diff --git a/.openpublishing.redirection.education.json b/.openpublishing.redirection.education.json
index e27a545a00..77b49e134c 100644
--- a/.openpublishing.redirection.education.json
+++ b/.openpublishing.redirection.education.json
@@ -234,6 +234,78 @@
 "source_path": "education/windows/configure-windows-for-education.md",
 "redirect_url": "/education/windows",
 "redirect_document_id": false
+ },
+
+
+ {
+ "source_path": "education/windows/tutorial-school-deployment/configure-device-apps.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-apps",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/configure-device-settings.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-device-settings",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/configure-devices-overview.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/configure-devices-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/enroll-autopilot.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-autopilot",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/enroll-entra-join.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-entra-join",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/enroll-overview.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/enroll-package.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/enroll-package",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/index.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/introduction",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/manage-overview.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-overview",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/manage-surface-devices.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/manage-surface-devices",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/reset-wipe.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/reset-wipe",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/set-up-microsoft-intune.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/set-up-microsoft-intune",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "education/windows/tutorial-school-deployment/troubleshoot-overview.md",
+ "redirect_url": "/mem/intune/industry/education/tutorial-school-deployment/troubleshoot-overview",
+ "redirect_document_id": false
 }
 ]
 }
\ No newline at end of file
diff --git a/.openpublishing.redirection.windows-configuration.json b/.openpublishing.redirection.windows-configuration.json
index d92acf14b2..f89a157d6b 100644
--- a/.openpublishing.redirection.windows-configuration.json
+++ b/.openpublishing.redirection.windows-configuration.json
@@ -462,7 +462,12 @@
 },
 {
 "source_path": "windows/configuration/windows-spotlight.md",
- "redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
+ "redirect_url": "/windows/configuration/windows-spotlight/index",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/configuration/lock-screen/windows-spotlight.md",
+ "redirect_url": "/windows/configuration/windows-spotlight",
 "redirect_document_id": false
 },
 {
diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 9a07d9ac68..471c829ed5 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -9169,6 +9169,16 @@
 "source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
 "redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/cloud-security/index.md",
+ "redirect_url": "/windows/security/cloud-services",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment",
+ "redirect_document_id": false
 }
 ]
 }
diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md
index 88685f15ae..042df87a74 100644
--- a/education/windows/change-home-to-edu.md
+++ b/education/windows/change-home-to-edu.md
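Review bot: The two Windows Spotlight redirects added in this hunk point at different targets: `windows/configuration/windows-spotlight.md` now goes to `/windows/configuration/windows-spotlight/index`, while the new `windows/configuration/lock-screen/windows-spotlight.md` entry goes to `/windows/configuration/windows-spotlight`, which is presumably the URL the first source file itself used to publish at. If the build serves the new `windows-spotlight/index.md` at both URLs this only costs readers arriving from the lock-screen path a second hop, but if `/windows/configuration/windows-spotlight` is still resolved through the first rule the pair forms a redirect loop. Pointing both entries at the same target, `"redirect_url": "/windows/configuration/windows-spotlight/index",`, removes the ambiguity either way and is worth confirming with the redirect validator before merge, since the first entry's old target was itself the lock-screen path and the swap is easy to get backwards.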
@@ -215,14 +215,6 @@ A multiple activation key activates either individual computers or a group of co
 
 | Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
 |-|-|:-:|:-:|:-:|:-:|
-| **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
-| **Microsoft Entra join** | Organization | X | X | | X |
-| **Microsoft Entra hybrid join** | Organization | X | X | X | X |
-
-## Related links
-
-- [Windows 10 edition upgrade (Windows 10)](/windows/deployment/upgrade/windows-10-edition-upgrades)
-- [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation)
-- [Equip Your Students with Windows 11 Education - Kivuto](https://kivuto.com/windows-11-student-use-benefit/)
-- [Upgrade Windows Home to Windows Pro (microsoft.com)](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818)
-- [Partner Center: Upgrade Education customers from Windows 10 Home to Windows 10 Education](/partner-center/upgrade-windows-to-education)
+| **Workplace join (add work or school account)** | Personal (or student-owned) | ✅ | | | |
+| **Microsoft Entra join** | Organization | ✅ | ✅ | | ✅ |
+| **Microsoft Entra hybrid join** | Organization | ✅ | ✅ | ✅ | ✅ |
diff --git a/education/windows/index.yml b/education/windows/index.yml
index d14d00dd63..942a90b16b 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -63,10 +63,8 @@ productDirectory:
 - title: Learn how to manage Windows devices
 imageSrc: /media/common/i_management.svg
 links:
- - url: tutorial-school-deployment/manage-overview.md
+ - url: /mem/intune/industry/education/tutorial-school-deployment/manage-overview
 text: Manage devices with Microsoft Intune
- - url: tutorial-school-deployment/manage-surface-devices.md
- text: Management functionalities for Surface devices
 - url: /education/windows/get-minecraft-for-education
 text: Get and deploy Minecraft Education
 - url: /windows/client-management
diff --git a/education/windows/toc.yml b/education/windows/toc.yml
index 667c2ddc07..62e4c0d85c 100644
--- a/education/windows/toc.yml
+++ b/education/windows/toc.yml
@@ -4,8 +4,6 @@ items:
 - name: Tutorials
 expanded: true
 items:
- - name: Deploy and manage Windows devices in a school
- href: tutorial-school-deployment/toc.yml
 - name: Deploy applications to Windows 11 SE
 href: tutorial-deploy-apps-winse/toc.yml
 - name: Concepts
diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md
deleted file mode 100644
index 25171ff770..0000000000
--- a/education/windows/tutorial-school-deployment/configure-device-apps.md
+++ /dev/null
@@ -1,77 +0,0 @@ ---- -title: Configure applications with Microsoft Intune -description: Learn how to configure applications with Microsoft Intune in preparation for device deployment. -ms.date: 01/16/2024 -ms.topic: tutorial ---- - -# Configure applications with Microsoft Intune - -With Intune for Education, school IT administrators have access to diverse applications to help students unlock their learning potential. This section discusses tools and resources for adding apps to Intune for Education. - -Applications can be assigned to groups: - -- If you target apps to a **group of users**, the apps will be installed on any managed devices that the users sign into -- If you target apps to a **group of devices**, the apps will be installed on those devices and available to any user who signs in - -> [!div class="checklist"] ->In this section you will: -> -> - Add apps to Intune for Education -> - Assign apps to groups -> - Review some considerations for Windows 11 SE devices - -## Add apps to Intune for Education - -Intune for Education supports the deployment of two types of Windows applications: **web apps** and **desktop apps**. - -:::image type="content" source="./images/intune-education-apps.png" alt-text="Intune for Education - Apps" lightbox="./images/intune-education-apps.png" border="true"::: - -### Desktop apps - -The addition of desktop applications to Intune should be carried out by repackaging the apps, and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. - -### Web apps - -To create web applications in Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Apps** -1. Select **New app** > **New web app** -1. Provide a URL for the web app, a name and, optionally, an icon and description -1. Select **Save** - -For more information, see [Add web apps][INT-2]. 
- -## Assign apps to groups - -To assign applications to a group of users or devices: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Pick a group to manage -1. Select **Apps** -1. Select either **Web apps** or **Windows apps** -1. Select the apps you want to assign to the group > Save - -## Considerations for Windows 11 SE - -Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC). -WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy. - -To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1]. - -## Next steps - -With the applications configured, you can now deploy students' and teachers' devices. - -> [!div class="nextstepaction"] -> [Next: Deploy devices >](enroll-overview.md) - - - -[EDU-1]: ../tutorial-deploy-apps-winse/index.md - -[MEM-1]: /mem/intune/apps/apps-win32-add - -[INT-1]: /intune-education/express-configuration-intune-edu -[INT-2]: /intune-education/add-web-apps-edu \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md deleted file mode 100644 index 5733d483e9..0000000000 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: Configure and secure devices with Microsoft Intune -description: Learn how to configure policies with Microsoft Intune in preparation for device deployment. -ms.date: 01/16/2024 -ms.topic: tutorial -ms.collection: essentials-manage ---- - -# Configure and secure devices with Microsoft Intune - -With Intune for Education, you can configure settings for devices in the school, to ensure that they comply with specific policies. -For example, you may need to secure your devices, ensuring that they are kept up to date. Or you may need to configure all the devices with the same look and feel. - -Settings can be assigned to groups: - -- If you target settings to a **group of users**, those settings will apply, regardless of what managed devices the targeted users sign in to -- If you target settings to a **group of devices**, those settings will apply regardless of who is using the devices - -There are two ways to manage settings in Intune for Education: - -- **Express Configuration.** This option is used to configure a selection of settings that are commonly used in school environments -- **Group settings.** This option is used to configure all settings that are offered by Intune for Education - -> [!NOTE] -> Express Configuration is ideal when you are getting started. Settings are pre-configured to Microsoft-recommended values, but can be changed to fit your school's needs. It is recommended to use Express Configuration to initially set up your Windows devices. - - -> [!div class="checklist"] ->In this section you will: -> -> - Configure settings with Express Configuration -> - Configure group settings -> - Create Windows Update policies -> - Configure security policies - -## Configure settings with Express Configuration - -With Express Configuration, you can get Intune for Education up and running in just a few steps. 
You can select a group of devices or users, select applications to distribute, and choose settings from the most commonly used in schools. - -> [!TIP] -> To learn more, and practice step-by-step Express Configuration in Intune for Education, try this interactive demo. - -## Configure group settings - -Groups are used to manage users and devices with similar management needs, allowing you to apply changes to many devices or users at once. To review the available group settings: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Pick a group to manage -1. Select **Windows device settings** -1. Expand the different categories and review information about individual settings - -Settings that are commonly configured for student devices include: - -- Wallpaper and lock screen background. See: [Lock screen and desktop][INT-7] -- Wi-Fi connections. See: [Add Wi-Fi profiles][INT-8] -- Enablement of the integrated testing and assessment solution *Take a Test*. See: [Add Take a Test profile][INT-9] - -For more information, see [Windows device settings in Intune for Education][INT-3]. - -## Create Windows Update policies - -It is important to keep Windows devices up to date with the latest security updates. You can create Windows Update policies using Intune for Education. - -To create a Windows Update policy: - -1. Select **Groups** > Pick a group to manage -1. Select **Windows device settings** -1. Expand the category **Update and upgrade** -1. Configure the required settings as needed - -For more information, see [Updates and upgrade][INT-6]. - -> [!NOTE] -> If you require a more complex Windows Update policy, you can create it in Microsoft Intune. For more information: -> - [What is Windows Update for Business?][WIN-1] -> - [Manage Windows software updates in Intune][MEM-1] - -## Configure security policies - -It is critical to ensure that the devices you manage are secured using the different security technologies available in Windows. 
-Intune for Education provides different settings to secure devices. - -To create a security policy: - -1. Select **Groups** > Pick a group to manage -1. Select **Windows device settings** -1. Expand the category **Security** -1. Configure the required settings as needed, including - - Windows Defender - - Windows Encryption - - Windows SmartScreen - -For more information, see [Security][INT-4]. - -> [!NOTE] -> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information: -> - [Antivirus][MEM-2] -> - [Disk encryption][MEM-3] -> - [Firewall][MEM-4] -> - [Endpoint detection and response][MEM-5] -> - [Attack surface reduction][MEM-6] -> - [Account protection][MEM-7] - ---- - -## Next steps - -With the Intune service configured, you can configure policies and applications to deploy to your students' and teachers' devices. - -> [!div class="nextstepaction"] -> [Next: Configure applications >](configure-device-apps.md) - - - -[EDU-1]: /education/windows/windows-11-se-overview - -[INT-2]: /intune-education/express-configuration-intune-edu -[INT-3]: /intune-education/all-edu-settings-windows -[INT-4]: /intune-education/all-edu-settings-windows#security -[INT-6]: /intune-education/all-edu-settings-windows#updates-and-upgrade -[INT-7]: /intune-education/all-edu-settings-windows#lock-screen-and-desktop -[INT-8]: /intune-education/add-wi-fi-profile -[INT-9]: /intune-education/take-a-test-profiles - -[WIN-1]: /windows/deployment/update/waas-manage-updates-wufb - -[MEM-1]: /mem/intune/protect/windows-update-for-business-configure -[MEM-2]: /mem/intune/protect/endpoint-security-antivirus-policy -[MEM-3]: /mem/intune/protect/encrypt-devices -[MEM-4]: /mem/intune/protect/endpoint-security-firewall-policy -[MEM-5]: /mem/intune/protect/endpoint-security-edr-policy -[MEM-6]: /mem/intune/protect/endpoint-security-asr-policy -[MEM-7]: /mem/intune/protect/endpoint-security-account-protection-policy \ No newline at end of file 
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md deleted file mode 100644 index 27ad5f3a8d..0000000000 --- a/education/windows/tutorial-school-deployment/configure-devices-overview.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -title: Configure devices with Microsoft Intune -description: Learn how to configure policies and applications in preparation for device deployment. -ms.date: 11/09/2023 -ms.topic: tutorial -ms.collection: essentials-manage ---- - -# Configure settings and applications with Microsoft Intune - -Before distributing devices to your users, you must ensure that the devices will be configured with the required policies, settings, and applications as they get enrolled in Intune. -Microsoft Intune uses Microsoft Entra groups to assign policies and applications to devices. -With Microsoft Intune for Education, you can conveniently create groups and assign policies and applications to them. - - -> [!div class="checklist"] ->In this section you will: -> -> - Create groups -> - Create and assign policies to groups -> - Create and assign applications to groups - -## Create groups - -By organizing devices, students, classrooms, or learning curricula into groups, you can provide students with the resources and configurations they need. - -By default, Intune for Education creates two default groups: *All devices* and *All users*. -Two additional groups are pre-created if you use **Microsoft School Data Sync (SDS)**: *All teachers* and *All students*. SDS can also be configured to automatically create and maintain groups of students and teachers for each school. - -:::image type="content" source="./images/intune-education-groups.png" alt-text="Intune for Education - Groups blade" border="true"::: - -Beyond the defaults, groups can be customized to suit various needs. For example, if you have both *Windows 10* and *Windows 11 SE* devices in your school, you can create groups, such as *Windows 10 devices* and *Windows 11 SE devices*, to assign different policies and applications to. 
- -Two group types can be created: - -- **Assigned groups** are used when you want to manually add users or devices to a group -- **Dynamic groups** reference rules that you create to assign students or devices to groups, which automate the membership's maintenance of those groups - -> [!TIP] -> If you target applications and policies to a *device dynamic group*, they will be applied to the devices as soon as they are enrolled in Intune, before users signs in. This can be useful in bulk enrollment scenarios, where devices are enrolled without requiring users to sign in. Devices can be configured and prepared in advance, before distribution. - -For more information, see: - -- [Create groups in Intune for Education][EDU-1] -- [Manually add or remove users and devices to an existing assigned group][EDU-2] -- [Edit dynamic group rules to accommodate for new devices, locations, or school years][EDU-3] - -________________________________________________________ - -## Next steps - -With the groups created, you can configure policies and applications to deploy to your groups. - -> [!div class="nextstepaction"] -> [Next: Configure policies >](configure-device-settings.md) - - - -[EDU-1]: /intune-education/create-groups -[EDU-2]: /intune-education/edit-groups-intune-for-edu -[EDU-3]: /intune-education/edit-groups-intune-for-edu#edit-dynamic-group-rules diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md deleted file mode 100644 index 23985289cf..0000000000 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ /dev/null 
@@ -1,148 +0,0 @@ ---- -title: Enrollment in Intune with Windows Autopilot -description: Learn how to join Microsoft Entra ID and enroll in Intune using Windows Autopilot. -ms.date: 01/16/2024 -ms.topic: tutorial ---- - -# Windows Autopilot - -Windows Autopilot is designed to simplify all parts of Windows devices lifecycle, from initial deployment through end of life. Using cloud-based services, Windows Autopilot can reduce the overall costs for deploying, managing, and retiring devices. - -Traditionally, IT pros spend a significant amount of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new, simplified approach. Devices don't need to be reimaged, rather they can be deployed with the OEM image, and customized using cloud-based services. - -From the user's perspective, it only takes a few simple operations to make their device ready to use. The only interaction required from the end user is to set their language and regional settings, connect to a network, and verify their credentials. Everything beyond that is automated. - -## Prerequisites - -Before setting up Windows Autopilot, consider these prerequisites: - -- **Software requirements.** Ensure your school and devices meet the [software, networking, licensing, and configuration requirements][WIN-1] for Windows Autopilot -- **Devices ordered and registered.** Ensure your school IT administrator or Microsoft partner has ordered the devices from an original equipment manufacturer (OEM) and registered them for the Autopilot deployment service. To connect with a partner, you can use the [Microsoft Partner Center][MSFT-1] and work with them to register your devices -- **Networking requirements.** Ensure students know to connect to the school network during OOBE setup. 
For more information on managing devices behind firewalls and proxy servers, see [Network endpoints for Microsoft Intune][MEM-1] - -> [!NOTE] -> Where not explicitly specified, both HTTPS (443) and HTTP (80) must be accessible. If you are auto-enrolling your devices into Microsoft Intune or deploying Microsoft Office, follow the networking guidelines for [Microsoft Intune][INT-1] and [Microsoft 365][M365-1]. - -## Register devices to Windows Autopilot - -Before deployment, devices must be registered in the Windows Autopilot service. Each device's unique hardware identity (known as a *hardware hash*) must be uploaded to the Autopilot service. In this way, the Autopilot service can recognize which tenant devices belong to, and which OOBE experience it should present. There are three main ways to register devices to Autopilot: - -- **OEM registration process.** When you purchase devices from an OEM or Reseller, that company can automatically register devices to Windows Autopilot and associate them to your tenant. Before this registration can happen, a *Global Administrator* must grant the OEM/Reseller permissions to register devices. For more information, see [OEM registration][MEM-2] - > [!NOTE] - > For **Microsoft Surface registration**, collect the details shown in this [documentation table][SURF-1] and follow the instruction to submit the request form to Microsoft Support. -- **Cloud Solution Provider (CSP) registration process.** As with OEMs, CSP partners must be granted permission to register devices for a school. For more information, see [Partner registration][MEM-5] - > [!TIP] - > Try the Microsoft Partner Center clickable demo, which provides detailed steps to establish a partner relationship and register devices. -- **Manual registration.** To manually register a device, you must first capture its hardware hash. 
Once this process has been completed, the hardware hash can be uploaded to the Windows Autopilot service using [Microsoft Intune][MEM-6] - > [!IMPORTANT] - > **Windows 11 SE** devices do not support the use of Windows PowerShell or Microsoft Configuration Manager to capture hardware hashes. Hardware hashes can only be captured manually. We recommend working with an OEM, partner, or device reseller to register devices. - -## Create groups for Autopilot devices - -**Windows Autopilot deployment profiles** determine the Autopilot *deployment mode* and define the out-of-box experience of your devices. A device group is required to assign a Windows Autopilot deployment profile to the devices. -For this task, it's recommended to create dynamic device groups using Autopilot attributes. - -Here are the steps for creating a dynamic group for the devices that have an assigned Autopilot group tag: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > **Create group** -1. Specify a **Group name** and select **Dynamic** -1. Under **Rules**, select **I want to manage: Devices** and use the clause **Where: Device group tag starts with**, specifying the required tag value -1. Select **Create group** - :::image type="content" source="./images/intune-education-autopilot-group.png" alt-text="Intune for Education - creation of a dynamic group for Autopilot devices" border="true"::: - -More advanced dynamic membership rules can be created from Microsoft Intune admin center. For more information, see [Create an Autopilot device group using Intune][MEM-3]. - -> [!TIP] -> You can use these dynamic groups not only to assign Autopilot profiles, but also to target applications and settings. - -## Create Autopilot deployment profiles - -For Autopilot devices to offer a customized OOBE experience, you must create **Windows Autopilot deployment profiles** and assign them to a group containing the devices. 
-A deployment profile is a collection of settings that determine the behavior of the device during OOBE. Among other settings, a deployment profile specifies a **deployment mode**, which can either be: - -1. **User-driven:** devices with this profile are associated with the user enrolling the device. User credentials are required to complete the Microsoft Entra join process during OOBE -1. **Self-deploying:** devices with this profile aren't associated with the user enrolling the device. User credentials aren't required to complete the Microsoft Entra join process. Rather, the device is joined automatically and, for this reason, specific hardware requirements must be met to use this mode - -To create an Autopilot deployment profile: - -1. Sign in to the Intune for Education portal -1. Select **Groups** > Select a group from the list -1. Select **Windows device settings** -1. Expand the **Enrolment** category -1. From **Configure Autopilot deployment profile for device** select **User-driven** -1. Ensure that **User account type** is configured as **Standard** -1. Select **Save** - -While Intune for Education offers simple options for Autopilot configurations, more advanced deployment profiles can be created from Microsoft Intune admin center. For more information, see [Windows Autopilot deployment profiles][MEM-4]. - -### Configure an Enrollment Status Page - -An Enrollment Status Page (ESP) is a greeting page displayed to users while enrolling or signing in for the first time to Windows devices. The ESP displays provisioning progress, showing applications and profiles installation status. - -:::image type="content" source="./images/win11-oobe-esp.gif" alt-text="Windows OOBE - enrollment status page animation." border="false"::: - -> [!NOTE] -> Some Windows Autopilot deployment profiles **require** the ESP to be configured. - -To deploy the ESP to devices, you need to create an ESP profile in Microsoft Intune. 
- -> [!TIP] -> While testing the deployment process, you can configure the ESP to: -> - allow the reset of the devices in case the installation fails -> - allow the use of the device if installation error occurs -> -> This enables you to troubleshoot the installation process in case any issues arise and to easily reset the OS. You can turn these settings off once you are done testing. - -For more information, see [Set up the Enrollment Status Page][MEM-3]. - -> [!CAUTION] -> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3]. - -### Autopilot end-user experience - -Once configuration is complete and devices are distributed, students and teachers are able to complete the out-of-box experience with Autopilot. They can set up their devices at home, at school, or wherever there's a reliable Internet connection. -When a Windows device is turned on for the first time, the end-user experience with Windows Autopilot is as follows: - -1. Identify the language and region -1. Select the keyboard layout and decide on the option for a second keyboard layout -1. Connect to the internet: if connecting through Wi-Fi, the user will be prompted to connect to a wireless network. If the device is connected through an ethernet cable, Windows will skip this step -1. Apply updates: the device will look for and apply required updates -1. Windows will detect if the device has an Autopilot profile assigned to it. If so, it will proceed with the customized OOBE experience. If the Autopilot profile specifies a naming convention for the device, the device will be renamed, and a reboot will occur -1. The user authenticates to Microsoft Entra ID, using the school account -1. 
The device joins Microsoft Entra ID, enrolls in Intune and all the settings and applications are configured - -> [!NOTE] -> Some of these steps may be skipped, depending on the Autopilot profile configuration and if the device is using a wired connection. - -:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: - -________________________________________________________ -## Next steps - -With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. - -> [!div class="nextstepaction"] -> [Next: Manage devices >](manage-overview.md) - - - -[MEM-1]: /mem/intune/fundamentals/intune-endpoints -[MEM-2]: /mem/autopilot/oem-registration -[MEM-3]: /mem/autopilot/enrollment-autopilot#create-an-autopilot-device-group-using-intune -[MEM-4]: /mem/autopilot/profiles -[MEM-5]: /mem/autopilot/partner-registration -[MEM-6]: /mem/autopilot/add-devices - -[WIN-1]: /windows/deployment/windows-autopilot/windows-autopilot-requirements - -[MSFT-1]: https://partner.microsoft.com/ - -[INT-1]: /intune/network-bandwidth-use - -[M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 - -[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page - -[SURF-1]: /surface/surface-autopilot-registration-support diff --git a/education/windows/tutorial-school-deployment/enroll-entra-join.md b/education/windows/tutorial-school-deployment/enroll-entra-join.md deleted file mode 100644 index e599fca7ac..0000000000 --- a/education/windows/tutorial-school-deployment/enroll-entra-join.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -title: Enrollment in Intune with standard out-of-box experience (OOBE) -description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Automatic Intune enrollment via Microsoft Entra join - -If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune. -With this process, no advance preparation is needed: - -1. Follow the on-screen prompts for region selection, keyboard selection, and network connection -1. Wait for updates. If any updates are available, they'll be installed at this time - :::image type="content" source="./images/win11-oobe-updates.png" alt-text="Windows 11 OOBE - updates page" border="true"::: -1. When prompted, select **Set up for work or school** and authenticate using your school's Microsoft Entra account - :::image type="content" source="./images/win11-oobe-auth.png" alt-text="Windows 11 OOBE - authentication page" border="true"::: -1. The device will join Microsoft Entra ID and automatically enroll in Intune. All settings defined in Intune will be applied to the device - -> [!IMPORTANT] -> If you configured enrollment restrictions in Intune blocking personal Windows devices, this process will not complete. You will need to use a different enrollment method, or ensure that the devices are registered in Autopilot. - -:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false"::: - ---- - -## Next steps - -With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. - -> [!div class="nextstepaction"] -> [Next: Manage devices >](manage-overview.md) 
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
deleted file mode 100644
index 8410be0db9..0000000000
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ /dev/null
@@ -1,31 +0,0 @@ ---- -title: Device enrollment overview -description: Learn about the different options to enroll Windows devices in Microsoft Intune -ms.date: 11/09/2023 -ms.topic: overview ---- - -# Device enrollment overview - -There are three main methods for joining Windows devices to Microsoft Entra ID and getting them enrolled and managed by Intune: - -- **Automatic Intune enrollment via Microsoft Entra join** happens when a user first turns on a device that is in out-of-box experience (OOBE), and selects the option to join Microsoft Entra ID. In this scenario, the user can customize certain Windows functionalities before reaching the desktop, and becomes a local administrator of the device. This option isn't an ideal enrollment method for education devices -- **Bulk enrollment with provisioning packages.** Provisioning packages are files that can be used to set up Windows devices, and can include information to connect to Wi-Fi networks and to join a Microsoft Entra tenant. Provisioning packages can be created using either **Set Up School PCs** or **Windows Configuration Designer** applications. These files can be applied during or after the out-of-box experience -- **Enrollment via Windows Autopilot.** Windows Autopilot is a collection of cloud services to configure the out-of-box experience, enabling light-touch or zero-touch deployment scenarios. Windows Autopilot simplifies the Windows device lifecycle, from initial deployment to end of life, for OEMs, resellers, IT administrators and end users - -## Choose the enrollment method - -**Windows Autopilot** and the **Set up School PCs** app are usually the most efficient options for school environments. -This [table][INT-1] describes the ideal scenarios for using either option. It's recommended to review the table when planning your enrollment and deployment strategies. 
- -:::image type="content" source="./images/enroll.png" alt-text="The device lifecycle for Intune-managed devices - enrollment" border="false"::: - -Select one of the following options to learn the next steps about the enrollment method you chose: -> [!div class="op_single_selector"] -> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md) -> - [Bulk enrollment with provisioning packages](enroll-package.md) -> - [Enroll devices with Windows Autopilot](enroll-autopilot.md) - - - -[INT-1]: /intune-education/add-devices-windows#when-to-use-set-up-school-pcs-vs-windows-autopilot diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md deleted file mode 100644 index 22f7c70443..0000000000 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -title: Enrollment of Windows devices with provisioning packages -description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Enrollment with provisioning packages - -Enrolling devices with provisioning packages is an efficient way to deploy a large number of Windows devices. Some of the benefits of provisioning packages are: - -- There are no particular hardware dependencies on the devices to complete the enrollment process -- Devices don't need to be registered in advance -- Enrollment is a simple task: just open a provisioning package and the process is automated - -You can create provisioning packages using either **Set Up School PCs** or **Windows Configuration Designer** applications, which are described in the following sections. - -## Set up School PCs - -With Set up School PCs, you can create a package containing the most common device configurations that students need, and enroll devices in Intune. The package is saved on a USB stick, which can then be plugged into devices during OOBE. Applications and settings will be automatically applied to the devices, including the Microsoft Entra join and Intune enrollment process. - -### Create a provisioning package - -The Set Up School PCs app guides you through configuration choices for school-owned devices. - -:::image type="content" source="./images/supcs-win11se.png" alt-text="Configure device settings in Set Up School PCs app" border="false"::: - -> [!CAUTION] -> If you are creating a provisioning package for **Windows 11 SE** devices, ensure to select the correct *OS version* in the *Configure device settings* page. - -Set Up School PCs will configure many settings, allowing you to optimize devices for shared use and other scenarios. - -For more information on prerequisites, configuration, and recommendations, see [Use the Set Up School PCs app][EDU-1]. 
- -> [!TIP] -> To learn more and practice with Set up School PCs, try the Set Up School PCs demo, which provides detailed steps to create a provisioning package and deploy a device. -## Windows Configuration Designer - -Windows Configuration Designer is especially useful in scenarios where a school needs to provision packages for both bring-you-own devices and school-owned devices. Differently from Set Up School PCs, Windows Configuration Designer doesn't offer a guided experience, and allows granular customizations, including the possibility to embed scripts in the package. - -:::image type="content" source="./images/wcd.png" alt-text="Set up device page in Windows Configuration Designer" border="false"::: - -For more information, see [Install Windows Configuration Designer][WIN-1], which provides details about the app, its provisioning process, and considerations for its use. - -## Enroll devices with the provisioning package - -To provision Windows devices with provisioning packages, insert the USB stick containing the package during the out-of-box experience. The devices will read the content of the package, join Microsoft Entra ID and automatically enroll in Intune. -All settings defined in the package and in Intune will be applied to the device, and the device will be ready to use. - -:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false"::: - ---- - -## Next steps - -With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status. - -> [!div class="nextstepaction"] -> [Next: Manage devices >](manage-overview.md) - - - -[EDU-1]: /education/windows/use-set-up-school-pcs-app - -[WIN-1]: /windows/configuration/provisioning-packages/provisioning-install-icd 
diff --git a/education/windows/tutorial-school-deployment/images/advanced-support.png b/education/windows/tutorial-school-deployment/images/advanced-support.png
deleted file mode 100644
index d7655d1616..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/advanced-support.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/device-lifecycle.png b/education/windows/tutorial-school-deployment/images/device-lifecycle.png
deleted file mode 100644
index ab14cdb9f0..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/device-lifecycle.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png b/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png
deleted file mode 100644
index 3386f7673a..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/dfci-profile-expanded.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/dfci-profile.png b/education/windows/tutorial-school-deployment/images/dfci-profile.png
deleted file mode 100644
index d77dc06f3d..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/dfci-profile.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/enroll.png b/education/windows/tutorial-school-deployment/images/enroll.png
deleted file mode 100644
index 352cda9509..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/enroll.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png b/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png
deleted file mode 100644
index 69b22745a6..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/enrollment-restrictions.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png b/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png
deleted file mode 100644
index 3f031053d5..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-assign-licenses.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-branding.png b/education/windows/tutorial-school-deployment/images/entra-branding.png
deleted file mode 100644
index 7201c7386d..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-branding.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-device-settings.png b/education/windows/tutorial-school-deployment/images/entra-device-settings.png
deleted file mode 100644
index ef18b7391f..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-device-settings.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png b/education/windows/tutorial-school-deployment/images/entra-tenant-name.png
deleted file mode 100644
index 4cf21148d1..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/entra-tenant-name.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png b/education/windows/tutorial-school-deployment/images/intune-diagnostics.png
deleted file mode 100644
index 20b05ad9d7..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-diagnostics.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-apps.png b/education/windows/tutorial-school-deployment/images/intune-education-apps.png
deleted file mode 100644
index ca344cf5cf..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-apps.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png b/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png
deleted file mode 100644
index 75543684ca..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-autopilot-group.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-groups.png b/education/windows/tutorial-school-deployment/images/intune-education-groups.png
deleted file mode 100644
index 87f4546e88..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-groups.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/intune-education-portal.png b/education/windows/tutorial-school-deployment/images/intune-education-portal.png
deleted file mode 100644
index 6bcc9f9375..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/intune-education-portal.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/inventory-reporting.png b/education/windows/tutorial-school-deployment/images/inventory-reporting.png
deleted file mode 100644
index 39c904e205..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/inventory-reporting.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/m365-admin-center.png b/education/windows/tutorial-school-deployment/images/m365-admin-center.png
deleted file mode 100644
index d471b441dd..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/m365-admin-center.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/protect-manage.png b/education/windows/tutorial-school-deployment/images/protect-manage.png
deleted file mode 100644
index 7ee7040a46..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/protect-manage.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/remote-actions.png b/education/windows/tutorial-school-deployment/images/remote-actions.png
deleted file mode 100644
index cfbd12f2da..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/remote-actions.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/retire.png b/education/windows/tutorial-school-deployment/images/retire.png
deleted file mode 100644
index c079cfeaac..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/retire.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/supcs-win11se.png b/education/windows/tutorial-school-deployment/images/supcs-win11se.png
deleted file mode 100644
index 700ff6d87f..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/supcs-win11se.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png b/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png
deleted file mode 100644
index 339bd90904..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/surface-management-portal-expanded.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/surface-management-portal.png b/education/windows/tutorial-school-deployment/images/surface-management-portal.png
deleted file mode 100644
index a1b7dd37ab..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/surface-management-portal.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/wcd.png b/education/windows/tutorial-school-deployment/images/wcd.png
deleted file mode 100644
index fba5be741f..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/wcd.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/whfb-disable.png b/education/windows/tutorial-school-deployment/images/whfb-disable.png
deleted file mode 100644
index 97177965e3..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/whfb-disable.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png b/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png
deleted file mode 100644
index 0ec380619e..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-autopilot-reset.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-login-screen.png b/education/windows/tutorial-school-deployment/images/win11-login-screen.png
deleted file mode 100644
index 438dda11bc..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-login-screen.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png b/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png
deleted file mode 100644
index 5ebb6a9f14..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-auth.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif
deleted file mode 100644
index fa2e4c3aeb..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-esp.gif and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif b/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif
deleted file mode 100644
index 2defd5c1ce..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-ppkg.gif and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png b/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png
deleted file mode 100644
index 51bbc39c9f..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-oobe-updates.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/images/win11-wipe.png b/education/windows/tutorial-school-deployment/images/win11-wipe.png
deleted file mode 100644
index 027afae172..0000000000
Binary files a/education/windows/tutorial-school-deployment/images/win11-wipe.png and /dev/null differ
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
deleted file mode 100644
index c72273b7aa..0000000000
--- a/education/windows/tutorial-school-deployment/index.md
+++ /dev/null
@@ -1,81 +0,0 @@ ---- -title: Introduction to the tutorial deploy and manage Windows devices in a school -description: Introduction to deployment and management of Windows devices in education environments. -ms.date: 11/09/2023 -ms.topic: tutorial -ms.collection: essentials-get-started ---- - -# Tutorial: deploy and manage Windows devices in a school - -This guide introduces the tools and services available from Microsoft to deploy, configure and manage Windows devices in an education environment. - -## Audience and user requirements - -This tutorial is intended for education professionals responsible for deploying and managing Windows devices, including: - -- School leaders -- IT administrators -- Teachers -- Microsoft partners - -This content provides a comprehensive path for schools to deploy and manage new Windows devices with Microsoft Intune. It includes step-by-step information how to manage devices throughout their lifecycle, and specific guidance for **Windows 11 SE** and **Surface devices**. - -> [!NOTE] -> Depending on your school setup scenario, you may not need to implement all steps. - -## Device lifecycle management - -Historically, school IT administrators and educators have struggled to find an easy-to-use, flexible, and secure way to manage the lifecycle of the devices in their schools. In response, Microsoft has developed integrated suites of products for streamlined, cost-effective device lifecycle management. - -Microsoft 365 Education provides tools and services that enable simplified management of all devices through Microsoft Intune services. With Microsoft's solutions, IT administrators have the flexibility to support diverse scenarios, including school-owned devices and bring-your-own devices. 
-Microsoft Intune services include: - -- [Microsoft Intune][MEM-1] -- [Microsoft Intune for Education][INT-1] -- [Configuration Manager][MEM-2] -- [Desktop Analytics][MEM-3] -- [Windows Autopilot][MEM-4] -- [Surface Management Portal][MEM-5] - -These services are part of the Microsoft 365 stack to help secure access, protect data, and manage risk. - -## Why Intune for Education? - -Windows devices can be managed with Intune for Education, enabling simplified management of multiple devices from a single point. -From enrollment, through configuration and protection, to resetting, Intune for Education helps school IT administrators manage and optimize the devices throughout their lifecycle: - -:::image type="content" source="./images/device-lifecycle.png" alt-text="The device lifecycle for Intune-managed devices" border="false"::: - -- **Enroll:** to enable remote device management, devices must be enrolled in Intune with an account in your Microsoft Entra tenant. Some enrollment methods require an IT administrator to initiate enrollment, while others require students to complete the initial device setup process. This document discusses the facets of various device enrollment methodologies -- **Configure:** once the devices are enrolled in Intune, applications and settings will be applied, as defined by the IT administrator -- **Protect and manage:** in addition to its configuration capabilities, Intune for Education helps protect devices from unauthorized access or malicious attacks. For example, adding an extra layer of authentication with Windows Hello can make devices more secure. Policies are available that let you control settings for Windows Firewall, Endpoint Protection, and software updates -- **Retire:** when it's time to repurpose a device, Intune for Education offers several options, including resetting the device, removing it from management, or wiping school data. 
In this document, we cover different device return and exchange scenarios - -## Four pillars of modern device management - -In the remainder of this document, we'll discuss the key concepts and benefits of modern device management with Microsoft 365 solutions for education. The guidance is organized around the four main pillars of modern device management: - -- **Identity management:** setting up and configuring the identity system, with Microsoft 365 Education and Microsoft Entra ID, as the foundation for user identity and authentication -- **Initial setup:** setting up the Intune for Education environment for managing devices, including configuring settings, deploying applications, and defining updates cadence -- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education -- **Device reset:** Resetting managed devices with Intune for Education - ---- - -## Next steps - -Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment. - -> [!div class="nextstepaction"] -> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md) - - - -[MEM-1]: /mem/intune/fundamentals/what-is-intune -[MEM-2]: /mem/configmgr/core/understand/introduction -[MEM-3]: /mem/configmgr/desktop-analytics/overview -[MEM-4]: /mem/autopilot/windows-autopilot -[MEM-5]: /mem/autopilot/dfci-management - -[INT-1]: /intune-education/what-is-intune-for-education diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md deleted file mode 100644 index 0a51b174b9..0000000000 --- a/education/windows/tutorial-school-deployment/manage-overview.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Manage devices with Microsoft Intune -description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Manage devices with Microsoft Intune - -Microsoft Intune offers a streamlined remote device management experience throughout the school year. IT administrators can optimize device settings, deploy new applications, updates, ensuring that security and privacy are maintained. - -:::image type="content" source="./images/protect-manage.png" alt-text="The device lifecycle for Intune-managed devices - protect and manage devices" border="false"::: - -## Remote device management - -With Intune for Education, there are several ways to manage students' devices. Groups can be created to organize devices and students, to facilitate remote management. You can determine which applications students have access to, and fine tune device settings and restrictions. You can also monitor which devices students sign in to, and troubleshoot devices remotely. - -### Remote actions - -Intune fo Education allows you to perform actions on devices without having to sign in to the devices. For example, you can send a command to a device to restart or to turn off, or you can locate a device. - -:::image type="content" source="./images/remote-actions.png" alt-text="Remote actions available in Intune for Education when selecting a Windows device" lightbox="./images/remote-actions.png" border="true"::: - -With bulk actions, remote actions can be performed on multiple devices at once. - -To learn more about remote actions in Intune for Education, see [Remote actions][EDU-1]. - -## Remote assistance - -With devices managed by Intune for Education, you can remotely assist students and teachers that are having issues with their devices. - -For more information, see [Remote assistance for managed devices - Intune for Education][EDU-2]. 
- -## Device inventory and reporting - -With Intune for Education, it's possible view and report on current devices, applications, settings, and overall health. You can also download reports to review or share offline. - -Here are the steps for generating reports in Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Reports** -1. Select between one of the report types: - - Device inventory - - Device actions - - Application inventory - - Settings errors - - Windows Defender - - Autopilot deployment -1. If needed, use the search box to find specific devices, applications, and settings -1. To download a report, select **Download**. The report will download as a comma-separated value (CSV) file, which you can view and modify in a spreadsheet app like Microsoft Excel. - :::image type="content" source="./images/inventory-reporting.png" alt-text="Reporting options available in Intune for Education when selecting the reports blade" border="true"::: - -To learn more about reports in Intune for Education, see [Reports in Intune for Education][EDU-3]. - - - -[EDU-1]: /intune-education/edu-device-remote-actions -[EDU-2]: /intune-education/remote-assist-mobile-devices -[EDU-3]: /intune-education/what-are-reports diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md deleted file mode 100644 index 028dc739c7..0000000000 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: Management functionalities for Surface devices -description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal. -ms.date: 11/09/2023 -ms.topic: tutorial -appliesto: - - ✅ Surface devices ---- - -# Management functionalities for Surface devices - -Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them. - -## Manage device firmware for Surface devices - -Surface devices use a Unified Extensible Firmware Interface (UEFI) setting that allows you to enable or disable built-in hardware components, protect UEFI settings from being changed, and adjust device boot configuration. With [Device Firmware Configuration Interface profiles built into Intune][INT-1], Surface UEFI management extends the modern management capabilities to the hardware level. Windows can pass management commands from Intune to UEFI for Autopilot-deployed devices. - -DFCI supports zero-touch provisioning, eliminates BIOS passwords, and provides control of security settings for boot options, cameras and microphones, built-in peripherals, and more. For more information, see [Manage DFCI on Surface devices][SURF-1] and [Manage DFCI with Windows Autopilot][MEM-1], which includes a list of requirements to use DFCI. - -:::image type="content" source="./images/dfci-profile.png" alt-text="Creation of a DFCI profile from Microsoft Intune" lightbox="./images/dfci-profile-expanded.png" border="true"::: - -## Microsoft Surface Management Portal - -Located in the Microsoft Intune admin center, the Microsoft Surface Management Portal enables you to self-serve, manage, and monitor your school's Intune-managed Surface devices at scale. Get insights into device compliance, support activity, warranty coverage, and more. 
- -When Surface devices are enrolled in cloud management and users sign in for the first time, information automatically flows into the Surface Management Portal, giving you a single pane of glass for Surface-specific administration activities. - -To access and use the Surface Management Portal: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. Select **All services** > **Surface Management Portal** - :::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true"::: -1. To obtain insights for all your Surface devices, select **Monitor** - - Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here -1. To obtain details on each insights category, select **View report** - - This dashboard displays diagnostic information that you can customize and export -1. To obtain the device's warranty information, select **Device warranty and coverage** -1. To review a list of support requests and their status, select **Support requests** - - - -[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows -[MEM-1]: /mem/autopilot/dfci-management -[SURF-1]: /surface/surface-manage-dfci-guide diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md deleted file mode 100644 index 9646537bac..0000000000 --- a/education/windows/tutorial-school-deployment/reset-wipe.md +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -title: Reset and wipe Windows devices -description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Device reset options - -There are different scenarios that require a device to be reset, for example: - -- The device isn't responding to commands -- The device is lost or stolen -- It's the end of the life of the device -- It's the end of the school year and you want to prepare the device for a new school year -- The device has hardware problems and you want to send it to the service center - -:::image type="content" source="./images/retire.png" alt-text="The device lifecycle for Intune-managed devices - retirement" border="false"::: - -Intune for Education provides two device reset functionalities that enable IT administrators to remotely execute them: - -- **Factory reset** (also known as **wipe**) is used to wipe all data and settings from the device, returning it to the default factory settings -- **Autopilot reset** is used to return the device to a fully configured or known IT-approved state - -## Factory reset (wipe) - -A factory reset, or a wipe, reverts a device to the original settings when it was purchased. All settings, applications and data installed on the device after purchase are removed. The device is also removed from Intune management. - -Once the wipe is completed, the device will be in out-of-box experience. - -Here are the steps to perform a factory reset from Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Devices** -1. Select the device you want to reset > **Factory reset** -1. 
Select **Factory reset** to confirm the action - -:::image type="content" source="./images/win11-wipe.png" alt-text="Three screenshots showing the device being wiped, ending up in OOBE" lightbox="./images/win11-wipe.png" border="false"::: - -Consider using factory reset in the following example scenarios: - -- The device isn't working properly, and you want to reset it without reimaging it -- It's the end of school year and you want to prepare the device for a new school year -- You need to reassign the device to a different student, and you want to reset the device to its original settings -- You're returning a device to the service center, and you want to remove all data and settings from the device - -> [!TIP] -> Consider that once the device is wiped, the new user will go through OOBE. This option may be ideal if the device is also registered in Autopilot to make the OOBE experience seamless, or if you plan to use a provisioning package to re-enroll the device. - -## Autopilot Reset - -Autopilot Reset is ideal when all data on a device needs to be wiped, but the device remains enrolled in your tenant. - -Once the Autopilot reset action is completed, the device will ask to chose region and keyboard layout, then it will display the sign-in screen. - -Here are the steps to perform an Autopilot reset from Intune for Education: - -1. Sign in to the Intune for Education portal -1. Select **Devices** -1. Select the device you want to reset > **Autopilot reset** -1. 
Select **Autopilot reset** to confirm the action - -:::image type="content" source="./images/win11-autopilot-reset.png" alt-text="Three screenshots showing the device being wiped, ending up in the login screen" border="false"::: - -Consider using Autopilot reset in the following example scenarios: - -- The device isn't working properly, and you want to reset it without reimaging it -- It's the end of school year and you want to prepare the device for a new school year -- You need to reassign the device to a different student, and you want to reset the device to without requiring the student to go through OOBE - -> [!TIP] -> Consider that the end user will **not** go through OOBE, and the association of the user to the device in Intune doesn't change. For this reason, this option may be ideal for devices that have been enrolled in Intune as *shared devices* (for example, a device that was enrolled with a provisioning package or using Autopilot self-deploying mode). - -## Wiping and deleting a device - -There are scenarios that require a device to be deleted from your tenant, for example: - -- The device is lost or stolen -- It's the end of the life of the device -- The device has been replaced with a new device or has its motherboard replaced - -> [!IMPORTANT] -> The following actions should only be performed for devices that are no longer going to be used in your tenant. - - To completely remove a device, you need to perform the following actions: - -1. If possible, perform a **factory reset (wipe)** of the device. If the device can't be wiped, delete the device from Intune using [these steps][MEM-1] -1. If the device is registered in Autopilot, delete the Autopilot object using [these steps][MEM-2] -1. Delete the device from Microsoft Entra ID using [these steps][MEM-3] - -## Autopilot considerations for a motherboard replacement scenario - -Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be balanced with Autopilot requirements. 
If a motherboard replacement is needed on an Autopilot device, it's suggested the following process: - -1. Deregister the device from Autopilot -1. Replace the motherboard -1. Capture a new device ID (4K HH) -1. Re-register the device with Autopilot - > [!IMPORTANT] - > For DFCI management, the device must be re-registered by a partner or OEM. Self-registration of devices is not supported with DFCI management. -1. Reset the device -1. Return the device - -For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4]. - - - -[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal -[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal -[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal -[MEM-4]: /mem/autopilot/autopilot-mbr diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md deleted file mode 100644 index 845d66a892..0000000000 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md +++ /dev/null 
@@ -1,173 +0,0 @@ ---- -title: Set up Microsoft Entra ID -description: Learn how to create and prepare your Microsoft Entra tenant for an education environment. -ms.date: 01/16/2024 -ms.topic: tutorial -appliesto: ---- - -# Set up Microsoft Entra ID - -The Microsoft platform for education simplifies the management of Windows devices with Intune for Education and Microsoft 365 Education. The first, fundamental step, is to configure the identity infrastructure to manage user access and permissions for your school. - -Microsoft Entra ID, which is included with the Microsoft 365 Education subscription, provides authentication and authorization to any Microsoft cloud services. Identity objects are defined in Microsoft Entra ID for human identities, like students and teachers, as well as non-human identities, like devices, services, and applications. Once users get Microsoft 365 licenses assigned, they'll be able to consume services and access resources within the tenant. With Microsoft 365 Education, you can manage identities for your teachers and students, assign licenses to devices and users, and create groups for the classrooms. - -> [!div class="checklist"] ->In this section you will: -> -> - Set up a Microsoft 365 Education tenant -> - Add users, create groups, and assign licenses -> - Configure school branding -> - Enable bulk enrollment - -## Create a Microsoft 365 tenant - -If you don't already have a Microsoft 365 tenant, you'll need to create one. - -For more information, see [Create your Office 365 tenant account][M365-1] - -> [!TIP] -> To learn more, and practice how to configure the Microsoft 365 tenant for your school, try this interactive demo. -### Explore the Microsoft 365 admin center - -The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. 
To access the Microsoft Entra admin center, sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). - -From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others: - -:::image type="content" source="./images/m365-admin-center.png" alt-text="*All admin centers* page in *Microsoft 365 admin center*" lightbox="./images/m365-admin-center.png" border="true"::: - -For more information, see [Overview of the Microsoft 365 admin center][M365-2]. - -> [!NOTE] -> Setting up your school's basic cloud infrastructure does not require you to complete the rest of the Microsoft 365 setup. For this reason, we will skip directly to adding students and teachers as users in the Microsoft 365 tenant. - -## Add users, create groups, and assign licenses - -With the Microsoft 365 tenant in place, it's time to add users, create groups, and assign licenses. All students and teachers need a user account before they can sign in and access the different Microsoft 365 services. There are multiple ways to do this, including using School Data Sync (SDS), synchronizing an on-premises Active Directory, manually, or a combination of the above. - -> [!NOTE] -> Synchronizing your Student Information System (SIS) with School Data Sync is the preferred way to create students and teachers as users in a Microsoft 365 Education tenant. However, if you want to integrate an on-premises directory and synchronize accounts to the cloud, skip to [Microsoft Entra Connect Sync](#microsoft-entra-connect-sync) below. - -### School Data Sync - -School Data Sync (SDS) imports and synchronizes SIS data to create classes in Microsoft 365, such as Microsoft 365 groups and class teams in Microsoft Teams. SDS can be used to create new, cloud-only, identities or to evolve existing identities. 
Users evolve into *students* or *teachers* and are associated with a *grade*, *school*, and other education-specific attributes. - -For more information, see [Overview of School Data Sync][SDS-1]. - -> [!TIP] -> To learn more and practice with School Data Sync, follow the Microsoft School Data Sync demo, which provides detailed steps to access, configure, and deploy School Data Sync in your Microsoft 365 Education tenant. - -> [!NOTE] -> You can perform a test deployment by cloning or downloading sample SDS CSV school data from the [O365-EDU-Tools GitHub site](https://github.com/OfficeDev/O365-EDU-Tools). -> -> Remember that you should typically deploy test SDS data (users, groups, and so on) in a separate test tenant, not your school production environment. - -### Microsoft Entra Connect Sync - -To integrate an on-premises directory with Microsoft Entra ID, you can use **Microsoft Entra Connect** to synchronize users, groups, and other objects. Microsoft Entra Connect lets you configure the authentication method appropriate for your school, including: - -- [Password hash synchronization][AAD-1] -- [Pass-through authentication][AAD-2] -- [Federated authentication][AAD-3] - -For more information, see [Set up directory synchronization for Microsoft 365][O365-1]. - -### Create users manually - -In addition to the above methods, you can manually add users and groups, and assign licenses through the Microsoft 365 admin center. - -There are two options for adding users manually, either individually or in bulk: - -1. To add students and teachers as users in Microsoft 365 Education *individually*: - - Sign in to the Microsoft Entra admin center - - Select **Microsoft Entra ID** > **Users** > **All users** > **New user** > **Create new user** - For more information, see [Add users and assign licenses at the same time][M365-3]. -1. 
To add *multiple* users to Microsoft 365 Education: - - Sign in to the Microsoft Entra admin center - - Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create** - -For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4]. - -### Create groups - -Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups: - -1. Sign in to the Microsoft Entra admin center -1. Select **Microsoft Entra ID** > **Groups** > **All groups** > **New group** -1. On the **New group** page, select **Group type** > **Security** -1. Provide a group name and add members, as needed -1. Select **Next** - -For more information, see [Create a group in the Microsoft 365 admin center][M365-5]. - -### Assign licenses - -The recommended way to assign licenses is through group-based licensing. With this method, Microsoft Entra ID ensures that licenses are assigned to all members of the group. Any new members who join the group are assigned the appropriate licenses, and when members leave, their licenses are removed. - -To assign a license to a group: - -1. Sign in to the Microsoft Entra admin center -1. Select **Microsoft Entra ID** > **Show More** > **Billing** > **Licenses** -1. Select the required products that you want to assign licenses for > **Assign** -1. Add the groups to which the licenses should be assigned - - :::image type="content" source="images/entra-assign-licenses.png" alt-text="Assign licenses from Microsoft Entra admin center." lightbox="images/entra-assign-licenses.png"::: - -For more information, see [Group-based licensing using Microsoft Entra admin center][AAD-4]. - -## Configure school branding - -Configuring your school branding enables a more familiar Autopilot experience to students and teachers. 
With a custom school branding, you can define a custom logo and a welcome message, which will appear during the Windows out-of-box experience. - -To configure your school's branding: - -1. Sign in to the Microsoft Entra admin center -1. Select **Microsoft Entra ID** > **Show More** > **User experiences** > **Company branding** -1. You can specify brand settings like background image, logo, username hint and a sign-in page text - :::image type="content" source="images/entra-branding.png" alt-text="Configure Microsoft Entra ID branding from Microsoft Entra admin center." lightbox="images/entra-branding.png"::: -1. To adjust the school tenant's name displayed during OOBE, select **Microsoft Entra ID** > **Overview** > **Properties** -1. In the **Name** field, enter the school district or organization's name > **Save** - :::image type="content" alt-text="Configure Microsoft Entra tenant name from Microsoft Entra admin center." source="images/entra-tenant-name.png" lightbox="images/entra-tenant-name.png"::: - -For more information, see [Add branding to your directory][AAD-5]. - -## Enable bulk enrollment - -If you decide to enroll Windows devices using provisioning packages instead of Windows Autopilot, you must ensure that the provisioning packages can join Windows devices to the Microsoft Entra tenant. - -To allow provisioning packages to complete the Microsoft Entra join process: - -1. Sign in to the Microsoft Entra admin center -1. Select **Microsoft Entra ID** > **Devices** > **Device Settings** -1. Under **Users may join devices to Microsoft Entra ID**, select **All** - > [!NOTE] - > If it is required that only specific users can join devices to Microsoft Entra ID, select **Selected**. Ensure that the user account that will create provisioning packages is included in the list of users. -1. Select Save - :::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." 
lightbox="images/entra-device-settings.png"::: - ---- - -## Next steps - -With users and groups created, and licensed for Microsoft 365 Education, you can now configure Microsoft Intune. - -> [!div class="nextstepaction"] -> [Next: Set up Microsoft Intune >](set-up-microsoft-intune.md) - - - -[AAD-1]: /azure/active-directory/hybrid/whatis-phs -[AAD-2]: /azure/active-directory/hybrid/how-to-connect-pta -[AAD-3]: /azure/active-directory/hybrid/how-to-connect-fed-whatis -[AAD-4]: /azure/active-directory/enterprise-users/licensing-groups-assign -[AAD-5]: /azure/active-directory/fundamentals/customize-branding - -[M365-1]: /microsoft-365/education/deploy/create-your-office-365-tenant -[M365-2]: /microsoft-365/admin/admin-overview/admin-center-overview -[M365-3]: /microsoft-365/admin/add-users/add-users -[M365-4]: /microsoft-365/enterprise/add-several-users-at-the-same-time -[M365-5]: /microsoft-365/admin/create-groups/create-groups - -[O365-1]: /office365/enterprise/set-up-directory-synchronization - -[SDS-1]: /schooldatasync/overview-of-school-data-sync diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md deleted file mode 100644 index 1ee9608b0c..0000000000 --- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -title: Set up device management -description: Learn how to configure the Intune service and set up the environment for education. -ms.date: 01/16/2024 -ms.topic: tutorial -appliesto: ---- - -# Set up Microsoft Intune - -Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale. - -The Microsoft Intune service can be managed in different ways, and one of them is **Intune for Education**, a web portal designed for education environments. - -:::image type="content" source="./images/intune-education-portal.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-education-portal.png" border="true"::: - -**Intune for Education** supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year. - -For more information, see [Intune for Education documentation][INT-1]. 
- -> [!div class="checklist"] ->In this section you will: -> -> - Review Intune's licensing prerequisites -> - Configure the Intune service for education devices - -## Prerequisites - -Before configuring settings with Intune for Education, consider the following prerequisites: - -- **Intune subscription.** Microsoft Intune is licensed in three ways: - - As a standalone service - - As part of [Enterprise Mobility + Security][MSFT-1] - - As part of a [Microsoft 365 Education subscription][MSFT-2] -- **Device platform.** Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS - -For more information, see [Intune licensing][MEM-1] and [this comparison sheet][MSFT-3], which includes a table detailing the *Microsoft Modern Work Plan for Education*. - -## Configure the Intune service for education devices - -The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts. - -### Configure enrollment restrictions - -With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school. - -To block personally owned Windows devices from enrolling: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Enroll devices** > **Enrollment device platform restrictions** -1. Select the **Windows restrictions** tab -1. Select **Create restriction** -1. On the **Basics** page, provide a name for the restriction and, optionally, a description > **Next** -1. 
On the **Platform settings** page, in the **Personally owned devices** field, select **Block** > **Next** - :::image type="content" source="./images/enrollment-restrictions.png" alt-text="This screenshot is of the device enrollment restriction page in Microsoft Intune admin center." lightbox="./images/enrollment-restrictions.png"::: -1. Optionally, on the **Scope tags** page, add scope tags > **Next** -1. On the **Assignments** page, select **Add groups**, and then use the search box to find and choose groups to which you want to apply the restriction > **Next** -1. On the **Review + create** page, select **Create** to save the restriction - -For more information, see [Create a device platform restriction][MEM-2]. - -### Disable Windows Hello for Business - -Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled. -It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices. -To disable Windows Hello for Business at the tenant level: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Windows Enrollment** -1. Select **Windows Hello for Business** -1. Ensure that **Configure Windows Hello for Business** is set to **disabled** -1. Select **Save** - -:::image type="content" source="./images/whfb-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." 
lightbox="./images/whfb-disable.png"::: - -For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4]. - ---- - -## Next steps - -With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices. - -> [!div class="nextstepaction"] -> [Next: Configure devices >](configure-devices-overview.md) - - - -[MEM-1]: /mem/intune/fundamentals/licenses -[MEM-2]: /mem/intune/enrollment/enrollment-restrictions-set -[MEM-4]: /mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy - -[INT-1]: /intune-education/what-is-intune-for-education - -[MSFT-1]: https://www.microsoft.com/microsoft-365/enterprise-mobility-security -[MSFT-2]: https://www.microsoft.com/licensing/product-licensing/microsoft-365-education -[MSFT-3]: https://edudownloads.azureedge.net/msdownloads/Microsoft-Modern-Work-Plan-Comparison-Education_11-2021.pdf \ No newline at end of file diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml deleted file mode 100644 index 8abc013f68..0000000000 --- a/education/windows/tutorial-school-deployment/toc.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -items: - - name: Introduction - href: index.md - - name: 1. Prepare your tenant - items: - - name: Set up Microsoft Entra ID - href: set-up-microsoft-entra-id.md - - name: Set up Microsoft Intune - href: set-up-microsoft-intune.md - - name: 2. Configure settings and applications - items: - - name: Overview - href: configure-devices-overview.md - - name: Configure policies - href: configure-device-settings.md - - name: Configure applications - href: configure-device-apps.md - - name: 3. Deploy devices - items: - - name: Overview - href: enroll-overview.md - - name: Enroll devices via Microsoft Entra join - href: enroll-entra-join.md - - name: Enroll devices with provisioning packages - href: enroll-package.md - - name: Enroll devices with Windows Autopilot - href: enroll-autopilot.md - - name: 4. Manage devices - items: - - name: Overview - href: manage-overview.md - - name: Management functionalities for Surface devices - href: manage-surface-devices.md - - name: Reset and wipe devices - href: reset-wipe.md - - name: 5. Troubleshoot and get help - href: troubleshoot-overview.md - diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md deleted file mode 100644 index 0d59f1af56..0000000000 --- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -title: Troubleshoot Windows devices -description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services. -ms.date: 11/09/2023 -ms.topic: tutorial ---- - -# Troubleshoot Windows devices - -Microsoft Intune provides many tools that can help you troubleshoot Windows devices. -Here's a collection of resources to help you troubleshoot Windows devices managed by Intune: - -- [Troubleshooting device enrollment in Intune][MEM-2] -- [Troubleshooting Windows Autopilot][MEM-9] -- [Troubleshoot Windows Wi-Fi profiles][MEM-6] -- [Troubleshooting policies and profiles in Microsoft Intune][MEM-5] -- [Troubleshooting BitLocker with the Intune encryption report][MEM-4] -- [Troubleshooting CSP custom settings][MEM-8] -- [Troubleshooting Win32 app installations with Intune][MEM-7] -- [Troubleshooting device actions in Intune][MEM-3] -- [**Collect diagnostics**][MEM-10] is a remote action that lets you collect and download Windows device logs without interrupting the user - :::image type="content" source="./images/intune-diagnostics.png" alt-text="Intune for Education dashboard" lightbox="./images/intune-diagnostics.png" border="true"::: - -## How to contact Microsoft Support - -Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop. - -Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices: - -- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -- Select **Troubleshooting + support** > **Help and support** - :::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." 
lightbox="images/advanced-support.png"::: -- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365 -- Above **How can we help?**, select one of three icons to open different panes: *Find solutions*, *Contact support*, or *Service requests* -- In the **Find solutions** pane, use the text box to specify a few details about your issue. The console may offer suggestions based on what you've entered. Depending on the presence of specific keywords, the console provides help like: - - Run diagnostics: start automated tests and investigations of your tenant from the console to reveal known issues. When you run a diagnostic, you may receive mitigation steps to help with resolution - - View insights: find links to documentation that provides context and background specific to the product area or actions you've described - - Recommended articles: browse suggested troubleshooting topics and other content related to your issue -- If needed, use the *Contact support* pane to file an online support ticket - > [!IMPORTANT] - > When opening a case, be sure to include as many details as possible in the *Description* field. Such information includes: timestamp and date, device ID, device model, serial number, OS version, and any other details relevant to the issue. -- To review your case history, select the **Service requests** pane. 
Active cases are at the top of the list, with closed issues also available for review - -For more information, see [Microsoft Intune support page][MEM-1] - - -[MEM-1]: /mem/get-support -[MEM-2]: /troubleshoot/mem/intune/troubleshoot-device-enrollment-in-intune -[MEM-3]: /troubleshoot/mem/intune/troubleshoot-device-actions -[MEM-4]: /troubleshoot/mem/intune/troubleshoot-bitlocker-admin-center -[MEM-5]: /troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune -[MEM-6]: /troubleshoot/mem/intune/troubleshoot-wi-fi-profiles#troubleshoot-windows-wi-fi-profiles -[MEM-7]: /troubleshoot/mem/intune/troubleshoot-win32-app-install -[MEM-8]: /troubleshoot/mem/intune/troubleshoot-csp-custom-settings -[MEM-9]: /mem/autopilot/troubleshooting -[MEM-10]: /mem/intune/remote-actions/collect-diagnostics diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index bea07c4d0b..1c973e2035 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -2,7 +2,7 @@ title: Windows 11 SE settings list description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change. ms.topic: reference -ms.date: 08/18/2023 +ms.date: 05/06/2024 appliesto: - ✅ Windows 11 SE ms.collection: diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index cb1db35d6e..aeb7575b4c 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md 
@@ -32,7 +32,7 @@ You can use Internet Information Services' (IIS) network load balancing (NLB) to Review the following articles to learn more about configuring IIS and NLB for computers running Windows Server operating systems: -* [Achieving High Availability and Scalability - ARR and NLB](https://www.iis.net/learn/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0. +* [Achieving High Availability and Scalability - ARR and NLB](/iis/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0. * [Network load balancing overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831698(v=ws.11)) will tell you more about how to configure Microsoft Windows Server. 
@@ -88,13 +88,13 @@ Use the following steps to modify the connection string to include ```failover p 3. Modify the **MANAGEMENT\_SQL\_CONNECTION\_STRING** value with the ```failover partner = ``` value. 4. Restart management service using the IIS console. > [!NOTE] - >Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012]() due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012. + >Database Mirroring is on the list of [deprecated database engine features in SQL Server 2012](/previous-versions/sql/sql-server-2012/ms143729(v=sql.110)) due to the **AlwaysOn** feature available starting with Microsoft SQL Server 2012. -Click any of the following links for more information: +For more information, see the following articles: * [Prepare a mirror database for mirroring (SQL Server)](/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server). * [Establish a database mirroring session using Windows Authentication (SQL Server Management Studio)](/sql/database-engine/database-mirroring/establish-database-mirroring-session-windows-authentication). -* [Deprecated database engine features in SQL Server 2012](). +* [Deprecated database engine features in SQL Server 2012](/previous-versions/sql/sql-server-2012/ms143729(v=sql.110)). ## Support for Microsoft SQL Server Always On configuration diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md index 24110d05f3..918fe88905 100644 --- a/windows/client-management/manage-windows-copilot.md +++ b/windows/client-management/manage-windows-copilot.md @@ -6,7 +6,9 @@ ms.subservice: windows-copilot ms.date: 03/21/2024 ms.author: mstewart author: mestew -ms.collection: windows-copilot +ms.collection: + - windows-copilot + - magic-ai-copilot appliesto: - ✅ Windows 11, version 22H2 or later --- 
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index 49d00a03bf..6542f4aa17 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -1,7 +1,7 @@ --- title: Policies in Policy CSP supported by Group Policy description: Learn about the policies in Policy CSP supported by Group Policy. -ms.date: 04/10/2024 +ms.date: 04/23/2024 --- @@ -871,7 +871,6 @@ This article lists the policies in Policy CSP that have a group policy mapping. ## WindowsAI - [TurnOffWindowsCopilot](policy-csp-windowsai.md) -- [DisableAIDataAnalysis](policy-csp-windowsai.md) ## WindowsDefenderSecurityCenter diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md index aa027def07..7f0e55df51 100644 --- a/windows/client-management/mdm/policy-csp-windowsai.md +++ b/windows/client-management/mdm/policy-csp-windowsai.md @@ -1,7 +1,7 @@ --- title: WindowsAI Policy CSP description: Learn more about the WindowsAI Area in Policy CSP. -ms.date: 01/31/2024 +ms.date: 04/23/2024 --- @@ -9,74 +9,10 @@ ms.date: 01/31/2024 # Policy CSP - WindowsAI -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - - -## DisableAIDataAnalysis - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [99.9.9999] | - - - -```User -./User/Vendor/MSFT/Policy/Config/WindowsAI/DisableAIDataAnalysis -``` - - - - -This policy setting allows you to prevent Windows AI from using and analyzing user patterns and data. - -- If you enable this policy setting, Windows AI won't be able to take advantage of historical user patterns. - -- If you disable or don't configure this policy setting, Windows AI will be able to assist users by considering their historical behaviors and data. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | `int` | -| Access Type | Add, Delete, Get, Replace | -| Default Value | 0 | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 (Default) | Enable Data Analysis for Windows AI. | -| 1 | Disable Data Analysis for Windows AI. | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | DisableAIDataAnalysis | -| Path | WindowsAI > AT > WindowsComponents > WindowsAI | - - - - - - - - ## TurnOffWindowsCopilot diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 553037a410..78f6dd37b7 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -1,7 +1,7 @@ --- title: SurfaceHub CSP description: Learn more about the SurfaceHub CSP. -ms.date: 01/18/2024 +ms.date: 04/22/2024 --- 
@@ -65,6 +65,10 @@ The following list shows the SurfaceHub configuration service provider nodes: - [MOMAgent](#momagent) - [WorkspaceID](#momagentworkspaceid) - [WorkspaceKey](#momagentworkspacekey) + - [MOMAgentGovtCloud](#momagentgovtcloud) + - [AzureCloudIndexGovtCloud](#momagentgovtcloudazurecloudindexgovtcloud) + - [WorkspaceIDGovtCloud](#momagentgovtcloudworkspaceidgovtcloud) + - [WorkspaceKeyGovtCloud](#momagentgovtcloudworkspacekeygovtcloud) - [Properties](#properties) - [AllowAutoProxyAuth](#propertiesallowautoproxyauth) - [AllowSessionResume](#propertiesallowsessionresume) @@ -2011,6 +2015,162 @@ Primary key for authenticating with workspace. Will always return an empty strin + +## MOMAgentGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud +``` + + + + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `node` | +| Access Type | Get | + + + + + + + + + +### MOMAgentGovtCloud/AzureCloudIndexGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/AzureCloudIndexGovtCloud +``` + + + + +Enum value for Azure Clouds supported for OMS tracking in SurfaceHub. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Get, Replace | +| Default Value | 0 | + + + + + + + + + +### MOMAgentGovtCloud/WorkspaceIDGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/WorkspaceIDGovtCloud +``` + + + + +GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data for Govt Clouds. Set this to an empty string to disable the MOM agent. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get, Replace | + + + + + + + + + +### MOMAgentGovtCloud/WorkspaceKeyGovtCloud + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 22H2 [10.0.19045.4355] and later | + + + +```Device +./Vendor/MSFT/SurfaceHub/MOMAgentGovtCloud/WorkspaceKeyGovtCloud +``` + + + + +Primary key for authenticating with workspace for Govt Clouds. Will always return an empty string. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `chr` (string) | +| Access Type | Get, Replace | + + + + + + + + ## Properties diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md index 4bfee13fce..3222bade2d 100644 --- a/windows/client-management/mdm/surfacehub-ddf-file.md +++ b/windows/client-management/mdm/surfacehub-ddf-file.md @@ -1,7 +1,7 @@ --- title: SurfaceHub DDF file description: View the XML file containing the device description framework (DDF) for the SurfaceHub configuration service provider. -ms.date: 01/18/2024 +ms.date: 04/22/2024 --- @@ -12,11 +12,10 @@ The following XML file contains the device description framework (DDF) for the S ```xml -]> + 1.2 - - + SurfaceHub ./Vendor/MSFT @@ -86,8 +85,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -110,8 +108,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -134,8 +131,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -158,8 +154,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -203,8 +198,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -227,8 +221,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -251,8 +244,7 @@ The following XML file contains the device description framework (DDF) for the S - - + 
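Review bot: AzureCloudIndexGovtCloud is described only as `Enum value for Azure Clouds supported for OMS tracking in SurfaceHub.` with `| Default Value | 0 |`, but the new section never lists the allowed values, so an admin cannot tell which integer selects which cloud; other CSP pages in this diff carry an **Allowed values** table for enumerated `int` nodes, and this node should get one. The MOMAgentGovtCloud parent node also ships with an empty description where its three children have one; a short line such as `Parent node for the Operations Management Suite agent settings used with government clouds.` would fit (wording inferred from the child descriptions, confirm with the CSP owner). For WorkspaceKeyGovtCloud the statement that `Will always return an empty string.` is the important security detail, since the value is an authentication key and Access Type is `Get, Replace`; consider making explicit that a Get never echoes the configured key back.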
@@ -534,8 +526,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.15063 1.0 - - + @@ -611,8 +602,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -753,8 +743,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -982,8 +971,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1028,8 +1016,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1522,8 +1509,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.15063, 10.0.14393.969 1.0 - - + @@ -1584,8 +1570,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1633,8 +1618,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1657,8 +1641,99 @@ The following XML file contains the device description framework (DDF) for the S - - + + + + + + MOMAgentGovtCloud + + + + + + + + + + + + + + + + + + 10.0.19045.4355 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + WorkspaceIDGovtCloud + + + + + + GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data for Govt Clouds. Set this to an empty string to disable the MOM agent. + + + + + + + + + + + text/plain + + + + + WorkspaceKeyGovtCloud + + + + + + Primary key for authenticating with workspace for Govt Clouds.. Will always return an empty string. + + + + + + + + + + + text/plain + + + + + AzureCloudIndexGovtCloud + + + + + + 0 + Enum value for Azure Clouds supported for OMS tracking in SurfaceHub. + + + + + + + + + + + text/plain + @@ -1702,8 +1777,7 @@ The following XML file contains the device description framework (DDF) for the S - - + 
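Review bot: The DDF description for WorkspaceKeyGovtCloud in the hunk at `@@ -1657,8 +1641,99 @@` has a doubled period, `Primary key for authenticating with workspace for Govt Clouds.. Will always return an empty string.`, and no longer matches the single-period text used for the same node in surfacehub-csp.md earlier in this diff; since the DDF string is what tooling renders, fix it at the source: `Primary key for authenticating with workspace for Govt Clouds. Will always return an empty string.`. The MOMAgentGovtCloud node added in the same hunk carries no description text, unlike its three children. The XML element tags are stripped in this rendering, so element names are inferred from the companion CSP page.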
@@ -1726,8 +1800,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1754,8 +1827,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.17134, 10.0.16299.64 1.0 - - + LanProfile @@ -1777,8 +1849,7 @@ The following XML file contains the device description framework (DDF) for the S - - + @@ -1801,8 +1872,7 @@ The following XML file contains the device description framework (DDF) for the S - - + diff --git a/windows/configuration/assigned-access/xsd.md b/windows/configuration/assigned-access/xsd.md index 89519a3862..209c3fb81d 100644 --- a/windows/configuration/assigned-access/xsd.md +++ b/windows/configuration/assigned-access/xsd.md @@ -2,7 +2,7 @@ title: Assigned Access XML Schema Definition (XSD) description: Assigned Access XSD reference article. ms.topic: reference -ms.date: 02/15/2024 +ms.date: 04/08/2024 --- # Assigned Access XML Schema Definition (XSD) 
@@ -232,7 +232,7 @@ Here's the Assigned Access XSD for the features added in Windows 11: ## Windows 11, version 21H2 additions -Here's the Assigned Access XSD for the features added in Windows 10, version 21H2: +Here's the Assigned Access XSD for the features added in Windows 11, version 21H2: ```xml [!NOTE] ->You can use the [Personalization CSP](/windows/client-management/mdm/personalization-csp) settings to set lock screen and desktop background images. - -## What does Windows Spotlight include? - -- **Background image** - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. More images are downloaded on ongoing basis. - ![lock screen image.](images/lockscreen.png) -- **Feature suggestions, fun facts, tips** - The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services. - ![fun facts.](images/funfacts.png) - -## How do you turn off Windows Spotlight locally? - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background.](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? - -Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. - ->[!NOTE] ->These policies are in the **User Configuration \Policies\Administrative Templates\Windows Components\Cloud Content** path in the Group Policy Management Console, and in the **User Configuration \Administrative Templates\Windows Components\Cloud Content** path in the Local Group Policy Editor. 
- -| Group Policy | MDM | Description | Applies to | -|--|--|--|--| -| **Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | -| **Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | -| **Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 Enterprise and Education, version 1607 and later | -| **Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | -| **Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | -| **Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience that helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | -| **Turn off the Windows Spotlight on Settings** | **Experience/Allow Windows Spotlight on Settings** | Turn off the Windows Spotlight in the Settings app. 
| Windows 10 Enterprise and Education, version 1803 | - - In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image** (Windows 10 Enterprise and Education). - - >[!TIP] - >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image). - -![lockscreen policy details.](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox isn't selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. - -## Resolution for custom lock screen image - -A concern with custom lock screen images is how they'll appear on different screen sizes and resolutions. - -A custom lock screen image created in 16:9 aspect ratio (1600x900) will scale properly on devices using a 16:9 resolution, such as 1280x720 or 1920x1080. On devices using other aspect ratios, such as 4:3 (1024x768) or 16:10 (1280x800), height scales correctly and width is cropped to a size equal to the aspect ratio. The image will remain centered on the screen - -Lock screen images created at other aspect ratios may scale and center unpredictably on your device when changing aspect ratios. - -The recommendation for custom lock screen images that include text (such as a legal statement) is to create the lock screen image in 16:9 resolution with text contained in the 4:3 region, allowing the text to remain visible at any aspect ratio. 
diff --git a/windows/configuration/taskbar/images/pin-add-11.png b/windows/configuration/taskbar/images/pin-add-11.png
index de84d0154c..867f27af43 100644
Binary files a/windows/configuration/taskbar/images/pin-add-11.png and b/windows/configuration/taskbar/images/pin-add-11.png differ
diff --git a/windows/configuration/taskbar/images/pin-layout-11.png b/windows/configuration/taskbar/images/pin-layout-11.png
index 717f210776..5df7a8bfda 100644
Binary files a/windows/configuration/taskbar/images/pin-layout-11.png and b/windows/configuration/taskbar/images/pin-layout-11.png differ
diff --git a/windows/configuration/taskbar/images/pin-remove-11.png b/windows/configuration/taskbar/images/pin-remove-11.png
index d815923516..736d4b2d11 100644
Binary files a/windows/configuration/taskbar/images/pin-remove-11.png and b/windows/configuration/taskbar/images/pin-remove-11.png differ
diff --git a/windows/configuration/taskbar/images/pin-replace-11.png b/windows/configuration/taskbar/images/pin-replace-11.png
index ce90eebcad..f758d145be 100644
Binary files a/windows/configuration/taskbar/images/pin-replace-11.png and b/windows/configuration/taskbar/images/pin-replace-11.png differ
diff --git a/windows/configuration/taskbar/images/taskbar-11.png b/windows/configuration/taskbar/images/taskbar-11.png
index accd2c6f8f..0e24fb2679 100644
Binary files a/windows/configuration/taskbar/images/taskbar-11.png and b/windows/configuration/taskbar/images/taskbar-11.png differ
diff --git a/windows/configuration/taskbar/images/taskbar-sections-11.png b/windows/configuration/taskbar/images/taskbar-sections-11.png
index 3e14e85b9d..68e6ce31c5 100644
Binary files a/windows/configuration/taskbar/images/taskbar-sections-11.png and b/windows/configuration/taskbar/images/taskbar-sections-11.png differ
diff --git a/windows/configuration/taskbar/includes/turn-off-windows-copilot.md b/windows/configuration/taskbar/includes/turn-off-windows-copilot.md
deleted file mode 100644
index 69b9f7fd71..0000000000
--- a/windows/configuration/taskbar/includes/turn-off-windows-copilot.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 04/11/2024
-ms.topic: include
----
-
-### Turn off Windows Copilot
-
-This policy setting allows you to turn off Windows Copilot.
-
-- If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either
-- If you disable or don't configure this policy setting, users can use Copilot, if available
-
-| | Path |
-|--|--|
-| **CSP** | `./User/Vendor/MSFT/Policy/Config/WindowsAI/`[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) |
-| **GPO** | **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Copilot** |
diff --git a/windows/configuration/taskbar/index.md b/windows/configuration/taskbar/index.md
index 04b5c9de37..68edd41929 100644
--- a/windows/configuration/taskbar/index.md
+++ b/windows/configuration/taskbar/index.md
@@ -1,6 +1,6 @@
 ---
 title: Configure the Windows taskbar
-description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
+description: Learn how to configure the Windows taskbar to provide quick access to the tools and applications that users need most.
 ms.topic: how-to
 ms.date: 04/17/2024
 appliesto:
@@ -47,10 +47,9 @@ Let's review the components of the Windows taskbar by dividing it into three are 1. Pinned and running apps 1. The *right area* contains: 1. The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, and any application icons that are running in the background like OneDrive, Teams, or antivirus software - 1. Quick Actions + 1. Quick actions 1. Calendar - 1. Action Center - 1. Copilot + 1. Notifications :::image type="content" source="images/taskbar-sections-11.png" alt-text="Screenshot of the Windows 11 taskbar with the three areas highlighted." border="false" lightbox="./images/taskbar-sections-11.png"::: @@ -72,8 +71,7 @@ Let's review the components of the Windows taskbar by dividing it into two areas - News and interests - The system tray, which displays icons like the pen menu, touch keyboard, virtual touchpad, power, network, volume, and any application icons that are running in the background like OneDrive, Teams, or antivirus software - Calendar - - Action center - - Copilot + - Notifications and actions :::image type="content" source="images/taskbar-sections-10.png" alt-text="Screenshot of the Windows 11 taskbar with the two areas highlighted." border="false" lightbox="./images/taskbar-sections-10.png"::: diff --git a/windows/configuration/taskbar/policy-settings.md b/windows/configuration/taskbar/policy-settings.md index cf9fa4a5ea..72ca73538b 100644 --- a/windows/configuration/taskbar/policy-settings.md +++ b/windows/configuration/taskbar/policy-settings.md @@ -37,7 +37,6 @@ Select one of the tabs to see the list of available settings: |[Show additional calendar](#show-additional-calendar)|❌|✅| |[Simplify Quick Settings Layout](#simplify-quick-settings-layout)|✅|✅| |[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅| -|[Turn off Windows Copilot](#turn-off-windows-copilot)|✅|✅| ::: zone-end 
@@ -62,7 +61,6 @@ Select one of the tabs to see the list of available settings: |[Show additional calendar](#show-additional-calendar)|❌|✅| |[Turn off automatic promotion of notification icons to the taskbar](#turn-off-automatic-promotion-of-notification-icons-to-the-taskbar)|❌|✅| |[Turn off notification area cleanup](#turn-off-notification-area-cleanup)|❌|✅| -|[Turn off Windows Copilot](#turn-off-windows-copilot)|✅|✅| ::: zone-end @@ -109,8 +107,6 @@ Select one of the tabs to see the list of available settings: [!INCLUDE [turn-off-notification-area-cleanup](includes/turn-off-notification-area-cleanup.md)] ::: zone-end -[!INCLUDE [turn-off-windows-copilot](includes/turn-off-windows-copilot.md)] - #### [:::image type="icon" source="../images/icons/touch.svg"::: **Taskbar behaviors**](#tab/actions) ::: zone pivot="windows-11" diff --git a/windows/configuration/toc.yml b/windows/configuration/toc.yml index 6feefd28bf..27cec371e7 100644 --- a/windows/configuration/toc.yml +++ b/windows/configuration/toc.yml @@ -7,8 +7,8 @@ items: href: start/toc.yml - name: Taskbar href: taskbar/toc.yml -- name: Spotlight - href: lock-screen/windows-spotlight.md +- name: Windows spotlight + href: windows-spotlight/index.md - name: Microsoft Store href: store/toc.yml - name: Cellular settings diff --git a/windows/configuration/windows-spotlight/images/contoso-lockscreen-10.png b/windows/configuration/windows-spotlight/images/contoso-lockscreen-10.png new file mode 100644 index 0000000000..7b3015dd39 Binary files /dev/null and b/windows/configuration/windows-spotlight/images/contoso-lockscreen-10.png differ diff --git a/windows/configuration/windows-spotlight/images/contoso-lockscreen-11.png b/windows/configuration/windows-spotlight/images/contoso-lockscreen-11.png new file mode 100644 index 0000000000..a4bc816c78 Binary files /dev/null and b/windows/configuration/windows-spotlight/images/contoso-lockscreen-11.png differ 
diff --git a/windows/configuration/windows-spotlight/images/lockscreen-10.png b/windows/configuration/windows-spotlight/images/lockscreen-10.png
new file mode 100644
index 0000000000..243ca18f67
Binary files /dev/null and b/windows/configuration/windows-spotlight/images/lockscreen-10.png differ
diff --git a/windows/configuration/windows-spotlight/images/lockscreen-11.png b/windows/configuration/windows-spotlight/images/lockscreen-11.png
new file mode 100644
index 0000000000..bf153070c1
Binary files /dev/null and b/windows/configuration/windows-spotlight/images/lockscreen-11.png differ
diff --git a/windows/configuration/windows-spotlight/index.md b/windows/configuration/windows-spotlight/index.md
new file mode 100644
index 0000000000..53b5c10121
--- /dev/null
+++ b/windows/configuration/windows-spotlight/index.md
@@ -0,0 +1,129 @@ +--- +title: Configure Windows spotlight +description: Learn how to configure Windows spotlight using Group Policy and mobile device management (MDM) settings. +ms.topic: how-to +ms.date: 04/23/2024 +ms.author: paoloma +author: paolomatarazzo +appliesto: +zone_pivot_groups: windows-versions-11-10 +--- + +# Configure Windows spotlight + +Windows spotlight is a feature that displays different wallpapers and offers suggestions, fun facts, tips, or organizational messages: + +::: zone pivot="windows-11" + +- **Wallpapers**: Windows spotlight displays a new image on the lock screen and in the background every day +- **Suggestions, fun facts, tips**: recommendations on how to enhance the user's productivity of Microsoft products. They're displayed in different locations, such as the lock screen, the background, the taskbar, or the Get Started app +- **Organizational messages**: messages from your organization, which can be displayed in the taskbar, the notification area, or the Get Started app + +:::image type="content" source="images/lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows Spotlight enabled." border="false"::: + +::: zone-end + +::: zone pivot="windows-10" + +- **Wallpapers**: Windows spotlight displays a new image on the lock screen every day +- **Suggestions, fun facts, tips**: recommendations on how to enhance the user's productivity of Microsoft products. They're displayed in different locations, such as the lock screen, the background, the taskbar, or the Get Started app +- **Organizational messages**: messages from your organization, which can be displayed in the taskbar, the notification area, or the Get Started app + +:::image type="content" source="images/lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows Spotlight enabled." 
border="false"::: + +::: zone-end + +## Windows edition and licensing requirements + +Windows spotlight is available on Windows Enterprise and Education editions only. + +## Configuration options + +Windows spotlight is enabled by default, but you can customize it to meet your organization's needs. There are several options to configure Windows spotlight. + +If you need to configure a device for a single user, go to: + +::: zone pivot="windows-11" + +- **Settings** > **Personalization** > **[Background](ms-settings:personalization-background)**. To change the background image to Windows spotlight, select **Windows spotlight** from the **Personalize your background** drop-down menu + +::: zone-end + +- **Settings** > **Personalization** > **[Lock screen](ms-settings:personalization-lockscreen)**. To change the lock screen image to Windows spotlight, select **Windows spotlight** from the **Personalize your lock screen** drop-down menu + +For advanced customizations and when you need to configure multiple devices, you can use one of the following options: + +- Configuration Service Provider (CSP): commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. CSPs can also be configured with [provisioning packages](../provisioning-packages/how-it-pros-can-use-configuration-service-providers.md#csps-in-windows-configuration-designer), which are used at deployment time or for unmanaged devices. To configure Windows spotlight, use the [Experience Policy CSP][CSP-1] +- Group policy (GPO): used for devices that are Active Directory joined or Microsoft Entra hybrid joined, and not managed by a device management solution. 
Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor + +## Policy settings + +Here's a sorted list of the policy settings to configure Windows spotlight: + +::: zone pivot="windows-11" +|Policy name| CSP | GPO | +|-|-|-| +|[AllowSpotlightCollection](/windows/client-management/mdm/policy-csp-experience#allowspotlightcollection)|✅|❌| +|[AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowthirdpartysuggestionsinwindowsspotlight)|✅|✅| +|[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight)|✅|✅| +|[AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlightonactioncenter)|✅|✅| +|[AllowWindowsSpotlightOnSettings](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlightonsettings)|✅|✅| +|[AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlightwindowswelcomeexperience)|✅|✅| +|[ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-csp-experience#configurewindowsspotlightonlockscreen)|✅|✅| + +::: zone-end + +::: zone pivot="windows-10" + +|Policy name| CSP | GPO | +|-|-|-| +|[AllowThirdPartySuggestionsInWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowthirdpartysuggestionsinwindowsspotlight)|✅|✅| +|[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight)|✅|✅| +|[AllowWindowsSpotlightOnActionCenter](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlightonactioncenter)|✅|✅| +|[AllowWindowsSpotlightOnSettings](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlightonsettings)|✅|✅| +|[AllowWindowsSpotlightWindowsWelcomeExperience](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlightwindowswelcomeexperience)|✅|✅| 
+|[ConfigureWindowsSpotlightOnLockScreen](/windows/client-management/mdm/policy-csp-experience#configurewindowsspotlightonlockscreen)|✅|✅| + +::: zone-end + +## Custom lock screen and background images + +You can replace the Windows spotlight lock screen and background images with a custom image. When you do so, users can still see suggestions, fun facts, tips, or organizational messages on the lock screen, but the background image is replaced with the custom image. + +To configure the lock screen and background images, use the [Personalization CSP][CSP-2]. + +|Policy name| CSP | GPO | +|-|-|-| +|[DesktopImageUrl](/windows/client-management/mdm/personalization-csp#desktopimageurl)|✅|✅| +|[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp#lockscreenimageurl)|✅|✅| + +>[!NOTE] +> A concern with custom images is how they'll appear on different screen sizes and resolutions. A custom image created in `16:9` aspect ratio (for example, `1600x900`) scales properly on devices using a `16:9` resolution, such as `1280x720` or `1920x1080`. On devices using other aspect ratios, such as `4:3` (`1024x768`) or `16:10` (`1280x800`), height scales correctly and width is cropped to a size equal to the aspect ratio. The image remains centered on the screen. +> +> Lock screen images created at other aspect ratios might scale and center unpredictably on your device when changing aspect ratios. The recommendation for custom images that include text (such as a legal statement), is to create the lock screen image in `16:9` resolution with text contained in the `4:3` region, allowing the text to remain visible at any aspect ratio. + +## User experience + +When Windows spotlight is enabled, devices apply a new image on the lock screen and in the background every day. The image is displayed in the background when the user signs in, and on the lock screen when the user locks the device. Users can still receive suggestions, fun facts, tips, or organizational messages. 
If you deploy a custom lock screen or background image, devices apply the custom image instead of the Windows spotlight image: + +::: zone pivot="windows-11" + +:::image type="content" source="images/contoso-lockscreen-11.png" alt-text="Screenshot of the Windows 11 lock screen with Windows spotlight enabled over an organization wallpaper." border="false"::: + +::: zone-end + +::: zone pivot="windows-10" + +:::image type="content" source="images/contoso-lockscreen-10.png" alt-text="Screenshot of the Windows 10 lock screen with Windows spotlight enabled over an organization wallpaper." border="false"::: + +::: zone-end + +## Next steps + +To learn more about organizational messages, see [Organizational messages in Microsoft Intune][INT-1]. + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-experience +[CSP-2]: /windows/client-management/mdm/personalization-csp +[INT-1]: /mem/intune/remote-actions/organizational-messages-overview diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 84c4092f53..c94c1fb34b 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -3,7 +3,7 @@ title: Manage additional Windows Update settings description: In this article, learn about additional settings to control the behavior of Windows Update in your organization. ms.service: windows-client ms.subservice: itpro-updates -ms.topic: conceptual +ms.topic: reference author: mestew ms.author: mstewart manager: aaroncz @@ -14,7 +14,7 @@ ms.localizationpriority: medium appliesto: - ✅ Windows 11 - ✅ Windows 10 -ms.date: 04/25/2023 +ms.date: 04/29/2024 --- # Manage additional Windows Update settings 
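Review bot: The front matter of the new windows-spotlight/index.md declares an empty `appliesto:` key (`+appliesto:` is immediately followed by `+zone_pivot_groups: windows-versions-11-10`), so the page advertises no applicable products even though the body says Windows spotlight is available on Enterprise and Education editions only and the rest of this diff fills that key with entries such as `- ✅ Windows 11`. Either populate it, for example with `- ✅ Windows 11` and `- ✅ Windows 10` to match the two zone pivots the page uses, or remove the key so the build does not emit an empty list. Which products the authors intend is inferred from the pivots and should be confirmed.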
@@ -42,32 +42,35 @@ You can use Group Policy settings or mobile device management (MDM) to configure >[!IMPORTANT] >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. > ->Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**. +>Additional settings that configure when feature and quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**. ## Scanning for updates -Admins have a lot of flexibility in configuring how their devices scan and receive updates. +Admins have flexibility in configuring how their devices scan and receive updates. [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates. -You can make custom device groups that will work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that weren't signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). +You can make custom device groups that work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). 
You can also make sure your devices receive updates that weren't signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). -Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users. +Finally, to make sure the updating experience is fully admin controlled, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users. -For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md). +For additional settings that configure when feature and quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md). ### Specify intranet Microsoft update service location Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client searches this service for updates that apply to the computers on your network. -To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. 
You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. +To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: +- The server from which the Automatic Updates client detects and downloads updates +- The server to which updated workstations upload statistics +You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. -The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service doesn't provide download Urls in the update metadata for files that are present on the alternate download server. 
+The option to download files with missing URLs allows content to be downloaded from the Alternate Download Server when there are no download URLs for files in the update metadata. This option should only be used when the intranet update service doesn't provide download URLs in the update metadata for files that are present on the alternate download server. >[!NOTE] >If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. @@ -84,8 +87,8 @@ Specifies the hours that Windows will use to determine how long to wait before c To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**. -If the setting is set to **Enabled**, Windows will check for available updates at the specified interval. -If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours. +If the setting is set to **Enabled**, Windows checks for available updates at the specified interval. +If the setting is set to **Disabled** or **Not Configured**, Windows checks for available updates at the default interval of 22 hours. >[!NOTE] >The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. 
@@ -96,7 +99,7 @@ To configure this policy with MDM, use [DetectionFrequency](/windows/client-mana ### Remove access to use all Windows Update features -By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads, and installations will continue to work as configured. ### Do not connect to any Windows Update Internet locations 
@@ -109,11 +112,11 @@ Use **Computer Configuration\Administrative Templates\Windows Components\Windows ### Enable client-side targeting -Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or Configuration Manager. +Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that receive different updates from sources like WSUS or Configuration Manager. This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**. If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service, which uses it to determine which updates should be deployed to this computer. -If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service. +If the setting is set to **Disabled** or **Not Configured**, no target group information is sent to the intranet Microsoft update service. If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. 
@@ -147,7 +150,7 @@ Allows admins to exclude Windows Update drivers during updates. To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. Enable this policy to not include drivers with Windows quality updates. -If you disable or don't configure this policy, Windows Update will include updates that have a Driver classification. +If you disable or don't configure this policy, Windows Update includes updates that have a Driver classification. ### Configure Automatic Updates 
@@ -157,15 +160,15 @@ Enables the IT admin to manage automatic update behavior to scan, download, and Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the following options: -**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates. +**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users are notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates. **3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to **Settings > Update & security > Windows Update**, users can install them. **4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation). -**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions. +**5 - Allow local admin to choose setting** - With this option, local administrators are allowed to use the settings app to select a configuration option of their choice. 
Local administrators won't be allowed to disable the configuration for Automatic Updates. This option isn't available in any Windows 10 or later versions. -**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they'll be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device. +**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they are downloaded, then users are notified that updates are ready to be installed. Once updates are installed, a notification is displayed to users to restart the device. If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**. 
@@ -257,14 +260,14 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ ## Display organization name in Windows Update notifications -When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11. +When Windows 11 clients are associated with a Microsoft Entra tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification displays a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11. The organization name appears automatically for Windows 11 clients that are associated with Microsoft Entra ID in any of the following ways: - [Microsoft Entra joined](/azure/active-directory/devices/concept-azure-ad-join) - [Microsoft Entra registered](/azure/active-directory/devices/concept-azure-ad-register) - [Microsoft Entra hybrid joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) -To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry: +To disable displaying the organization name in Windows Update notifications, add or modify the following values in the registry: - **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations` - **DWORD value name**: UsoDisableAADJAttribution 
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 520ba1010a..c13a48e0c7 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -6,7 +6,7 @@ manager: aaroncz
 ms.author: frankroj
 ms.service: windows-client
 author: frankroj
-ms.date: 01/09/2024
+ms.date: 04/30/2024
 ms.topic: article
 ms.subservice: itpro-deploy
 appliesto:
@@ -127,33 +127,33 @@ The `/uel`, `/ue` and `/ui` options can be used together to migrate only the use ## Incompatible command-line options -The following table indicates which command-line options aren't compatible with the `LoadState.exe` command. If the table entry for a particular combination has a ✔️, the options are compatible, and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option. +The following table indicates which command-line options aren't compatible with the `LoadState.exe` command. If the table entry for a particular combination has a ✅, the options are compatible, and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option. | Command-Line Option | /keyfile | /nocompress | /genconfig | /all | |--- |--- |--- |--- |--- | -| **/i** | ✔️ | ✔️ | ✔️ | ✔️ | -| **/v** | ✔️ | ✔️ | ✔️ | ✔️ | -| **/nocompress** | ✔️ | N/A | ❌ | ✔️ | -| **/key** | ❌ | ✔️ | ❌ | ✔️ | -| **/decrypt** | Required* | ❌ | ❌ | ✔️ | -| **/keyfile** | N/A | ✔️ | ❌ | ✔️ | -| **/l** | ✔️ | ✔️ | ✔️ | ✔️ | -| **/progress** | ✔️ | ✔️ | ❌ | ✔️ | -| **/r** | ✔️ | ✔️ | ❌ | ✔️ | -| **/w** | ✔️ | ✔️ | ❌ | ✔️ | -| **/c** | ✔️ | ✔️ | ❌ | ✔️ | -| **/p** | ✔️ | ✔️ | ❌ | N/A | -| **/all** | ✔️ | ✔️ | ❌ | ✔️ | -| **/ui** | ✔️ | ✔️ | ❌ | ❌ | -| **/ue** | ✔️ | ✔️ | ❌ | ❌ | -| **/uel** | ✔️ | ✔️ | ❌ | ❌ | -| **/genconfig** | ✔️ | ✔️ | N/A | ✔️ | -| **/config** | ✔️ | ✔️ | ❌ | ✔️ | -| *StorePath* | ✔️ | ✔️ | ✔️ | ✔️ | -| **/md** | ✔️ | ✔️ | ✔️ | ✔️ | -| **/mu** | ✔️ | ✔️ | ✔️ | ✔️ | -| **/lae** | ✔️ | ✔️ | ✔️ | ✔️ | -| **/lac** | ✔️ | ✔️ | ✔️ | ✔️ | +| **/i** | ✅ | ✅ | ✅ | ✅ | +| **/v** | ✅ | ✅ | ✅ | ✅ | +| **/nocompress** | ✅ | N/A | ❌ | ✅ | +| **/key** | ❌ | ✅ | ❌ | ✅ | +| **/decrypt** | Required* | ❌ | ❌ | ✅ | +| **/keyfile** | N/A | ✅ | ❌ | ✅ | +| **/l** | ✅ | ✅ | ✅ | ✅ | +| **/progress** | ✅ 
| ✅ | ❌ | ✅ | +| **/r** | ✅ | ✅ | ❌ | ✅ | +| **/w** | ✅ | ✅ | ❌ | ✅ | +| **/c** | ✅ | ✅ | ❌ | ✅ | +| **/p** | ✅ | ✅ | ❌ | N/A | +| **/all** | ✅ | ✅ | ❌ | ✅ | +| **/ui** | ✅ | ✅ | ❌ | ❌ | +| **/ue** | ✅ | ✅ | ❌ | ❌ | +| **/uel** | ✅ | ✅ | ❌ | ❌ | +| **/genconfig** | ✅ | ✅ | N/A | ✅ | +| **/config** | ✅ | ✅ | ❌ | ✅ | +| *StorePath* | ✅ | ✅ | ✅ | ✅ | +| **/md** | ✅ | ✅ | ✅ | ✅ | +| **/mu** | ✅ | ✅ | ✅ | ✅ | +| **/lae** | ✅ | ✅ | ✅ | ✅ | +| **/lac** | ✅ | ✅ | ✅ | ✅ | > [!NOTE] > diff --git a/windows/deployment/usmt/usmt-requirements.md b/windows/deployment/usmt/usmt-requirements.md index 1ed79eb022..cdb3d41096 100644 --- a/windows/deployment/usmt/usmt-requirements.md +++ b/windows/deployment/usmt/usmt-requirements.md @@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/18/2024 +ms.date: 04/30/2024 ms.topic: article ms.subservice: itpro-deploy appliesto: @@ -24,10 +24,10 @@ The following table lists the operating systems supported in USMT. | Operating
Systems | ScanState
(Source
Device)| LoadState
(Destination
Device)| |--- |--- |--- | -|Windows 7|✔️|❌| -|Windows 8|✔️|❌| -|Windows 10|✔️|✔️| -|Windows 11|✔️|✔️| +|Windows 7|✅|❌| +|Windows 8|✅|❌| +|Windows 10|✅|✅| +|Windows 11|✅|✅| > [!NOTE] > @@ -79,7 +79,7 @@ To open an elevated command prompt: ### Specify the `/c` option and \ settings in the `Config.xml` file -USMT fails if it can't migrate a file or setting, unless the `/c` option is specified. When the `/c` option is specified, USMT logs an error each time it encounters a file that is in use that didn't migrate, but the migration isn't be interrupted. In USMT, which types of errors should allow the migration to continue and which should cause the migration to fail can be specified in the `Config.xml` file. For more information about error reporting, and the **\** element, see [Config.xml file](usmt-configxml-file.md#errorcontrol), [Log files](usmt-log-files.md), and [XML elements library](usmt-xml-elements-library.md). +USMT fails if it can't migrate a file or setting, unless the `/c` option is specified. When the `/c` option is specified, USMT logs an error each time it encounters a file that is in use that didn't migrate, but the migration isn't to be interrupted. In USMT, which types of errors should allow the migration to continue and which should cause the migration to fail can be specified in the `Config.xml` file. For more information about error reporting, and the **\** element, see [Config.xml file](usmt-configxml-file.md#errorcontrol), [Log files](usmt-log-files.md), and [XML elements library](usmt-xml-elements-library.md). ## LoadState diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 5b74859a02..82d4e9ada4 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md 
@@ -6,7 +6,7 @@ manager: aaroncz ms.author: frankroj ms.service: windows-client author: frankroj -ms.date: 01/09/2024 +ms.date: 04/30/2024 ms.topic: article ms.subservice: itpro-deploy appliesto: @@ -85,7 +85,7 @@ There are several benefits to running the `ScanState.exe` command on an offline - **Improved success of migration.** The migration success rate is increased because: - + - Files aren't locked for editing while offline. - WinPE provides administrator access to files in the offline Windows file system, eliminating the need for administrator-level access to the online system. 
@@ -197,33 +197,33 @@ For more information, see [Migrate EFS Files and Certificates](usmt-migrate-efs- ## Incompatible command-line options -The following table indicates which command-line options aren't compatible with the `ScanState.exe` command. If the table entry for a particular combination has a ✔️, the options are compatible and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option. +The following table indicates which command-line options aren't compatible with the `ScanState.exe` command. If the table entry for a particular combination has a ✅, the options are compatible and they can be used together. The ❌ symbol means that the options aren't compatible. For example, the `/nocompress` option can't be used with the `/encrypt` option. |Command-Line Option|/keyfile|/nocompress|/genconfig|/all| |--- |--- |--- |--- |--- | -|**/i**| ✔️ | ✔️ | ✔️ | ✔️ | -|**/o**| ✔️ | ✔️ | ✔️ | ✔️ | -|**/v**| ✔️ | ✔️ | ✔️ | ✔️ | -|**/nocompress**| ✔️ | ✔️ | ✔️ |N/A| -|**/localonly**| ✔️ | ✔️ | ❌ | ✔️ | -|**/key**| ❌ | ✔️ | ❌ | ✔️ | -|**/encrypt**|Required*| ❌ | ❌ | ✔️ | -|**/keyfile**|N/A| ✔️ | ❌ | ✔️ | -|**/l**| ✔️ | ✔️ | ✔️ | ✔️ | -|**/listfiles**| ✔️ | ✔️ | ❌ | ✔️ | -|**/progress**| ✔️ | ✔️ | ❌ | ✔️ | -|**/r**| ✔️ | ✔️ | ❌ | ✔️ | -|**/w**| ✔️ | ✔️ | ❌ | ✔️ | -|**/c**| ✔️ | ✔️ | ❌ | ✔️ | -|**/p**| ✔️ | ✔️ | ❌ |N/A| -|**/all**| ✔️ | ✔️ | ❌ | ✔️ | -|**/ui**| ✔️ | ✔️ | ❌ | ❌ | -|**/ue**| ✔️ | ✔️ | ❌ | ❌ | -|**/uel**| ✔️ | ✔️ | ❌ | ❌ | -|**/efs**:*\*| ✔️ | ✔️ | ❌ | ✔️ | -|**/genconfig**| ✔️ | ✔️ |N/A| ✔️ | -|**/config**| ✔️ | ✔️ | ❌ | ✔️ | -|*\*| ✔️ | ✔️ | ❌ | ✔️ | +|**/i**| ✅ | ✅ | ✅ | ✅ | +|**/o**| ✅ | ✅ | ✅ | ✅ | +|**/v**| ✅ | ✅ | ✅ | ✅ | +|**/nocompress**| ✅ | ✅ | ✅ |N/A| +|**/localonly**| ✅ | ✅ | ❌ | ✅ | +|**/key**| ❌ | ✅ | ❌ | ✅ | +|**/encrypt**|Required*| ❌ | ❌ | ✅ | +|**/keyfile**|N/A| ✅ | ❌ | ✅ | +|**/l**| ✅ | ✅ | ✅ | ✅ | +|**/listfiles**| ✅ | ✅ | ❌ | ✅ | 
+|**/progress**| ✅ | ✅ | ❌ | ✅ | +|**/r**| ✅ | ✅ | ❌ | ✅ | +|**/w**| ✅ | ✅ | ❌ | ✅ | +|**/c**| ✅ | ✅ | ❌ | ✅ | +|**/p**| ✅ | ✅ | ❌ |N/A| +|**/all**| ✅ | ✅ | ❌ | ✅ | +|**/ui**| ✅ | ✅ | ❌ | ❌ | +|**/ue**| ✅ | ✅ | ❌ | ❌ | +|**/uel**| ✅ | ✅ | ❌ | ❌ | +|**/efs**:*\*| ✅ | ✅ | ❌ | ✅ | +|**/genconfig**| ✅ | ✅ |N/A| ✅ | +|**/config**| ✅ | ✅ | ❌ | ✅ | +|*\*| ✅ | ✅ | ❌ | ✅ | > [!NOTE] > diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md index 7234c849a8..ef124c0497 100644 --- a/windows/deployment/wds-boot-support.md +++ b/windows/deployment/wds-boot-support.md 
@@ -7,34 +7,37 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.topic: article -ms.date: 11/23/2022 +ms.date: 04/25/2024 ms.subservice: itpro-deploy +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 --- # Windows Deployment Services (WDS) boot.wim support -*Applies to:* - -- Windows 10 -- Windows 11 - -The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported. +The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode is no longer supported. When you PXE-boot from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed: - ![WDS deprecation notice](images/wds-deprecation.png) +> Windows Setup +> +> Windows Deployment Services client functionality is being partly deprecated. Please visit https://aka.ms/WDSSupport for more details on what is deprecated and what will continue to be supported. ## Deployment scenarios affected -The table below provides support details for specific deployment scenarios. Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. +The following table provides support details for specific deployment scenarios. 
Boot.wim is the `boot.wim` file obtained from the Windows source files for each specified version of Windows. |Windows Version being deployed |Boot.wim from Windows 10|Boot.wim from Windows Server 2016|Boot.wim from Windows Server 2019|Boot.wim from Windows Server 2022|Boot.wim from Windows 11| |--- |--- |--- |--- |--- |--- | -|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| -|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| -|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.| -|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.| |**Windows 11**|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.|Not supported, blocked.| +|**Windows 10**|Supported, using a boot image from matching or newer version.|Supported, using a boot image from Windows 10, version 1607 or later.|Supported, using a boot image from Windows 10, version 1809 or later.|Not supported.|Not supported.| +|**Windows Server 2022**|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Deprecated, with a warning message.|Not supported.| +|**Windows Server 2019**|Supported, using a boot image from Windows 10, version 1809 or later.|Supported.|Supported.|Not supported.|Not supported.| +|**Windows Server 2016**|Supported, using a boot image from Windows 10, version 1607 or later.|Supported.|Not supported.|Not supported.|Not supported.| ## Reason for the change 
@@ -46,15 +49,15 @@ Alternatives to WDS, such as [Microsoft Configuration Manager](/mem/configmgr/) ## Not affected -WDS PXE boot isn't affected by this change. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode. +This change doesn’t affect WDS PXE boot. You can still use WDS to PXE boot devices with custom boot images, but you can't use **boot.wim** as the boot image and run Windows Setup in WDS mode. -You can still run Windows Setup from a network share. Workflows that use a custom boot.wim, such as MDT or Configuration Manager aren't affected by this change. +You can still run Windows Setup from a network share. This change doesn't change Workflows that use a custom boot.wim, such as MDT or Configuration Manager. ## Summary -- Windows 11 workflows that rely on **boot.wim** from installation media will be blocked. You can't perform an end to end deployment of Windows 11 using only WDS. -- Windows 10, Windows Server 2019, and previous operating system versions aren't affected by this change. -- Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. +- Windows 11 workflows that rely on **boot.wim** from installation media are blocked. You can't perform an end to end deployment of Windows 11 using only WDS. +- This change doesn't affect Windows 10, Windows Server 2019, and previous operating system versions. +- Windows Server 2022 workflows that rely on **boot.wim** from installation media show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow isn't blocked. - Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked. 
If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version isn't supported, deprecated, or blocked, it's recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md index 5db0cf29b6..82e1181f87 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md 
@@ -321,11 +321,11 @@ If you need assistance with your Windows Autopatch deployment journey, you have
 First contact your Microsoft Account team who can work with you to establish any guidance or support you might need. If you don't have a Microsoft Account Team contact or wish to explore other routes, Microsoft FastTrack offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. Finally, you can also log a support request with the Windows Autopatch Service Engineering Team.
-### Windows Autopatch Private Community (APC)
+### Windows Commercial Advisors (WCA)
-Once you're underway with your deployment, consider joining the [Windows Autopatch Private Community (APC)](https://aka.ms/WindowsAutopatchPrivateCommunity) where you can:
+Once you're underway with your deployment, consider joining the [Windows Commercial Advisors (WCA)](https://aka.ms/joinccp) community within the [Microsoft Management Customer Connection Program (MM CCP)](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/announcing-the-microsoft-management-customer-connection-program/ba-p/3725035), where you can:
-- Engage directly with the Windows Autopatch Engineering Teams and other Autopatch customers
+- Engage directly with the Windows Commercial Engineering Teams and other Windows Commercial Customers
 - Gain access to:
 - Exclusive virtual meetings
 - Focus groups
@@ -333,6 +333,3 @@ Once you're underway with your deployment, consider joining the [Windows Autopat
 - Teams discussions
 - Previews
-### Windows Autopatch Technology Adoption Program (TAP)
-
-If you have at least 500 devices enrolled in the service, and will test and give Microsoft feedback at least once a year, consider signing up to the [Windows Autopatch Technology Adoption Program (TAP)](https://aka.ms/JoinWindowsAutopatchTAP) to try out new and upcoming Windows Autopatch features.
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 1e492958a1..4b0d111d73 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -15,7 +15,7 @@ metadata:
 author: paolomatarazzo
 ms.author: paoloma
 manager: aaroncz
- ms.date: 10/31/2023
+ ms.date: 04/25/2024
 highlightedContent:
 items:
@@ -127,24 +127,24 @@ productDirectory:
 text: Customize the Start menu layout
 - url: /windows/configuration/set-up-shared-or-guest-pc
 text: Set up a shared or guest PC
- - url: /windows/configuration/kiosk-methods
- text: Configure kiosks and digital signs
+ - url: /windows/configuration/assigned-access
+ text: Configure kiosks and restricted user experiences
 - url: /windows/configuration
 text: Learn more about Windows configuration >
 - title: Learn about Windows for Education
 imageSrc: /media/common/i_advanced.svg
 links:
+ - url: /education/windows/tutorial-school-deployment/
+ text: "Tutorial: deploy and manage Windows devices in a school"
 - url: /education/windows/windows-11-se-overview
 text: Windows 11 SE Overview
 - url: /education/windows/federated-sign-in
 text: Configure federated sign-in for Windows devices
 - url: /education/windows/get-minecraft-for-education
 text: Get and deploy Minecraft Education
- - url: /education/windows/tutorial-school-deployment/
- text: "Tutorial: deploy and manage Windows devices in a school"
- - url: /education/windows/tutorial-deploy-apps-winse/
- text: "Tutorial: deploy applications to Windows 11 SE"
+ - url: /education/windows/take-tests-in-windows
+ text: Take tests and assessments in Windows
 - url: /education/Windows
 text: Learn more about Windows for Education >
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 91dcf99489..ef87c4289b 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 02/29/2024
+ms.date: 04/24/2024
 ms.topic: reference
 ms.collection: privacy-windows
 ---
@@ -8661,7 +8661,7 @@ The following fields are available:
 - **downlinkUsageBps** The download speed (in bytes per second).
 - **downloadMode** The download mode used for this file download session.
 - **downloadModeReason** Reason for the download.
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, DefaultProvider = 99).
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
 - **expiresAt** The time when the content will expire from the Delivery Optimization Cache.
 - **fileID** The ID of the file being downloaded.
@@ -8725,7 +8725,7 @@ The following fields are available:
 - **doErrorCode** The Delivery Optimization error code that was returned.
 - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
 - **downloadModeReason** Reason for the download.
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, DefaultProvider = 99).
 - **errorCode** The error code that was returned.
 - **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
 - **fileID** The ID of the file being downloaded.
diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md
index 30382402e6..bf737de08f 100644
--- a/windows/privacy/copilot-supplemental-terms.md
+++ b/windows/privacy/copilot-supplemental-terms.md
@@ -8,7 +8,7 @@ author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
 ms.date: 03/04/2024
-ms.topic: conceptual
+ms.topic: legal
 ms.collection: windows-copilot
 hideEdit: true
 layout: ContentPage
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 27ba6af72a..7969cc1cca 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 02/29/2024
+ms.date: 04/24/2024
 ms.collection: privacy-windows
 ms.topic: reference
 ---
@@ -55,12 +55,12 @@ The following fields are available:
 - **DestinationPath** The path to the destination we're installing to.
 - **DownloadSize** The size in bytes needed to download the package.
 - **ErrorText** Optional text describing any errors.
-- **InstallationActionId** The type of action ( 0 - Unknown, 1 - Install Started, 2 - Install Paused, 3 - Install Resumed, 4 - Installation Ready to Play, 5 - Change Source (Merged Install), 6 - Install Error, 7 - Install Complete, 8 - Install Aborted, 9 - Change Source (Auto Select), 10 - Change Source (Apply Update))
+- **InstallationActionId** The type of action (0 - Unknown, 1 - Install Started, 2 - Install Paused, 3 - Install Resumed, 4 - Installation Ready to Play, 5 - Change Source (Merged Install), 6 - Install Error, 7 - Install Complete, 8 - Install Aborted, 9 - Change Source (Auto Select), 10 - Change Source (Apply Update))
 - **InstallationErrorSource** The source of the error: 0 - None, 1 - Optical Drive, 2 - Network, 3 - Local, 4 - Destination, 5 - Licensing, 6 - Registration, 7 - Other
 - **InstallationSessionId** The unique Identifier for the installation session of this install. Goes from ‘Start’ to ‘End’ and all chunks/points in between.
-- **InstallationStageId** The stage of install ( 0 - Unknown, 1 - Package, 2 - Pls )
+- **InstallationStageId** The stage of install (0 - Unknown, 1 - Package, 2 - Pls)
 - **InstallationStatus** HRESULT of the installation. Should be null except for the end or error events.
-- **InstallationTypeId** The type of install ( 0 - Unknown, 1 - Network, 2 - Disc, 3 - Hybrid, 4 - Update, 5 - Move, 6 - Copy ).
+- **InstallationTypeId** The type of install (0 - Unknown, 1 - Network, 2 - Disc, 3 - Hybrid, 4 - Update, 5 - Move, 6 - Copy).
 - **OriginalStatus** The untransformed error code. The transformed, public value is stored in InstallationStatus.
 - **PackageSize** The size in bytes of the package.
- **PackageSpecifiers** The map of Intelligent Delivery region specifiers present in the installing package.
@@ -1373,7 +1373,7 @@ The following fields are available:
 - **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
 - **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run.
 - **AppraiserProcess** The name of the process that launched Appraiser.
-- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AppraiserVersion** The file version (major, minor, and build) of the Appraiser DLL, concatenated without dots.
 - **AuxFinal** Obsolete, always set to false.
 - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **CountCustomSdbs** The number of custom Sdbs used by Appraiser.
@@ -1387,7 +1387,7 @@ The following fields are available:
 - **PCFP** An ID for the system calculated by hashing hardware identifiers.
 - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
 - **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
-- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it's understood that data events won't be received from this device.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this is false, it's understood that data events won't be received from this device.
 - **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
 - **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
 - **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
@@ -1601,7 +1601,7 @@ The following fields are available:
 - **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
 - **AssignedAccessStatus** Kiosk configuration mode.
-- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **CompactOS** Indicates if the Compact OS feature from Windows 10 is enabled.
 - **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
 - **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
 - **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
@@ -1615,7 +1615,7 @@ The following fields are available:
 - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we're running an OS License granted by the MS store.
 - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition** Retrieves the version of the current OS.
-- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc.
 - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU** Retrieves the Friendly Name of OS Edition.
 - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
@@ -1624,7 +1624,7 @@ The following fields are available:
 - **ProductActivationResult** Returns Boolean if the OS Activation was successful.
 - **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
 - **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
-- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win 7 Identifier. RAC is used to monitor and analyze system usage and reliability.
 - **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
 - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
 - **ServiceProductKeyID** Retrieves the License key of the KMS
@@ -1783,7 +1783,7 @@ The following fields are available:
 - **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
 - **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
 - **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
-- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches.
 - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
 - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
 - **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
@@ -1880,15 +1880,15 @@ The following fields are available:
 - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
 - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
 - **IsHotPatchEnrolled** Represents the current state of the device in relation to enrollment in the hotpatch program.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device didn't install it?
+- **OSAssessmentFeatureOutOfDate** How many days has it been since the last feature update was released but the device didn't install it?
 - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
 - **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
 - **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
-- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device didn't install it?
+- **OSAssessmentQualityOutOfDate** How many days has it been since the last quality update was released but the device didn't install it?
 - **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
 - **OSRollbackCount** The number of times feature updates have rolled back on the device.
 - **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
-- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device.
 - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
 - **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default.
- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
@@ -2210,7 +2210,7 @@ The following fields are available:
 - **action** The change that was invoked on a device inventory object.
 - **inventoryId** Device ID used for Compatibility testing
-- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectInstanceId** Object identity, which is unique within the device scope.
 - **objectType** Indicates the object type that the event applies to.
 - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
@@ -2290,7 +2290,7 @@ The following fields are available:
 - **pendingDecision** Indicates the cause of reboot, if applicable.
 - **primitiveExecutionContext** The state during system startup when the uninstall was completed.
 - **revisionVersion** The revision number of the security update being uninstalled.
-- **transactionCanceled** Indicates whether the uninstall was cancelled.
+- **transactionCanceled** Indicates whether the uninstall was canceled.
 ### CbsServicingProvider.CbsQualityUpdateInstall
@@ -2552,7 +2552,7 @@ The following fields are available:
 - **HeartBeatSequenceNumber** The sequence number of this heartbeat.
 - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
 - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
-- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastEventSizeOffender** Event name of last event that exceeded max event size.
 - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
 - **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
 - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC.
@@ -3103,7 +3103,7 @@ The following fields are available:
 - **InventoryVersion** The version of the inventory binary generating the events.
 - **ProducerId** The ACPI vendor ID.
-- **VersionValue** The 64 bit component version value.
+- **VersionValue** The 64-bit component version value.
 ### Microsoft.Windows.Inventory.Core.InventoryAcpiPhatVersionElementStartSync
@@ -3132,7 +3132,7 @@ The following fields are available:
 - **LattePackageId** The ID of the Latte package.
 - **MsiInstallDate** The install date recorded in the program's MSI package.
 - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
-- **MsiProductCode** A GUID that describe the MSI Product.
+- **MsiProductCode** A GUID that describes the MSI Product.
 - **Name** The name of the application.
 - **PackageFullName** The package full name for a Store application.
 - **ProgramInstanceId** A hash of the file IDs in an app.
@@ -3756,7 +3756,7 @@ This Ping event sends a detailed inventory of software and hardware information
 The following fields are available:
 - **appAp** Any additional parameters for the specified application. Default: ''.
-- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. See the wiki for additional information. Default: undefined.
 - **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
 - **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
 - **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
@@ -3764,13 +3764,13 @@ The following fields are available:
 - **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
 - **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
 - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. 
send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. See the wiki for additional information. Default: '-2'.
 - **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
 - **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
 - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
 - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
 - **appLastLaunchTime** The time when browser was last launched.
-- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. See the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
 - **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends.
1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
 - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
@@ -3784,8 +3784,8 @@ The following fields are available:
 - **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
 - **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
 - **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
-- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventEventResult** An enum indicating the result of the event. See the wiki for additional information. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. See the wiki for additional information.
 - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
 - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. 
@@ -3797,9 +3797,9 @@ The following fields are available:
 - **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
 - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
 - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
-- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion** The version of the product install. See the wiki for additional information. Default: '0.0.0.0'.
 - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **eventType** A string indicating the type of the event. See the wiki for additional information.
 - **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
 - **hwDiskType** Device’s hardware disk type.
 - **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
@@ -3842,7 +3842,7 @@ The following fields are available:
 - **app_name** The name of the crashing process.
 - **app_session_guid** Encodes the boot session, process id, and process start time.
 - **app_version** The version of the crashing process.
-- **client_id_hash** Hash of the browser client ID which helps identify installations.
+- **client_id_hash** Hash of the browser client ID that helps identify installations.
 - **etag** Encodes the running experiments in the browser.
 - **module_name** The name of the module in which the crash originated.
 - **module_offset** Memory offset into the module in which the crash originated.
@@ -4039,11 +4039,11 @@ The following fields are available:
 ### Microsoft.Windows.SecureBootTelemetry.SecureBootEncodeUEFI
-Information about Secure Boot configuration including the PK, KEKs, DB and DBX files on the device.
+Information about Secure Boot configuration including the PK, KEKs, DB, and DBX files on the device.
 The following fields are available:
-- **SecureBootUEFIEncoding** Information about the PK, KEKs, DB and DBX files on the device.
+- **SecureBootUEFIEncoding** Information about the PK, KEKs, DB, and DBX files on the device.
 ### XboxSystemFlightRecorder.SmcErrorLog
@@ -4134,12 +4134,12 @@ The following fields are available:
 ### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation
-This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
+This event provides information about move or deletion of a file or a directory that is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
 The following fields are available:
-- **Path** Path to the file or the directory which is being moved or deleted.
-- **Process** Path to the process which is requesting the move or the deletion.
+- **Path** Path to the file or the directory that is being moved or deleted.
+- **Process** Path to the process that is requesting the move or the deletion.
 - **TargetPath** (Optional) If the operation is a move, the target path to which the file or directory is being moved.
@@ -4204,14 +4204,14 @@ The following fields are available:
 - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
 - **AllowCachedResults** Indicates if the scan allowed using cached results.
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **ApplicableUpdateInfo** Metadata for the updates that were detected as applicable
 - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine doesn't exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **ClientVersion** The version number of the software distribution client.
 - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
 - **DriverSyncPassPerformed** Were drivers scanned this time?
 - **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed.
 - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
 - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **IPVersion** Indicates whether the download took place over IPv4 or IPv6
@@ -4222,9 +4222,9 @@ The following fields are available:
 - **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
 - **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
 - **NumberOfLoop** The number of round trips the scan required
-- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
-- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
-- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **NumberOfNewUpdatesFromServiceSync** The number of updates that were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates that were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks that failed for new metadata synced down.
 - **Online** Indicates if this was an online scan.
 - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName wasn't provided.
 - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -4232,7 +4232,7 @@ The following fields are available:
 - **ScanDurationInSeconds** The number of seconds a scan took
 - **ScanEnqueueTime** The number of seconds it took to initialize a scan
 - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID that represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
 - **ServiceUrl** The environment URL a device is configured to scan with
 - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
 - **SyncType** Describes the type of scan the event was
@@ -4255,7 +4255,7 @@ The following fields are available:
 - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
 - **DownloadProps** Information about the download operation properties in the form of a bitmask.
 - **EventInstanceID** A globally unique identifier for event instance.
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was canceled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
 - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
@@ -4285,7 +4285,7 @@ The following fields are available:
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
 - **ClientVersion** The version number of the software distribution client
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was canceled, succeeded, or failed
 - **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
 - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
 - **FileId** A hash that uniquely identifies a file
@@ -4293,7 +4293,7 @@ The following fields are available:
 - **FlightId** The unique identifier for each flight
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
 - **RevisionNumber** Unique revision number of Update
-- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **ServiceGuid** An ID that represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
 - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
 - **UpdateId** Unique Update ID
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
@@ -4315,7 +4315,7 @@ The following fields are available:
 - **DownloadState** Current state of the active download for this content (queued, suspended, or progressing)
 - **EventType** Possible values are "Child", "Bundle", or "Driver"
 - **FlightId** The unique identifier for each flight
-- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered"
+- **IsNetworkMetered** Indicates whether Windows considered the current network to be metered"
 - **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any
 - **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any
 - **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
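Review bot: The new IsNetworkMetered line in the @@ -4315 hunk still ends with a stray double quote (`to be metered"`): the commit removed the mis-encoded `?` that opened the quotation but left its closing half. Either drop the quote or restore the pair, e.g. `- **IsNetworkMetered** Indicates whether Windows considered the current network to be metered`. The unchanged PowerState context line in the same hunk reads `heartbeart`, which could be corrected in the same pass.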
@@ -4351,7 +4351,7 @@ This event sends data about an AppX app that has been updated from the Microsoft
 The following fields are available:
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **ApplicableUpdateInfo** Metadata for the updates that were detected as applicable.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
 - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
@@ -4554,7 +4554,7 @@ The following fields are available:
 ### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2
-This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly.
+This event sends reason for SAM, PCH, and SoC reset. The data collected with this event is used to keep Windows performing properly.
 The following fields are available:
@@ -4733,7 +4733,7 @@ The following fields are available:
 ### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantInteractive
-An user action such as button click happens.
+A user action such as button click happens.
 The following fields are available:
@@ -4814,7 +4814,7 @@ The following fields are available:
 - **CV** The correlation vector.
 - **GlobalEventCounter** The counter for all telemetry on the device.
-- **UpdateAssistantDownloadCancelled** True when the ESD download is cancelled.
+- **UpdateAssistantDownloadCancelled** True when the ESD download is canceled.
 - **UpdateAssistantDownloadDownloadTotalBytes** The total size in bytes of the download.
 - **UpdateAssistantDownloadEditionMismatch** True if downloaded ESD doesn't match edition.
 - **UpdateAssistantDownloadESDEncrypted** True if ESD is encrypted.
@@ -4838,7 +4838,7 @@ This event indicates that the detection phase of USO has started. The data colle
 The following fields are available:
 - **CV** Correlation vector.
-- **ExpeditePolicyId** The policy ID of the expedite request.
+- **ExpeditePolicyId** The policy ID of the expedited request.
 - **ExpediteUpdaterOfferedUpdateId** UpdateId of the LCU expected to be expedited.
 - **ExpediteUpdatesInProgress** List of update IDs in progress.
 - **ExpediteUsoLastError** The last error returned by USO.
@@ -4938,7 +4938,7 @@ This event is received when the UpdateHealthTools service uploads device informa
 The following fields are available:
 - **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this user.
 - **PackageVersion** Current package version of remediation.
 - **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise.
 - **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
@@ -4946,7 +4946,7 @@ The following fields are available:
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploadFailed
-This event provides information for device which failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date.
+This event provides information for device that failed to upload the details. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
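Review bot: The new description in the @@ -4946 hunk reads `information for device that failed`, which is missing an article; the `which`→`that` substitution did not address the grammar of the sentence it touched. Suggest `This event provides information for a device that failed to upload the details.`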
@@ -4963,7 +4963,7 @@ This event is received when a push notification has been completed by the Update
 The following fields are available:
 - **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this user.
 - **PackageVersion** Current package version of UpdateHealthTools.
 - **UpdateHealthToolsEnterpriseActionResult** The HRESULT return by the enterprise action.
 - **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push.
@@ -4976,7 +4976,7 @@ This event is received when the UpdateHealthTools service receives a push notifi
 The following fields are available:
 - **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this user.
 - **PackageVersion** Current package version of UpdateHealthTools.
 - **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
 - **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push.
@@ -4992,7 +4992,7 @@ This event is received when there's status on a push notification. The data coll
 The following fields are available:
 - **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this user.
 - **PackageVersion** Current package version of UpdateHealthTools.
 - **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
 - **UpdateHealthToolsEnterpriseActionType** Enum describing the type of action requested by the push.
@@ -5007,7 +5007,7 @@ This event is sent when a device has been detected as DSS device. The data colle
 The following fields are available:
 - **CV** A correlation vector.
-- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** This is a client side counter that indicates ordering of events sent by this user.
 - **PackageVersion** The package version of the label.
@@ -5018,7 +5018,7 @@ This event is sent when the service first starts. It's a heartbeat indicating th
 The following fields are available:
 - **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by this user.
 - **PackageVersion** Current package version of remediation.
@@ -5347,7 +5347,7 @@ The following fields are available:
 - **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the downlevel OS.
-- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **HostOsSkuName** The operating system edition that is running Setup360 instance (downlevel OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
@@ -5355,7 +5355,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
 - **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** An ID that uniquely identifies a group of events.
 - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
@@ -5369,7 +5369,7 @@ The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOsSkuName** The OS edition that is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
@@ -5377,7 +5377,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** ID that uniquely identifies a group of events.
 - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -5391,7 +5391,7 @@ The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOsSkuName** The OS edition that is running the Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
@@ -5399,7 +5399,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** ID that uniquely identifies a group of events.
 - **WuId** Windows Update client ID.
@@ -5413,7 +5413,7 @@ The following fields are available:
 - **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOsSkuName** The OS edition that is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
@@ -5421,7 +5421,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
 - **TestId** A string to uniquely identify a group of events.
 - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
@@ -5435,7 +5435,7 @@ The following fields are available:
 - **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **HostOsSkuName** The OS edition that is running Setup360 instance (previous operating system).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
@@ -5457,7 +5457,7 @@ The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **HostOSBuildNumber** The build number of the previous operating system.
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **HostOsSkuName** The OS edition that is running the Setup360 instance (previous operating system).
 - **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
@@ -5465,7 +5465,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** ID that uniquely identifies a group of events.
 - **WuId** Windows Update client ID.
@@ -5479,7 +5479,7 @@ The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOsSkuName** The OS edition that is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
@@ -5487,7 +5487,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
 - **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** A string to uniquely identify a group of events.
 - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -5501,7 +5501,7 @@ The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOsSkuName** The OS edition that is running the Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
@@ -5509,7 +5509,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** A string to uniquely identify a group of events.
 - **WuId** Windows Update client ID.
@@ -5616,7 +5616,7 @@ The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
 - **FlightData** Unique value that identifies the flight.
 - **HostOSBuildNumber** The build number of the previous OS.
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOsSkuName** The OS edition that is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
 - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
@@ -5624,7 +5624,7 @@ The following fields are available:
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
 - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
 - **TestId** A string to uniquely identify a group of events.
 - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -5642,7 +5642,7 @@ The following fields are available:
 - **HrLastFailure** Error code from the failed removal.
 - **HrResetDatastore** Result of the attempted removal.
 - **HrStopGroupOfServices** Result of stopping the services.
-- **MaskServicesStopped** Bit field to indicate which services were stopped succesfully. Bit on means success. List of services: usosvc(1<<0), dosvc(1<<1), wuauserv(1<<2), bits(1<<3).
+- **MaskServicesStopped** Bit field to indicate which services were stopped successfully. Bit on means success. List of services: usosvc(1<<0), dosvc(1<<1), wuauserv(1<<2), bits(1<<3).
 - **NumberServicesToStop** The number of services that require manual stopping.
@@ -5681,7 +5681,7 @@ The following fields are available:
 ### Microsoft.Windows.WERVertical.OSCrash
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+This event sends binary data from the collected dump file whenever a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
 The following fields are available:
@@ -5735,7 +5735,7 @@ The following fields are available:
 - **creatorId** The unique identifier for the entity that created the error record.
 - **errorFlags** Any flags set on the error record.
-- **notifyType** The unique identifier for the notification mechanism which reported the error to the operating system.
+- **notifyType** The unique identifier for the notification mechanism that reported the error to the operating system.
 - **partitionId** The unique identifier for the partition on which the hardware error occurred.
 - **platformId** The unique identifier for the platform on which the hardware error occurred.
 - **record** A collection of binary data containing the full error record.
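Review bot: The new OSCrash description in the @@ -5681 hunk fixes `wheneveer` but keeps the typo in the next sentence, `The is the OneCore version of this event.` Suggest `This is the OneCore version of this event.` so the line does not need a second touch.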
@@ -6116,7 +6116,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
 The following fields are available:
@@ -6213,7 +6213,7 @@ The following fields are available:
 - **doClientVersion** The version of the Delivery Optimization client.
 - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
 - **downloadModeReason** Reason for the download.
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, DefaultProvider = 99).
 - **errorCode** The error code that was returned.
 - **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
 - **fileID** The ID of the file being downloaded.
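Review bot: The downloadModeSrc line in the @@ -6213 hunk replaces the last enumerator `InvalidProviderType = 9` with `DefaultProvider = 99` instead of adding it, so the documented value set both loses a value and changes its number in a commit that is otherwise wording-only. Since this list tells readers what the telemetry field can contain, it is worth confirming whether value 9 no longer occurs or was only renamed, and keeping `InvalidProviderType = 9` alongside `DefaultProvider = 99` if it still does.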
@@ -6298,7 +6298,7 @@ The following fields are available:
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
-This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario that is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 3c844881cd..c336dba245 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
 author: DHB-MSFT
 ms.author: danbrown
 manager: laurawi
-ms.date: 02/29/2024
+ms.date: 04/24/2024
 ms.collection: privacy-windows
 ms.topic: reference
 ---
@@ -624,7 +624,7 @@ The following fields are available:
 - **ActiveNetworkConnection** Indicates whether the device is an active network device.
 - **AppraiserVersion** The version of the appraiser file generating the events.
 - **IsBootCritical** Indicates whether the device boot is critical.
-- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
+- **WuDriverCoverage** Indicates whether there's a driver uplevel for this device, according to Windows Update.
 - **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
 - **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update.
@@ -686,7 +686,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
-This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+This event sends blocking data about any compatibility blocking entries on the system that aren't directly related to specific applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -720,7 +720,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility database information about non-blocking compatibility entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -753,7 +753,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -831,8 +831,8 @@ The following fields are available:
 - **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
 - **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
 - **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
-- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
-- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It doesn't block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It doesn't block upgrade.
 - **SoftBlock** The file is softblocked in the SDB and has a warning.
@@ -871,14 +871,14 @@ The following fields are available:
 - **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
 - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
 - **BlockingDevice** Is this PNP device blocking upgrade?
-- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and doesn't have a driver included with the OS?
 - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
 - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
 - **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device.
 - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
 - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
 - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **DriverBlockOverridden** Is there's a driver block on the device that has been overridden?
 - **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
 - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
 - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
@@ -949,7 +949,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
-This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -963,7 +963,7 @@ The following fields are available:
 - **SdbBlockUpgrade** Is a matching info block blocking upgrade?
 - **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
 - **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
-- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It doesn't block upgrade.
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
@@ -990,7 +990,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about non-blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1345,7 +1345,7 @@ The following fields are available:
 - **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
 - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
 - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
-- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **BoeProgramId** If there's no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
 - **CompanyName** The company name of the vendor who developed this file.
 - **FileId** A hash that uniquely identifies a file.
 - **FileVersion** The File version field from the file metadata under Properties -> Details.
@@ -1489,7 +1489,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
-This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
+This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It's critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1886,7 +1886,7 @@ The following fields are available:
 ### Microsoft.Windows.Appraiser.General.WmdrmAdd
-This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data doesn't indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
 This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1984,7 +1984,7 @@ The following fields are available:
 ### Census.Azure
-This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure.
+This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that aren't part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure.
 The following fields are available:
@@ -2121,11 +2121,11 @@ This event sends data about the mobile and cellular network used by the device (
 The following fields are available:
 - **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry.
-- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
-- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
 - **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator.
The two fields represent phone with dual sim coverage.
 - **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
-- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user.
 - **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
 - **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
 - **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
@@ -2159,7 +2159,7 @@ The following fields are available:
 - **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
 - **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
 - **LanguagePacks** The list of language packages installed on the device.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we're running an OS License granted by the MS store.
 - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition** Retrieves the version of the current OS.
 - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
@@ -2429,11 +2429,11 @@ The following fields are available:
 - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
 - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
 - **IsHotPatchEnrolled** Represents the current state of the device in relation to enrollment in the hotpatch program.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device didn't install it?
 - **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
 - **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
 - **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
-- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device didn't install it?
 - **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
 - **OSRollbackCount** The number of times feature updates have rolled back on the device.
 - **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
@@ -2506,7 +2506,7 @@ Fires when driver scanning fails to get results.
 ### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.HvciScanningDriverInSdbError
-Fires when there is an error checking the SDB for a particular driver.
+Fires when there's an error checking the SDB for a particular driver.
 The following fields are available:
@@ -2664,7 +2664,7 @@ The following fields are available:
 - **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
 - **providerGuid** The ETW provider ID associated with the provider name.
 - **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It's an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
 - **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
 - **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
 - **wcmp** The Windows Shell Composer ID.
@@ -2767,11 +2767,11 @@ The following fields are available:
 ### CbsServicingProvider.CbsLateAcquisition
-This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+This event sends data to indicate if some Operating System packages couldn't be updated as part of an upgrade, to help keep Windows up to date.
 The following fields are available:
-- **Features** The list of feature packages that could not be updated.
+- **Features** The list of feature packages that couldn't be updated.
 - **RetryID** The ID identifying the retry attempt to update the listed packages.
@@ -3004,7 +3004,7 @@ The following fields are available:
 - **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
 - **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
 - **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
-- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpoint** Provides the last checkpoint when there's a failure during a sleep transition.
 - **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
 - **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
 - **StaleBootStatData** Identifies if the data from bootstat is stale.
@@ -3030,12 +3030,12 @@ The following fields are available:
 ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event is fired by UTC at state transitions to signal what data we're allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
 The following fields are available:
 - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
-- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectAnyTelemetry** True if we're allowed to collect partner telemetry, false otherwise.
 - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
 - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
 - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
@@ -3044,17 +3044,17 @@ The following fields are available:
 - **CanReportScenarios** True if we can report scenario completions, false otherwise.
 - **IsProcessorMode** True if it's Processor Mode, false otherwise.
 - **PreviousPermissions** Bitmask of previous telemetry state.
-- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+- **TransitionFromEverythingOff** True if we're transitioning from all telemetry being disabled, false otherwise.
 ### TelClientSynthetic.AuthorizationInfo_Startup
-This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event is fired by UTC at startup to signal what data we're allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
 The following fields are available:
 - **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
-- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectAnyTelemetry** True if we're allowed to collect partner telemetry, false otherwise.
 - **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
 - **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
 - **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
@@ -3063,7 +3063,7 @@ The following fields are available:
 - **CanReportScenarios** True if we can report scenario completions, false otherwise.
 - **IsProcessorMode** True if it's Processor Mode, false otherwise.
 - **PreviousPermissions** Bitmask of previous telemetry state.
-- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+- **TransitionFromEverythingOff** True if we're transitioning from all telemetry being disabled, false otherwise.
 ### TelClientSynthetic.ConnectivityHeartBeat_0
@@ -3131,7 +3131,7 @@ The following fields are available:
 - **VortexHttpAttempts** Number of attempts to contact Vortex.
 - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
 - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
-- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponseFailures** Number of Vortex responses that aren't 2XX or 400.
 - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
@@ -3662,7 +3662,7 @@ The following fields are available:
 - **CoordinatorVersion** Coordinator version of DTU.
 - **CV** Correlation vector.
 - **HRESULT** Error (if any) that occurred.
-- **NextState** Next workflow state we will enter.
+- **NextState** Next workflow state we'll enter.
 - **State** The state of the workflow.
@@ -3909,7 +3909,7 @@ The following fields are available:
 ### Microsoft.Windows.DxDiag.DxDiagProviderErrorStatistics
-This event provides statistics of major error(s) occurred during data collection, when data has not been properly collected in some queries. The data collected with this event is used to help keep Windows up to date and performing properly.
+This event provides statistics of major error(s) occurred during data collection, when data hasn't been properly collected in some queries. The data collected with this event is used to help keep Windows up to date and performing properly.
 The following fields are available:
@@ -4010,7 +4010,7 @@ The following fields are available:
 ### Microsoft.Windows.FaultReporting.AppCrashEvent
-This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
 The following fields are available:
@@ -4020,7 +4020,7 @@ The following fields are available:
 - **AppVersion** The version of the app that has crashed.
 - **ExceptionCode** The exception code returned by the process that has crashed.
 - **ExceptionOffset** The address where the exception had occurred.
-- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, don't offer JIT debugging, or don't terminate the process after reporting.
 - **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
 - **IsFatal** True/False to indicate whether the crash resulted in process termination.
 - **ModName** Exception module name (e.g. bar.dll).
@@ -4114,7 +4114,7 @@ The following fields are available:
 ### Microsoft.Windows.HangReporting.AppHangEvent
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and won't produce AppHang events.
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and won't produce AppHang events.
 The following fields are available:
@@ -4261,7 +4261,7 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they'll always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
 The following fields are available:
@@ -5162,14 +5162,14 @@ The following fields are available:
 - **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
 - **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
 - **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Please see the wiki for additional information. Default: '-2'.
-- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
 - **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
 - **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
 - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
 - **appLastLaunchTime** The time when browser was last launched.
 - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
-- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field does not apply.
+- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnAzureRefOriginShield** Provides a unique reference string that identifies a request served by Azure Front Door. It's used to search access logs and is critical for troubleshooting. For example, Ref A: E172B39D19774147B0EFCC8E3E823D9D Ref B: BL2EDGE0215 Ref C: 2021-05-11T22:25:48Z.
 - **appPingEventDownloadMetricsCdnCache** Corresponds to the result, whether the proxy has served the result from cache (HIT for yes, and MISS for no) For example, HIT from proxy.domain.tld, MISS from proxy.local.
 - **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
@@ -5190,15 +5190,15 @@ The following fields are available:
 - **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
 - **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
 - **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
-- **appPingEventPackageCacheResult** Indicates whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key; 2 means there's a cache hit under a different key; 0 means that there's a cache miss; -1 means the field does not apply.
+- **appPingEventPackageCacheResult** Indicates whether there's an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key; 2 means there's a cache hit under a different key; 0 means that there's a cache miss; -1 means the field doesn't apply.
 - **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
 - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
 - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
 - **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'.
 - **appUpdateCheckIsRollbackAllowed** Check for status showing whether or not rollback is allowed.
-- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
 - **appUpdateCheckTargetChannel** Check for status showing the target release channel.
-- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
 - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
 - **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
 - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
@@ -5207,13 +5207,13 @@ The following fields are available:
 - **expEtag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
 - **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
 - **hwDiskType** Device’s hardware disk type.
-- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware doesn't support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware doesn't support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware doesn't support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware doesn't support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
 - **hwLogcicalCpus** Number of logical CPUs of the device. Used for testing only.
 - **hwLogicalCpus** Number of logical CPUs of the device.
 - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
@@ -5235,7 +5235,7 @@ The following fields are available:
 - **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
 - **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
 - **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
-- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and shouldn't be counted toward normal metrics. Default: ''.
 - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
@@ -5347,18 +5347,18 @@ The following fields are available:
 - **appPingEventSequenceId** An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
 - **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a tag.
 - **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
-- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
 - **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34'). Default: ''.
 - **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This field is unused by Edge Update and always empty. Default: ''.
 - **appVersion** The version of the product install. Default: '0.0.0.0'.
 - **eventType** A string representation of appPingEventEventType indicating the type of the event.
-- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware doesn't support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware doesn't support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware doesn't support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware doesn't support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
 - **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
 - **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
 - **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
@@ -5376,7 +5376,7 @@ The following fields are available:
 - **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
 - **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
 - **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) SHOULD have (with high probability) a single unique session ID. Default: ''.
-- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and shouldn't be counted toward normal metrics. Default: ''.
 - **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
@@ -5805,7 +5805,7 @@ The following fields are available:
 - **Action** It indicates phase/stage of operation.
 - **Detail** It indicates details about the phase/stage of the operation.
-- **Rollback** It is blank as this event triggers in success scenario only.
+- **Rollback** It's blank as this event triggers in success scenario only.
 - **Status** It indicates details about the status for getting the disk device object during boot.
@@ -5817,7 +5817,7 @@ The following fields are available:
 - **Action** It indicates phase/stage of operation.
 - **Detail** It indicates details about the phase/stage of the operation.
-- **Rollback** It is blank as this event triggers in success scenario only.
+- **Rollback** It's blank as this event triggers in success scenario only.
 - **Status** It indicates details about the status for getting the disk device object during boot.
@@ -5829,7 +5829,7 @@ The following fields are available:
 - **Action** It indicates phase/stage of operation. As success event fires on exiting the operation, this value must be 'Exiting'.
 - **Duration(ms)** Duration of filter setup instance operation in milliseconds.
-- **Rollback** It is blank as this event triggers in success scenario only.
+- **Rollback** It's blank as this event triggers in success scenario only.
 ### Microsoft.Windows.Setup.WinSetupBoot.Warning
@@ -5911,9 +5911,9 @@ The following fields are available:
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
 - **BranchReadinessLevel** The servicing branch configured on the device.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine doesn't exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that couldn't be evaluated.
 - **CDNCountryCode** Two letter country or region abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 - **ClientVersion** The version number of the software distribution client.
@@ -5991,7 +5991,7 @@ This event sends data on whether the Update Service has been called to execute a
 The following fields are available:
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle
 - **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
 - **ClassificationId** Classification identifier of the update content.
@@ -6027,7 +6027,7 @@ The following fields are available:
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
 - **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
 - **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed.
 - **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
@@ -6154,7 +6154,7 @@ This event sends tracking data about the software distribution client installati
 The following fields are available:
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
 - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
@@ -6211,13 +6211,13 @@ This is a revert event for target update on Windows Update Client. See EventScen
 The following fields are available:
-- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found.
+- **BundleId** Identifier associated with the specific content bundle. Shouldn't be all zeros if the BundleId was found.
 - **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
 - **ClassificationId** Classification identifier of the update content.
 - **ClientVersion** Version number of the software distribution client.
-- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There's no value being reported in this field right now. Expected value for this field is 0.
 - **CSIErrorType** Stage of CBS installation that failed.
 - **DeploymentMutexId** Mutex identifier of the deployment operation.
 - **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
@@ -6277,13 +6277,13 @@ This is an uninstall event for target update on Windows Update Client. See Event
 The following fields are available:
-- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found.
+- **BundleId** The identifier associated with the specific content bundle. This shouldn't be all zeros if the bundleID was found.
 - **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request.
 - **ClassificationId** Classification identifier of the update content.
 - **ClientVersion** Version number of the software distribution client.
-- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There's no value being reported in this field right now. Expected value for this field is 0.
 - **DeploymentMutexId** Mutex identifier of the deployment operation.
 - **DeploymentProviderHostModule** Name of the module which is hosting the Update Deployment Provider for deployment operation.
 - **DeploymentProviderMode** The mode of operation of the Update Deployment Provider.
@@ -6361,7 +6361,7 @@ The following fields are available:
 - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
 - **StatusCode** Result code of the event (success, cancellation, failure code HResult).
 - **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
-- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **TimestampTokenId** The time this was created. It's encoded in a timestamp blob and will be zero if the token is malformed.
 - **UpdateId** The update ID for a specific piece of content.
 - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
@@ -6627,7 +6627,7 @@ The following fields are available:
 - **GlobalEventCounter** Client side counter which indicates ordering of events sent by this device.
 - **KBNumber** KBNumber of the update being installed.
 - **PackageVersion** Current package version of quality update assistant.
-- **Reason** Indicates why the device did not pass the readiness check.
+- **Reason** Indicates why the device didn't pass the readiness check.
 - **Result** Device readiness check for quality update assistant.
@@ -6740,7 +6740,7 @@ This event is raised when a targeted mitigation is rejected by the device based
 The following fields are available:
-- **callerId** It is a GUID to identify the component that is calling into Mitigation Client APIs. It can be: Task Scheduler, Settings App, or GetHelp App.
+- **callerId** It's a GUID to identify the component that is calling into Mitigation Client APIs. It can be: Task Scheduler, Settings App, or GetHelp App.
 - **description** String describing why a mitigation was rejected.
 - **mitigationId** GUID identifier for a mitigation.
 - **mitigationVersion** Version of the mitigation.
@@ -7213,7 +7213,7 @@ The following fields are available:
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsPushNotificationStatus
-This event is received when there is status on a push notification. The data collected with this event is used to help keep Windows secure and up to date.
+This event is received when there's status on a push notification. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
@@ -7269,7 +7269,7 @@ The following fields are available:
 ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted
-This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date.
+This event is sent when the service first starts. It's a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
@@ -7545,7 +7545,7 @@ The following fields are available:
 - **FlightId** Unique ID for the flight (test instance version).
 - **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
 - **ObjectId** The unique value for each Update Agent mode.
-- **Reason** Indicates the HResult why the machine could not be suspended. If it's successfully suspended, the result is 0.
+- **Reason** Indicates the HResult why the machine couldn't be suspended. If it's successfully suspended, the result is 0.
 - **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
 - **Result** The HResult of the event.
 - **ScenarioId** The ID of the update scenario.
@@ -7988,8 +7988,8 @@ The following fields are available:
 - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
 - **usingBackupFeatureAssessment** Relying on backup feature assessment.
 - **usingBackupQualityAssessment** Relying on backup quality assessment.
-- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
-- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **usingCachedFeatureAssessment** WaaS Medic run didn't get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run didn't get OS revision age from the network on the previous run.
 - **versionString** Version of the WaaSMedic engine.
 - **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
@@ -8214,7 +8214,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
-This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
 The following fields are available:
@@ -8284,7 +8284,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
 The following fields are available:
@@ -8310,7 +8310,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
-This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure.
+This event is sent after restoring user data (if any) that needs to be restored following a product install. It's used to keep Windows up-to-date and secure.
 The following fields are available:
@@ -8463,7 +8463,7 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
 The following fields are available:
@@ -8550,7 +8550,7 @@ The following fields are available:
 ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable
-This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date.
+This event informs you whether a rollback of Quality updates is applicable to the devices that you're attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date.
 The following fields are available:
@@ -8718,7 +8718,7 @@ The following fields are available:
 - **doErrorCode** The Delivery Optimization error code that was returned.
 - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
 - **downloadModeReason** Reason for the download.
-- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9).
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, DefaultProvider = 99).
 - **errorCode** The error code that was returned.
 - **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
 - **fileID** The ID of the file being downloaded.
@@ -8796,7 +8796,7 @@ This event collects information regarding the state of devices and drivers on th
 The following fields are available:
 - **activated** Whether the entire device manifest update is considered activated and in use.
-- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **analysisErrorCount** The number of driver packages that couldn't be analyzed because errors occurred during analysis.
 - **flightId** Unique ID for each flight.
 - **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
 - **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
@@ -9050,8 +9050,8 @@ This event sends launch data for a Windows Update scan to help keep Windows secu
 The following fields are available:
 - **detectionBlockingPolicy** State of update action.
-- **detectionBlockreason** The reason detection did not complete.
-- **detectionRetryMode** Indicates whether we will try to scan again.
+- **detectionBlockreason** The reason detection didn't complete.
+- **detectionRetryMode** Indicates whether we'll try to scan again.
 - **errorCode** The error code returned for the current process.
 - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
 - **interactive** Indicates whether the session was user initiated.
@@ -9270,7 +9270,7 @@ The following fields are available: ### Microsoft.Windows.Update.Orchestrator.StickUpdate -This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date. +This event is sent when the update service orchestrator (USO) indicates the update can't be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date. The following fields are available: @@ -9683,7 +9683,7 @@ This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The following fields are available: -- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks don't affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) - **Id** GUID passed in by the caller to identify the evaluation. - **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. - **Result** Overall result generated by the evaluation. 
@@ -9714,9 +9714,9 @@ The following fields are available:
 - **MitigationScenario** The update scenario in which the mitigation was executed.
 - **MountedImageCount** The number of mounted images.
 - **MountedImageMatches** The number of mounted image matches.
-- **MountedImagesFailed** The number of mounted images that could not be removed.
+- **MountedImagesFailed** The number of mounted images that couldn't be removed.
 - **MountedImagesRemoved** The number of mounted images that were successfully removed.
-- **MountedImagesSkipped** The number of mounted images that were not found.
+- **MountedImagesSkipped** The number of mounted images that weren't found.
 - **RelatedCV** The correlation vector value generated from the latest USO scan.
 - **Result** HResult of this operation.
 - **ScenarioId** ID indicating the mitigation scenario.
@@ -9760,7 +9760,7 @@ The following fields are available:
 - **RelatedCV** Correlation vector value generated from the latest USO scan.
 - **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them.
 - **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation.
-- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required.
+- **ReparsePointsSkipped** Number of reparse points that aren't corrupted and no action is required.
 - **Result** HResult of this operation.
 - **ScenarioId** ID indicating the mitigation scenario.
 - **ScenarioSupported** Indicates whether the scenario was supported.
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
new file mode 100644
index 0000000000..462cf9cf11
--- /dev/null
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -0,0 +1,68 @@
+---
+title: Application and driver control
+description: Windows 11 security book - Application and driver control.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Application and driver control
+
+:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+
+Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
+capabilities to build in security from the ground up to protect against breaches and malware.
+
+## Smart App Control
+
+Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
+
+Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
+Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
+
+Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
+
+## App Control for Business
+
+Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
+
+Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
+
+Customers using Microsoft Intune[\[9\]](conclusion.md#footnote9) to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
+
+Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
+
+## User Account Control
+
+User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
+
+Organizations can use a modern device management (MDM) solution like Microsoft Intune[\[9\]](conclusion.md#footnote9) to remotely configure UAC settings. Organizations without MDM can change settings directly
+on the device.
+
+Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
+apps and prevent inadvertent changes to system settings.
+
+Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
+
+Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
+
+:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
+
+## Microsoft vulnerable driver blocklist
+
+The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
new file mode 100644
index 0000000000..603d0138a4
--- /dev/null
+++ b/windows/security/book/application-security-application-isolation.md
@@ -0,0 +1,53 @@
+---
+title: Application isolation
+description: Windows 11 security book - Application isolation.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Application isolation
+
+:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+
+## Win32 app isolation
+
+Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
+
+Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
+
+In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.
+
+To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).
+
+To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
+
+- Approaches for accessing data and privacy information
+- Integrating Win32 apps for compatibility with other Windows interfaces
+
+The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
+
+## Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
+
+Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
+- [Windows Sandbox is a new lightweight desktop environment tailored for safely
+running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
+
+## App containers
+
+In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP) applications run in Windows containers known as *app containers*. App containers act as process and resource isolation boundaries, but unlike Docker containers, these are special containers designed to run Windows applications.
+
+Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
new file mode 100644
index 0000000000..5b8a5238ab
--- /dev/null
+++ b/windows/security/book/application-security.md
@@ -0,0 +1,16 @@
+---
+title: Application security
+description: Windows 11 security book - Application security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Application security
+
+:::image type="content" source="images/application-security-cover.png" alt-text="Cover of the application security chapter." border="false":::
+
+:::image type="content" source="images/application-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/application-security.png" border="false":::
+
+Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.
+
+In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
new file mode 100644
index 0000000000..39b189a20f
--- /dev/null
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -0,0 +1,58 @@
+---
+title: Cloud services - Protect your personal information
+description: Windows 11 security book - Cloud services chapter - Protect your personal information.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Protect your personal information
+
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+
+## Microsoft Account
+
+Your Microsoft Account (MSA) gives you access to Microsoft products and services with just one login, allowing you to manage everything all in one place. Keep tabs on your subscriptions and order history, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud, across devices, and between OS ecosystems, including iOS and Android.
+
+You can even go passwordless with your Microsoft Account by removing the password from your MSA and using the Microsoft Authenticator app on your mobile Android or iOS phone.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [What is a Microsoft account?](https://support.microsoft.com/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
+
+## User reauthentication before password disablement
+
+Windows provides greater flexibility for users to balance ease of use with security. Users can choose the interval that the machine remains idle before it automatically signs the user out. To avoid a security breach and prevent users from accidentally making settings changes, Windows reauthenticates the user before they are allowed to change the setting to not sign out the user even after the device remains idle indefinitely.
+
+This setting is available on the Sign-in options page in Settings and is available on Windows 11 and onward for MSA users worldwide.
+
+## Find my device
+
+When location services and Find my device settings are turned on, basic system services like time zone and Find my device will be allowed to use the device's location. When enabled, Find my device can be used by the admin on the device to help recover lost or stolen Windows devices to reduce security threats that rely on physical access.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [How to set up, find, and lock a lost Windows device using a Microsoft Account](https://support.microsoft.com/account-billing/find-and-lock-a-lost-windows-device-890bf25e-b8ba-d3fe-8253-e98a12f26316)
+
+## OneDrive for personal
+
+Microsoft OneDrive17 for personal provides additional security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [OneDrive](/onedrive/plan-onedrive-enterprise)
+
+In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [How to restore from OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15)
+
+## OneDrive Personal Vault
+
+OneDrive Personal Vault[\[9\]](conclusion.md#footnote9) also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
+
+Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
new file mode 100644
index 0000000000..f60f7c0f9a
--- /dev/null
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -0,0 +1,269 @@
+---
+title: Cloud services - Protect your work information
+description: Windows 11 security book - Cloud services chapter - Protect your work information.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Protect your work information
+
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+
+## Microsoft Entra ID
+
+Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+
+Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
+
+To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
+
+Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
+
+:::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
+
+When a device is Microsoft Entra ID joined and managed with Microsoft Intune[\[9\]](conclusion.md#footnote9), it receives the following security benefits:
+
+- Default managed user and device settings and policies
+- Single sign-in to all Microsoft Online Services
+- Full suite of authentication management capabilities using Windows Hello for Business
+- Single sign-on (SSO) to enterprise and SaaS applications
+- No use of consumer Microsoft Account identity
+
+Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+
+In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
+
+Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
+- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
+
+## Modern device management through (MDM)
+
+Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune[\[9\]](conclusion.md#footnote9), IT can manage Windows 11 using industrystandard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
+
+Windows 11 built-in management features include:
+
+- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Mobile device management overview](/windows/client-management/mdm-overview)
+
+## Microsoft security baselines
+
+Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
+
+## MDM security baseline
+
+Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
+
+The security baseline includes policies for:
+
+- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting use of legacy technology
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
+
+## Microsoft Intune
+
+Microsoft Intune15 is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
+
+Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication.
+
+Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies.16 For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment.
+
+Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
+
+### Endpoint Privilege Management (EPM)
+
+Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
+
+### Local Administrator Password (LAPs)
+
+Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
+
+### Mobile Application Management (MAM)
+
+With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
+
+Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
+
+Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
+
+Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
+
+With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
+
+## Remote Wipe
+
+When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
+
+Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions[\[9\]](conclusion.md#footnote9) can remotely initiate any of the following operations:
+
+- Reset the device and remove user accounts and data
+- Reset the device and clean the drive
+- Reset the device but persist user accounts and data
+
+Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
+
+## Microsoft Azure Attestation Service
+
+Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune[\[9\]](conclusion.md#footnote9) integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) Conditional Access.
+
+**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
+
+- Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
+- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
+- Verify that security features are in the expected states
+
+Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Azure Attestation overview](/azure/attestation/overview)
+
+## Windows Update for Business deployment service
+
+The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
+
+The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune[\[9\]](conclusion.md#footnote9) and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
+
+For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb)
+
+## Windows Autopatch
+
+Cybercriminals often target outdated or unpatched software to gain access to networks.
Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks. + +Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices. + +From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.[\[9\]](conclusion.md#footnote9) The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort. + +There's a lot more to learn about Windows Autopatch: + +- This [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, analyzes the impact of Windows Autopatch on real customers +- [IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service +- The [Windows Autopatch community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs) + +## Windows Autopilot and zero-touch deployment + +Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. 
Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies. + +- From a user perspective, it only takes a few simple operations to get their device ready for use +- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point + +Windows Autopilot enables you to: + +- Automatically join devices to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction). +- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration) +- Automatic upgrade to Enterprise Edition if required +- Restrict administrator account creation +- Create and auto-assign devices to configuration groups based on a device's profile +- Customize Out of Box Experience (OOBE) content specific to the organization + +Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state. 
+ +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Windows Autopilot](https://aka.ms/WindowsAutopilot) + +## Enterprise State Roaming with Azure + +Available to any organization with a Microsoft Entra ID Premium[\[9\]](conclusion.md#footnote9) or Enterprise Mobility + Security (EMS)[\[9\]](conclusion.md#footnote9) license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs) + +## Universal Print + +Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print. + +Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector. 
+ +Universal Print supports Zero Trust security by requiring that: + +- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID[\[9\]](conclusion.md#footnote9). A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service +- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data +- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data +- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication +- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant +- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached + +Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. 
With initial support from Microsoft Intune[\[9\]](conclusion.md#footnote9), admins can now configure policies to provision specific printers onto the user's Windows devices. + +Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products. + +More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview). + +The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode). + +Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print) +- [Data storage in Universal Print](/universal-print/fundamentals/universal-print-encryption) +- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin) + +For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. 
+ +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide) + +## OneDrive for work or school + +Data in OneDrive for work or school is protected both in transit and at rest. + +When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access. + +Authenticated connections are not allowed over HTTP and instead redirect to HTTPS. + +There are several ways that OneDrive for work or school is protected at rest: + +- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security) +- Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations +- Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities +- Content protection: Each file is encrypted at rest with a unique AES-256 key. 
These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1) + +## MDM enrollment certificate attestation + +When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/) diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md new file mode 100644 index 0000000000..9c78f4867b --- /dev/null +++ b/windows/security/book/cloud-services.md 
@@ -0,0 +1,16 @@ +--- +title: Cloud services +description: Windows 11 security book - Cloud services chapter. +ms.topic: overview +ms.date: 04/09/2024 +--- + +# Cloud services + +:::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false"::: + +:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false"::: + +Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. + +From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere. diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md new file mode 100644 index 0000000000..c8137e0758 --- /dev/null +++ b/windows/security/book/conclusion.md 
@@ -0,0 +1,92 @@ +--- +title: Conclusion +description: Conclusion +ms.topic: overview +ms.date: 04/09/2024 +--- + +# Conclusion + +We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere. + +:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false"::: + +## What's new + +New: + +- Config Refresh +- 5G and eSIM +- Win32 apps in isolation (public preview) +- Passkey +- Sign-in Session Token Protection +- Windows Local Administrator Password Solution (LAPS) (public preview) +- Microsoft Intune Suite Endpoint Privilège Management (EPM) +- Microsoft Intune Suite Endpoint Privilege Management (EPM) + +Enhanced: + +- Hardware security user experience +- BitLocker to go +- Device encryption +- Windows Firewall +- Server Message Block direct +- Smart App Control (SAC) going into Enforcement mode +- Application Control for Business +- Enhanced Sign-in security (ESS) +- Windows Hello for Business +- Presence Detection +- Wake on approach, lock on leave +- Universal Print +- Lockout policies for local admin +- Enhanced Phishing protection + +## Document revision history + +| Date | Summary | +|-|-| +|November 2021 |Link updates and formatting.| +|February 2022 |Revisions to Hardware root-of-trust, Virus and threat protection, and Windows Hello for Business content.| +|April 2022| Added Upcoming features section.| +| September 2022| Updates with Windows 11 2022 Update features and enhancements.| +|April 2023| Minor edits and updates to edition availability.| +|September 2023| Updates with Windows 11 2023 Update features and enhancement.| +|May 2024| Move form PDF format to web format.| + +## Endnotes + +1 "2023 Data Breach Investigations Report" - Verizon, 
2023.\ +2 "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\ +3 Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\ +4 Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\ +5 Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\ +6 Requires developer enablement.\ +7 Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\ +8 Commissioned study delivered by Forrester Consulting. "The Total Economic Impact™ of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\ +9 Sold separately.\ +10 Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.\ +11 Microsoft internal data.\ +12 Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.\ +13 Requires Microsoft Entra ID (formerly AAD) Premium; sold separately.\ +14 Hardware dependent.\ +15 Microsoft 365 E3 or E5 required; sold separately.\ +16 The Total Economic Impact™ of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.\ +17 All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately. + +--- + +> The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. 
Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. +> +> This paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document. +> +> Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. +> +> Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. +> +> © 2024 Microsoft Corporation. All rights reserved. +> +> Microsoft, list Microsoft trademarks used in your white paper alphabetically are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. +> +> The names of actual companies and products mentioned herein may be the trademarks of their respective owners. +> +> Part No. May 2024 diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md new file mode 100644 index 0000000000..871680e2f4 --- /dev/null +++ b/windows/security/book/hardware-security-hardware-root-of-trust.md 
@@ -0,0 +1,35 @@ +--- +title: Hardware root-of-trust +description: Windows 11 security book - Hardware root-of-trust. +ms.topic: overview +ms.date: 04/09/2024 +--- + +# Hardware root-of-trust + +:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false"::: + +## Trusted Platform Module (TPM) + +Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust. 
+ +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications) +- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c) +- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md) + +## Microsoft Pluton security processor + +The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path. + +Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. + +As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. 
Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution. + +Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/) +- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md) diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md new file mode 100644 index 0000000000..8be924910a --- /dev/null +++ b/windows/security/book/hardware-security-silicon-assisted-security.md 
@@ -0,0 +1,82 @@
+---
+title: Silicon assisted security
+description: Windows 11 security book - Silicon assisted security.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Silicon assisted security
+
+:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+
+In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
+
+## Secured kernel
+
+To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
+
+Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
+implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+
+Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL.
For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
+
+Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
+
+With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
+- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
+
+## Hardware-enforced stack protection
+
+Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits.
Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
+
+Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
+- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
+
+## Kernel Direct Memory Access (DMA) protection
+
+Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks.
Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
+
+## Secured-core PC
+
+The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
+
+Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities.
Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
+
+Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+
+Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+
+In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
+
+System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
+
+:::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components."
lightbox="images/secure-launch.png" border="false":::
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
+- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+
+## Secured-core configuration lock
+
+In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md
new file mode 100644
index 0000000000..f6a8137aac
--- /dev/null
+++ b/windows/security/book/hardware-security.md
@@ -0,0 +1,16 @@
+---
+title: Hardware security
+description: Windows 11 security book - Hardware security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Hardware security
+
+:::image type="content" source="images/hardware-security-cover.png" alt-text="Cover of the hardware security chapter." border="false":::
+
+:::image type="content" source="images/hardware-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+
+Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
+
+With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise.
We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
new file mode 100644
index 0000000000..f5b1e3d1a4
--- /dev/null
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -0,0 +1,96 @@
+---
+title: Identity protection - Advanced credential protection
+description: Windows 11 security book -Identity protection chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Advanced credential protection
+
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+
+In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard.
+
+## Enhanced phishing protection with Microsoft Defender SmartScreen
+
+As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
+
+However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
+
+## Local Security Authority (LSA) protection
+
+Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Azure services.
+
+To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
+
+## Credential Guard
+
+Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
+
+## Remote Credential Guard
+
+Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
+
+Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
+
+## Token protection
+
+Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies[\[9\]](conclusion.md#footnote9) can be configured to require token protection when using sign-in tokens for specific services.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
+
+## Sign-in session token protection policy
+
+At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins.
This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
+
+## Account lockout policies
+
+New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
+
+The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
+
+## Access management and control
+
+Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
+
+Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs).
SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
+
+IT administrators can refine the application and management of access to:
+
+- Protect a greater number and variety of network resources from misuse
+- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
+- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
+- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
+- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Access control](/windows/security/identity-protection/access-control/access-control)
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
new file mode 100644
index 0000000000..00ee61f822
--- /dev/null
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -0,0 +1,172 @@
+---
+title: Identity protection - Passwordless sign-in
+description: Windows 11 security book -Identity protection chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Passwordless sign-in
+
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+
+Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
+
+## Windows Hello
+
+Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+
+[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+
+The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
+
+Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
+
+PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+
+Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
+
+## Windows Hello for Business
+
+Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
+
+## Windows Hello for Business Passwordless
+
+Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
+
+IT can now set a policy for Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys.
If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
+
+During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
+
+Provisioning methods include:
+
+- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
+- Existing multifactor authentication with Microsoft Entra ID, including authentication methods like the Microsoft Authenticator app
+
+Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
+
+Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
+
+Users will authenticate directly with Microsoft Entra ID, helping speed access to on- premises applications and other resources.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
+
+## Windows Hello PIN
+
+The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
+
+The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
+
+## Windows Hello biometric sign-in
+
+Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
+
+Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
+
+If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
+
+## Windows Hello Enhanced Sign-in Security
+
+Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+
+Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+
+These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
+
+Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
+
+## Windows Hello for Business multi-factor unlock
+
+For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
+
+Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
+
+## Windows presence sensing
+
+Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
+
+Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
+
+## Developer APIs and app privacy support for presence sensing
+
+Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
+
+Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming.
We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
+- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
+
+## FIDO support
+
+The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+
+Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Passwordless security key sign-in](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
+
+## Passkeys
+
+Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys.
Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+
+A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey from Windows Hello, an external security provider, or their mobile device.
+
+Passkeys on Windows 11 are protected by Windows Hello or Windows Hello for Business. This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users can manage passkeys on their device on Windows 11 account settings.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
+
+## Microsoft Authenticator
+
+The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
+
+Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
+
+Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
+
+Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings.
They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
+
+Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Microsoft Authenticator](/azure/active-directory/authentication/concept-authentication-authenticator-app)
+
+## Smart cards for Windows service
+
+Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
+
+**Smart cards provide:**
+
+- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
+- Portability of credentials and other private information between computers at work, home, or on the road
+
+Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
+
+When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
+
+## Federated sign-in
+
+Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md
new file mode 100644
index 0000000000..d614925654
--- /dev/null
+++ b/windows/security/book/identity-protection.md
@@ -0,0 +1,16 @@
+---
+title: Identity protection
+description: Windows 11 security book -Identity protection chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Identity protection
+
+:::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
+
+:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+
+Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
+
+Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
diff --git a/windows/security/book/images/access-work-or-school.png b/windows/security/book/images/access-work-or-school.png
new file mode 100644
index 0000000000..4c256ca182
Binary files /dev/null and b/windows/security/book/images/access-work-or-school.png differ
diff --git a/windows/security/book/images/application-security-cover.png b/windows/security/book/images/application-security-cover.png
new file mode 100644
index 0000000000..3d8d9aa3d9
Binary files /dev/null and b/windows/security/book/images/application-security-cover.png differ
diff --git a/windows/security/book/images/application-security-on.png b/windows/security/book/images/application-security-on.png
new file mode 100644
index 0000000000..d15844943d
Binary files /dev/null and b/windows/security/book/images/application-security-on.png differ
diff --git a/windows/security/book/images/application-security.png b/windows/security/book/images/application-security.png
new file mode 100644
index 0000000000..bebbcf3891
Binary files /dev/null and b/windows/security/book/images/application-security.png differ
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
new file mode 100644
index 0000000000..08f370e1f9
Binary files /dev/null and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/cloud-security-on.png b/windows/security/book/images/cloud-security-on.png
new file mode 100644
index 0000000000..eb2666b9fa
Binary files /dev/null and b/windows/security/book/images/cloud-security-on.png differ
diff --git a/windows/security/book/images/cloud-security.png b/windows/security/book/images/cloud-security.png
new file mode 100644
index 0000000000..2d1b118594
Binary files /dev/null and b/windows/security/book/images/cloud-security.png differ
diff --git a/windows/security/book/images/cloud-services-cover.png b/windows/security/book/images/cloud-services-cover.png
new file mode 100644
index 0000000000..d5961c347e
Binary files /dev/null and b/windows/security/book/images/cloud-services-cover.png differ
diff --git a/windows/security/book/images/cover.png b/windows/security/book/images/cover.png
new file mode 100644
index 0000000000..4d5b549c44
Binary files /dev/null and b/windows/security/book/images/cover.png differ
diff --git a/windows/security/book/images/defender-antivirus.png b/windows/security/book/images/defender-antivirus.png
new file mode 100644
index 0000000000..e5b202db18
Binary files /dev/null and b/windows/security/book/images/defender-antivirus.png differ
diff --git a/windows/security/book/images/hardware-on.png b/windows/security/book/images/hardware-on.png
new file mode 100644
index 0000000000..89bc3c7a69
Binary files /dev/null and b/windows/security/book/images/hardware-on.png differ
diff --git a/windows/security/book/images/hardware-security-cover.png b/windows/security/book/images/hardware-security-cover.png
new file mode 100644
index 0000000000..5328456231
Binary files /dev/null and b/windows/security/book/images/hardware-security-cover.png differ
diff --git a/windows/security/book/images/hardware.png b/windows/security/book/images/hardware.png
new file mode 100644
index 0000000000..9f526775df
Binary files /dev/null and b/windows/security/book/images/hardware.png differ
diff --git a/windows/security/book/images/identity-protection-cover.png b/windows/security/book/images/identity-protection-cover.png
new file mode 100644
index 0000000000..6fe6084305
Binary files /dev/null and b/windows/security/book/images/identity-protection-cover.png differ
diff --git a/windows/security/book/images/identity-protection-on.png b/windows/security/book/images/identity-protection-on.png
new file mode 100644
index 0000000000..c099ebb82f
Binary files /dev/null and b/windows/security/book/images/identity-protection-on.png differ
diff --git a/windows/security/book/images/identity-protection.png b/windows/security/book/images/identity-protection.png
new file mode 100644
index 0000000000..300e3d89ef
Binary files /dev/null and b/windows/security/book/images/identity-protection.png differ
diff --git a/windows/security/book/images/learn-more.svg b/windows/security/book/images/learn-more.svg
new file mode 100644
index 0000000000..947593db41
--- /dev/null
+++ b/windows/security/book/images/learn-more.svg
@@ -0,0 +1,3 @@
+
+
+
diff --git a/windows/security/book/images/operating-system-on.png b/windows/security/book/images/operating-system-on.png
new file mode 100644
index 0000000000..d97bd2a9ba
Binary files /dev/null and b/windows/security/book/images/operating-system-on.png differ
diff --git a/windows/security/book/images/operating-system-security-cover.png b/windows/security/book/images/operating-system-security-cover.png
new file mode 100644
index 0000000000..955891f34d
Binary files /dev/null and b/windows/security/book/images/operating-system-security-cover.png differ
diff --git a/windows/security/book/images/operating-system.png b/windows/security/book/images/operating-system.png
new file mode 100644
index 0000000000..288e01fc73
Binary files /dev/null and b/windows/security/book/images/operating-system.png differ
diff --git a/windows/security/book/images/privacy-cover.png b/windows/security/book/images/privacy-cover.png
new file mode 100644
index 0000000000..09a4364bb0
Binary files /dev/null and b/windows/security/book/images/privacy-cover.png differ
diff --git a/windows/security/book/images/privacy-on.png b/windows/security/book/images/privacy-on.png
new file mode 100644
index 0000000000..83e4d59c8b
Binary files /dev/null and b/windows/security/book/images/privacy-on.png differ
diff --git a/windows/security/book/images/privacy.png b/windows/security/book/images/privacy.png
new file mode 100644
index 0000000000..f0772e28ba
Binary files /dev/null and b/windows/security/book/images/privacy.png differ
diff --git a/windows/security/book/images/secure-launch.png b/windows/security/book/images/secure-launch.png
new file mode 100644
index 0000000000..dd00cdc393
Binary files /dev/null and b/windows/security/book/images/secure-launch.png differ
diff --git a/windows/security/book/images/security-foundation-cover.png b/windows/security/book/images/security-foundation-cover.png
new file mode 100644
index 0000000000..5fdd9c7a92
Binary files /dev/null and b/windows/security/book/images/security-foundation-cover.png differ
diff --git a/windows/security/book/images/security-foundation-on.png b/windows/security/book/images/security-foundation-on.png
new file mode 100644
index 0000000000..d6ddf2af1f
Binary files /dev/null and b/windows/security/book/images/security-foundation-on.png differ
diff --git a/windows/security/book/images/security-foundation.png b/windows/security/book/images/security-foundation.png
new file mode 100644
index 0000000000..2810449234
Binary files /dev/null and b/windows/security/book/images/security-foundation.png differ
diff --git a/windows/security/book/images/uac-settings.png b/windows/security/book/images/uac-settings.png
new file mode 100644
index 0000000000..d4a8fc4bb0
Binary files /dev/null and b/windows/security/book/images/uac-settings.png differ
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
new file mode 100644
index 0000000000..3fddf8be3c
--- /dev/null
+++ b/windows/security/book/index.md
@@ -0,0 +1,55 @@
+---
+title: Windows security book introduction
+description: Windows security book introduction
+ms.topic: overview
+ms.date: 04/09/2024
+ROBOTS:
+---
+
+# Windows 11 Security Book
+
+:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book.":::
+
+## Introduction
+
+Emerging technologies and evolving business trends bring new opportunities and challenges for organizations of all sizes. As technology and workstyles transform, so does the threat landscape with growing numbers of increasingly sophisticated attacks on organizations and employees.
+
+To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows *cybersecurity issues and risks* are top concerns for business decision-makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
+
+In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches [\[1\]](conclusion.md#footnote1).
+
+At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure.
We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers [\[2\]](conclusion.md#footnote2).
+
+Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies](https://www.cisa.gov/securebydesign). With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built in and enabled.
+
+To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance [\[3\]](conclusion.md#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 [\[4\]](conclusion.md#footnote4).
+
+## Security priorities and benefits
+
+### Security by design and security by default
+
+Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings.
**Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** [\[5\]](conclusion.md#footnote5).
+
+In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation [\[6\]](conclusion.md#footnote6), token protection [\[6\]](conclusion.md#footnote6), and Microsoft Intune Endpoint Privilege Management [\[7\]](conclusion.md#footnote7) are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
+
+### Protect employees against evolving threats
+
+With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** [\[5\]](conclusion.md#footnote5).
+
+### Gain mission-critical application safeguards
+
+Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of application security that shield critical data and code integrity.
Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
+
+### End-to-end protection with modern management
+
+Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% [\[8\]](conclusion.md#footnote8).
+
+## Security by design and default
+
+In Windows 11, hardware and software work together to protect sensitive data from the core of your PC all the way to the cloud. Comprehensive protection helps keep your organization secure, no matter where people work. This simple diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
+
+:::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows security features licensing and edition requirements](/windows/security/licensing-and-edition-requirements?tabs=edition)
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
new file mode 100644
index 0000000000..c574d203f1
--- /dev/null
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -0,0 +1,74 @@
+---
+title: Operating System security
+description: Windows 11 security book - Operating System security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Encryption and data protection
+
+:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+
+When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
+
+## BitLocker
+
+BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune[\[6\]](conclusion.md#footnote6)> using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
+
+## BitLocker To Go
+
+BitLocker To Go refers to BitLocker Drive Encryption on removable data drives.
BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
+
+## Device Encryption
+
+Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
+
+## Encrypted hard drive
+
+Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full-disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
+
+By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
+
+Encrypted hard drives enable:
+
+- Smooth performance: Encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
+- Strong security based in hardware: Encryption is always "on," and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
+- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need
+to re-encrypt data on the drive
+- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
+
+## Personal data encryption
+
+Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
+
+With the first release of PDE (Windows 11 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications.
With the platform release of the next Windows version, PDE for Folders will be released, this feature would require no updates to any applications and protects the contents in the Known Windows Folders from bootup till first login. This reduces the barrier for entry for customers and they'll be able to get PDE security as part of the OS.
+
+PDE requires Microsoft Entra ID.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
+
+## Email encryption
+
+Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
+
+These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
+
+However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
new file mode 100644
index 0000000000..5638c71bce
--- /dev/null
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -0,0 +1,128 @@
+---
+title: Operating System security
+description: Windows 11 security book - Operating System security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Network security
+
+:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+
+Windows 11 raises the bar for network security, offering comprehensive protection to help people work with confidence from almost anywhere. To help reduce an organization's attack
+surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
+Using reputation-based services, network protection blocks access to potentially harmful, low-reputation domains and IP addresses.
+
+New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall (previously called Windows Defender Firewall) platforms offer new ways to easily configure and debug software.
+
+In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [How to protect your network](/defender-endpoint/network-protection)
+
+## Transport layer security (TLS)
+
+Transport Layer Security (TLS) is the internet's most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints.
Windows defaults to the latest protocol versions and strong cipher suites unless policies are in effect to limit them. There are many extensions available, such as client authentication for enhanced server security and session resumption for improved application performance.
+
+TLS 1.3 is the latest version of the protocol and is enabled by default starting with Windows 11 and Windows Server 2022. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and encrypts as much of the TLS handshake as possible. The handshake is more performant, with one fewer round trip per connection on average, and supports only five strong cipher suites, which provide perfect forward secrecy and reduced operational risk.
+
+Customers using TLS 1.3 (or Windows components that support it, including HTTP.SYS, WinInet, .NET, MsQuic, and more) will get enhanced privacy and lower latencies for their encrypted online connections. Note that if either the client or server does not support TLS 1.3, Windows will fall back to TLS 1.2.
+
+Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be disabled by default in future OS versions only. This change will come to Windows Insider Preview in September 2023. Organizations and application developers are strongly encouraged to begin to identify and remove code dependencies on TLS 1.0/1.1 if they have not done so already.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
+- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
+
+## DNS security
+
+In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
+name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
+model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
+
+Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
+
+Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT) and the system Hosts file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
+
+## Bluetooth protection
+
+The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
+
+IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
+
+## Securing Wi-Fi connections
+
+Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
+
+The current security standard for Wi-Fi authentication is WPA3, which provides a more secure and reliable connection method as compared to WPA2 and older security protocols.
Windows supports three WPA3 modes - WPA3 Personal, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.
+
+Windows 11 includes WPA3 Personal with the new H2E protocol and WPA3 Enterprise 192-bit Suite B. Windows 11 also supports WPA3 Enterprise, which includes enhanced server certificate validation and TLS 1.3 for authentication using EAP-TLS authentication.
+
+Opportunistic Wireless Encryption (OWE), a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots, is also included.
+
+## 5G and eSIM
+
+5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server)
+
+## Windows Firewall
+
+Windows Firewall with Advanced Security (previously called Windows Defender Firewall) is an important part of a layered security model. It provides host-based, two-way network traffic
+filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
+
+Windows Firewall in Windows 11 offers the following benefits:
+
+- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses,
+ports, or program paths.
This functionality increases manageability and decreases the likelihood of a successful attack
+- Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
+- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
+
+Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior has been integrated with Packet Monitor (pktmon), an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
+
+Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune[\[9\]](conclusion.md#footnote9), leveraging the platform
+support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
+
+## Virtual private networks (VPN)
+
+Organizations have long relied on Windows to provide reliable, secured, and manageable virtual private network (VPN) solutions.
The Windows VPN client platform includes built-in VPN
+protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
+consumer VPNs, including apps for the most popular enterprise VPN gateways.
+
+In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click, go to the modern Settings app for more control.
+
+The Windows VPN platform connects to Microsoft Entra ID[\[9\]](conclusion.md#footnote9) and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other modern device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
+
+With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
+
+The Windows VPN platform has been tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows VPN technical guide](../operating-system-security/network-security/vpn/vpn-guide.md)
+
+## Server Message Block file services
+
+Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. In Windows 11, the SMB protocol has significant security updates to meet today's threats, including AES-256 encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and an entirely new scenario, SMB over QUIC for untrusted networks.
+
+SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
+
+In Windows 11 Enterprise, Education, Pro, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional Transmission Control Protocol (TCP) and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now, data is encrypted before placement, leading to relatively minor performance degradation while adding packet privacy with AES-128 and AES-256 protection.
+
+Windows 11 also introduces AES-128-GMAC for SMB signing. Windows will automatically negotiate this better-performing cipher method when connecting to another computer that supports it.
Signing prevents common attacks like relay and spoofing, and it is required by default when clients communicate with Active Directory domain controllers.
+
+Finally, Windows 11 introduces SMB over QUIC, an alternative to the TCP network transport that provides secure, reliable connectivity to edge file servers over untrusted networks like the internet, as well as highly secure communications on internal networks. QUIC is an Internet Engineering Task Force (IETF)-standardized protocol with many benefits when compared with TCP, but most importantly, it always requires TLS 1.3 and encryption. SMB over QUIC offers an SMB VPN for telecommuters, mobile device users, and high-security organizations. All SMB traffic, including authentication and authorization within the tunnel, is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change. SMB over QUIC will be a game-changing feature for Windows 11 accessing Windows file servers and eventually Azure Files and third parties.
+
+Newly installed Windows 11 Home editions that contain the February 2023 cumulative update no longer install the SMB 1.0 client by default, meaning the Home edition now operates like all other editions of Windows 11. SMB 1.0 is an unsafe and deprecated protocol that Microsoft superseded by later versions of SMB starting with Windows Vista. Microsoft began uninstalling SMB 1.0 by default in certain Windows 10 editions in 2017. No versions of Windows 11 now install SMB 1.0 by default.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview)
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
new file mode 100644
index 0000000000..a3d5e5e95b
--- /dev/null
+++ b/windows/security/book/operating-system-security-system-security.md 
@@ -0,0 +1,129 @@
+---
+title: Operating System security
+description: Windows 11 security book - Operating System security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# System security
+
+:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+
+## Trusted Boot (Secure Boot + Measured Boot)
+
+Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'s Secure Boot feature. When a Windows 11 device starts, Secure Boot and Trusted Boot work together to prevent malware and corrupted components from loading. Secure Boot provides initial protection, then Trusted Boot picks up the process.
+
+Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
+
+To reduce the risk of firmware rootkits, the PC verifies that firmware is digitally signed as it begins the boot process. Then Secure Boot checks the OS bootloader's digital signature as well as all code that runs prior to the operating system starting to ensure the signature and code are uncompromised and trusted by the Secure Boot policy.
+
+Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component.
Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+
+Tampering or malware attacks on the Windows boot sequence are blocked by the signature enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+
+For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
+
+## Cryptography
+
+Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented.
+
+Learn more: FIPS 140 validation
+
+Windows cryptographic modules provide low-level primitives such as:
+
+- Random number generators (RNG)
+- Support for AES 128/256 with XTS, ECB, CBC, CFB, CCM, and GCM modes of operation; RSA and DSA 2048, 3072, and 4,096 key sizes; ECDSA over curves P-256, P-384, P-521
+- Hashing (support for SHA1, SHA-256, SHA-384, and SHA-512)
+- Signing and verification (padding support for OAEP, PSS, and PKCS1)
+- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521 and HKDF)
+
+Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+
+Learn more: Cryptography and certificate management
+
+Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available.
+
+SymCrypt is part of Microsoft's commitment to transparency, which includes the global Microsoft Government Security Program that aims to provide the confidential security information and resources people need to trust Microsoft's products and services. The program offers controlled access to source code, threat and vulnerability information
+exchange, opportunities to engage with technical content about Microsoft's products and services, and access to five globally distributed Transparency Centers.
+
+## Certificates
+
+To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management.
The built-in certificate management command-line utility (certmgr.exe) or MMC snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and
+certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust have not been revoked or compromised. The CTLs and CRLs on the machine are used as a reference for PKI trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices will be updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Additionally, enterprise certificate pinning can be used to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificate authorities. Any web application triggering a name mismatch will start event logging and prevent user access from Microsoft Edge.
+
+## Code signing and integrity
+
+To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file.
The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
+
+The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the Windows Hardware Compatibility Program (WHCP). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
+
+## Device health attestation
+
+The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These
+determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a modern device management (MDM) tool like Microsoft Intune[\[9\]](conclusion.md#footnote9) reviews device health and connects this information with Microsoft Entra ID[\[9\]](conclusion.md#footnote9) for conditional access.
+
+Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with.
As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
+
+A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
+
+- During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
+- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Microsoft Azure Attestation Service
+- The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
+- The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state. 
+
+Learn more: Control the health of Windows devices
+
+## Windows security policy settings and auditing
+
+Security policy settings are a critical part of your overall security strategy. Windows provides a robust set of security setting policies that IT administrators can use to help protect Windows devices and other resources in your organization. Security policies settings are rules you can configure on a device, or multiple devices, to control:
+
+- User authentication to a network or device
+- Resources that users are permitted to access
+- Whether to record a user or group's actions in the event log
+- Membership in a group
+
+Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization.
+
+All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
+
+1. Identify your most critical resources and activities.
+1. Identify the audit settings you need to track them.
+1. Assess the advantages and potential costs associated with each resource or setting.
+1. Test these settings to validate your choices.
+1. Develop plans for deploying and managing your audit policy. 
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
+- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
+
+## Assigned Access
+
+With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
+
+## Config Refresh
+
+With traditional Group Policy, policies were refreshed on a PC when a user signed in and every 90 minutes by default. Administrators could adjust that timing to be shorter to ensure that the PC's policies were compliant with the management settings set by IT.
+
+By contrast, with an MDM solution like Microsoft Intune[\[9\]](conclusion.md#footnote9), policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy.
+
+Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It is configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through MDM. 
+
+Config Refresh can also be *paused* for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a PC for troubleshooting purposes. It can also be resumed at any time by an administrator.
+
+## Windows security settings
+
+Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows security settings](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
+- [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md)
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
new file mode 100644
index 0000000000..c5873bd86f
--- /dev/null
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -0,0 +1,126 @@
+---
+title: Operating System security
+description: Windows 11 security book - Operating System security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Virus and threat protection
+
+:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+
+Today's threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features that are built into Windows 11, is at the frontlines, protecting customers against current and emerging threats.
+
+## Microsoft Defender SmartScreen
+
+Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files.
+
+SmartScreen determines whether a site is potentially malicious by:
+
+- Analyzing visited webpages to find indications of suspicious behavior. If it determines a page is suspicious, it will show a warning page advising caution
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen warns that the site might be malicious
+
+SmartScreen also determines whether a downloaded app or app installer is potentially malicious by:
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
+- Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
+
+With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. 
IT can customize which notifications appear through Microsoft Intune[\[9\]](conclusion.md#footnote9). This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
+
+Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
+
+The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
+
+## Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
+
+Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but are not considered malware.
+
+Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. 
This combination of local and cloud-delivered technologies provides award-winning protection at home and at work.
+
+:::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Next-generation protection with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).
+
+## Attack surface reduction
+
+Attack surface reduction rules help prevent software behaviors that are often abused to compromise devices and networks. By reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
+
+- Launching executable files and scripts that attempt to download or run files
+- Running obfuscated or otherwise suspicious scripts
+- Performing behaviors that apps don't usually initiate during normal day-to-day work
+
+For example, an attacker might try to run an unsigned script from a USB drive or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve the defensive posture of the device. For comprehensive protection, follow steps for enabling hardware-based isolation
+
+For Microsoft Edge and reducing the attack surface across applications, folders, device,
+network, and firewall.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)
+
+## Tamper protection
+
+Attacks like ransomware attempt to disable security features, such as anti-virus protection. 
Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
+
+With tamper protection, malware is prevented from taking actions such as:
+
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus, such as IOfficeAntivirus (IOAV)
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
+
+## Exploit protection
+
+Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9), which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune[\[9\]](conclusion.md#footnote9) to distribute the configuration XML file to multiple devices simultaneously.
+
+When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
+
+You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
+
+Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with Group Policy. 
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Protecting devices from exploits](/microsoft-365/security/defender-endpoint/enable-exploit-protection)
+
+## Controlled folder access
+
+You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
+
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
+
+Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+
+## Microsoft Defender for Endpoint
+
+Microsoft Defender for Endpoint[\[9\]](conclusion.md#footnote9) is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats.
+
+Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
+
+- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
+- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. 
These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365[\[9\]](conclusion.md#footnote9), and online assets
+- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked
+attacks that include 31 billion identity threats and 32 billion email threats
+- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
+detailed investigation outcomes
+
+Defender for Endpoint is also part of Microsoft 365 Defender, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
+platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources. 
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
new file mode 100644
index 0000000000..f5bf82d057
--- /dev/null
+++ b/windows/security/book/operating-system-security.md
@@ -0,0 +1,14 @@
+---
+title: Operating System security
+description: Windows 11 security book - Operating System security chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Operating System security
+
+:::image type="content" source="images/operating-system-security-cover.png" alt-text="Cover of the operating system security chapter." border="false":::
+
+:::image type="content" source="images/operating-system-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+
+Windows 11 is the most secure Windows yet with extensive security measures in the operating system designed to help keep devices, identities, and information safe. These measures include built-in advanced encryption and data protection, robust network system security, and intelligent safeguards against ever-evolving viruses and threats.
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
new file mode 100644
index 0000000000..01caad195d
--- /dev/null
+++ b/windows/security/book/privacy-controls.md
@@ -0,0 +1,32 @@
+---
+title: Privacy
+description: Windows 11 security book - Privacy chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Privacy controls
+
+:::image type="content" source="images/privacy.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+
+## Privacy dashboard and report
+
+Customers can use the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy) to view, export, and delete their information, giving them further transparency and control. They can also use the [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) to learn more about Windows data collection and how to manage it. For enterprises we provide a guide for Windows Privacy Compliance that includes additional details on the available controls and transparency.
+
+## Privacy transparency and controls
+
+Prominent system tray icons show users when resources and apps like microphones and location are in use. A description of the app and its activity are presented in a simple tooltip that appears when you hover over an icon with your cursor. Apps can also make use of new Windows APIs to support Quick Mute functionality and more.
+
+## Privacy resource usage
+
+Every Microsoft customer should be able to use our products secure in the knowledge that we will protect their privacy and give them the information and tools they need to easily make privacy decisions with confidence. Accessed in Settings, the new app usage history feature gives users a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
+
+This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired. 
+
+## Windows diagnostic data processor configuration
+
+The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md
new file mode 100644
index 0000000000..19cae8027a
--- /dev/null
+++ b/windows/security/book/privacy.md
@@ -0,0 +1,16 @@
+---
+title: Privacy
+description: Windows 11 security book - Privacy chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Privacy
+
+:::image type="content" source="images/privacy-cover.png" alt-text="Cover of the privacy chapter." border="false":::
+
+:::image type="content" source="images/privacy-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+
+[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/).
+
+Privacy is becoming top of mind for customers, who want to know who is using their data and why. They also need to know how to control and manage the data that is being collected - so providing transparency and control over this personal data is essential. At Microsoft we are focused on protecting the privacy and confidentiality of your data and will only use it in a way that is consistent with your expectations.
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
new file mode 100644
index 0000000000..fe9fa899fc
--- /dev/null
+++ b/windows/security/book/security-foundation-certification.md 
@@ -0,0 +1,24 @@
+---
+title: Security foundation
+description: Windows 11 security book - Security foundation chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Certification
+
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+
+Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria, as an external validation of security assurance.
+
+## Federal Information Processing Standard (FIPS)
+
+The Federal Information Processing Standard (FIPS) Publication 140 is a US government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+## Common Criteria (CC)
+
+Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. Common Criteria defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements.
+
+Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. 
+
+Microsoft publishes the list of FIPS 140 and Common Criteria certified products at [Federal](/windows/security/security-foundations/certification/fips-140-validation) [Information Processing Standard (FIPS)](/windows/security/security-foundations/certification/fips-140-validation) 140 Validation and [Common Criteria Certifications.](/windows/security/threat-protection/windows-platform-common-criteria)
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
new file mode 100644
index 0000000000..965ecba6c0
--- /dev/null
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -0,0 +1,42 @@
+---
+title: Security foundation
+description: Windows 11 security book - Security foundation chapter.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Offensive research
+
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+
+## Microsoft Security Development Lifecycle (SDL)
+
+The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development.
+
+## OneFuzz service
+
+A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
+
+Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool. 
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
+- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz)
+
+## Microsoft Offensive Research and Security Engineering
+
+[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
+
+## Windows Insider and Bug Bounty program
+
+As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
+
+The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
+
+Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quick fix the issues before releasing our final Windows.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
+- [Windows Insider Program](/windows-insider/get-started)
+- [Microsoft bounty programs](https://www.microsoft.com/msrc/bounty)
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
new file mode 100644
index 0000000000..ee2f6ef548
--- /dev/null
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -0,0 +1,66 @@
+---
+title: Secure supply chain
+description: Windows 11 security book - Security foundation chapter - Secure supply chain.
+ms.topic: overview
+ms.date: 04/09/2024
+---
+
+# Secure supply chain
+
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+
+The end-to-end Windows 11 supply chain is complex, extending from the entire development process to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, as well as the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain. 
+
+Microsoft requires the Windows 11 supply chain to comply with controls including:
+
+- Identity management and user access control
+ - Access control
+ - Principles of least privilege
+ - RBAC
+ - Segregation of duties
+ - MFAs
+ - Account management
+ - Physical access control
+- Information security
+ - Information handling
+ - Cryptography
+ - Vulnerability scanning
+ - Encryption
+ - Integrity and attestation
+ - Confidentiality
+- Operational controls
+ - Code of repo ownership
+ - Config & change management
+ - Asset ownership
+ - Manufacturing standards
+- Security monitoring & event logging
+ - Network
+ - Host
+ - Application
+ - Services
+ - DevOps
+ - Manufacturing security
+ - Physical security monitoring
+- Supplier security control
+ - SSPA
+ - Supplier screening
+ - Supplier inventory
+- Logistics security control
+ - Receiving
+ - Shipping
+ - Warehouse & storage
+ - Logistics management
+
+## Software bill of materials (SBOM)
+
+In addition to following the above supply chain security controls, SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers.
+
+Code-signing software is the best way to guarantee application integrity and authenticity and helps users distinguish between trusted applications and malware before downloading or installing. Code signing proprietary applications and software from other organizations greatly reduces the complexity of creating and managing application control policies. Code signing enables the creation and deployment of certificate chain-based application control policies, which can then be cryptographically enforced. 
+
+Traditionally, code signing has been a difficult undertaking due to the complexities involved in obtaining certificates, securely managing those certificates, and integrating a proper signing process into the development and continuous integration and continuous deployment (CI/CD) pipelines.
+
+## Windows App software development kit (SDK)
+
+Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+
+If you are a developer, you can find security best practices and information at [Windows application development - best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples). For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
new file mode 100644
index 0000000000..f0fb340c8a
--- /dev/null
+++ b/windows/security/book/security-foundation.md
@@ -0,0 +1,18 @@ +--- +title: Security foundation +description: Windows 11 security book - Security foundation chapter. +ms.topic: overview +ms.date: 04/09/2024 +--- + +# Security foundation + +:::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false"::: + +Microsoft is committed to continuously investing in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest lifecycle phases of all our product design and software development processes. We build in security from the ground up for powerful defense in today's threat environment and have the infrastructure to protect and react quickly to future threats. + +Every component of the Windows 11 technology stack, from chip-to-cloud, is purposefully built secure by design. Windows 11 meets the modern threats of today's flexible work environments by delivering hardware-based isolation, end-to-end encryption, and advanced malware protection. + +With Windows 11, organizations can improve productivity and gain intuitive new experiences without compromising security. + +:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false"::: diff --git a/windows/security/book/toc.yml b/windows/security/book/toc.yml new file mode 100644 index 0000000000..e1135516e9 --- /dev/null +++ b/windows/security/book/toc.yml 
@@ -0,0 +1,65 @@ +items: +- name: Windows 11 Security Book + href: index.md +- name: 1. Hardware security + items: + - name: Overview + href: hardware-security.md + - name: Hardware root-of-trust + href: hardware-security-hardware-root-of-trust.md + - name: Silicon assisted security + href: hardware-security-silicon-assisted-security.md +- name: 2. Operating system security + items: + - name: Overview + href: operating-system-security.md + - name: System security + href: operating-system-security-system-security.md + - name: Encryption and data protection + href: operating-system-security-encryption-and-data-protection.md + - name: Network security + href: operating-system-security-network-security.md + - name: Virus and threat protection + href: operating-system-security-virus-and-threat-protection.md +- name: 3. Application security + items: + - name: Overview + href: application-security.md + - name: Application and driver control + href: application-security-application-and-driver-control.md + - name: Application isolation + href: application-security-application-isolation.md +- name: 4. Identity protection + items: + - name: Overview + href: identity-protection.md + - name: Passwordless sign-in + href: identity-protection-passwordless-sign-in.md + - name: Advanced credential protection + href: identity-protection-advanced-credential-protection.md +- name: 5. Privacy + items: + - name: Overview + href: privacy.md + - name: Privacy controls + href: privacy-controls.md +- name: 6. Cloud services + items: + - name: Overview + href: cloud-services.md + - name: Protect your work information + href: cloud-services-protect-your-work-information.md + - name: Protect your personal information + href: cloud-services-protect-your-personal-information.md +- name: 7. 
Security foundation + items: + - name: Overview + href: security-foundation.md + - name: Offensive research + href: security-foundation-offensive-research.md + - name: Certification + href: security-foundation-certification.md + - name: Secure supply chain + href: security-foundation-secure-supply-chain.md +- name: Conclusion + href: conclusion.md \ No newline at end of file diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-services/index.md similarity index 77% rename from windows/security/cloud-security/index.md rename to windows/security/cloud-services/index.md index 9fde8b8939..9124be688f 100644 --- a/windows/security/cloud-security/index.md +++ b/windows/security/cloud-services/index.md @@ -1,18 +1,18 @@ --- -title: Windows and cloud security -description: Get an overview of cloud security features in Windows. -ms.date: 08/02/2023 +title: Windows and cloud services +description: Get an overview of cloud-based services in Windows. +ms.date: 05/06/2024 ms.topic: overview author: paolomatarazzo ms.author: paoloma --- -# Windows and cloud security +# Windows and cloud services Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats. From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere. -Learn more about cloud security features in Windows. +Learn more about cloud-based services in Windows. [!INCLUDE [cloud-services](../includes/sections/cloud-services.md)] 
diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-services/toc.yml
similarity index 100%
rename from windows/security/cloud-security/toc.yml
rename to windows/security/cloud-services/toc.yml
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 87d822d8a1..2e3135282a 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -85,6 +85,8 @@
 "application-security//**/*.yml": "vinaypamnani-msft",
 "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
 "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther1974",
+ "book//**/*.md": "paolomatarazzo",
+ "book//**/*.yml": "paolomatarazzo",
 "hardware-security/**/*.md": "vinaypamnani-msft",
 "hardware-security/**/*.yml": "vinaypamnani-msft",
 "identity-protection/**/*.md": "paolomatarazzo",
@@ -103,6 +105,8 @@
 "application-security//**/*.yml": "vinpa",
 "application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
 "application-security/application-control/windows-defender-application-control/**/*.yml": "jsuther",
+ "book//**/*.md": "paoloma",
+ "book//**/*.yml": "paoloma",
 "hardware-security//**/*.md": "vinpa",
 "hardware-security//**/*.yml": "vinpa",
 "identity-protection/**/*.md": "paoloma",
@@ -135,6 +139,9 @@
 "✅ Windows Server 2019",
 "✅ Windows Server 2016"
 ],
+ "book/**/*.md": [
+ "✅ Windows 11"
+ ],
 "hardware-security/**/*.md": [
 "✅ Windows 11",
 "✅ Windows 10"
@@ -216,6 +223,7 @@
 "ms.reviewer": {
 "application-security/application-control/windows-defender-application-control/**/*.md": "vinpa",
 "application-security/application-isolation/microsoft-defender-application-guard/*.md": "sazankha",
+ "book/*.md": "paoloma",
 "identity-protection/access-control/*.md": "sulahiri",
 "identity-protection/credential-guard/*.md": "zwhittington",
 "identity-protection/hello-for-business/*.md": "erikdau",
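Review bot: The new glob for the book folder is spelled three ways — `book//**/*.md` in the `author` and `ms.author` blocks of this hunk and the next, `book/**/*.md` in the `appliesto` block, and `book/*.md` in `ms.reviewer` here and in `ms.collection` and `ROBOTS` in the following hunk — so a page in a future sub-folder of `book/` would receive an author and an appliesto value but no reviewer, collection or NOINDEX. The double slash copies the existing `application-security//**/*.yml` entries and is presumably tolerated by the glob matcher, but the new lines need not inherit it. Pick one form for all six entries: `book/**/*.md` if sub-folders are expected, otherwise `book/*.md` throughout. The `ROBOTS` block also excludes the book from search indexing while `introduction.md` in this same commit now sends readers to `book/index.md` instead of the PDF, so confirm the NOINDEX is intentional.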
@@ -227,12 +235,16 @@
 "operating-system-security/network-security/windows-firewall/*.md": "nganguly"
 },
 "ms.collection": {
+ "book/*.md": "tier3",
 "identity-protection/hello-for-business/*.md": "tier1",
 "information-protection/pluton/*.md": "tier1",
 "information-protection/tpm/*.md": "tier1",
 "operating-system-security/data-protection/bitlocker/*.md": "tier1",
 "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
 "threat-protection/auditing/*.md": "tier3"
+ },
+ "ROBOTS": {
+ "book/*.md": "NOINDEX"
 }
 },
 "template": [],
diff --git a/windows/security/hardware-security/index.md b/windows/security/hardware-security/index.md
index a6314a6d44..dbe8b6153f 100644
--- a/windows/security/hardware-security/index.md
+++ b/windows/security/hardware-security/index.md
@@ -3,10 +3,13 @@ title: Windows hardware security description: Learn more about hardware security features support in Windows. ms.date: 07/28/2023 ms.topic: overview +appliesto: --- # Windows hardware security +:::image type="content" source="..\book\images\hardware.png" alt-text="Diagram of containing a list of security features." lightbox="..\book\images\hardware.png" border="false"::: + Learn more about hardware security features support in Windows. [!INCLUDE [hardware](../includes/sections/hardware.md)]
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
new file mode 100644
index 0000000000..7dd1507298
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -0,0 +1,72 @@ +--- +title: Dual enrollment +description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment. +ms.date: 05/06/2024 +ms.topic: how-to +--- + +# Dual enrollment + +[!INCLUDE [intro](deploy/includes/intro.md)] +- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](deploy/includes/tooltip-deployment-onpremises.md)], [!INCLUDE [tooltip-deployment-hybrid](deploy/includes/tooltip-deployment-hybrid.md)] +- **Trust type:** [!INCLUDE [tooltip-cert-trust](deploy/includes/tooltip-trust-cert.md)] +- **Join type:** [!INCLUDE [tooltip-join-domain](deploy/includes/tooltip-join-domain.md)], [!INCLUDE [tooltip-join-hybrid](deploy/includes/tooltip-join-hybrid.md)] +--- + +> [!IMPORTANT] +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages organizations to use the Privileged Access Workstations for their privileged credential users. Organizations can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature can't be used. To learn more, see [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations). + +Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their nonprivileged and privileged credentials on their device. + +By design, Windows doesn't enumerate all Windows Hello for Business users from within a user's session. Using the group policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. 
+ +With this setting, administrative users can sign in to Windows using their nonprivileged Windows Hello credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using `runas.exe` combined with the `/smartcard` argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and nonprivileged workloads. + +> [!IMPORTANT] +> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. + +## Configure Windows Hello for Business dual enrollment + +Here are the steps to enable dual enrollment: + +- Configure Active Directory to support Domain Administrator enrollment +- Configure dual enrollment using Group Policy + +### Configure Active Directory to support Domain Administrator enrollment + +The designed Windows Hello for Business configuration gives the `Key Admins` group read and write permissions to the `msDS-KeyCredentialsLink` attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. + +Active Directory Domain Services uses `AdminSDHolder` to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. 
For Windows Hello for Business, your domain administrator account might receive the permissions but they disappear from the user object unless you give the `AdminSDHolder` read and write permissions to the `msDS-KeyCredential` attribute. + +Sign in to a domain controller or management workstation with access equivalent to *domain administrator*. + +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object + + ```cmd + dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink + ``` + + where `DC=domain,DC=com` is the LDAP path of your Active Directory domain and `domainName\keyAdminGroup` is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example: + + ```cmd + dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink + ``` + +1. To trigger security descriptor propagation, open `ldp.exe` +1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK** +1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user +1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List** +1. Select **Run** to start the task +1. Close LDP + +### Configure dual enrollment with group policy + +You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object: + +1. 
Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users +1. Edit the Group Policy object from step 1 +1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business** +1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC +1. Restart computers targeted by this Group Policy object + +The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md deleted file mode 100644 index 276e763252..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ /dev/null 
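Review bot: The attribute being delegated is named inconsistently in the new page: the "Configure Active Directory" section says `msDS-KeyCredentialsLink`, the AdminSDHolder paragraph says `msDS-KeyCredential`, and the `dsacls` command uses `msDS-KeyCredentialLink`; only the last is the schema attribute, so the two prose mentions should read `msDS-KeyCredentialLink`. Granting `Key Admins` RPWP on that attribute on `AdminSDHolder` means, by the page's own description of the hourly SDProp cycle, that the group gains write access to the key credentials of every account AdminSDHolder protects, so membership in `Key Admins` becomes as sensitive as the privileged groups it can now write to. That is worth stating next to the first IMPORTANT note, for example: `Because this delegation lets Key Admins write key credentials on protected accounts, control and audit membership of the Key Admins group as strictly as you do for Domain Admins.`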
@@ -1,64 +0,0 @@ ---- -title: Dual Enrollment -description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment. -ms.date: 07/05/2023 -ms.topic: how-to ---- - -# Dual Enrollment - -**Requirements** - -- Hybrid and On-premises Windows Hello for Business deployments -- Enterprise joined or Hybrid Azure joined devices -- Certificate trust - -> [!IMPORTANT] -> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. - -Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. - -By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. - -With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. 
Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads. - -> [!IMPORTANT] -> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. - -## Configure Windows Hello for Business Dual Enrollment - -In this task, you will - -* Configure Active Directory to support Domain Administrator enrollment -* Configure Dual Enrollment using Group Policy - -### Configure Active Directory to support Domain Administrator enrollment - -The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. - -Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. - -Sign in to a domain controller or management workstation with access equivalent to _domain administrator_. - -1. 
Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
-```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
-where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
-```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink``` -2. To trigger security descriptor propagation, open **ldp.exe**. -3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. -4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. -5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**. -6. Click **Run** to start the task. -7. Close LDP. - -### Configuring Dual Enrollment using Group Policy - -You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object. - -1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. -2. Edit the Group Policy object from step 1. -3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. -4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. -5. Restart computers targeted by this Group Policy object. - -The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index ff9bf8c522..805091b707 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,7 +1,7 @@ --- title: Use Certificates to enable SSO for Microsoft Entra join devices description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps. -ms.date: 08/19/2018 +ms.date: 04/24/2024 ms.topic: how-to --- diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 946281222c..a9067a5752 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -20,7 +20,7 @@ items: - name: Configure PIN reset href: pin-reset.md - name: Configure dual enrollment - href: hello-feature-dual-enrollment.md + href: dual-enrollment.md - name: Configure dynamic lock href: hello-feature-dynamic-lock.md - name: Configure multi-factor unlock diff --git a/windows/security/includes/mdag-edge-deprecation-notice.md b/windows/security/includes/mdag-edge-deprecation-notice.md index cc4103ac7a..cf4028ac1c 100644 --- a/windows/security/includes/mdag-edge-deprecation-notice.md +++ b/windows/security/includes/mdag-edge-deprecation-notice.md 
@@ -1,9 +1,10 @@ --- author: vinaypamnani-msft ms.author: vinpa -ms.date: 12/13/2023 +ms.date: 04/23/2024 ms.topic: include --- > [!NOTE] -> Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), will be deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. \ No newline at end of file +> - Microsoft Defender Application Guard, including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), will be deprecated for Microsoft Edge for Business and [will no longer be updated](/windows/whats-new/feature-lifecycle). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. +> - Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). 
For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). \ No newline at end of file diff --git a/windows/security/introduction.md b/windows/security/introduction.md index 887774184b..7b90b57e21 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -4,10 +4,10 @@ description: System security book. ms.date: 09/01/2023 ms.topic: tutorial ms.author: paoloma -ms.collection: +ms.collection: - essentials-security - essentials-overview -content_well_notification: +content_well_notification: - AI-contribution author: paolomatarazzo appliesto: @@ -57,4 +57,6 @@ Microsoft offers comprehensive cloud services for identity, storage, and access ## Next steps -To learn more about the security features included in Windows 11, download the [Windows 11 Security Book: Powerful security from chip to cloud](https://aka.ms/Windows11SecurityBook). +To learn more about the security features included in Windows 11, read the [Windows 11 Security Book](book/index.md). + + diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md index 00c468a2dd..34a527cefe 100644 --- a/windows/security/licensing-and-edition-requirements.md +++ b/windows/security/licensing-and-edition-requirements.md @@ -19,7 +19,7 @@ Select one of the two tabs to learn about licensing requirements to use the secu [!INCLUDE [licensing-requirements](../../includes/licensing/_licensing-requirements.md)] -#### [:::image type="icon" source="images/icons/subscription.svg" border="false"::: **Edition requirements**](#tab/edition) +#### [:::image type="icon" source="images/icons/certificate.svg" border="false"::: **Edition requirements**](#tab/edition) [!INCLUDE [_edition-requirements](../../includes/licensing/_edition-requirements.md)] 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png new file mode 100644 index 0000000000..223d0bc3b6 Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png differ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md index a8446d34d2..c7613a0f46 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md 
@@ -29,6 +29,10 @@ The following list provides examples of common events that cause a device to ent - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile - Moving a BitLocker-protected drive into a new computer - On devices with TPM 1.2, changing the BIOS or firmware boot device order +- Exceeding the maximum allowed number of failed sign-in attempts + + > [!NOTE] + > To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy). As part of the [BitLocker recovery process](recovery-process.md), it's recommended to determine what caused a device to enter in recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence. 
@@ -40,6 +44,23 @@ For planned scenarios, such as a known hardware or firmware upgrades, initiating > [!TIP] > Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user. +## Windows RE and BitLocker recovery + +Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by BitLocker. If a device is unable to boot after two failures, *Startup Repair* starts automatically. + +When Startup Repair is launched automatically due to boot failures, it only executes operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. On devices that support specific TPM measurements for PCR[7], the TPM validates that Windows RE is a trusted operating environment and unlocks any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM is disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically, and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker-protected drives. + +Windows RE will also ask for your BitLocker recovery key when you start a *Remove everything* reset from Windows RE on a device that uses the **TPM + PIN** or **Password for OS drive** protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. 
+ +The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key: + +- To activate the narrator during BitLocker recovery in Windows RE, press WIN + CTRL + Enter +- To activate the on-screen keyboard, tap on a text input control + +:::image type="content" source="images/bl-narrator.png" alt-text="Screenshot of Windows RE and narrator."::: + +If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. + ## BitLocker recovery options In a recovery scenario, the following options to restore access to the drive might be available, depending on the policy settings applied to the devices: diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index dc6e715410..02b20cfc2d 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -2,7 +2,7 @@ title: PDE settings and configuration description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP). ms.topic: how-to -ms.date: 08/11/2023 +ms.date: 05/06/2024 --- # PDE settings and configuration diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml index 6d9ebee1ad..cc6278f590 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml 
@@ -4,7 +4,7 @@ metadata:
 title: Frequently asked questions for Personal Data Encryption (PDE)
 description: Answers to common questions regarding Personal Data Encryption (PDE).
 ms.topic: faq
- ms.date: 08/11/2023
+ ms.date: 05/06/2024
 title: Frequently asked questions for Personal Data Encryption (PDE)
 summary: |
@@ -15,19 +15,19 @@ sections:
 questions:
 - question: Can PDE encrypt entire volumes or drives?
 answer: |
- No. PDE only encrypts specified files and content.
+ No, PDE only encrypts specified files and content.
 - question: How are files and content protected by PDE selected?
 answer: |
 [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
 - question: Can users manually encrypt and decrypt files with PDE?
 answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
 - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
 answer: |
- No. Accessing PDE protected content over RDP isn't currently supported.
+ No, it's not supported to access PDE-protected content over RDP.
 - question: Can PDE protected content be accessed via a network share?
 answer: |
- No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+ No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
 - question: What encryption method and strength does PDE use?
 answer: |
 PDE uses AES-CBC with a 256-bit key to encrypt content.
@@ -39,13 +39,13 @@ sections:
 During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
 - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
 answer: |
- No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+ No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
 - question: Can a file be protected with both PDE and EFS at the same time?
 answer: |
- No. PDE and EFS are mutually exclusive.
+ No, PDE and EFS are mutually exclusive.
 - question: Is PDE a replacement for BitLocker?
 answer: |
- No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+ No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
 - question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
 answer: |
- No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+ No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 14df705407..f0f3e1f99f 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,7 +2,7 @@
 title: Personal Data Encryption (PDE)
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
 ---
 # Personal Data Encryption (PDE)
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index d87edf7174..c2a7ae57a8 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
 ---
 title: How to configure cryptographic settings for IKEv2 VPN connections
 description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
@@ -9,11 +9,11 @@ ms.topic: how-to
 In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
-- Encryption Algorithm: DES3
-- Integrity, Hash Algorithm: SHA1
+- Encryption Algorithm: DES3
+- Integrity, Hash Algorithm: SHA1
 - Diffie Hellman Group (Key Size): DH2
-These settings aren't secure for IKE exchanges.
+These settings aren't secure for IKE exchanges.
 To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
@@ -42,27 +42,27 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName
 ## IKEv2 Crypto Settings Example
-The following commands configure the IKEv2 cryptographic settings to:
+The following commands configure the IKEv2 cryptographic settings to:
-- Encryption Algorithm: AES128
-- Integrity, Hash Algorithm: SHA256
-- Diffie Hellman Group (Key Size): DH14
+- Encryption Algorithm: AES128
+- Integrity, Hash Algorithm: SHA256
+- Diffie Hellman Group (Key Size): DH14
-### IKEv2 VPN Server
+### IKEv2 VPN Server
 ```powershell
-Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
 restart-service RemoteAccess -PassThru
 ```
 If you need to switch back to the default IKEv2 settings, use this command:
 ```powershell
-Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
 restart-service RemoteAccess -PassThru
 ```
-### IKEv2 VPN Client
+### IKEv2 VPN Client
 ```powershell
 Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
@@ -74,5 +74,5 @@ If you need to switch back to the default IKEv2 settings, use this command:
 Set-VpnConnectionIPsecConfiguration -ConnectionName -RevertToDefault -Force
 ```
-> [!TIP]
-> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.
\ No newline at end of file
+> [!TIP]
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a3bf98bb64..daf7f89f5d 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,7 +1,7 @@
 ---
 title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
 description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 12/12/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 60dd8c3517..539eeaeda6 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
 ---
-title: VPN authentication options
+title: VPN authentication options
 description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 5e6ac3a460..85b51dd4d1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
 ---
 title: VPN auto-triggered profile options
 description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
@@ -32,7 +32,7 @@ For more information, see [Traffic filters](vpn-security-features.md#traffic-fil
 ## Name-based trigger
-You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
+You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
 Name-based auto-trigger can be configured using the `VPNv2//DomainNameInformationList/dniRowId/AutoTrigger` setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
 There are four types of name-based triggers:
@@ -56,7 +56,7 @@ When a device has multiple profiles with Always On triggers, the user can specif
 ## Preserving user Always On preference
-Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
+Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
 If a management tool removes or adds the same profile name back and set **AlwaysOn** to **true**, Windows doesn't check the box if the profile name exists in the following registry value, in order to preserve user preference.
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 20c906ac63..8fa4ab6725 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
 ---
 title: VPN and conditional access
 description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: how-to
 ---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index a58cace67e..7199978f6c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
 ---
 title: VPN connection types
 description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
@@ -30,7 +30,7 @@ Tunneling protocols:
 Using the UWP platform, non-Microsoft VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
-There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
+There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, SonicWall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
 ## Configure connection type
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 8243496ddd..3233517baa 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
 ---
 title: Windows VPN technical guide
 description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: overview
 ---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 82260ba0a4..666f60d6c1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
 ---
 title: VPN name resolution
 description: Learn how name resolution works when using a VPN connection.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index 21b3797cf1..aced17dd8e 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
 title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
 ms.topic: how-to
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ---
 # Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
@@ -70,7 +70,7 @@ An example of a PowerShell script that can be used to update a force tunnel VPN
 ```powershell
 # Copyright (c) Microsoft Corporation. All rights reserved.
-#
+#
 # THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
 # WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
 # WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
@@ -113,7 +113,7 @@ To check a VPN profile XML file:
 Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
 "@
-
+
 # Check if filename has been provided #
 if ($VPNprofilefile -eq "") {
@@ -335,7 +335,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml") # Clear variables to allow re-run testing # $ARRVPN=$null # Array to hold VPN addresses from the XML file # $In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list # - $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # + $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file # # Extract the Profile XML from the XML file # $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*' @@ -542,12 +542,12 @@ $ProfileXML = '
104.146.128.0
17 true - +
150.171.40.0
22 true -
+
13.107.60.1
32 @@ -568,9 +568,9 @@ $ProfileXML = ' 14 true
- - http://webproxy.corp.contoso.com/proxy.pac - + + http://webproxy.corp.contoso.com/proxy.pac +
' <#-- Convert ProfileXML to Escaped Format --#> @@ -625,7 +625,7 @@ try $session.CreateInstance($namespaceName, $newInstance, $options) $Message = "Created $ProfileName profile." Write-Host "$Message" - Write-Host "$ProfileName profile summary:" + Write-Host "$ProfileName profile summary:" $session.EnumerateInstances($namespaceName, $className, $options) } catch [Exception] diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md index 1975863b9a..4fdbb86971 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md @@ -1,7 +1,7 @@ --- -title: VPN profile options +title: VPN profile options description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network. -ms.date: 08/03/2023 +ms.date: 05/06/2024 ms.topic: how-to --- @@ -43,16 +43,16 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node. ```xml - - TestVpnProfile - - testServer.VPN.com - IKEv2 - - - - Eap - + + TestVpnProfile + + testServer.VPN.com + IKEv2 + + + + Eap + @@ -118,95 +118,95 @@ The following sample is a sample Native VPN profile. This blob would fall under - - - + + + - SplitTunnel - true - - -
192.168.0.0
- 24 -
- -
10.10.0.0
- 16 -
- + SplitTunnel + true + + +
192.168.0.0
+ 24 +
+ +
10.10.0.0
+ 16 +
+ - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - - - - C:\windows\system32\ping.exe - - - + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + + + + C:\windows\system32\ping.exe + + + - - - %ProgramFiles%\Internet Explorer\iexplore.exe - - 6 - 10,20-50,100-200 - 20-50,100-200,300 - 30.30.0.0/16,10.10.10.10-20.20.20.20 - ForceTunnel - - - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - 3.3.3.3/32,1.1.1.1-2.2.2.2 - - + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + 6 + 10,20-50,100-200 + 20-50,100-200,300 + 30.30.0.0/16,10.10.10.10-20.20.20.20 + ForceTunnel + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + 3.3.3.3/32,1.1.1.1-2.2.2.2 + + - - hrsite.corporate.contoso.com - 1.2.3.4,5.6.7.8 - 5.5.5.5 - true - - - .corp.contoso.com - 10.10.10.10,20.20.20.20 - 100.100.100.100 - - + + hrsite.corporate.contoso.com + 1.2.3.4,5.6.7.8 + 5.5.5.5 + true + + + .corp.contoso.com + 10.10.10.10,20.20.20.20 + 100.100.100.100 + + - corp.contoso.com - true - + corp.contoso.com + true + - false - corp.contoso.com - contoso.com - - - HelloServer - - Helloworld.Com - - + false + corp.contoso.com + contoso.com + + + HelloServer + + Helloworld.Com + + - - true - - true - This is my Eku - This is my issuer hash - - -
+ + true + + true + This is my Eku + This is my issuer hash + + + ``` ## Sample plug-in VPN profile -The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. +The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node. ```xml @@ -279,7 +279,7 @@ The following sample is a sample plug-in VPN profile. This blob would fall under Helloworld.Com - + ``` ## Apply ProfileXML using Intune diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md index 1f3e5a3784..e5f0bc3f68 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md @@ -1,5 +1,5 @@ --- -ms.date: 08/03/2023 +ms.date: 05/06/2024 title: VPN routing decisions description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations. ms.topic: concept-article @@ -23,7 +23,7 @@ For each route item in the list, you can configure the following options: With Windows VPN, you can specify exclusion routes that shouldn't go over the physical interface. -Routes can also be added at connect time through the server for UWP VPN apps. +Routes can also be added at connect time through the server for UWP VPN apps. ## Force tunnel configuration diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md index a299f51731..0ca87d7370 100644 --- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md +++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md 
@@ -1,7 +1,7 @@
 ---
 title: VPN security features
 description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
 ms.topic: concept-article
 ---
diff --git a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
index 8c8a0fc482..d8b655246d 100644
--- a/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
+++ b/windows/security/security-foundations/certification/validations/cc-windows-server-previous.md
@@ -83,7 +83,7 @@ The following tables list the completed Common Criteria certifications for Windo
 [admin-guide-january-2014]: https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx
 [admin-guide-march-2011]: https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00
 [admin-guide-july-2009]: https://www.microsoft.com/download/en/details.aspx?id=29308
-[admin-guide-july-2009-hyperv]: https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08
+[admin-guide-july-2009-hyperv]: https://www.microsoft.com/en-us/download/details.aspx?id=14252
 [admin-guide-august-2009]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
 [admin-guide-september-2008]: https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index 74469d7972..6fbbd83941 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -1,6 +1,8 @@
 items:
 - name: Introduction to Windows security
 href: introduction.md
+- name: Windows 11 security book 🔗
+ href: book/index.md
 - name: Security features licensing and edition requirements
 href: licensing-and-edition-requirements.md
 - name: Security foundations
@@ -14,6 +16,6 @@ items:
 - name: Identity protection
 href: identity-protection/toc.yml
 - name: Cloud security
- href: cloud-security/toc.yml
+ href: cloud-services/toc.yml
 - name: Windows Privacy 🔗
 href: /windows/privacy
\ No newline at end of file
diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md
index 521dc1b1be..b9a23d6024 100644
--- a/windows/whats-new/deprecated-features-resources.md
+++ b/windows/whats-new/deprecated-features-resources.md
@@ -27,7 +27,7 @@ WordPad will be removed from all editions of Windows starting in Windows 11, ver
 - wordpad.exe
 - wordpadfilter.dll
-- write.exe
+- write.exe
 Avoid taking a direct dependency on these binaries and Wordpad in your product. Instead, for trying to open a text file, rely on Microsoft Word or Notepad.
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 662ade9a57..35fd910e40 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,14 +1,14 @@
 ---
 title: Deprecated features in the Windows client
 description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 03/25/2024
+ms.date: 04/23/2024
 ms.service: windows-client
 ms.subservice: itpro-fundamentals
 ms.localizationpriority: medium
 author: mestew
-ms.author: mstewart
+ms.author: mstewart
 manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
 ms.collection:
 - highpri
 - tier1
@@ -47,11 +47,11 @@ The features in this article are no longer being actively developed, and might b | Feature | Details and mitigation | Deprecation announced | |---|---|---| -| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a users password, presenting potential risks for password exposure and harvesting by malicious users. To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 | +| NPLogonNotify and NPPasswordChangeNotify APIs | Starting in Windows 11, version 24H2, the inclusion of password payload in MPR notifications is set to disabled by default through group policy in [NPLogonNotify](/windows/win32/api/npapi/nf-npapi-nplogonnotify) and [NPPasswordChangeNotify](/windows/win32/api/npapi/nf-npapi-nppasswordchangenotify) APIs. The APIs may be removed in a future release. The primary reason for disabling this feature is to enhance security. When enabled, these APIs allow the caller to retrieve a user's password, presenting potential risks for password exposure and harvesting by malicious users. 
To include password payload in MPR notifications, set the [EnableMPRNotifications](/windows/client-management/mdm/policy-csp-windowslogon#enablemprnotifications) policy to `enabled`.| March 2024 | | TLS server authentication certificates using RSA keys with key lengths shorter than 2048 bits | Support for certificates using RSA keys with key lengths shorter than 2048 bits will be deprecated. Internet standards and regulatory bodies disallowed the use of 1024-bit keys in 2013, recommending specifically that RSA keys should have a key length of 2048 bits or longer. For more information, see [Transitioning of Cryptographic Algorithms and Key Sizes - Discussion Paper (nist.gov)](https://csrc.nist.gov/CSRC/media/Projects/Key-Management/documents/transitions/Transitioning_CryptoAlgos_070209.pdf). This deprecation focuses on ensuring that all RSA certificates used for TLS server authentication must have key lengths greater than or equal to 2048 bits to be considered valid by Windows.

TLS certificates issued by enterprise or test certification authorities (CA) aren't impacted with this change. However, we recommend that they be updated to RSA keys greater than or equal to 2048 bits as a security best practice. This change is necessary to preserve security of Windows customers using certificates for authentication and cryptographic purposes.| March 2024| | Test Base | [Test Base for Microsoft 365](/microsoft-365/test-base/overview), an Azure cloud service for application testing, is deprecated. The service will be retired in the future and will be no longer available for use after retirement. | March 2024 | | Windows Mixed Reality | [Windows Mixed Reality](/windows/mixed-reality/enthusiast-guide/before-you-start) is deprecated and will be removed in Windows 11, version 24H2. This deprecation includes the [Mixed Reality Portal](/windows/mixed-reality/enthusiast-guide/install-windows-mixed-reality) app, [Windows Mixed Reality for SteamVR](/windows/mixed-reality/enthusiast-guide/using-steamvr-with-windows-mixed-reality), and Steam VR Beta. Existing Windows Mixed Reality devices will continue to work with Steam through November 2026, if users remain on their current released version of Windows 11, version 23H2. After November 2026, Windows Mixed Reality will no longer receive security updates, nonsecurity updates, bug fixes, technical support, or online technical content updates.

This deprecation doesn't affect HoloLens. We remain committed to HoloLens and our enterprise customers. | December 2023 | -| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities. | December 2023 | +| Microsoft Defender Application Guard for Edge | [Microsoft Defender Application Guard](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated for Microsoft Edge for Business and [will no longer be updated](feature-lifecycle.md). Please download the [Microsoft Edge For Business Security Whitepaper](https://edgestatic.azureedge.net/shared/cms/pdfs/Microsoft_Edge_Security_Whitepaper_v2.pdf) to learn more about Edge for Business security capabilities.

**[Update - April 2024]**: Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding extensions and associated [Windows Store app](https://apps.microsoft.com/detail/9N8GNLC8Z9C8) will not be available after May 2024. This affects the following browsers: [*Application Guard Extension - Chrome*](https://chromewebstore.google.com/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj) and [*Application Guard Extension - Firefox*](https://addons.mozilla.org/firefox/addon/application-guard-extension/). If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or [Microsoft Edge management service](/deployedge/microsoft-edge-management-service). For more information, see [Microsoft Edge and Microsoft Defender Application Guard](/deployedge/microsoft-edge-security-windows-defender-application-guard). | December 2023 | | Legacy console mode | The [legacy console mode](/windows/console/legacymode) is deprecated and no longer being updated. In future Windows releases, it will be available as an optional [Feature on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). This feature won't be installed by default. | December 2023 | | Windows speech recognition | [Windows speech recognition](https://support.microsoft.com/windows/83ff75bd-63eb-0b6c-18d4-6fae94050571) is deprecated and is no longer being developed. This feature is being replaced with [voice access](https://support.microsoft.com/topic/4dcd23ee-f1b9-4fd1-bacc-862ab611f55d). Voice access is available for Windows 11, version 22H2, or later devices. Currently, voice access supports five English locales: English - US, English - UK, English - India, English - New Zealand, English - Canada, and English - Australia. 
For more information, see [Setup voice access](https://support.microsoft.com/topic/set-up-voice-access-9fc44e29-12bf-4d86-bc4e-e9bb69df9a0e). | December 2023 |
 | Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/app-guard-for-office-install), including the [Windows Isolated App Launcher APIs](/windows/win32/api/isolatedapplauncher/), is being deprecated and will no longer be updated. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365#global-settings-for-safe-attachments) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md
index 93c72a5390..d7f6ed956b 100644
--- a/windows/whats-new/removed-features.md
+++ b/windows/whats-new/removed-features.md
@@ -6,10 +6,10 @@ ms.localizationpriority: medium
 author: mestew
 ms.author: mstewart
 manager: aaroncz
-ms.topic: conceptual
+ms.topic: reference
 ms.subservice: itpro-fundamentals
 ms.date: 03/11/2024
-ms.collection:
+ms.collection:
 - highpri
 - tier1
 appliesto: