mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
updates
This commit is contained in:
parent
81ad08f803
commit
8cebc114a8
@ -32,23 +32,24 @@ Devices running previous versions of Windows 11 will have to be reset with a cle
|
|||||||
|
|
||||||
## App Control for Business
|
## App Control for Business
|
||||||
|
|
||||||
Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
|
Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
|
||||||
|
|
||||||
Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
|
App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
|
||||||
|
|
||||||
Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
|
Customers using Microsoft Intune to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
|
||||||
|
|
||||||
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
|
Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
|
||||||
|
|
||||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
|
- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
|
||||||
|
- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)
|
||||||
|
|
||||||
## User Account Control
|
## User Account Control
|
||||||
|
|
||||||
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
|
User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
|
||||||
|
|
||||||
Organizations can use a device management solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. For those without such a solution, settings can be adjusted directly on the device.
|
Organizations can use a device management solution like Microsoft Intune to remotely configure UAC settings. For those without such a solution, settings can be adjusted directly on the device.
|
||||||
|
|
||||||
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
|
Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
|
||||||
apps and prevent inadvertent changes to system settings.
|
apps and prevent inadvertent changes to system settings.
|
||||||
|
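Review bot: the two entries in the new "Learn more" list use different URL schemes for the same feature. The retained bullet `- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)` still points at the pre-rename windows-defender-application-control path, while the added bullet `- [Automatically allow apps deployed by a managed installer with App Control for Business](/windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer)` uses the app-control-for-business path. Since this hunk is retiring the "Windows Defender Application Control" framing in the prose, move the first link to the app-control-for-business path too (or confirm the old path redirects). Also, the `<sup>[\[9\]](conclusion.md#footnote9)</sup>` markers are removed from both Intune mentions in this hunk; check that footnote 9 in conclusion.md is still cited from some other page or is deleted in the same change, otherwise it becomes an orphan.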
@ -74,7 +74,7 @@ These features can be set up using a device management solution such as Microsof
|
|||||||
- [Intune setting for WSL][LINK-13]
|
- [Intune setting for WSL][LINK-13]
|
||||||
- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
|
- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
|
||||||
|
|
||||||
## Virtualization-based security enclave
|
## Virtualization-based security enclaves
|
||||||
|
|
||||||
A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
|
A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
|
||||||
|
|
||||||
|
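Review bot: renaming the heading to `## Virtualization-based security enclaves` changes the generated anchor from `#virtualization-based-security-enclave` to `#virtualization-based-security-enclaves`, so every inbound link must be updated; this commit fixes the what's-new list, but grep for the old slug before merging. The paragraph under the heading still opens with the singular "A **Virtualization-based security enclave** is ...", which is fine, but since it says enclaves use VBS to "protect their application's secrets from admin-level attacks", it should add the caveat that the protection only holds on a device where VBS is actually enabled, not merely on a supported OS version.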
@ -17,9 +17,10 @@ New:
|
|||||||
|
|
||||||
- [Config Refresh](operating-system-security-system-security.md#config-refresh)
|
- [Config Refresh](operating-system-security-system-security.md#config-refresh)
|
||||||
- [Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
|
- [Trusted signing](application-security-application-and-driver-control.md#trusted-signing)
|
||||||
- [VBS Key Protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
|
- [VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)
|
||||||
- [Virtualization-based security enclave](application-security-application-isolation.md#virtualization-based-security-enclave)
|
- [Virtualization-based security enclaves](application-security-application-isolation.md#virtualization-based-security-enclaves)
|
||||||
- [Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
|
- [Win32 app isolation](application-security-application-isolation.md#win32-app-isolation)
|
||||||
|
- [Windows protected print mode](operating-system-security-system-security.md#windows-protected-print-mode)
|
||||||
|
|
||||||
Enhanced:
|
Enhanced:
|
||||||
|
|
||||||
|
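Review bot: the renamed bullet `- [VBS key protection](identity-protection-advanced-credential-protection.md#vbs-key-protection)` moves to sentence case while the neighbouring `- [Config Refresh](operating-system-security-system-security.md#config-refresh)` keeps title case; pick one convention for the whole list. The new bullet `- [Windows protected print mode](operating-system-security-system-security.md#windows-protected-print-mode)` relies on the heading rename from "Windows protected print" to "Windows protected print mode" in the target file, which this commit also makes, so verify the anchor resolves after build rather than trusting the old slug.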
File diff suppressed because one or more lines are too long
@ -15,19 +15,33 @@ In addition to a modern hardware root-of-trust, there are multiple capabilities
|
|||||||
|
|
||||||
To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and most new devices come with VBS and HVCI protection turned on by default.
|
To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and most new devices come with VBS and HVCI protection turned on by default.
|
||||||
|
|
||||||
**Virtualization-based security (VBS)**, also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
|
### Virtualization-based security (VBS)
|
||||||
|
|
||||||
|
:::row:::
|
||||||
|
:::column:::
|
||||||
|
Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
|
||||||
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
|
implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
|
||||||
|
|
||||||
Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
|
||||||
|
:::column-end:::
|
||||||
**Hypervisor-protected code integrity (HVCI)**, also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
:::column:::
|
||||||
|
:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="images/vbs-diagram.png"" border="false":::
|
||||||
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
|
:::column-end:::
|
||||||
|
:::row-end:::
|
||||||
|
|
||||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
|
||||||
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
|
- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
|
||||||
|
|
||||||
|
### Hypervisor-protected code integrity (HVCI)
|
||||||
|
|
||||||
|
Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
|
||||||
|
|
||||||
|
With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
|
||||||
|
|
||||||
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
|
- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
|
||||||
|
|
||||||
### Hardware-enforced stack protection
|
### Hardware-enforced stack protection
|
||||||
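Review bot: the image directive `:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="images/vbs-diagram.png"" border="false":::` has a doubled quote after the lightbox value; it will break the triple-colon extension and likely the enclosing `:::row:::` block, and should read `lightbox="images/vbs-diagram.png" border="false"`. With HVCI split into its own `### Hypervisor-protected code integrity (HVCI)` subsection, the VBS "Learn more" list still carries `- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)`, which is the same article the HVCI list links as `- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)` under a different path form; drop it from the VBS list or make the two paths consistent. Finally, "With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites" now lives only under HVCI although it covers both features; it belongs above the subsections or should be repeated under VBS.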
@ -36,7 +50,7 @@ Hardware-enforced stack protection integrates software and hardware for a modern
|
|||||||
|
|
||||||
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
|
Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
|
||||||
|
|
||||||
**Hypervisor-enforced paging translation (HVPT)** is an overall security enhancement for the system. HVPT protects linear address translations from being tampered with, to protect sensitive system structures from write-what-where attacks. HVPT will be available on x64 machines as of Fall 2024.
|
🆕 Starting in windows 11, version 24H2, **Hypervisor-enforced paging translation (HVPT)** is a security enhancement for the system. HVPT protects linear address translations from being tampered with, to protect sensitive system structures from write-what-where attacks.
|
||||||
|
|
||||||
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
|
||||||
|
|
||||||
|
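Review bot: `🆕 Starting in windows 11, version 24H2` needs a capital W in Windows, and the rewrite drops the scope the old sentence carried ("HVPT will be available on x64 machines as of Fall 2024"). Replacing the date with the version is the right move, but the x64 qualifier is a real constraint for readers and should stay unless HVPT also ships on Arm64 in 24H2. "is a security enhancement for the system" is leftover filler from the old "overall security enhancement"; the clause "protects linear address translations from being tampered with" already states what HVPT does.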
BIN
windows/security/book/images/vbs-diagram.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 553 KiB |
@ -137,11 +137,9 @@ With Assigned Access and Shell Launcher, you can configure Windows to restrict f
|
|||||||
|
|
||||||
- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
|
- [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
|
||||||
|
|
||||||
## Windows protected print
|
## Windows protected print mode
|
||||||
|
|
||||||
Windows protected print mode is exclusively built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing PCs exclusively print using the Windows modern print stack.
|
Windows protected print mode is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
|
||||||
|
|
||||||
Enabling Windows protected print mode is highly recommended.
|
|
||||||
|
|
||||||
The benefits of Windows protected print mode include:
|
The benefits of Windows protected print mode include:
|
||||||
|
|
||||||
|
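Review bot: the line `Enabling Windows protected print mode is highly recommended.` is deleted (the hunk shrinks from 11 to 9 lines) with nothing replacing it, so the section no longer tells the reader what to do; if the aim was only to tone down the marketing language ("exclusively built"), keep a neutral recommendation, since the security benefit is why the feature appears in this book. The reworded "allowing devices to exclusively print using the Windows modern print stack" reads better as "allowing devices to print only through the Windows modern print stack".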