diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 25701bb0a1..04839ec4dd 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -9982,7 +9982,47 @@
     },
     {
       "source_path": "windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md",
-      "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol.md",
+      "redirect_url": "/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/application-security/index.md",
+      "redirect_url": "/windows/security/book/application-security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/hardware-security/index.md",
+      "redirect_url": "/windows/security/book/hardware-security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/cloud-services/index.md",
+      "redirect_url": "/windows/security/book/cloud-services",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/identity-protection/index.md",
+      "redirect_url": "/windows/security/book/identity-protection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/operating-system-security/index.md",
+      "redirect_url": "/windows/security/book/operating-system-security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/security-foundations/index.md",
+      "redirect_url": "/windows/security/book/security-foundation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/introduction.md",
+      "redirect_url": "/windows/security/book",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "windows/security/security-foundations/zero-trust-windows-device-health.md",
+      "redirect_url": "/windows/security/book/security-foundation",
       "redirect_document_id": false
     }
   ]
diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md
index 9810ebe8bf..19e8e7499f 100644
--- a/includes/licensing/_edition-requirements.md
+++ b/includes/licensing/_edition-requirements.md
@@ -1,11 +1,11 @@
 ---
 author: paolomatarazzo
 ms.author: paoloma
-ms.date: 09/18/2023
+ms.date: 11/06/2024
 ms.topic: include
 ---
 
-| Feature name | Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
+| Feature name | Windows Pro | Windows Enterprise/IoT Enterprise | Windows Pro Education | Windows Education |
 |:---|:---:|:---:|:---:|:---:|
 |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|
@@ -13,7 +13,7 @@ ms.topic: include
 |**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|❌|Yes|
 |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|
 |**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|Yes|Yes|Yes|Yes|
-|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
 |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|
 |**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|
@@ -32,7 +32,7 @@ ms.topic: include
 |**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|
 |**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
 |**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|
-|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
+|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815)**|Yes|Yes|Yes|Yes|
 |**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
 |**[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
 |**[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)**|Yes|Yes|Yes|Yes|
@@ -53,7 +53,7 @@ ms.topic: include
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
 |**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
+|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
 |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
@@ -84,6 +84,7 @@ ms.topic: include
 |**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
+|**Windows Hotpatch**|❌|Yes|❌|❌|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
 |**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 022cbf278b..0ba2e7193a 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -5,7 +5,7 @@ ms.date: 11/02/2023
 ms.topic: include
 ---
 
-|Feature name|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
+|Feature name|Windows Pro/Pro Education|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---|:---:|:---:|:---:|:---:|:---:|
 |**[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)**|Yes|Yes|Yes|Yes|Yes|
 |**[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)**|Yes|Yes|Yes|Yes|Yes|
@@ -13,7 +13,7 @@ ms.topic: include
 |**[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)**|❌|Yes|Yes|Yes|Yes|
 |**[App containers](/virtualization/windowscontainers/about/)**|Yes|Yes|Yes|Yes|Yes|
 |**[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)**|❌|Yes|Yes|Yes|Yes|
-|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
+|**[Assigned Access (kiosk mode)](/windows/configuration/assigned-access)**|Yes|Yes|Yes|Yes|Yes|
 |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
 |**[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)**|Yes|Yes|Yes|Yes|Yes|
 |**[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)**|Yes|Yes|Yes|Yes|Yes|
@@ -53,7 +53,7 @@ ms.topic: include
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
 |**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
+|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
 |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
@@ -84,6 +84,7 @@ ms.topic: include
 |**[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
+|**Windows Hotpatch**|❌|Yes|Yes|❌|❌|
 |**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)**|Yes|Yes|Yes|Yes|Yes|
 |**[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
index 2a4648393a..afef3cb25e 100644
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -1,21 +1,21 @@
 ---
-title: PDE CSP
-description: Learn more about the PDE CSP.
+title: Personal Data Encryption CSP
+description: Learn more about the Personal Data Encryption CSP.
 ms.date: 01/18/2024
 ---
 
 <!-- Auto-Generated CSP Document -->
 
 <!-- PDE-Begin -->
-# PDE CSP
+# Personal Data Encryption CSP
 
 <!-- PDE-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-The Personal Data Encryption (PDE) configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
+The Personal Data Encryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
 <!-- PDE-Editable-End -->
 
 <!-- PDE-Tree-Begin -->
-The following list shows the PDE configuration service provider nodes:
+The following list shows the Personal Data Encryption configuration service provider nodes:
 
 - ./User/Vendor/MSFT/PDE
   - [EnablePersonalDataEncryption](#enablepersonaldataencryption)
@@ -45,7 +45,7 @@ Allows the Admin to enable Personal Data Encryption. Set to '1' to set this poli
 
 <!-- User-EnablePersonalDataEncryption-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for PDE to be enabled.
+The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for Personal Data Encryption to be enabled.
 <!-- User-EnablePersonalDataEncryption-Editable-End -->
 
 <!-- User-EnablePersonalDataEncryption-DFProperties-Begin -->
@@ -93,10 +93,10 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
 
 <!-- User-Status-Editable-Begin -->
 <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
-Reports the current status of Personal Data Encryption (PDE) for the user.
+Reports the current status of Personal Data Encryption for the user.
 
-- If prerequisites of PDE aren't met, then the status will be 0.
-- If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
+- If prerequisites of Personal Data Encryption aren't met, then the status will be 0.
+- If all prerequisites are met for Personal Data Encryption, then Personal Data Encryption will be enabled and status will be 1.
 <!-- User-Status-Editable-End -->
 
 <!-- User-Status-DFProperties-Begin -->
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 3011ad91da..4b5c7ff09c 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -837,10 +837,10 @@ items:
       items:
       - name: PassportForWork DDF file
         href: passportforwork-ddf.md
-    - name: PDE
+    - name: Personal Data Encryption
       href: personaldataencryption-csp.md
       items:
-      - name: PDE DDF file
+      - name: Personal Data Encryption DDF file
         href: personaldataencryption-ddf-file.md
     - name: Personalization
       href: personalization-csp.md
diff --git a/windows/configuration/assigned-access/policy-settings.md b/windows/configuration/assigned-access/policy-settings.md
index 5facd6498a..64518f0dca 100644
--- a/windows/configuration/assigned-access/policy-settings.md
+++ b/windows/configuration/assigned-access/policy-settings.md
@@ -39,7 +39,7 @@ The following policy settings are applied at the device level when you deploy a
 
 ## User policy settings
 
-The following policy settings are applied to any nonadministrator account when you deploy a restricted user experience:
+The following policy settings are applied to targeted user accounts when you deploy a restricted user experience:
 
 | Type    | Path                                                                             | Name/Description                                                  |
 |---------|----------------------------------------------------------------------------------|-------------------------------------------------------------------|
@@ -47,8 +47,9 @@ The following policy settings are applied to any nonadministrator account when y
 | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar`                           | Hide People Bar from appearing on taskbar                         |
 | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentlyAddedApps`                   | Hide recently added apps from appearing on the Start menu         |
 | **CSP** | `./User/Vendor/MSFT/Policy/Config/Start/HideRecentJumplists`                     | Hide recent jumplists from appearing on the Start menu/taskbar    |
+| **GPO** | User Configuration\Administrative Templates\Desktop                              | Hide and disable all items on the desktop                         |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Clear history of recently opened documents on exit                |
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Disable showing balloon notifications as toast                    |
+| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Disable showing balloon notifications as toasts                   |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Do not allow pinning items in Jump Lists                          |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Do not allow pinning programs to the Taskbar                      |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Do not display or track items in Jump Lists from remote locations |
@@ -69,21 +70,23 @@ The following policy settings are applied to any nonadministrator account when y
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Remove Notification and Action Center                             |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Remove Quick Settings                                             |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Remove Run menu from Start Menu                                   |
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Remove the Security and Maintenance icon                          |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Turn off all balloon notifications                                |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar               | Turn off feature advertisement balloon notifications              |
+| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Hide the TaskView button                                          |
 | **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications | Turn off toast notifications                                      |
 | **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options          | Remove Change Password                                            |
 | **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options          | Remove Logoff                                                     |
 | **GPO** | User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options          | Remove Task Manager                                               |
+| **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer     | Prevent access to drives from My Computer                         |
 | **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer     | Remove *Map network drive* and *Disconnect Network Drive*         |
 | **GPO** | User Configuration\Administrative Templates\Windows Components\File Explorer     | Remove File Explorer's default context menu                       |
+| **GPO** | User Configuration\Administrative Templates\Windows Components\Windows Copilot   | Turn off Windows Copilot                                          |
 
 The following policy settings are applied to the kiosk account when you configure a kiosk experience with Microsoft Edge:
 
 | Type    | Path                                                                              | Name/Description                                       |
 |---------|-----------------------------------------------------------------------------------|--------------------------------------------------------|
-| **GPO** | User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications  | Run only specified Windows applications > `msedge.exe` |
+| **GPO** | User Configuration\Administrative Templates\System                                | Run only specified Windows applications > `msedge.exe` |
 | **GPO** | User Configuration\Administrative Templates\System                                | Turn off toast notifications                           |
 | **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Default risk level for file attachments > High risk    |
 | **GPO** | User Configuration\Administrative Templates\Windows Components\Attachment Manager | Inclusion list for low file types > `.pdf;.epub`       |
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index cc988cacb3..e5b5cd4a0b 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -13,7 +13,7 @@ appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server</a>
-ms.date: 11/06/2024
+ms.date: 11/11/2024
 ---
 
 # Update Windows installation media with Dynamic Update
@@ -40,8 +40,49 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
 
 You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://catalog.update.microsoft.com). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. Check various parts of the results to be sure you've identified the files needed. The following tables show the key values to search for or look for in the results. 
 
+
+### Windows Server 2025 Dynamic Update packages
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. 
+
+| Update packages                   |Title                                                                                 |
+|-----------------------------------|--------------------------------------------------------------------------------------|
+|Safe OS Dynamic Update             | YYYY-MM Safe OS Dynamic Update for Microsoft server operating system version 24H2    |
+|Setup Dynamic Update               | YYYY-MM Setup Dynamic Update for Microsoft server operating system version 24H2      |
+|Latest cumulative update           | YYYY-MM Cumulative Update for Microsoft server operating system version 24H2         |
+|Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Microsoft server operating system version 24H2    |
+
+### Windows Server, version 23H2 Dynamic Update packages
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Azure Stack HCI, version 23H2 has a similar format.
+
+| Update packages                   |Title                                                                                 |
+|-----------------------------------|--------------------------------------------------------------------------------------|
+|Safe OS Dynamic Update             | YYYY-MM Safe OS Dynamic Update for Microsoft server operating system version 23H2    |
+|Setup Dynamic Update               | YYYY-MM Setup Dynamic Update for Microsoft server operating system version 23H2      |
+|Latest cumulative update           | YYYY-MM Cumulative Update for Microsoft server operating system version 23H2         |
+|Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Microsoft server operating system version 23H2    |
+
+### Azure Stack HCI, version 22H2 Dynamic Update packages
+**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+
+| Update packages                   |Title                                                          |Product                                                                |Description       |
+|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
+|Safe OS Dynamic Update             | YYYY-MM Dynamic Update for Microsoft server operating system, version 22H2             |Windows Safe OS Dynamic Update                | ComponentUpdate  |
+|Setup Dynamic Update               | YYYY-MM Dynamic Update for Microsoft server operating system, version 22H2             |Windows 10 and later Dynamic Update           | SetupUpdate      |
+|Latest cumulative update           | YYYY-MM Cumulative Update for Microsoft server operating system, version 22H2          |                                              |                  |
+|Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 22H2     |                                              |                  |
+
+### Windows Server 2022 later Dynamic Update packages
+**Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
+
+| Update packages                   |Title                                                          |Product                                                                |Description       |
+|-----------------------------------|----------------------------------------------------------------------------------------|----------------------------------------------|------------------|
+|Safe OS Dynamic Update             | YYYY-MM Dynamic Update for Microsoft server operating system, version 21H2             |Windows Safe OS Dynamic Update                | ComponentUpdate  |
+|Setup Dynamic Update               | YYYY-MM Dynamic Update for Microsoft server operating system, version 21H2             |Windows 10 and later Dynamic Update           | SetupUpdate      |
+|Latest cumulative update           | YYYY-MM Cumulative Update for Microsoft server operating system, version 21H2          |                                              |                  |
+|Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Microsoft server operating system, version 21H2     |                                              |                  |
+
 ### Windows 11, version 22H2 and later Dynamic Update packages
-**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update.Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
+**Title** can distinguish each Dynamic Package. Latest cumulative updates have the servicing stack embedded. The servicing stack is published only if necessary for a given cumulative update. Titles below are for Windows 11, version 22H2. Windows 11, version 23H2 and 24H2 have a similar format.
 
 | Update packages                   |Title                                                          |
 |-----------------------------------|---------------------------------------------------------------|
@@ -50,7 +91,6 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
 |Latest cumulative update           | YYYY-MM Cumulative Update for Windows 11 Version 22H2         |
 |Servicing stack Dynamic Update     | YYYY-MM Servicing Stack Update for Windows 11 Version 22H2    |
 
-
 ### Windows 11, version 21H2 Dynamic Update packages
 **Title**, **Product** and **Description** are required to distinguish each Dynamic Package. Latest cumulative update has the servicing stack embedded. Servicing stack published separately only if necessary as a prerequisite for a given cumulative update.
 
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 30052f5291..a011e4c21c 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -68,6 +68,8 @@
               href: manage/windows-autopatch-windows-update-policies.md
             - name: Programmatic controls for expedited Windows quality updates
               href: manage/windows-autopatch-windows-quality-update-programmatic-controls.md
+            - name: Hotpatch updates
+              href: manage/windows-autopatch-hotpatch-updates.md
         - name: Driver and firmware updates
           href: manage/windows-autopatch-manage-driver-and-firmware-updates.md
           items:
@@ -116,6 +118,8 @@
                   href: monitor/windows-autopatch-windows-quality-update-trending-report.md
                 - name: Reliability report
                   href: monitor/windows-autopatch-reliability-report.md
+                - name: Hotpatch quality update report
+                  href: monitor/windows-autopatch-hotpatch-quality-update-report.md
             - name: Windows feature and quality update device alerts
               href: monitor/windows-autopatch-device-alerts.md
         - name: Policy health and remediation
diff --git a/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
new file mode 100644
index 0000000000..f59aeefc45
--- /dev/null
+++ b/windows/deployment/windows-autopatch/manage/windows-autopatch-hotpatch-updates.md
@@ -0,0 +1,78 @@
+---
+title: Hotpatch updates
+description: Use Hotpatch updates to receive security updates without restarting your device
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+  - highpri
+  - tier1
+---
+
+# Hotpatch updates (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+Hotpatch updates are [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) that can be installed without requiring you to restart the device. Hotpatch updates are designed to reduce downtime and disruptions. By minimizing the need to restart, these updates help ensure faster compliance, making it easier for organizations to maintain security while keeping workflows uninterrupted.
+
+## Key benefits
+
+- Hotpatch updates streamline the installation process and enhance compliance efficiency.
+- No changes are required to your existing update ring configurations. Your existing ring configurations are honored alongside Hotpatch policies.
+- The [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates.
+
+## Eligible devices
+
+To benefit from Hotpatch updates, devices must meet the following prerequisites:
+
+- Operating System: Devices must be running Windows 11 24H2 or later.
+- VBS (Virtualization-based security): VBS must be enabled to ensure secure installation of Hotpatch updates.
+- Latest Baseline Release: Devices must be on the latest baseline release version to qualify for Hotpatch updates. Microsoft releases Baseline updates quarterly as standard cumulative updates. For more information on the latest schedule for these releases, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).
+
+## Ineligible devices
+
+Devices that don't meet one or more prerequisites automatically receive the Latest Cumulative Update (LCU) instead. Latest Cumulative Update (LCU) contains monthly updates that supersede the previous month's updates containing both security and nonsecurity releases.  
+
+LCUs requires you to restart the device, but the LCU ensures that the device remains fully secure and compliant.
+
+> [!NOTE]
+> If devices aren't eligible for Hotpatch updates, these devices are offered the LCU. The LCU keeps your configured Update ring settings, it doesn't change the settings.
+
+## Release cycles
+
+For more information about the release calendar for Hotpatch updates, see [Release notes for Hotpatch](https://support.microsoft.com/topic/release-notes-for-hotpatch-in-azure-automanage-for-windows-server-2022-4e234525-5bd5-4171-9886-b475dabe0ce8?preview=true).  
+
+- Baseline Release Months: January, April, July, October
+- Hotpatch Release Months: February, March, May, June, August, September, November, December
+
+## Enroll devices to receive Hotpatch updates
+
+> [!NOTE]
+> If you're using Autopatch groups and want your devices to receive Hotpatch updates, you must create a Hotpatch policy and assign devices to it.  Turning on Hotpatch updates doesn't change the deferral setting applied to devices within an Autopatch group.
+
+**To enroll devices to receive Hotpatch updates:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Manage updates** section, select **Windows updates**.
+1. Go to the **Quality updates** tab.
+1. Select **Create**, and select **Windows quality update policy (preview)**.
+1. Under the **Basics** section, enter a name for your new policy and select Next.
+1. Under the **Settings** section, set **"When available, apply without restarting the device ("hotpatch")** to **Allow**. Then, select **Next**.
+1. Select the appropriate Scope tags or leave as Default and select **Next**.
+1. Assign the devices to the policy and select **Next**.
+1. Review the policy and select **Create**.
+
+These steps ensure that targeted devices, which are [eligible](#eligible-devices) to receive Hotpatch updates, are configured properly. [Ineligible devices](#ineligible-devices) are offered the latest cumulative updates (LCU).
+
+> [!NOTE]
+> Turning on Hotpatch updates doesn't change the existing deadline-driven or scheduled install configurations on your managed devices.  Deferral and active hour settings will still apply.
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
new file mode 100644
index 0000000000..afa0dfe072
--- /dev/null
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-hotpatch-quality-update-report.md
@@ -0,0 +1,67 @@
+---
+title: Hotpatch quality update report
+description: Use the Hotpatch quality update report to view the current update statuses for all devices that receive Hotpatch updates
+ms.date: 11/19/2024
+ms.service: windows-client
+ms.subservice: autopatch
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: aaroncz
+ms.reviewer: adnich
+ms.collection:
+  - highpri
+  - tier1
+---
+
+# Hotpatch quality update report (public preview)
+
+[!INCLUDE [windows-autopatch-applies-to-all-licenses](../includes/windows-autopatch-applies-to-all-licenses.md)]
+
+> [!IMPORTANT]
+> This feature is in public preview. It is being actively developed and might not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios and provide feedback.
+
+The Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. For more information about Hotpatching, see [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md).
+
+**To view the Hotpatch quality update status report:**
+
+1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+1. Select the **Reports** tab.
+1. Select **Hotpatch quality updates (preview)**.
+
+> [!NOTE]
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+The Hotpatch quality update report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+### Default columns
+
+> [!IMPORTANT]
+> **Due to a recent change, we have identified an issue that prevents the Paused column from being displayed**. Until a fix is deployed, **you must keep track of your paused releases so you can resume them at a later date**. The team is actively working on resolving this issue and we'll provide an update when a fix is deployed.
+
+The following information is available as default columns in the Hotpatch quality update report:
+
+| Column name | Description |
+| ----- | ----- |
+| Quality update policy | The name of the policy. |
+| Device name | Total number of devices in the policy. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Hotpatched | Total devices that successfully received a Hotpatch update. |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
+| % with the latest quality update | Percent of [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) devices on the most current Windows release and its build number |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| By percentage | Select **By percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **By device count** to show your trending graphs and indicators by numeric value. |
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
index b2b2d8bf42..07b8b574fd 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-and-feature-update-reports-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality and feature update reports overview
 description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch.
-ms.date: 09/16/2024
+ms.date: 11/19/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: overview
@@ -61,7 +61,7 @@ Users with the following permissions can access the reports:
 
 ## About data latency
 
-The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
+The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately four hours.
 
 ## Windows quality and feature update statuses
 
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
index 326817f021..abde6947cc 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-status-report.md
@@ -29,7 +29,7 @@ The Quality update status report provides a per device view of the current updat
 1. Select **Quality update status**.
 
 > [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
 
 ## Report information
 
diff --git a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
index e0f41c201e..35bf2a1359 100644
--- a/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
+++ b/windows/deployment/windows-autopatch/monitor/windows-autopatch-windows-quality-update-summary-dashboard.md
@@ -27,7 +27,7 @@ The Summary dashboard provides a summary view of the current update status for a
 1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
 
 > [!NOTE]
-> The data in this report is refreshed every 24 hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+> The data in this report is refreshed every four hours with data received by your managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
 
 ## Report information
 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index 386ec22830..0ef22984f0 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
 ---
 title: What is Windows Autopatch?
 description: Details what the service is and shortcuts to articles.
-ms.date: 09/27/2024
+ms.date: 11/19/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: overview
@@ -49,7 +49,9 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
 | [Windows quality updates](../manage/windows-autopatch-windows-quality-update-overview.md) | With Windows Autopatch, you can manage Windows quality update profiles for Windows 10 and later devices. You can expedite a specific Windows quality update using targeted policies. |
 | [Windows feature updates](../manage/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch provides tools to assist with the controlled roll out of annual Windows feature updates. |
 | [Driver and firmware updates](../manage/windows-autopatch-manage-driver-and-firmware-updates.md) | You can manage and control your driver and firmware updates with Windows Autopatch.|
+| [Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md) | Install [Monthly B release security updates](/windows/deployment/update/release-cycle#monthly-security-update-release) without requiring you to restart the device. |
 | [Intune reports](/mem/intune/fundamentals/reports) | Use Intune reports to monitor the health and activity of endpoints in your organization.|
+| [Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md) | Hotpatch quality update report provides a per policy level view of the current update statuses for all devices that receive Hotpatch updates. |
 
 > [!IMPORTANT]
 > Microsoft 365 Business Premium and Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) do **not** have access to all Windows Autopatch features. For more information, see [Features and capabilities](../overview/windows-autopatch-overview.md#features-and-capabilities).
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
index f7ca1e60c8..815d13a816 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2024.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2024
 description: This article lists the 2024 feature releases and any corresponding Message center post numbers.
-ms.date: 09/27/2024
+ms.date: 11/19/2024
 ms.service: windows-client
 ms.subservice: autopatch
 ms.topic: whats-new
@@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
 
 Minor corrections such as typos, style, or formatting issues aren't listed.
 
+## November 2024
+
+### November feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| Hotpatch | <ul><li>[Hotpatch updates](../manage/windows-autopatch-hotpatch-updates.md)</li><li>[Hotpatch quality update report](../monitor/windows-autopatch-hotpatch-quality-update-report.md)</li></ul> |
+
 ## September 2024
 
 ### September feature releases or updates
diff --git a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
index 4948af5cf1..f2db0b2d7a 100644
--- a/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
+++ b/windows/security/application-security/application-control/app-control-for-business/operations/event-tag-explanations.md
@@ -139,22 +139,22 @@ The Microsoft Root certificates can be allowed and denied in policy using 'WellK
 | 0| None | N/A |
 | 1| Unknown | N/A |
 | 2 | Self-Signed | N/A |
-| 3 | Microsoft Authenticode(tm) Root Authority  | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100DF08BAE33F6E649BF589AF28964A078F1B2E8B3E1DFCB88069A3A1CEDBDFB08E6C8976294FCA603539AD7232E00BAE293D4C16D94B3C9DDAC5D3D109C92C6FA6C2605345DD4BD155CD031CD2595624F3E578D807CCD8B31F903FC01A71501D2DA712086D7CB0866CC7BA853207E1616FAF03C56DE5D6A18F36F6C10BD13E69974872C97FA4C8C24A4C7EA1D194A6D7DCEB05462EB818B4571D8649DB694A2C21F55E0F542D5A43A97A7E6A8E504D2557A1BF1B1505437B2C058DBD3D038C93227D63EA0A5705060ADB6198652D4749A8E7E656755CB8640863A9304066B2F9B6E334E86730E1430B87FFC9BE72105E23F09BA74865BF09887BCD72BC2E799B7B0203010001` |
-| 4 | Microsoft Product Root 1997 | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100A902BDC170E63BF24E1B289F97785E30EAA2A98D255FF8FE954CA3B7FE9DA2203E7C51A29BA28F60326BD1426479EEAC76C954DAF2EB9C861C8F9F8466B3C56B7A6223D61D3CDE0F0192E896C4BF2D669A9A682699D03A2CBF0CB55826C146E70A3E38962CA92839A8EC498342E3840FBB9A6C5561AC827CA1602D774CE999B4643B9A501C310824149FA9E7912B18E63D986314605805659F1D375287F7A7EF9402C61BD3BF5545B38980BF3AEC54944EAEFDA77A6D744EAF18CC96092821005790606937BB4B12073C56FF5BFBA4660A08A6D2815657EFB63B5E16817704DAF6BEAE8095FEB0CD7FD6A71A725C3CCABCF008A32230B30685C9B320771385DF0203010001` |
-| 5 | Microsoft Product Root 2001 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
-| 6 | Microsoft Product Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
-| 7 | Microsoft Standard Root 2011 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100B28041AA35384D13723268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B097C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD0567269980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD4207C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB010200649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA861D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001`|
-| 8 | Microsoft Code Verification Root 2006 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
+| 3 | Microsoft Authenticode(tm) Root Authority  | `3082010A0282010100DF08BAE33F6E649BF589AF28964A078F1B2E8B3E1DFCB88069A3A1CEDBDFB08E6C8976294FCA603539AD7232E00BAE293D4C16D94B3C9DDAC5D3D109C92C6FA6C2605345DD4BD155CD031CD2595624F3E578D807CCD8B31F903FC01A71501D2DA712086D7CB0866CC7BA853207E1616FAF03C56DE5D6A18F36F6C10BD13E69974872C97FA4C8C24A4C7EA1D194A6D7DCEB05462EB818B4571D8649DB694A2C21F55E0F542D5A43A97A7E6A8E504D2557A1BF1B1505437B2C058DBD3D038C93227D63EA0A5705060ADB6198652D4749A8E7E656755CB8640863A9304066B2F9B6E334E86730E1430B87FFC9BE72105E23F09BA74865BF09887BCD72BC2E799B7B0203010001` |
+| 4 | Microsoft Product Root 1997 | `3082010A0282010100A902BDC170E63BF24E1B289F97785E30EAA2A98D255FF8FE954CA3B7FE9DA2203E7C51A29BA28F60326BD1426479EEAC76C954DAF2EB9C861C8F9F8466B3C56B7A6223D61D3CDE0F0192E896C4BF2D669A9A682699D03A2CBF0CB55826C146E70A3E38962CA92839A8EC498342E3840FBB9A6C5561AC827CA1602D774CE999B4643B9A501C310824149FA9E7912B18E63D986314605805659F1D375287F7A7EF9402C61BD3BF5545B38980BF3AEC54944EAEFDA77A6D744EAF18CC96092821005790606937BB4B12073C56FF5BFBA4660A08A6D2815657EFB63B5E16817704DAF6BEAE8095FEB0CD7FD6A71A725C3CCABCF008A32230B30685C9B320771385DF0203010001` |
+| 5 | Microsoft Product Root 2001 | `3082020A0282020100F35DFA8067D45AA7A90C2C9020D035083C7584CDB707899C89DADECEC360FA91685A9E94712918767CC2E0C82576940E58FA043436E6DFAFF780BAE9580B2B93E59D05E3772291F734643C22911D5EE10990BC14FEFC755819E179B70792A3AE885908D89F07CA0358FC68296D32D7D2A8CB4BFCE10B48324FE6EBB8AD4FE45C6F139499DB95D575DBA81AB79491B4775BF5480C8F6A797D1470047D6DAF90F5DA70D847B7BF9B2F6CE705B7E11160AC7991147CC5D6A6E4E17ED5C37EE592D23C00B53682DE79E16DF3B56EF89F33C9CB527D739836DB8BA16BA295979BA3DEC24D26FF0696672506C8E7ACE4EE1233953199C835084E34CA7953D5B5BE6332594036C0A54E044D3DDB5B0733E458BFEF3F5364D842593557FD0F457C24044D9ED6387411972290CE684474926FD54B6FB086E3C73642A0D0FCC1C05AF9A361B9304771960A16B091C04295EF107F286AE32A1FB1E4CD033F777104C720FC490F1D4588A4D7CB7E88AD8E2DEC45DBC45104C92AFCEC869E9A11975BDECE5388E6E2B7FDAC95C22840DBEF0490DF813339D9B245A5238706A5558931BB062D600E41187D1F2EB597CB11EB15D524A594EF151489FD4B73FA325BFCD13300F95962700732EA2EAB402D7BCADD21671B30998F16AA23A841D1B06E119B36C4DE40749CE15865C1601E7A5B38C88FBB04267CD41640E5B66B6CAA86FD00BFCEC1350203010001`|
+| 6 | Microsoft Product Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
+| 7 | Microsoft Standard Root 2011 | `3082020A0282020100B28041AA35384D13723268224DB8B2F1FFD552BC6CC7F5D24A8C36EED1C25C7E8C8AAEAF13286FC073E33ACED025A85A3A6DEFA8B859AB132368CD0C2987D16F805C8F447F5D90015258AC51C55F2A87DCDCD80A1DC103B97BB056E8A3DE6461C29EF8F37CB9EC0DB554FE4CB6654F88F09C48990C420B097C315917790678288D893A4C0325BE716A5C0BE78460A49922E3D2AF84A4A7FBD198ED0CA9DE9489E10EA0DCC0CE993DEA0852BB5679E41F84BA1EB8B4C4495C4F314B87DDDD0567269980E07111A3B8A541E2A453B9F73229830C13BF365E04B34B43472F6BE2911ED3984FDD4207C8E81D12FC99A96B3E927EC8D6693AFC64BDB6099DCAFD0C0BA29B77604B0394A4306912D6422DC1414CCADCAAFD8F5B83469AD9FCB1D1E3B3C97F487ACD24F0418F5C74D0ACB010200649B7C72D21C857E3D086F30368FBD0CE71C189994A64016CFDEC3091CF413C92C7E5BA861D6184C75F833962AEB4922F47F30BF855EBA01F59D0BB749B1ED076E6F2E906D710E8FA64DE69C635968802F046B83F27996FCB71892935F7481602358FD5797C4D02CF5FEB8A834F457188F9A90D4E72E9C29C07CF491B4E040E63518C5ED800C1552CB6C6E0C2654EC93439F59CB3C47EE8616E135F15C45FD97EED1DCEEE44ECCB2E86B1EC38F670EDAB5C13C1D90F0DC780B255ED34F7AC9BE4C3DAE7473CA6B58F31DFC54BAFEBF10203010001`|
+| 8 | Microsoft Code Verification Root 2006 | `3082020A0282020100BD77C91C7F157838C50743215AFBE4CC3BC65531FC2189B1BCE7019CFB90BE20115576A74D02E7B2F42E8DEFB2874656CA47CEC8C363E308034B9606B9702244E64B7B443F75B7B8A62B910841EF4B0759D6A4199DF6CBA4BB8E02654DCADE0FB49022F1B56B5C22F6CAF938AA280B062D3C198DB7355F83EDDD65738446929F44E2894A8CD598A76D3DE819CB44AD180BEA5C5F7C0BC39A936844F3B6BF979930723F2859D070C8055778F54A82340A24C17AB064A53A6E12D5036138BB0E2DFD859CD648756A1CB2A2E891FAB7E4F53C5FFDC940ACC7A042F574D8B9DBD7FE73771AE0C4B709B1059A6DE35E8038757852B612D379AE43F765A7D1166469858F783AB894BF4512625A4D8748D6F819BC590106F51ADB60299F013F6E73F9FD8045CE95D78AF6920CC173402C6DAA32A6F17F30F890F1AE4527B9B40E3002BDC60EEC3C8C5BB63485CF140B0C500DA9E259912EA80139F42C15630480B840DF62F7FEB74C13A82CA966133862FC4070627B7577D52B8E1BA599E5B9B7C7ADEA01A0257B5846525654A2C9922B581D4851C01FFE3700D1E2AB10C2A959E942996E8FB51E4766741E98765757045EBD2F8593D50E0B9F2E7B2664A78612095063E7D1C78E7E0E3B07E7BBE4CD1A40D47ABA05594AD6D0EEDC965E224A271C45E3DEDAB2E9D343FDE96FC0C97D1FFD9F909C862008CC74DC40A729B3AB58656BB10203010001`|
 | 9 | Microsoft Test Root 1999 | `3081DF300D06092A864886F70D01010105000381CD003081C90281C100A9AA83586DB5D30C4B5B8090E5C30F280C7E3D3C24C52956638CEEC7834AD88C25D30ED312B7E1867274A78BFB0F05E965C19BD856C293F0FBE95A48857D95AADF0186B733334656CB5B7AC4AFA096533AE9FB3B78C1430CC76E1C2FD155F119B23FF8D6A0C724953BC845256F453A464FD2278BC75075C6805E0D9978617739C1B30F9D129CC4BB327BB24B26AA4EC032B02A1321BEED24F47D0DEAAA8A7AD28B4D97B54D64BAFB46DD696F9A0ECC5377AA6EAE20D6219869D946B96432D4170203010001`|
-| 0A | Microsoft Test Root 2010 | `30820222300D06092A864886F70D01010105000382020F003082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
-| 0B | Microsoft DMD Test Root 2005 | `30820122300D06092A864886F70D01010105000382010F003082010A0282010100BCACAFF12BE9877F310994630F483012C16BEA7E0EFC58B8C890F3C7719F41B5BB29E3834735BF42DE7A9CC16D125094061E721B6FF8C0207FDF6DAD840F08BB9A3F93589D931F05B640AB878C7FAA4F033D7DFA6B3BBCFBE0C426B0173EB67ECC9D089875667A34AF189B3D2CCEFCD943599197F3933255B7DA328ADADE6826C30C6F7EAB434CF5C00A22FD5B47A7A9964617529FBB3B1D850A90CD818105342BCA43C29075574D6151C0D6D2648C412107BE5C824A4F9451087522B9AEB94828F7C78606040B7011F0CDCDA079D3CE9CC5367C579BB6DF5B83BE616BE258D2D9858D7EE1A446574661F9DF4F82B9AC8FD2DFEF6082EC1272BF14D20ACCAF3F0203010001`|
-| 0C | Microsoft DMDRoot 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100BCFD36D32F1C7CBAC60458F2AB30A3F17DD4B983EF72DB009CCFE65F0CF144BE62225D2F77507CD68539FE7AAE991EC8B3F9C73CC0228DC7A7F9ED87E841ACE42DF2804E148BB4F5250B948D6FB42982CFE69EFDF79FE5B828B7366B2F6D00A449BF78814FA8069433D0D55720A8728BFED7F5632C8D44E960FE2FF539B625069E04C34D952ED52205304A4122610D5A24F0DF636C7FD8D2F69EF35E76E7B4BDBB9589F20AD44E73BD917E46103D2749427489C4E8AAA3A7407785A27F4626CCC6C0CBC3F2B88121A3BB68F3E2E57EF47C7107EBC10AF5DC038C510BE9C71373C1349EABD28E665811A57441CBD2D9E47480F089CB459896D7DB0815A598446CE223785693BC122A854CC29FD15917A1161025FAE7BD141A56F44E396FF563A256C50B7C9FD6F0B068151C6B367171F83983762354F755BC16E30CBC218BDE6DE9EB943D5440C3D320B0AF96BBE7C3B89DFBEEDC9B7153830D9A9FA6B3D216ACEAC8801D8D24243C8291463C497290BA698FBA7A30DDF6A6F13D68E537ED1A43528F19D71A52528CD80FB26428A5ABA70E04A267AA650B666FF696B2905FA5ECAE9BB3B984536DBC5FBE647036E6EE1DD17EB58AE4A137E8DB3E8FC2FDEAE9E35F74B494FCA0206E8FD396146BFBF56AD8122636955F1C7516AD18E50C9AC53774EC0CC367044FD6DAA68096D1263713BD7A0F21892B33B3189B3B37FDE451170203010001`|
-| 0D | Microsoft DMD Preview Root 2005 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
-| 0E | Microsoft Flight Root 2014 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
-| 0F | Microsoft Third Party Marketplace Root | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F0AD5E8240052D682459CBDE0AE884CC48B93B1DB08B52250E1214C410153A84BE81E075E6BA0EF861E36B1DCE9D1EDF9F283336DA8332C8A1A1ED594AE28C600C6A82B19A09A25C222E39ED92F681017AFF91689085A39C8A97837112946E32D71527E6670B7FE57A02FB90FFF049001ACF300C7BFFE94EA806FD2231166DDE496D96AA91261603419B1614EE98B85B4BD3F12FDB7E30FC79A668124A86773CECE533C3DFEA815519AD085E65D3DEAFBD5E741326839CCE585648E08AA76992ED72DB6782C2E6384ECF5F2BA03BD3C38B9A9A17125554A6647394F85356F21DE1BBD9CE92E2275B7DC4569CEB57FC0D9EE4A27A5999BD23C4656C906D08B25E871A6EA7D1F0EA0532857806504996988928566B0D29793567B8629FA3CFEF8563F8BE16DCED94047C6D610F9B78341E824CDD2A1C8F6D80B6DD7A051F84EDD855D711EB8793179F9A4D0E2874AAAC094F0E08BFFE59BF66EEE2F3511C178E3E3E5B7F2478A31CF4CAC2D619FDE8EBED4F94A55F34C49CE254BA48838B6444D3423B156AC60A6810242A227F4BB079D6DEE5E317199098063AEB5981A64EF496233FA28DCC76C8194EBD68553CD8FD8F844439894D1061951AE89CCCAFF14D38AE821C631CBF68EA45A236B6886A042C6BCB66D4C741090DADF3B0B498127369278E60E606ECEE8A6F30E55DDB56F0F02B523CA73B2A1A7EC0FF03C5ECE029DF0203010001`|
+| 0A | Microsoft Test Root 2010 | `3082020A028202010095E3A8C1B99C2654B099EF261FAC1EC73080BBF53FF2E4BBF8FE066A0AA688BCB48C45E070551988B405CBB5C1A1FAD47CC24253079C5456A897E09469BE1324EFE58A299CA6D02B2F8AA6E879442E8BEAC9BEB8548653BE07243454152220017B8A46FBD291079509B05611CC76B2D01F4479523428EC4F49C2CB61D386DCE4A37E559E9FEE106FCFE13DF8B78479A23B8D1CB0817CE44407E4CE46B098838D878FE5F5AE407AF1ED3D9B9A7C4AD1B9C394057BDCDAB8CEDC1E6CCFD99E37EFC35A367B908645DCF62ECADDEEDE27D9749A69F5D95D092D4541CCB7C282D42A8C162592973D944E89337E5B0354CDB083A08E41B7878DD9056352F6EEE64E139D54CD49FEE38B3B509B48BBB2E592D4ABA0C510AF3EB145213490DCADB9F7FE21AEEE50587A3AE5AAD8E382D6CF6D4DC915AC9C3117A516A742F6DA1278A76690ECFCCD0163FFF00EBAE1CDF0DB6B9A0FF60F040109BC9FCEB76C517057081BFF799A525DBAAC14E53B67CF2C52DE279A34036E2548B01974FC4D98C24B8C92E188AE482AABABCD144DB6610EA1098F2CDB45AF7D3B815608C93B41B7649F5D2E127FB969291F52454A23C6AFB6B238729D0833FFD0CF89B6EA6E8544943E9159EBEF9EBD9B9C1A47034EA21796FA620BE853B64EE3E82A7359E213B8F85A7EC6E20ADD4A43CCC3773B7A31040AC184963A636E1A3E0A0C25B87EB5520CB9AB0203010001`|
+| 0B | Microsoft DMD Test Root 2005 | `3082010A0282010100BCACAFF12BE9877F310994630F483012C16BEA7E0EFC58B8C890F3C7719F41B5BB29E3834735BF42DE7A9CC16D125094061E721B6FF8C0207FDF6DAD840F08BB9A3F93589D931F05B640AB878C7FAA4F033D7DFA6B3BBCFBE0C426B0173EB67ECC9D089875667A34AF189B3D2CCEFCD943599197F3933255B7DA328ADADE6826C30C6F7EAB434CF5C00A22FD5B47A7A9964617529FBB3B1D850A90CD818105342BCA43C29075574D6151C0D6D2648C412107BE5C824A4F9451087522B9AEB94828F7C78606040B7011F0CDCDA079D3CE9CC5367C579BB6DF5B83BE616BE258D2D9858D7EE1A446574661F9DF4F82B9AC8FD2DFEF6082EC1272BF14D20ACCAF3F0203010001`|
+| 0C | Microsoft DMDRoot 2005 | `3082020A0282020100BCFD36D32F1C7CBAC60458F2AB30A3F17DD4B983EF72DB009CCFE65F0CF144BE62225D2F77507CD68539FE7AAE991EC8B3F9C73CC0228DC7A7F9ED87E841ACE42DF2804E148BB4F5250B948D6FB42982CFE69EFDF79FE5B828B7366B2F6D00A449BF78814FA8069433D0D55720A8728BFED7F5632C8D44E960FE2FF539B625069E04C34D952ED52205304A4122610D5A24F0DF636C7FD8D2F69EF35E76E7B4BDBB9589F20AD44E73BD917E46103D2749427489C4E8AAA3A7407785A27F4626CCC6C0CBC3F2B88121A3BB68F3E2E57EF47C7107EBC10AF5DC038C510BE9C71373C1349EABD28E665811A57441CBD2D9E47480F089CB459896D7DB0815A598446CE223785693BC122A854CC29FD15917A1161025FAE7BD141A56F44E396FF563A256C50B7C9FD6F0B068151C6B367171F83983762354F755BC16E30CBC218BDE6DE9EB943D5440C3D320B0AF96BBE7C3B89DFBEEDC9B7153830D9A9FA6B3D216ACEAC8801D8D24243C8291463C497290BA698FBA7A30DDF6A6F13D68E537ED1A43528F19D71A52528CD80FB26428A5ABA70E04A267AA650B666FF696B2905FA5ECAE9BB3B984536DBC5FBE647036E6EE1DD17EB58AE4A137E8DB3E8FC2FDEAE9E35F74B494FCA0206E8FD396146BFBF56AD8122636955F1C7516AD18E50C9AC53774EC0CC367044FD6DAA68096D1263713BD7A0F21892B33B3189B3B37FDE451170203010001`|
+| 0D | Microsoft DMD Preview Root 2005 | `3082020A0282020100C3FF519F7576E65C5B6C6EBBB50760626E065740611131724066A5CE94519D702061FCE3C43A49BB6690D5BF94AFEB506B90F3AE5432F01A8AB0EFB064A7CC5EDCEDA6F8DA0FF0430A84B65AC746A1B4D8108CB74924F5FC6F7A4CD1232433E2554EC9778248C08FFDA9F89C189C5A23C608E68CD5C917954E424FA35F3F3649012BA2A1EC4C84FFC182E9B1F2E83773BAA7795AF85A421FDC904665DCE74FC8B3B9501C267F2B7E96790F170EC951E88BEC1E9D425C2DE4907722E6E8411265380A79D128255E67B79B393F76372FB388204E365FF7E952218B5D694CF0146BFFEAD4E8A5E82364E7AACE73E8F5DF25753A0446802321AFC923C322B2631D7B6364FA95FEE16191EBCD2F8755C61DF17B44DABD736FFEE5846569785AE835D35A893968487BB49890DA9FC166E87D5672EA9F73647A2BD0B4F340F0037226F6A0C500B721CC4B9B5E1756A1DA9B45B3B61E300DFFC85F13590147A57AB51950628FFD18ABA29A7CC5EF83CD5A1F00FDC8E854A5B9AEC755B5C572196A370D15A5736C1B9C772DA34B88C338E69044581C54F2EE23048ABAB7D5FEEF22C037163DCFE6D4E35CB088C5AFCA850ADF675CDB5E063412B262A912D0A1E25984BC5FEBFF0194F49A8B388DFD3C5EC02C31062B35D56F04BD1B3F29CE55113785FFAA000778EF5D080E911FF3432187AF0AD7786141429523F274EA749383187A47CF0203010001`|
+| 0E | Microsoft Flight Root 2014 | `3082020A0282020100C20F7F6D49BB39F04D943FE8FB4DC5EB3BE1285AB9892A467EA5C333271D82893FEB33A1876AEAE882B9DAC39D77D135C0CB833672A6571912BC15E2C83C7B83623414D5ABB6DE368BA15A71A65196A70633B3221D146253C2A5AF9A40CABE2C485499E72A9368A769190B99693BC1B2ACAE94DC5FAB7E02CADE3CA774A68C10A0E5AEB69C35EF838B10E5972ABA916B9A6A4595D9D054718E653FC48A53CA1E38470AE9D04184A5DA1E66016504E6505B7735F5B42E29320CC6BF5F61EE3220B77C39F911FAFF605EFEC669F46F1E1DED1D06E7651E9A112E6344065F31431733E9A32682D44B83124FD2A126032548E13ABD84F58AD5B46E1AE871200E45530167ADE31E6BE8B2E4ABFDF53B8EBA67AF5984CC5C75D09DAA5C72C42636A2AC324C6AB1F8331744D2A77D70EEEB70949ABCEABA1C104B635B38DDD2254504B2F0B35A7C0B0A8E21406437114D96694533E493839EF9B3B51C2B0571EA6DCCE748B6B6DE805010CA4938B35905704EBD9E880222586489EB40DAB12D2D6A40885D23C33ED0F5D5B7908A28543962A2C5C6B1BF74CD8695F9456BCCF207EAAC5CD336F7A27AB5B472532A063EC337945858B14A71BB5CCD9CB2AF109AD943363E528519E7422891118C8CE7BBDFE6C855087375F3960D86B7D2E506B2C08A54A86177207D6CD1FEBA68F3454AAF1184EB867D2F04F354EA20FFD5DB3D250270870203010001`|
+| 0F | Microsoft Third Party Marketplace Root | `3082020A0282020100F0AD5E8240052D682459CBDE0AE884CC48B93B1DB08B52250E1214C410153A84BE81E075E6BA0EF861E36B1DCE9D1EDF9F283336DA8332C8A1A1ED594AE28C600C6A82B19A09A25C222E39ED92F681017AFF91689085A39C8A97837112946E32D71527E6670B7FE57A02FB90FFF049001ACF300C7BFFE94EA806FD2231166DDE496D96AA91261603419B1614EE98B85B4BD3F12FDB7E30FC79A668124A86773CECE533C3DFEA815519AD085E65D3DEAFBD5E741326839CCE585648E08AA76992ED72DB6782C2E6384ECF5F2BA03BD3C38B9A9A17125554A6647394F85356F21DE1BBD9CE92E2275B7DC4569CEB57FC0D9EE4A27A5999BD23C4656C906D08B25E871A6EA7D1F0EA0532857806504996988928566B0D29793567B8629FA3CFEF8563F8BE16DCED94047C6D610F9B78341E824CDD2A1C8F6D80B6DD7A051F84EDD855D711EB8793179F9A4D0E2874AAAC094F0E08BFFE59BF66EEE2F3511C178E3E3E5B7F2478A31CF4CAC2D619FDE8EBED4F94A55F34C49CE254BA48838B6444D3423B156AC60A6810242A227F4BB079D6DEE5E317199098063AEB5981A64EF496233FA28DCC76C8194EBD68553CD8FD8F844439894D1061951AE89CCCAFF14D38AE821C631CBF68EA45A236B6886A042C6BCB66D4C741090DADF3B0B498127369278E60E606ECEE8A6F30E55DDB56F0F02B523CA73B2A1A7EC0FF03C5ECE029DF0203010001`|
 | 14 | Microsoft Trusted Root Store | N/A |
-| 15 | Microsoft OEM Root Certificate Authority 2017 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100F8DB3BE3FCDCEBA78508F59D89CEF3CE3B0FDA78135D682B2FA6977DA8111D685C2CAE4B190FC07E19EC30DA6079E1B9F728EAC5ACFAB79E824700F7015B1BD58112F57A43DCAF44179E179A9D40A8C05BD52F4155144E35C65A40C7D2D6216D4636B678E8311DF6812BC64A05354A5035A1A3783779702E7FB3D48E44B51A71E50F9F0DB4C261A91A664C6F88DC62DCEF19631FB43549D953AC564FAD2C9500C9EDCD351ABB2EFD1DDEFAC282E4CCAE8936D80AA4F28739F1A2E1D5735EA68723962540EAC1850E0619C2867A89584F4FFD372A05B4510BF6122F55A721FFB5B44C609D6160A8453A014F28F1545F78510D322020B06E6FEF9E248173B7D6DA3721C40E674ED45A000B390210BEF3D2C4B5E210144830E3E3049B70429F71A1C8128A333EBA664AF1B216C690D598CFFC160A18D609A2CAAF28BC0DDFE57C81BF0D93A320DAE44FF8E3AB00101D52C4A0049811ECFA872EC5765267A17911AA6D857060F821768C1120CE6FB778C1ED0DA2A3DC3C24B1F371630C174EF80A7EDA331B35A19A87CAA9DCC0DC1889BAF5A1B117899E8C4D70FFDC333ACF78A2BA37BC04A7D376660718B16DD69FE58D0F515680EB16A72E4D4F0233D132C561CFCB2FC0ADE8708AD0A2B50184DB995F8218CF49830367BD7E3A10A72919810D77101BAB42E54A021D45FC048F2C2C3A59A442E3F0E99EA3369537A1AA9D9DA7B90203010001`|
-| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `30820222300D06092A864886F70D01010105000382020F003082020A0282020100B3912A07830667FD9E9DE0C7C0B7A4E642047F0FA6DB5FFBD55AD745A0FB770BF080F3A66D5A4D7953D8A08684574520C7A254FBC7A2BF8AC76E35F3A215C42F4EE34A8596490DFFBE99D814F6BC2707EE429B2BF50B9206E4FD691365A89172F29884EB833D0EE4D771124821CB0DEDF64749B79BF9C9C717B6844FFFB8AC9AD773674985E386BD3740D02586D4DEB5C26D626AD5A978BC2D6F49F9E56C1414FD14C7D3651637DECB6EBC5E298DFD629B152CD605E6B9893233A362C7D7D6526708C42EF4562B9E0B87CCECA7B4A6AAEB05CD1957A53A0B04271C91679E2D622D2F1EBEDAC020CB0419CA33FB89BE98E272A07235BE79E19C836FE46D176F90F33D008675388ED0E0499ABBDBD3F830CAD55788684D72D3BF6D7F71D8FDBD0DAE926448B75B6F7926B5CD9B952184D1EF0F323D7B578CF345074C7CE05E180E35768B6D9ECB3674AB05F8E0735D3256946797250AC6353D9497E7C1448B80FDC1F8F47419E530F606FB21573E061C8B6B158627497B8293CA59E87547E83F38F4C75379A0B6B4E25C51EFBD5F38C113E6780C955A2EC5405928CC0F24C0ECBA0977239938A6B61CDAC7BA20B6D737D87F37AF08E33B71DB6E731B7D9972B0E486335974B516007B506DC68613DAFDC439823D24009A60DABA94C005512C34AC50991387BBB30580B24D30025CB826835DB46373EFAE23954F6028BE37D55BA50203010001`|
+| 15 | Microsoft OEM Root Certificate Authority 2017 | `3082020A0282020100F8DB3BE3FCDCEBA78508F59D89CEF3CE3B0FDA78135D682B2FA6977DA8111D685C2CAE4B190FC07E19EC30DA6079E1B9F728EAC5ACFAB79E824700F7015B1BD58112F57A43DCAF44179E179A9D40A8C05BD52F4155144E35C65A40C7D2D6216D4636B678E8311DF6812BC64A05354A5035A1A3783779702E7FB3D48E44B51A71E50F9F0DB4C261A91A664C6F88DC62DCEF19631FB43549D953AC564FAD2C9500C9EDCD351ABB2EFD1DDEFAC282E4CCAE8936D80AA4F28739F1A2E1D5735EA68723962540EAC1850E0619C2867A89584F4FFD372A05B4510BF6122F55A721FFB5B44C609D6160A8453A014F28F1545F78510D322020B06E6FEF9E248173B7D6DA3721C40E674ED45A000B390210BEF3D2C4B5E210144830E3E3049B70429F71A1C8128A333EBA664AF1B216C690D598CFFC160A18D609A2CAAF28BC0DDFE57C81BF0D93A320DAE44FF8E3AB00101D52C4A0049811ECFA872EC5765267A17911AA6D857060F821768C1120CE6FB778C1ED0DA2A3DC3C24B1F371630C174EF80A7EDA331B35A19A87CAA9DCC0DC1889BAF5A1B117899E8C4D70FFDC333ACF78A2BA37BC04A7D376660718B16DD69FE58D0F515680EB16A72E4D4F0233D132C561CFCB2FC0ADE8708AD0A2B50184DB995F8218CF49830367BD7E3A10A72919810D77101BAB42E54A021D45FC048F2C2C3A59A442E3F0E99EA3369537A1AA9D9DA7B90203010001`|
+| 16 | Microsoft Identity Verification Root Certificate Authority 2020 | `3082020A0282020100B3912A07830667FD9E9DE0C7C0B7A4E642047F0FA6DB5FFBD55AD745A0FB770BF080F3A66D5A4D7953D8A08684574520C7A254FBC7A2BF8AC76E35F3A215C42F4EE34A8596490DFFBE99D814F6BC2707EE429B2BF50B9206E4FD691365A89172F29884EB833D0EE4D771124821CB0DEDF64749B79BF9C9C717B6844FFFB8AC9AD773674985E386BD3740D02586D4DEB5C26D626AD5A978BC2D6F49F9E56C1414FD14C7D3651637DECB6EBC5E298DFD629B152CD605E6B9893233A362C7D7D6526708C42EF4562B9E0B87CCECA7B4A6AAEB05CD1957A53A0B04271C91679E2D622D2F1EBEDAC020CB0419CA33FB89BE98E272A07235BE79E19C836FE46D176F90F33D008675388ED0E0499ABBDBD3F830CAD55788684D72D3BF6D7F71D8FDBD0DAE926448B75B6F7926B5CD9B952184D1EF0F323D7B578CF345074C7CE05E180E35768B6D9ECB3674AB05F8E0735D3256946797250AC6353D9497E7C1448B80FDC1F8F47419E530F606FB21573E061C8B6B158627497B8293CA59E87547E83F38F4C75379A0B6B4E25C51EFBD5F38C113E6780C955A2EC5405928CC0F24C0ECBA0977239938A6B61CDAC7BA20B6D737D87F37AF08E33B71DB6E731B7D9972B0E486335974B516007B506DC68613DAFDC439823D24009A60DABA94C005512C34AC50991387BBB30580B24D30025CB826835DB46373EFAE23954F6028BE37D55BA50203010001`|
 
 For well-known roots, the TBS hashes for the certificates are baked into the code for App Control for Business. For example, they don't need to be listed as TBS hashes in the policy file.
 
diff --git a/windows/security/application-security/index.md b/windows/security/application-security/index.md
deleted file mode 100644
index 6d2ac65456..0000000000
--- a/windows/security/application-security/index.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Windows application security
-description: Get an overview of application security in Windows
-ms.date: 08/02/2023
-ms.topic: conceptual
----
-
-# Windows application security
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts, so that PCs run with least privilege to prevent malicious applications from accessing sensitive resources.
-
-Learn more about application security features in Windows.
-
-[!INCLUDE [application](../includes/sections/application.md)]
diff --git a/windows/security/application-security/toc.yml b/windows/security/application-security/toc.yml
index 84c5873b45..c8a80ddfef 100644
--- a/windows/security/application-security/toc.yml
+++ b/windows/security/application-security/toc.yml
@@ -1,6 +1,4 @@
 items:
-- name: Overview
-  href: index.md
 - name: Application and driver control
   href: application-control/toc.yml
 - name: Application isolation
diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md
index 462cf9cf11..6435037d78 100644
--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@@ -2,67 +2,76 @@
 title: Application and driver control
 description: Windows 11 security book - Application and driver control.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Application and driver control
 
-:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
 
 Windows 11 offers a rich application platform with layers of security like isolation and code integrity that help protect your valuable data. Developers can also take advantage of these
 capabilities to build in security from the ground up to protect against breaches and malware.
 
 ## Smart App Control
 
-Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily.
+Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily.
 
-Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users.
-Smart App Control will ship with new devices with Windows 11, version 22H2 installed.
+Smart App Control builds on top of the same cloud-based AI used in *App Control for Business* to predict the safety of an application, so that users can be confident that their applications are safe and reliable. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users.
 
-Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business.
+We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their devices up to date via Windows Update every month.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+To ensure that users have a seamless experience with Smart App Control enabled, we ask developers to sign their applications with a code signing certificate from the Microsoft Trusted Root Program. Developers should include all binaries, such as exe, dll, temp installer files, and uninstallers. Trusted Signing makes the process of obtaining, maintaining, and signing with a trusted certificate simple and secure.
 
-- [Smart App Control](/windows/apps/develop/smart-app-control/overview)
+Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use *App Control for Business*.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Smart App Control][LINK-1]
 
 ## App Control for Business
 
-Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
+Your organization is only as secure as the applications that run on your devices. With *application control*, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means of defending against executable file-based malware.
 
-Windows 10 and above include App Control for Business (previously called Windows Defender Application Control) as well as AppLocker. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
+App Control for Business (previously called *Windows Defender Application Control*) and AppLocker are both included in Windows. App Control for Business is the next-generation app control solution for Windows and provides powerful control over what runs in your environment. Organizations that were using AppLocker on previous versions of Windows, can continue to use the feature as they consider whether to switch to App Control for Business for stronger protection.
 
-Customers using Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to manage their devices are now able to configure App Control for Business in the admin console, including setting up Intune as a managed installer.
+Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> can configure App Control for Business in the admin console, including setting up Intune as a managed installer. Intune includes built-in options for App Control for Business and the possibility to upload policies as an XML file for Intune to package and deploy.
 
-Customers can use some built-in options for App Control for Business or upload their own policy as an XML file for Intune to package and deploy.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- [Application Control for Windows][LINK-2]
+- [Automatically allow apps deployed by a managed installer with App Control for Business][LINK-3]
 
-- [Application Control for Windows](/windows/security/application-security/application-control/windows-defender-application-control/wdac)
+## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Administrator protection
 
-## User Account Control
+When users sign in with administrative rights to Windows, they have the power to make significant changes to the system, which can impact its overall security. These rights can be a target for malicious software.
 
-User Account Control (UAC) helps prevent malware from damaging a PC and enables organizations to deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
+Administrator protection is a new security feature in Windows 11 designed to safeguard these administrative rights. It allows administrators to perform all necessary functions with **just-in-time administrative rights**, while running most tasks without administrative privileges. The goal of administrator protection is to provide a secure and seamless experience, ensuring users operate with the least required privileges.
 
-Organizations can use a modern device management (MDM) solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to remotely configure UAC settings. Organizations without MDM can change settings directly
-on the device.
+When administrator protection is enabled, if an app needs special permissions like administrative rights, the user is asked for approval. When an approval is needed, Windows Hello provides a secure and easy way to approve or deny these requests.
 
-Enabling UAC helps prevent malware from altering PC settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized
-apps and prevent inadvertent changes to system settings.
-
-Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games.
-
-Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed.
-
-:::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false":::
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [How User Account Control works](/windows/security/identity-protection/user-account-control/how-user-account-control-works)
+> [!NOTE]
+> Administrator protection is currently in preview. For devices running previous versions of Windows, refer to [User Account Control (UAC)][LINK-5].
 
 ## Microsoft vulnerable driver blocklist
 
-The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. Prior to the Windows 11 2022 Update, Windows enforced a block policy when hypervisor-protected code integrity (HVCI) was enabled to prevent vulnerable versions of drivers from running. Beginning with the Windows 11 2022 Update, the block policy is now on by default for all new Windows PCs, and users can opt in to enforce the policy from the Windows Security app.
+The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers. To prevent vulnerable versions of drivers from running, Windows has a *block policy* turned on by default. Users can configure the policy from the Windows Security app.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Microsoft recommended driver block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules)
+- [Microsoft recommended driver block rules][LINK-4]
+
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Trusted Signing
+
+Trusted Signing is a Microsoft fully managed, end-to-end signing solution that simplifies the signing process and empowers third-party developers to easily build and distribute applications.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [What is Trusted Signing](/azure/trusted-signing/overview)
+
+<!--links-->
+
+[LINK-1]: /windows/apps/develop/smart-app-control/overview
+[LINK-2]: /windows/security/application-security/application-control/windows-defender-application-control/wdac
+[LINK-3]: /windows/security/application-security/application-control/app-control-for-business/design/configure-authorized-apps-deployed-with-a-managed-installer
+[LINK-4]: /windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+[LINK-5]: /windows/security/identity-protection/user-account-control/how-user-account-control-works
diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md
index 603d0138a4..6bc9c40284 100644
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@@ -2,45 +2,37 @@
 title: Application isolation
 description: Windows 11 security book - Application isolation.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Application isolation
 
-:::image type="content" source="images/application-security.png" alt-text="Diagram of containing a list of application security features." lightbox="images/application-security.png" border="false":::
+:::image type="content" source="images/application-security.png" alt-text="Diagram containing a list of application security features." lightbox="images/application-security.png" border="false":::
 
-## Win32 app isolation
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Win32 app isolation
 
-Win32 app isolation is a new security feature in public preview designed to be the default isolation standard on Windows clients. It's built on [AppContainer](/windows/win32/secauthz/implementing-an-appcontainer), and offers several added security features to help the Windows platform defend against attacks that leverage vulnerabilities in applications or third-party libraries. To isolate their apps, developers can update their applications using the tools provided by Microsoft.
+Win32 app isolation is a security feature designed to be the default isolation standard on Windows clients. It's built on [AppContainer][LINK-1], and offers several added security features to help the Windows platform defend against attacks that use vulnerabilities in applications or third-party libraries. To isolate their applications, developers can update them using Visual Studio.
 
-Win32 app isolation follows a two-step process. In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Microsoft. Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.
+Win32 app isolation follows a two-step process:
 
-In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. Securable objects in this context refer to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List](/windows/win32/secauthz/access-control-lists) on Windows.
+- In the first step, the Win32 application is launched as a low-integrity process using AppContainer, which is recognized as a security boundary by Windows. The process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level
+- In the second step, least privilege is enforced by granting authorized access to Windows securable objects. This access is determined by capabilities that are added to the application manifest through MSIX packaging. *Securable objects* in this context refers to Windows resources whose access is safeguarded by capabilities. These capabilities enable the implantation of a [Discretionary Access Control List][LINK-2] on Windows
 
-To help ensure that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The Application Capability Profiler (ACP) simplifies the entire process by allowing the application to run in "learn mode" with low privileges. Instead of denying access if the capability is not present, ACP allows access and logs additional capabilities required for access if the application were to run isolated. For more information on ACP, please refer to the [GitHub documentation page](https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md#stack-tracing---acp-stacktracewpaprofile).
+To help ensuring that isolated applications run smoothly, developers must define the access requirements for the application via access capability declarations in the application package manifest. The *Application Capability Profiler (ACP)* simplifies the entire process by allowing the application to run in *learn mode* with low privileges. Instead of denying access if the capability isn't present, ACP allows access and logs additional capabilities required for access if the application were to run isolated.
 
 To create a smooth user experience that aligns with nonisolated, native Win32 applications, two key factors should be taken into consideration:
 
 - Approaches for accessing data and privacy information
 - Integrating Win32 apps for compatibility with other Windows interfaces
 
-The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary ([AppContainer](/windows/win32/secauthz/implementing-an-appcontainer)). The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
+The first factor relates to implementing methods to manage access to files and privacy information within and outside the isolation boundary AppContainer. The second factor involves integrating Win32 apps with other Windows interfaces in a way that helps enable seamless functionality without causing perplexing user consent prompts.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Win32 app isolation](https://github.com/microsoft/win32-app-isolation)
-
-## Windows Sandbox
-
-Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation using the same hardware-based Hyper-V virtualization technology without fear of lasting impact to the PC. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
-
-Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
-- [Windows Sandbox is a new lightweight desktop environment tailored for safely
-running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849)
+- [Win32 app isolation][LINK-4]
+- [Application Capability Profiler (ACP)][LINK-5]
+- [Learn how to adopt Win32 app isolation with Visual Studio][LINK-6]
+- [Sandboxing Python with Win32 app isolation][LINK-7]
 
 ## App containers
 
@@ -48,6 +40,61 @@ In addition to Windows Sandbox for Win32 apps, Universal Windows Platform (UWP)
 
 Processes that run in app containers operate at a low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the file system, registry, and other resources. The app container also enforces restrictions on network connectivity. For example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows and app container](/windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations)
+- [Windows and app container][LINK-8]
+
+## Windows Sandbox
+
+Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based virtualization technology as Hyper-V. Any untrusted Win32 app installed in Windows Sandbox stays only in the sandbox and can't affect the host.
+
+Once Windows Sandbox is closed, nothing persists on the device. All the software with all its files and state are permanently deleted after the untrusted Win32 application is closed.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Sandbox][LINK-9]
+
+## Windows Subsystem for Linux (WSL)
+
+With Windows Subsystem for Linux (WSL) you can run a Linux environment on a Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+- **Hyper-V Firewall** is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows
+- **DNS Tunneling** is a networking setting that improves compatibility in different networking environments, making use of virtualization features to obtain DNS information rather than a networking packet
+- **Auto proxy** is a networking setting that enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it makes that proxy automatically apply to WSL distributions
+
+These features can be set up using a device management solution such as Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. Microsoft Defender for Endpoint (MDE) integrates with WSL, allowing it to monitor activities within a WSL distro and report them to the MDE dashboards.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Hyper-V Firewall][LINK-10]
+- [DNS Tunneling][LINK-11]
+- [Auto proxy][LINK-12]
+- [Intune setting for WSL][LINK-13]
+- [Microsoft Defender for Endpoint plug-in for WSL][LINK-14]
+
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Virtualization-based security enclaves
+
+A **Virtualization-based security enclave** is a software-based trusted execution environment (TEE) inside a host application. VBS enclaves enable developers to use VBS to protect their application's secrets from admin-level attacks. VBS enclaves are available on Windows 10 onwards on both x64 and ARM64.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Virtualization-based security enclave][LINK-15]
+
+<!--links-->
+
+[LINK-1]: /windows/win32/secauthz/implementing-an-appcontainer
+[LINK-2]: /windows/win32/secauthz/access-control-lists
+[LINK-4]: https://github.com/microsoft/win32-app-isolation
+[LINK-5]: https://github.com/microsoft/win32-app-isolation/blob/main/docs/profiler/application-capability-profiler.md
+[LINK-6]: https://github.com/microsoft/win32-app-isolation/blob/main/docs/packaging/packaging-with-visual-studio.md
+[LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/
+[LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations
+[LINK-9]: /windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
+[LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall
+[LINK-11]: /windows/wsl/networking#dns-tunneling
+[LINK-12]: /windows/wsl/networking#auto-proxy
+[LINK-13]: /windows/wsl/intune
+[LINK-14]: /defender-endpoint/mde-plugin-wsl
+[LINK-15]: /windows/win32/trusted-execution/vbs-enclaves
diff --git a/windows/security/book/application-security.md b/windows/security/book/application-security.md
index 5b8a5238ab..450a054437 100644
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@@ -2,15 +2,15 @@
 title: Application security
 description: Windows 11 security book - Application security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Application security
 
