diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 97eb0855a0..03f9155e8e 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -32,23 +32,24 @@ Devices running previous versions of Windows 11 will have to be reset with a cle
## App Control for Business
-Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
+Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
-Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
+App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
-Customers using Microsoft Intune[\[9\]](conclusion.md#footnote9) to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
+Customers using Microsoft Intune to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
+- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
## User Account Control
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
-Organizations can use a device management solution like Microsoft Intune[\[9\]](conclusion.md#footnote9) to remotely configure UAC settings. For those without such a solution, settings can be adjusted directly on the device.
+Organizations can use a device management solution like Microsoft Intune to remotely configure UAC settings. For those without such a solution, settings can be adjusted directly on the device.
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
apps and prevent inadvertent changes to system settings.
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index b9a68056a0..97d0fab16c 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -74,7 +74,7 @@ These features can be set up using a device management solution such as Microsof
- [Intune setting for WSL][LINK-13]
- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
-## Virtualization-based security enclave
+## Virtualization-based security enclaves
A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index 067f25716d..f1089ebf05 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -17,9 +17,10 @@ New:
- [Config Refresh](operating-system-security-system-security.md#config-refresh)
- [Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
-- [VBS Key Protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
-- [Virtualization-based security enclave](application-security-application-isolation.md#virtualization-based-security-enclave)
+- [VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
+- [Virtualization-based security enclaves](application-security-application-isolation.md#virtualization-based-security-enclaves)
- [Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
+- [Windows protected print mode](operating-system-security-system-security.md#windows-protected-print-mode)
Enhanced:
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
index 7959d9daf5..52ce557b06 100644
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
@@ -7,4 +7,4 @@ ms.date: 09/06/2024
# Features index
-[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device health attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection](identity-protection-advanced-credential-protection.md#token-protection)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[User Account Control](application-security-application-and-driver-control.md#user-account-control)
[VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print](operating-system-security-system-security.md#windows-protected-print)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security settings](operating-system-security-system-security.md#windows-security-settings)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device health attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection](identity-protection-advanced-credential-protection.md#token-protection)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[User Account Control](application-security-application-and-driver-control.md#user-account-control)
[VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print mode](operating-system-security-system-security.md#windows-protected-print-mode)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security settings](operating-system-security-system-security.md#windows-security-settings)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 0e07746026..7ff7ad6c2b 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -15,19 +15,33 @@ In addition to a modern hardware root-of-trust, there are multiple capabilities
To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and most new devices come with VBS and HVCI protection turned on by default.
-**Virtualization-based security (VBS)**, also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
+### Virtualization-based security (VBS)
+
+:::row:::
+ :::column:::
+ Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
-
-**Hypervisor-protected code integrity (HVCI)**, also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
-
-With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
+ :::column-end:::
+ :::column:::
+:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="images/vbs-diagram.png"" border="false":::
+ :::column-end:::
+:::row-end:::
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
+
+### Hypervisor-protected code integrity (HVCI)
+
+Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
+
+With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
+
+:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
### Hardware-enforced stack protection
@@ -36,7 +50,7 @@ Hardware-enforced stack protection integrates software and hardware for a modern
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
-**Hypervisor-enforced paging translation (HVPT)** is an overall security enhancement for the system. HVPT protects linear address translations from being tampered with, to protect sensitive system structures from write-what-where attacks. HVPT will be available on x64 machines as of Fall 2024.
+🆕 Starting in windows 11, version 24H2, **Hypervisor-enforced paging translation (HVPT)** is a security enhancement for the system. HVPT protects linear address translations from being tampered with, to protect sensitive system structures from write-what-where attacks.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
diff --git a/windows/security/book/images/vbs-diagram.png b/windows/security/book/images/vbs-diagram.png
new file mode 100644
index 0000000000..c8a27ea370
Binary files /dev/null and b/windows/security/book/images/vbs-diagram.png differ
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index 47eb04b044..0422740fb7 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -137,11 +137,9 @@ With Assigned Access and Shell Launcher, you can configure Windows to restrict f
- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
-## Windows protected print
+## Windows protected print mode
-Windows protected print mode is exclusively built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing PCs exclusively print using the Windows modern print stack.
-
-Enabling Windows protected print mode is highly recommended.
+Windows protected print mode is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
The benefits of Windows protected print mode include: