diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 7ce3cfdfd1..47deb77fa1 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -63,14 +63,17 @@ With Windows Subsystem for Linux (WSL) you can run a Linux environment on your W
- **Auto proxy**: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
- **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what's running inside of your WSL distros and report them to your online MDE dashboards
-## Virtualization-based security enclave
-
-A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
-
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall)
- [DNS Tunneling](/windows/wsl/networking#dns-tunneling)
- [Auto proxy](/windows/wsl/networking#auto-proxy)
- [Intune/MDM setting in WSL](/windows/wsl/intune)
+
+## Virtualization-based security enclave
+
+A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
- [Virtualization-based security enclave](/windows/win32/trusted-execution/vbs-enclaves)
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index aad13d7c78..bad9e244ec 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -28,6 +28,7 @@ Enhanced:
- [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
- [Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
- [Enhanced phishing protection with Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-with-microsoft-defender-smartscreen)
+- [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
- [Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
- [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
- [Universal Print](cloud-services-protect-your-work-information.md#universal-print)
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
index c9f514ec7e..fb06897a15 100644
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
@@ -7,4 +7,4 @@ ms.date: 09/06/2024
# Features index
-[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device health attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection with Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-with-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection](identity-protection-advanced-credential-protection.md#token-protection)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[User Account Control](application-security-application-and-driver-control.md#user-account-control)
[VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security settings](operating-system-security-system-security.md#windows-security-settings)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
\ No newline at end of file
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device health attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection](identity-protection-advanced-credential-protection.md#token-protection)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[User Account Control](application-security-application-and-driver-control.md#user-account-control)
[VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security settings](operating-system-security-system-security.md#windows-security-settings)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
\ No newline at end of file
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index 39110959fb..bbd1aba015 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -13,9 +13,9 @@ In addition to adopting passwordless sign-in, organizations can strengthen secur
## Local Security Authority (LSA) protection
-Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra.
+Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account.
-To help keep these credentials safe, with 24H2 LSA protection is enabled by default on all devices (MSA, Entra joined, hybrid, and local) after an evaluation period. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
+To help keep these credentials safe, starting in Windows 11, version 24H2, LSA protection is enabled by default on all devices (MSA, Entra joined, hybrid, and local) after an evaluation period. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index ea5dc404e6..394a3d617d 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -199,7 +199,7 @@ When a password is used to sign in to a domain account, Windows uses the Kerbero
- [Smart Card technical reference][LINK-12]
-## Enhanced phishing protection with Microsoft Defender SmartScreen
+## Enhanced phishing protection in Microsoft Defender SmartScreen
As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
index 94c91169ff..b3be0bd438 100644
Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/identity-protection.png b/windows/security/book/images/identity-protection.png
index c7bfad7f38..553013b3ce 100644
Binary files a/windows/security/book/images/identity-protection.png and b/windows/security/book/images/identity-protection.png differ
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index cbaee4463e..6a9c0666a7 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -21,7 +21,7 @@ BitLocker is a data protection feature that integrates with the operating system
## BitLocker To Go
-BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
+BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@@ -29,7 +29,11 @@ BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. B
## Device Encryption
-Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for organizations to disable Device Encryption in favor of BitLocker.
+Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place.
+
+Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met.
+
+Starting with Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby is removed. This change makes more devices eligible for both automatic and manual device encryption.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
@@ -54,9 +58,9 @@ Encrypted hard drives enable:
## Personal data encryption (PDE)
-Personal Data Encryption refers to a user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the multi-factor authentication mechanism used with PDE. Windows Hello for Business, either with PIN, face, or fingerprint, is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
+Personal Data Encryption (PDE) is a user-authenticated encryption mechanism designed to protect user's content. PDE uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by PDE are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
-With the first release of PDE (Windows 11, version 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the next Windows platform release, PDE for Folders will be released. This feature doesn't require updates to any applications, and protects the contents in the Known Windows Folders from bootup until first sign-in.
+The initial release of PDE in Windows 11 22H2 introduced a set of public APIs that applications can adopt to safeguard content. In Windows 11, version 24H2, PDE functionality is further enhanced with *PDE for folders*, which extends protection to the known Windows folders: Documents, Pictures, and Desktop.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**