Hello for Business.
For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
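Review bot: the `For more information` link in this section (unchanged context, `/windows/security/information-protection/personal-data-encryption/overview-pde`) points to a different path than the LTSC table row renamed in this same patch (`/windows/security/operating-system-security/data-protection/personal-data-encryption/`); since the rename is being applied across both files, align the link target too so both pages land on the same article. Minor wording in the new lines: `Personal Data Encryption occurs in addition to other encryption methods` reads better as `works alongside other encryption methods`, and `This requirement requires users to remember two different credentials` should lose the doubled `requirement`/`requires`.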
diff --git a/windows/whats-new/whats-new-windows-11-version-24h2.md b/windows/whats-new/whats-new-windows-11-version-24h2.md
index 5c492a24d8..a812a10180 100644
--- a/windows/whats-new/whats-new-windows-11-version-24h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-24h2.md
@@ -18,7 +18,7 @@ appliesto:
# What's new in Windows 11, version 24H2
-Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
+Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
>**Looking for consumer information?** See [Windows 11 2024 update](https://support.microsoft.com/topic/93c5c27c-f96e-43c2-a08e-5812d92f220d#windowsupdate=26100).
@@ -42,21 +42,21 @@ To learn more about the status of the update rollout, known issues, and new info
There aren't any features under temporary enterprise control between Windows 11, version 23H2 and Windows 11, version 24H2. For a list of features that were under temporary enterprise control between Windows 11, version 22H2 and Windows 11, version 23H2, see, [Windows 11 features behind temporary enterprise feature control](temporary-enterprise-feature-control.md).
## Checkpoint cumulative updates
-
+
Microsoft is introducing checkpoint cumulative updates, a new servicing model that enables devices running Windows 11, version 24H2 or later to save time, bandwidth and hard drive space when getting features and security enhancements via the latest cumulative update. Previously, the cumulative updates contained all changes to the binaries since the last release to manufacturing (RTM) version. The size of the cumulative updates could grow large over time since RTM was used as the baseline for each update.
With checkpoint cumulative updates, the update file level differentials are based on a previous cumulative update instead of the RTM release. Cumulative updates that serve as a checkpoint will be released periodically. Using a checkpoint rather than RTM means the subsequent update packages are smaller, which makes downloads and installations faster. Using a checkpoint also means that in order for a device to install the latest cumulative update, the installation of a prerequisite cumulative update might be required. For more information about checkpoint cumulative updates, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552).
## Features exclusive to Copilot+ PCs in 24H2
-Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
+Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
- Live Captions allow you to translate audio and video content into English subtitles from 44 languages. For more information, see [Use live captions to better understand audio](https://support.microsoft.com/topic/b52da59c-14b8-4031-aeeb-f6a47e6055df).
- Windows Studio Effects is the collective name of AI-powered video call and audio effects that are available on Copilot+ PCs and select Windows 11 devices with compatible NPUs. Windows Studio Effects automatically improves lighting and cancels noises during video calls. For more information, see [Windows Studio Effects](https://support.microsoft.com/topic/273c1fa8-2b3f-41b1-a587-7cc7a24b62d8).
@@ -80,7 +80,7 @@ The following changes were made for SMB signing and encryption:
- **SMB client encryption**: SMB now supports [requiring encryption](/windows-server/storage/file-server/configure-smb-client-require-encryption) on all outbound SMB client connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. With this new option, administrators can mandate that all destination servers use SMB 3 and encryption, and if missing those capabilities, the client won't connect. For more information about this change, see [https://aka.ms/SmbClientEncrypt](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-client-encryption-mandate-now-supported-in-windows-insider/ba-p/3964037).
-- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
+- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
#### SMB alternative client and server ports
@@ -104,7 +104,7 @@ For more information about this change, see [https://aka.ms/SmbDialectManage](ht
[SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature.
-Administrators now have more options for SMB over QUIC such as:
+Administrators now have more options for SMB over QUIC such as:
- [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience.
- [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell
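Review bot: the only change here is whitespace on the "Administrators now have more options for SMB over QUIC such as:" line, but the unchanged bullet "[Disabling SMB over QUIC] ... for client with Group Policy and PowerShell" has a grammar slip and is the one bullet in the list without a terminating period; suggest "for clients with Group Policy and PowerShell" for consistency with the preceding bullet.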
@@ -124,7 +124,7 @@ For more information about this change, see [https://aka.ms/SMBfirewall](https:/
[LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) helps protect against theft of secrets and credentials used for logon by preventing unauthorized code from running in the LSA process and by preventing dumping of process memory. An audit occurs for incompatibilities with LSA protection for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, LSA protection records whether programs are blocked from loading into LSA. If you would like to check if something was blocked, review the [logging](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load).
-
+
### Remote Mailslot protocol disabled by default
[Remote Mailslot protocol](/openspecs/windows_protocols/ms-mail/47ac910f-1dec-4791-8486-9b3e8fd542da) was [deprecated](deprecated-features.md#deprecated-features) in November 2023 and is now disabled by default starting in Windows 11, version 24H2. For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots).
@@ -144,18 +144,18 @@ LAPS has the following policy improvements:
- Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the zero and the letter O aren't used in the password since the characters can be confused.
- Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation.
-Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
+Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
### Rust in the Windows kernel
There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel.
-### Personal Data Encryption (PDE) for folders
+### Personal Data Encryption for folders
-PDE for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. PDE for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
-PDE for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
+Personal Data Encryption for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. Personal Data Encryption for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
+Personal Data Encryption for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
-For more information about PDE, see [PDE overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
+For more information about Personal Data Encryption, see [Personal Data Encryption overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
### Windows protected print mode
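Review bot: renaming the heading from "Personal Data Encryption (PDE) for folders" to "Personal Data Encryption for folders" changes its generated anchor, so any existing links to the old `#personal-data-encryption-pde-for-folders` fragment in this or other pages will break; please check inbound links before merging. Two smaller points in the rewritten lines: "Personal Data Encryption for Folders settings is available on Intune" capitalizes "Folders" differently from the heading and "settings is" should be "settings are", and the closing sentence "see [Personal Data Encryption overview](...)" still lacks a terminating period.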
@@ -184,7 +184,7 @@ Support for Wi-Fi 7 was added for consumer access points. Wi-Fi 7, also known a
### Bluetooth ® LE audio support for assistive devices
-Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
+Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
### Windows location improvements
@@ -213,7 +213,7 @@ In addition to the monthly cumulative update, optional updates are available to
### Remote Desktop Connection improvements
Remote Desktop Connection has the following improvements:
-- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
+- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
- Remote Desktop Connection supports zoom options of 350, 400, 450, and 500%
- Improvements to the connection bar design
@@ -223,11 +223,11 @@ Remote Desktop Connection has the following improvements:
- **File Explorer**: The following changes were made to File Explorer context menu:
- Support for creating 7-zip and TAR archives
- - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
+ - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
- Labels were added to the context menu icons for actions like copy, paste, delete, and rename
- **OOBE improvement**: when you need to connect to a network and there's no Wi-Fi drivers, you're given an *Install drivers* option to install drivers that are already downloaded
- **Registry Editor**: The Registry Editor supports limiting a search to the currently selected key and its descendants
-- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
+- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
### Developer APIs
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 40e15cb0a2..c50c610a28 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -1,5 +1,5 @@
---
-title: Windows commercial licensing overview
+title: Windows Commercial Licensing Overview
description: Learn about products and use rights available through Windows commercial licensing.
ms.subservice: itpro-security
author: paolomatarazzo
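Review bot: changing the title from "Windows commercial licensing overview" to "Windows Commercial Licensing Overview" switches it to title case, while every heading elsewhere in this patch ("### Remote Desktop Connection improvements", "### Windows location improvements", "### Rust in the Windows kernel") uses sentence case; if the goal is consistency across titles, the sentence-case form should be kept, otherwise the rationale for the exception belongs in the commit message.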
@@ -8,7 +8,7 @@ manager: aaroncz
ms.collection:
- tier2
ms.topic: overview
-ms.date: 02/29/2024
+ms.date: 12/02/2024
appliesto:
- ✅ Windows 11
ms.service: windows-client
@@ -143,7 +143,7 @@ The following table lists the Windows 11 Enterprise features and their Windows e
|**[Credential Guard][WIN-1]**|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
|**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
-|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
+|**[Personal Data Encryption][WIN-3]**|❌|Yes|
|**[Direct Access][WINS-1]**|Yes|Yes|
|**[Always On VPN][WINS-2]**|Yes|Yes|
|**[Windows Experience customization][WIN-4]**|❌|Yes|
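Review bot: the row rename from "Personal data encryption (PDE)" to "Personal Data Encryption" drops the abbreviation, which matches the heading change in whats-new, but the neighbouring row "[Microsoft Defender Application Guard (MDAG) for Microsoft Edge]" keeps its abbreviation in parentheses; if abbreviations are being removed as a policy, that row should follow, and if not, the reason for treating PDE differently should be stated.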