 :::image type="content" source="images/application-security-cover.png" alt-text="Cover of the application security chapter." border="false":::
 
+Applications are prime vectors for cyberattacks due to their frequent usage and access to valuable data. Common attempts include injection attacks that insert malicious code, man-in-the-middle attacks that intercept and potentially alter communication between users and applications, and various methods of tricking users into divulging sensitive information or changing system settings.
+
+Windows 11 protects users, apps, and data with features like Windows App Control for Business and the Microsoft vulnerable driver blocklist, which help ensure that only trusted apps and drivers can run on the device.
+
 :::image type="content" source="images/application-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/application-security.png" border="false":::
-
-Cybercriminals can take advantage of poorly secured applications to access valuable resources. With Windows 11, IT admins can combat common application attacks from the moment a device is provisioned. For example, IT can remove local admin rights from user accounts so that PCs run with the least amount of privileges to prevent malicious applications from accessing sensitive resources.
-
-In addition, organizations can control which applications run on their devices with App Control for Business (previously called Windows Defender Application Control - WDAC).
diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md
index 39b189a20f..855a3e1e34 100644
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@@ -2,57 +2,64 @@
 title: Cloud services - Protect your personal information
 description: Windows 11 security book - Cloud services chapter - Protect your personal information.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Protect your personal information
 
-:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
 
-## Microsoft Account
+## Microsoft account
 
-Your Microsoft Account (MSA) gives you access to Microsoft products and services with just one login, allowing you to manage everything all in one place. Keep tabs on your subscriptions and order history, update your privacy and security settings, track the health and safety of your devices, and get rewards. Everything stays with you in the cloud, across devices, and between OS ecosystems, including iOS and Android.
+Your Microsoft account (MSA) provides seamless access to Microsoft products and services with just one sign-in, allowing you to manage everything in one place. You can easily keep track of your subscriptions and order history, update your privacy and security settings, monitor the health and safety of your devices, and earn rewards. Your information stays with you in the cloud, accessible across devices and operating systems, including iOS and Android.
 
-You can even go passwordless with your Microsoft Account by removing the password from your MSA and using the Microsoft Authenticator app on your mobile Android or iOS phone.
+You can even go passwordless with your Microsoft account by removing the password from your MSA:
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- Use Windows Hello to eliminate the password sign-in method for an even more secure experience
+- Use the Microsoft Authenticator app on your Android or iOS device
 
-- [What is a Microsoft account?](https://support.microsoft.com/windows/what-is-a-microsoft-account-4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-## User reauthentication before password disablement
-
-Windows provides greater flexibility for users to balance ease of use with security. Users can choose the interval that the machine remains idle before it automatically signs the user out. To avoid a security breach and prevent users from accidentally making settings changes, Windows reauthenticates the user before they are allowed to change the setting to not sign out the user even after the device remains idle indefinitely.
-
-This setting is available on the Sign-in options page in Settings and is available on Windows 11 and onward for MSA users worldwide.
+- [What is a Microsoft account?][LINK-1]
+- [Go passwordless with your Microsoft account][LINK-5]
 
 ## Find my device
 
-When location services and Find my device settings are turned on, basic system services like time zone and Find my device will be allowed to use the device's location. When enabled, Find my device can be used by the admin on the device to help recover lost or stolen Windows devices to reduce security threats that rely on physical access.
+When location services and *Find my device* settings are turned on, basic system services like time zone and Find my device are allowed to use the device's location. Find my device can be used to help recover lost or stolen Windows devices, reducing the security threats that rely on physical access.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [How to set up, find, and lock a lost Windows device using a Microsoft Account](https://support.microsoft.com/account-billing/find-and-lock-a-lost-windows-device-890bf25e-b8ba-d3fe-8253-e98a12f26316)
+- [How to set up, find, and lock a lost Windows device using a Microsoft account][LINK-2]
 
 ## OneDrive for personal
 
-Microsoft OneDrive17 for personal provides additional security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud.
+Microsoft OneDrive for personal<sup>[\[10\]](conclusion.md#footnote10)</sup> offers enhanced security, backup, and restore options for important personal files. Users can access their data from anywhere, since their files are stored and protected in the cloud. OneDrive provides an excellent solution for backing up folders, ensuring that:
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- If a device is lost or stolen, users can quickly recover all their important files from the cloud
+- If a user is targeted by a ransomware attack, OneDrive enables recovery. With configured backups, users have more options to mitigate and recover from such attacks
 
-- [OneDrive](/onedrive/plan-onedrive-enterprise)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack.
+- [Get started with OneDrive][LINK-6]
+- [How to recover from a ransomware attack using Microsoft 365][LINK-7]
+- [How to restore from OneDrive][LINK-3]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+## Personal Vault
 
-- [How to recover from a ransomware attack using Microsoft 365](/microsoft-365/security/office-365-security/recover-from-ransomware)
+Personal Vault offers robust protection for the most important or sensitive files, without sacrificing the convenience of anywhere access. Secure digital copies of crucial documents in Personal Vault, where they're protected by identity verification and are easily accessible across devices.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Once the Personal Vault is configured, users can access it using a strong authentication method or a second step of identity verification. The second steps of verification include fingerprint, face recognition, PIN, or a code sent via email or text.
 
-- [How to restore from OneDrive](https://support.microsoft.com/office/restore-your-onedrive-fa231298-759d-41cf-bcd0-25ac53eb8a15)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-## OneDrive Personal Vault
+- [Protect your OneDrive files in Personal Vault][LINK-4]
 
-OneDrive Personal Vault<sup>[\[9\]](conclusion.md#footnote9)</sup> also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices.
+<!--links-->
 
-Learn how to [set up a Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4) with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS.
+[LINK-1]: https://support.microsoft.com/topic/4a7c48e9-ff5a-e9c6-5a5c-1a57d66c3bfa
+[LINK-2]: https://support.microsoft.com/topic/890bf25e-b8ba-d3fe-8253-e98a12f26316
+[LINK-3]: https://support.microsoft.com/topic/fa231298-759d-41cf-bcd0-25ac53eb8a15
+[LINK-4]: https://support.microsoft.com/topic/6540ef37-e9bf-4121-a773-56f98dce78c4
+[LINK-5]: https://support.microsoft.com/topic/585a71d7-2295-4878-aeac-a014984df856
+[LINK-6]: https://support.microsoft.com/onedrive
+[LINK-7]: /microsoft-365/security/office-365-security/recover-from-ransomware
diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md
index 97aafdbec1..c695db60bd 100644
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@@ -2,137 +2,87 @@
 title: Cloud services - Protect your work information
 description: Windows 11 security book - Cloud services chapter - Protect your work information.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/04/2024
 ---
 
 # Protect your work information
 
-:::image type="content" source="images/cloud-security.png" alt-text="Diagram of containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
+:::image type="content" source="images/cloud-security.png" alt-text="Diagram containing a list of security features for cloud security." lightbox="images/cloud-security.png" border="false":::
 
-## Microsoft Entra ID
+## :::image type="icon" source="images/microsoft-entra-id.svg" border="false"::: Microsoft Entra ID
 
-Microsoft Entra ID, formerly Azure Active Directory is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
+Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. Microsoft Entra ID can also be used with Windows Autopilot for zero-touch provisioning of devices preconfigured with corporate security policies.
 
-Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. By registering devices with Microsoft Entra ID - also called Workplace joined - IT admins can support users in bring your own device (BYOD) or mobile device scenarios. Credentials are authenticated and bound to the joined device and cannot be copied to another device without explicit reverification.
+Organizations can deploy Microsoft Entra ID joined devices to enable access to both cloud and on-premises apps and resources. Access to resources can be controlled based on the Microsoft Entra ID account and Conditional Access policies applied to the device. For the most seamless and delightful end to end single sign-on (SSO) experience, we recommend users configure Windows Hello for Business during the out of box experience for easy passwordless sign-in to Entra ID .
 
-To provide more security and control for IT and a seamless experience for end users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
+:::row:::
+    :::column:::
+        For users wanting to connect to Microsoft Entra on their personal devices, they can do so by adding their work or school account to Windows. This action registers the user's personal device with Microsoft Entra ID, allowing IT admins to support users in bring your own device (BYOD) scenarios. Credentials are authenticated and bound to the joined device, and can't be copied to another device without explicit reverification.
+    :::column-end:::
+    :::column:::
+:::image type="content" source="images/device-registration.png" alt-text="Screenshot of the Entra account registration page." border="false" lightbox="images/device-registration.png":::
+    :::column-end:::
+:::row-end:::
+
+To provide more security and control for IT and a seamless experience for users, Microsoft Entra ID works with apps and services, including on-premises software and thousands of software-as-a-service (SaaS) applications. Microsoft Entra ID protections include single sign-on, multifactor authentication, conditional access policies, identity protection, identity governance, and privileged identity management.
 
 Windows 11 works with Microsoft Entra ID to provide secure access, identity management, and single sign-on to apps and services from anywhere. Windows has built-in settings to add work or school accounts by syncing the device configuration to an Active Directory domain or Microsoft Entra ID tenant.
 
 :::image type="content" source="images/access-work-or-school.png" alt-text="Screenshot of the add work or school account in Settings." border="false":::
 
-When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, it receives the following security benefits:
+When a device is Microsoft Entra ID joined and managed with Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, it receives the following security benefits:
 
 - Default managed user and device settings and policies
 - Single sign-in to all Microsoft Online Services
 - Full suite of authentication management capabilities using Windows Hello for Business
 - Single sign-on (SSO) to enterprise and SaaS applications
-- No use of consumer Microsoft Account identity
+- No use of consumer Microsoft account identity
 
-Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can setup Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
+Organizations and users can join or register their Windows devices with Microsoft Entra ID to get a seamless experience to both native and web applications. In addition, users can set up Windows Hello for Business or FIDO2 security keys with Microsoft Entra ID and benefit from greater security with passwordless authentication.
 
 In combination with Microsoft Intune, Microsoft Entra ID offers powerful security control through Conditional Access to restrict access to organizational resources to healthy and compliant devices. Note that Microsoft Entra ID is only supported on Windows Pro and Enterprise editions.
 
 Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows Local Administrator Password Solution with Microsoft Entra (Azure AD)](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487)
-- [Microsoft Entra plans and pricing](https://www.microsoft.com/security/business/microsoft-entra-pricing?rtc=1)
+- [Microsoft Entra ID documentation][LINK-1]
+- [Microsoft Entra plans and pricing][LINK-2]
 
-## Modern device management through (MDM)
+### :::image type="icon" source="images/microsoft-entra-private-access.svg" border="false":::  Microsoft Entra Private Access
 
-Windows 11 supports modern device management through mobile device management (MDM) protocols so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.
+Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
 
-Windows 11 built-in management features include:
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
-- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
+- [Microsoft Entra Private Access][LINK-4]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+### :::image type="icon" source="images/microsoft-entra-internet-access.svg" border="false":::  Microsoft Entra Internet Access
 
-- [Mobile device management overview](/windows/client-management/mdm-overview)
+Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
 
-## Microsoft security baselines
+> [!NOTE]
+> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices for deployment. The two solutions use the Global Secure Access client for Windows, which secures and controls the features.
 
-Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+- [Microsoft Entra Internet Access][LINK-3]
+- [Global Secure Access client for Windows][LINK-6]
+- [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept][LINK-5]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+### Enterprise State Roaming
 
-- [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines)
+Available to any organization with a Microsoft Entra ID Premium<sup>[\[4\]](conclusion.md#footnote4)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
 
-## MDM security baseline
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices.
+- [Enterprise State Roaming in Microsoft Entra ID][LINK-7]
 
-The security baseline includes policies for:
+## :::image type="icon" source="images/azure-attestation.svg" border="false"::: Azure Attestation service
 
-- Microsoft inbox security technology such as BitLocker, Microsoft Defender SmartScreen, virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
-- Restricting remote access to devices
-- Setting credential requirements for passwords and PINs
-- Restricting use of legacy technology
+Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they're allowed to access resources. Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> integrates with Azure Attestation service to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup> Conditional Access.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [MDM security baseline](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)
-
-## Microsoft Intune
-
-Microsoft Intune15 is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
-
-Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication.
-
-Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies.16 For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment.
-
-Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
-
-### Endpoint Privilege Management (EPM)
-
-Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run tasks allowed by the organization to remain productive.
-
-### Local Administrator Password (LAPs)
-
-Local Administrator Password solution was a key consideration for many customers when deciding to make the transition from on-premises to cloud-managed devices using Intune. With LAPS (available in preview), organizations can automatically manage and back up the password of a local administrator account on Microsoft Entra ID joined or hybrid Microsoft Entra ID joined devices.
-
-### Mobile Application Management (MAM)
-
-With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
-
-Customers have asked for App Control for Business (previously called Windows Defender Application Control) to manage Installer support for a long time. Now customers will be able to enable allowlisting of Win32 apps within their enterprise to proactively reduce the number of malware infections.
-
-Finally, Config Refresh helps organizations move to cloud from on-premises by protecting against settings deviating from the admin's intent.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows LAPS overview](/windows-server/identity/laps/laps-overview)
-
-Microsoft Intune also has policies and settings to configure and manage the flow of operating system updates to devices, working with WUfB and WUfB-DS and giving admins great control over their deployments
-
-With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune)
-
-## Remote Wipe
-
-When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
-
-Windows 11 supports the Remote Wipe configuration service provider (CSP) so that MDM Solutions<sup>[\[9\]](conclusion.md#footnote9)</sup> can remotely initiate any of the following operations:
-
-- Reset the device and remove user accounts and data
-- Reset the device and clean the drive
-- Reset the device but persist user accounts and data
-
-Learn More: [Remote Wipe CSP](/windows/client-management/mdm/remotewipe-csp)
-
-## Microsoft Azure Attestation Service
-
-Remote attestation helps ensure that devices are compliant with security policies and are operating in a trusted state before they are allowed to access resources. Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> integrates with [Microsoft Azure Attestation Service](/azure/attestation/overview) to review Windows device health comprehensively and connect this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> Conditional Access.
-
-**Attestation policies are configured in the Microsoft Azure Attestation Service which can then:**
+**Attestation policies are configured in the Azure Attestation service which can then:**
 
 - Verify the integrity of evidence provided by the Windows Attestation component by validating the signature and ensuring the Platform Configuration Registers (PCRs) match the values recomputed by replaying the measured boot log
 - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
@@ -140,130 +90,293 @@ Remote attestation helps ensure that devices are compliant with security policie
 
 Once this verification is complete, the attestation service returns a signed report with the security features state to the relying party - such as Microsoft Intune - to assess the trustworthiness of the platform relative to the admin-configured device compliance specifications. Conditional access is then granted or denied based on the device's compliance.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Azure Attestation overview](/azure/attestation/overview)
+- [Azure Attestation overview][LINK-8]
 
-## Windows Update for Business deployment service
+## :::image type="icon" source="images/defender-for-endpoint.svg" border="false"::: Microsoft Defender for Endpoint
 
-The Windows Update for Business deployment service, a core component of the Windows Update for Business product family, is a cloud-based solution that transforms the way update management is handled. Complementing existing [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) policies and [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), the service provides control over the approval, scheduling, and safeguarding of updates - delivered straight from Windows Update to managed devices.
+Microsoft Defender for Endpoint<sup>[\[4\]](conclusion.md#footnote4)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, disrupt, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents.
 
-The Windows Update for Business deployment service powers Windows Update management via Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> and Autopatch. The deployment services currently allows the management of [drivers and firmware](/graph/windowsupdates-manage-driver-update), expedited [quality updates](/graph/windowsupdates-deploy-expedited-update) and [feature updates](/graph/windowsupdates-deploy-update).
+Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
 
-For an in-depth understanding of this service, including its benefits and prerequisites for use, practical guides on specific capabilities, Microsoft Graph training, and a behind-the-scenes look at how the deployment service functions, read [here](/windows/deployment/update/waas-manage-updates-wufb)[.](/windows/deployment/update/waas-manage-updates-wufb)
+- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
+- With Automatic Attack Disruption uses AI, machine learning, and Microsoft Security Intelligence to analyze the entire attack and respond at the incident level, where it's able to contain a device, and/or a user which reduces the impact of attacks such as ransomware, human-operated attacks, and other advanced attacks.
+- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[4\]](conclusion.md#footnote4)</sup>, and online assets
+- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked attacks that include 31 billion identity threats and 32 billion email threats
+- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
+detailed investigation outcomes
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Defender for Endpoint is also part of Microsoft Defender XDR, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
+platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
 
-- [Windows Update for Business - Windows Deployment](/windows/deployment/update/waas-manage-updates-wufb)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-## Windows Autopatch
+- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
+- [Microsoft 365 Defender](/defender-xdr/microsoft-365-defender)
 
-Cybercriminals often target outdated or unpatched software to gain access to networks. Keeping endpoints up to date is critical in closing existing vulnerabilities, but planning, monitoring, and reporting on update compliance can take IT resources away from other important tasks.
+## Cloud-native device management
 
-Available as part of Windows Enterprise E3 and E5, Windows Autopatch automates update management for Windows, drivers, firmware, Microsoft 365, Edge, and Teams apps. The service can even manage the upgrade to Windows 11. While the service is designed to be simple by default, admins can customize the service to reflect their business organization with Autopatch groups. This allows custom content or deployment schedules to be applied to different populations of devices.
+Microsoft recommends cloud-based device management so that IT professionals can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With cloud-native device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, IT can manage Windows 11 using industry standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate device management client.
 
-From a technical standpoint, Windows Autopatch configures the policies and deployment service of Windows Update for Business to deliver updates, all within Microsoft Intune.<sup>[\[9\]](conclusion.md#footnote9)</sup> The results for IT admins: up-to-date endpoints and detailed reports to demonstrate compliance or help identify issues. The goal is to help IT teams be more secure and update more efficiently with less effort.
+Windows 11 built-in management features include:
 
-There's a lot more to learn about Windows Autopatch:
+- The enrollment client, which enrolls and configures the device to securely communicate with the enterprise device management server
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT
 
-- This [Forrester study](https://aka.ms/AutopatchProductivity) commissioned by Microsoft, analyzes the impact of Windows Autopatch on real customers
-- [IT pro blogs](https://aka.ms/MoreAboutAutopatch) provide updates and background on Autopatch features and the future of the service
-- The [Windows Autopatch community](https://aka.ms/AutopatchCommunity) allows IT professionals to get answers to questions from their peers and the Autopatch team
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- [Mobile device management overview][LINK-9]
 
-- [Windows Autopatch documentation](https://aka.ms/Autopatchdocs)
+### Remote wipe
 
-## Windows Autopilot and zero-touch deployment
+When a device is lost or stolen, IT administrators might want to remotely wipe data stored in memory and hard disks. A helpdesk agent might also want to reset devices to fix issues encountered by remote workers. A remote wipe can also be used to prepare a previously used device for a new user.
 
-Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach with a collection of technologies used to set up and preconfigure new devices, getting them ready for productive use and ensuring they are delivered locked down and compliant with corporate security policies.
+Windows 11 supports the Remote Wipe configuration service provider (CSP) so that device management solutions can remotely initiate any of the following operations:
 
-- From a user perspective, it only takes a few simple operations to get their device ready for use
-- From an IT professional perspective, the only interaction required from the end user is to connect to a network and verify their credentials. Setup is automated after that point
+- Reset the device and remove user accounts and data
+- Reset the device and clean the drive
+- Reset the device but persist user accounts and data
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Remote wipe CSP][LINK-10]
+
+## :::image type="icon" source="images/microsoft-intune.svg" border="false"::: Microsoft Intune
+
+Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> is a comprehensive cloud-native endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization.
+
+Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access.
+
+Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[11\]](conclusion.md#footnote11)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
+
+Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
+
+Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [What is Microsoft Intune][LINK-12]
+
+### Windows enrollment attestation
+
+When a device enrolls into device management, the administrator expects it to receive the appropriate policies to secure and manage the PC. However, in some cases, malicious actors can remove enrollment certificates and use them on unmanaged PCs, making them appear enrolled but without the intended security and management policies.
+
+With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certificates are bound to a device using the Trusted Platform Module (TPM). This ensures that the certificates can't be transferred from one device to another, maintaining the integrity of the enrollment process.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows enrollment attestation][LINK-13]
+
+### :::image type="icon" source="images/microsoft-cloud-pki.svg" border="false"::: Microsoft Cloud PKI
+
+Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite<sup>[\[4\]](conclusion.md#footnote4)</sup> that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.
+
+Key features include:
+
+- Certificate lifecycle management: automates the lifecycle of certificates, including issuance, renewal, and revocation, for all devices managed by Intune
+- Multi-platform support: supports certificate management for Windows, iOS/iPadOS, macOS, and Android devices
+- Enhanced security: enables certificate-based authentication for Wi-Fi, VPN, and other scenarios, improving security over traditional password-based methods. All certificate requests leverage Simple Certificate Enrollment Protocol (SCEP), making sure that the private key never leaves the requesting client
+- Simplified management: provides easy management of certification authorities (CAs), registration authorities (RAs), certificate revocation lists (CRLs), monitoring, and reporting
+
+With Microsoft Cloud PKI, organizations can accelerate their digital transformation and achieve a fully managed cloud PKI service with minimal effort.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview)
+
+### :::image type="icon" source="images/endpoint-privilege-management.svg" border="false"::: Endpoint Privilege Management (EPM)
+
+Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Endpoint Privilege Management][LINK-14]
+
+### Mobile application management (MAM)
+
+With Intune, organizations can also extend MAM App Config, MAM App Protection, and App Protection Conditional Access capabilities to Windows. This enables people to access protected organizational content without having the device managed by IT. The first application to support MAM for Windows is Microsoft Edge.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Data protection for Windows MAM][LINK-15]
+
+## Security baselines
+
+Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+
+A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Security baselines][LINK-11]
+
+### Security baseline for cloud-based device management solutions
+
+Windows 11 can be configured with Microsoft's security baseline, designed for cloud-based device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>. These security baselines function similarly to group policy-based ones and can be easily integrated into existing device management tools.
+
+The security baseline includes policies for:
+
+- Microsoft inbox security technologies such as BitLocker, Microsoft Defender SmartScreen, Virtualization-based security, Exploit Guard, Microsoft Defender Antivirus, and Windows Firewall
+- Restricting remote access to devices
+- Setting credential requirements for passwords and PINs
+- Restricting the use of legacy technology
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Intune security baseline overview][LINK-16]
+- [List of the settings in the Windows security baseline in Intune][LINK-17]
+
+## Windows Local Administrator Password Solution (LAPS)
+
+Windows Local Administrator Password Solution (LAPS) is a feature that automatically manages and backs up the password of a local administrator account on Microsoft Entra joined and Active Directory-joined devices. It helps enhance security by regularly rotating and managing local administrator account passwords, protecting against pass-the-hash and lateral-traversal attacks.
+
+Windows LAPS can be configured via group policy or with a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+Several enhancements have been made to improve manageability and security. Administrators can now configure LAPS to automatically create managed local accounts, integrating with existing policies to enhance security and efficiency. Policy settings have been updated to generate more readable passwords by ignoring certain characters and to support the generation of readable passphrases, with options to choose from three separate word source list and control passphrase length. Additionally, LAPS can detect when a computer rolls back to a previous image, ensuring password consistency between the computer and Active Directory.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows LAPS overview][LINK-18]
+
+## Windows Autopilot
+
+Traditionally, IT professionals spend significant time building and customizing images that will later be deployed to devices. If you're purchasing new devices or managing device refresh cycles, you can use Windows Autopilot to set up and preconfigure new devices, getting them ready for productive use. Autopilot helps you ensure your devices are delivered locked down and compliant with corporate security policies. The solution can also be used to reset, repurpose, and recover devices with zero touch by your IT team and no infrastructure to manage, enhancing efficiency with a process that's both easy and simple.
+
+With Windows Autopilot, there's no need to reimage or manually set-up devices before giving them to the users. Your hardware vendor can ship them, ready to go, directly to the users. From a user perspective, they turn on their device, go online, and Windows Autopilot delivers apps and settings.
 
 Windows Autopilot enables you to:
 
-- Automatically join devices to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> or Active Directory via hybrid Microsoft Entra ID Join. For more information about the differences between these two join options, see [Introduction to device management in Microsoft Entra ID](/azure/active-directory/device-management-introduction).
-- Auto-enroll devices into MDM services such as Microsoft Intune (requires an Microsoft Entra ID Premium subscription for configuration)
-- Automatic upgrade to Enterprise Edition if required
-- Restrict administrator account creation
-- Create and auto-assign devices to configuration groups based on a device's profile
-- Customize Out of Box Experience (OOBE) content specific to the organization
+- Automatically join devices to Microsoft Entra ID or Active Directory via Microsoft Entra hybrid join
+- Autoenroll devices into a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> (requires a Microsoft Entra ID Premium subscription for configuration)
+- Create and autoassignment of devices to configuration groups based on a device's profile
+- Customize of the out-of-box experience (OOBE) content specific to your organization
 
-Existing devices can also be quickly prepared for a new user with [Windows Autopilot Reset](/mem/autopilot/windows-autopilot-reset). The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
+Existing devices can also be quickly prepared for a new user with Windows Autopilot Reset. The reset capability is also useful in break/fix scenarios to quickly bring a device back to a business-ready state.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows Autopilot](https://aka.ms/WindowsAutopilot)
+- [Windows Autopilot][LINK-19]
+- [Windows Autopilot Reset][LINK-20]
 
-## Enterprise State Roaming with Azure
+## Windows Update for Business
 
-Available to any organization with a Microsoft Entra ID Premium<sup>[\[9\]](conclusion.md#footnote9)</sup> or Enterprise Mobility + Security (EMS)<sup>[\[9\]](conclusion.md#footnote9)</sup> license, Enterprise State Roaming provides users with a unified Windows Settings experience across their Windows devices and reduces the time needed for configuring a new device.
+Windows Update for Business empowers IT administrators to ensure that their organization's Windows client devices are consistently up to date with the latest security updates and features. By directly connecting these systems to the Windows Update service, administrators can maintain a high level of security and functionality.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Administrators can utilize group policy or a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, to configure Windows Update for Business settings. These settings control the timing and manner in which updates are applied, allowing for thorough reliability and performance testing on a subset of devices before deploying updates across the entire organization.
 
-- [Enterprise State Roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs)
+This approach not only provides control over the update process but also ensures a seamless and positive update experience for all users within the organization. By using Windows Update for Business, organizations can achieve a more secure and efficient operational environment.
 
-## Universal Print
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models](/universal-print/fundamentals/universal-print-partner-integrations). It also supports existing printers by using the connector software that comes with Universal Print.
+- [Windows Update for Business documentation][LINK-21]
 
-Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices do not need to be on the same local network as the printers or the Universal Print connector.
+## Windows Autopatch
 
-Universal Print supports Zero Trust security by requiring that:
+Cybercriminals commonly exploit obsolete or unpatched software to infiltrate networks. It's essential to maintain current updates to seal security gaps. Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates so your IT Admins can focus on other activities and tasks.
 
-- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
-- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
-- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
-- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it is highly recommended that only cloud applications use application authentication
-- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
-- Each authentication with Microsoft Entra ID from an acting application cannot extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
+There's a lot more to learn about Windows Autopatch: this [Forrester Consulting Total Economic Impact&trade; Study][LINK-22] commissioned by Microsoft, features insights from customers who deployed Windows Autopatch and its impact on their organizations. You can also find out more information about new Autopatch features and the future of the service in the regularly published Windows IT Pro Blog and Windows Autopatch community.
 
-Additionally, Windows 11 and Windows 10 include MDM support to simplify printer setup for users. With initial support from Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, admins can now configure policies to provision specific printers onto the user's Windows devices.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft Office products.
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
+- [Windows updates API overview](/graph/windowsupdates-concept-overview)
+- [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows-ITPro-blog/label-name/Windows%20Autopatch)
+- [Windows Autopatch community](https://techcommunity.microsoft.com/t5/windows-autopatch/bd-p/Windows-Autopatch)
 
-More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here](/microsoft-365/enterprise/m365-dr-overview).
+## :::image type="icon" source="images/soon-button-title.svg" border="false"::: Windows Hotpatch
 
-The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here](/universal-print/fundamentals/universal-print-qrcode).
+Windows Hotpatch is a feature designed to enhance security and minimize disruptions. With Windows Hotpatch, organizations can apply critical security updates without requiring a system restart, reducing the time to adopt a security update by 60% from the moment the update is offered. Hotpatch updates streamline the installation process, enhance compliance efficiency, and provide a per-policy level view of update statuses for all devices.
 
-Universal Print has integrated with Administrative Units in Microsoft Entra ID to enable customers to assign a Printer Administrator role to their local IT team in the same way customers assign User Administrator or Groups Administrator roles. The local IT team can configure only the printers that are part of the same Administrative Unit.
+By utilizing hotpatching through Windows Autopatch, the number of system restarts for Windows updates can be reduced from 12 times a year to just 4, ensuring consistent protection and uninterrupted productivity. This means less downtime, a streamlined experience for users, and a reduction in security risks. This technology, proven in the Azure Server environment, is now expanding to Windows 11, offering immediate security from day one without the need for a restart.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print)
-- [Data handling in Universal Print](/universal-print/data-handling)
-- [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin)
+- [Windows Autopatch documentation](/windows/deployment/windows-autopatch/)
 
-For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
+## :::image type="icon" source="images/onedrive.svg" border="false"::: OneDrive for work or school
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Print support app design guide](/windows-hardware/drivers/devapps/print-support-app-design-guide)
-
-## OneDrive for work or school
-
-Data in OneDrive for work or school is protected both in transit and at rest.
+OneDrive for work or school is a cloud storage service that allows users to store, share, and collaborate on files. It's a part of Microsoft 365 and is designed to help organizations protect their data and comply with regulations. OneDrive for work or school is protected both in transit and at rest.
 
 When data transits either into the service from clients or between datacenters, it's protected using transport layer security (TLS) encryption. OneDrive only permits secure access.
 
-Authenticated connections are not allowed over HTTP and instead redirect to HTTPS.
+Authenticated connections aren't allowed over HTTP and instead redirect to HTTPS.
 
 There are several ways that OneDrive for work or school is protected at rest:
 
-- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security)
+- Physical protection: Microsoft understands the importance of protecting customer data and is committed to securing the datacenters that contain it. Microsoft datacenters are designed, built, and operated to strictly limit physical access to the areas where customer data is stored. Physical security at datacenters is in alignment with the defense-in-depth principle. Multiple security measures are implemented to reduce the risk of unauthorized users accessing data and other datacenter resources. Learn more [here](/compliance/assurance/assurance-datacenter-physical-access-security).
 - Network protection: The networks and identities are isolated from the corporate network. Firewalls limit traffic into the environment from unauthorized locations
 - Application security: Engineers who build features follow the security development lifecycle. Automated and manual analyses help identify possible vulnerabilities. The [Microsoft Security Response Center](https://technet.microsoft.com/security/dn440717.aspx) helps triage incoming vulnerability reports and evaluate mitigations. Through the [Microsoft Cloud Bug Bounty Terms](https://technet.microsoft.com/dn800983), people across the world can earn money by reporting vulnerabilities
 - Content protection: Each file is encrypted at rest with a unique AES-256 key. These unique keys are encrypted with a set of master keys that are stored in Azure Key Vault
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/office/how-onedrive-safeguards-your-data-in-the-cloud-23c6ea94-3608-48d7-8bf0-80e142edd1e1)
+- [How OneDrive safeguards data in the cloud](https://support.microsoft.com/topic/23c6ea94-3608-48d7-8bf0-80e142edd1e1)
 
-## MDM enrollment certificate attestation
+## :::image type="icon" source="images/universal-print.svg" border="false"::: Universal Print
 
-When a device is enrolled into device management, the administrator assumes that the device will enroll and receive appropriate policies to secure and manage the PC as they expect. In some circumstances, enrollment certificates can be removed by malicious actors and then used on unmanaged PCs to appear as though they are enrolled, but without the security and management policies the administrator intended. With MDM enrollment certificate attestation, the certificate and keys are bound to a specific machine through the use of the Trusted Platform Module (TPM) to ensure that they can't be lifted from one device and applied to another. This capability has existed for physical PCs since Windows 11 22H2 and is now being extended to Windows 11-based Cloud PCs and Azure Virtual Desktop VMs.
+Universal Print eliminates the need for on-premises print servers. It also eliminates the need for print drivers from the users' Windows devices and makes the devices secure, reducing the malware attacks that typically exploit vulnerabilities in driver model. It enables Universal Print-ready printers (with native support) to connect directly to the Microsoft Cloud. All major printer OEMs have these [models][LINK-23]. It also supports existing printers by using the connector software that comes with Universal Print.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft-hosted cloud subscription service that supports a Zero Trust security model when using the Universal Print-ready printers. Customers can enable network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. Users and their devices don't need to be on the same local network as the printers or the Universal Print connector.
 
-- [Configuration Service Provider - Windows Client Management](/windows/client-management/mdm/)
+Universal Print supports Zero Trust security by requiring that:
+
+- Each connection and API call to Universal Print cloud service requires authentication validated by Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup>. A hacker would have to have knowledge of the right credentials to successfully connect to the Universal Print service
+- Every connection established by the user's device (client), the printer, or another cloud service to the Universal Print cloud service uses SSL with TLS 1.2 protection. This protects network snooping of traffic to gain access to sensitive data
+- Each printer registered with Universal Print is created as a device object in the customer's Microsoft Entra ID tenant and issued its own device certificate. Every connection from the printer is authenticated using this certificate. The printer can access only its own data and no other device's data
+- Applications can connect to Universal Print using either user, device, or application authentication. To ensure data security, it's highly recommended that only cloud applications use application authentication
+- Each acting application must register with Microsoft Entra ID and specify the set of permission scopes it requires. Microsoft's own acting applications - for example, the Universal Print connector - are registered with the Microsoft Entra ID service. Customer administrators need to provide their consent to the required permission scopes as part of onboarding the application to their tenant
+- Each authentication with Microsoft Entra ID from an acting application can't extend the permission scope as defined by the acting client app. This prevents the app from requesting additional permissions if the app is breached
+
+Additionally, Windows 11 includes device management support to simplify printer setup for users. With support from Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, admins can now configure policy settings to provision specific printers onto the user's Windows devices.
+
+Universal Print stores the print data in cloud securely in Office Storage, the same storage used by other Microsoft 365 products.
+
+More information about handling of Microsoft 365 data (this includes Universal Print data) can be found [here][LINK-24].
+
+The Universal Print secure release platform ensures user privacy, secures organizational data, and reduces print wastage. It eliminates the need for people to rush to a shared printer as soon as they send a print job to ensure that no one sees the private or confidential content. Sometimes, printed documents are picked up by another person or not picked up at all and discarded. Detailed support and configuration information can be found [here][LINK-25].
+
+Universal Print supports Administrative Units in Microsoft Entra ID to enable the assignments of a *Printer Administrator* role to specific teams in the organization. The assigned team can configure only the printers that are part of the same Administrative Unit.
+
+For customers who want to stay on print servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Universal Print][LINK-26]
+- [Data handling in Universal Print][LINK-27]
+- [Delegate Printer Administration with Administrative Units][LINK-28]
+- [Print support app design guide][LINK-29]
+
+<!--links-->
+
+[LINK-1]: /entra
+[LINK-2]: https://www.microsoft.com/security/business/microsoft-entra-pricing
+[LINK-3]: /entra/global-secure-access/concept-internet-access
+[LINK-4]: /entra/global-secure-access/concept-private-access
+[LINK-5]: /entra/architecture/sse-deployment-guide-internet-access
+[LINK-6]: /entra/global-secure-access/how-to-install-windows-client
+[LINK-7]: /entra/identity/devices/enterprise-state-roaming-enable
+[LINK-8]: /azure/attestation/overview
+[LINK-9]: /windows/client-management/mdm-overview
+[LINK-10]: /windows/client-management/mdm/remotewipe-csp
+[LINK-11]: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
+[LINK-12]: /mem/intune/fundamentals/what-is-intune
+[LINK-13]: /mem/intune/enrollment/windows-enrollment-attestation
+[LINK-14]: /mem/intune/protect/epm-overview?formCode=MG0AV3
+[LINK-15]: /mem/intune/apps/protect-mam-windows?formCode=MG0AV3
+[LINK-16]: /mem/intune/protect/security-baselines
+[LINK-17]: /mem/intune/protect/security-baseline-settings-mdm-all
+[LINK-18]: /windows-server/identity/laps/laps-overview
+[LINK-19]: /autopilot/overview
+[LINK-20]: /mem/autopilot/windows-autopilot-reset
+[LINK-21]: /windows/deployment/update/waas-manage-updates-wufb
+[LINK-22]: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW10vlw
+[LINK-23]: /universal-print/fundamentals/universal-print-partner-integrations
+[LINK-24]: /microsoft-365/enterprise/m365-dr-overview
+[LINK-25]: /universal-print/fundamentals/universal-print-qrcode
+[LINK-26]: https://www.microsoft.com/microsoft-365/windows/universal-print
+[LINK-27]: /universal-print/data-handling
+[LINK-28]: /universal-print/portal/delegated-admin
+[LINK-29]: /windows-hardware/drivers/devapps/print-support-app-design-guide
diff --git a/windows/security/book/cloud-services.md b/windows/security/book/cloud-services.md
index 9c78f4867b..4b525daacc 100644
--- a/windows/security/book/cloud-services.md
+++ b/windows/security/book/cloud-services.md
@@ -2,15 +2,15 @@
 title: Cloud services
 description: Windows 11 security book - Cloud services chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Cloud services
 
 :::image type="content" source="images/cloud-services-cover.png" alt-text="Cover of the cloud services chapter." border="false":::
 
-:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/cloud-security.png" border="false":::
+The workplace is constantly evolving, with many users working outside the office at least some of the time. While remote work and cloud services provide more flexibility, they also result in more endpoints and locations for organizations to worry about.
 
-Today's workforce has more freedom and mobility than ever before, but the risk of data exposure is also at its highest. At Microsoft, we are focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on Zero Trust principles, Windows 11 works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
+Windows 11, combined with Microsoft Entra ID for identity management, and cloud-based device management solutions like Microsoft Intune, can be the foundation of a *Zero Trust* security model that enables flexible workstyles while controlling access, safeguarding sensitive information, and mitigating threats.
 
-From identity and device management to Office apps and data storage, Windows 11 and integrated cloud services can help improve productivity, security, and resilience anywhere.
+:::image type="content" source="images/cloud-security-on.png" alt-text="Diagram containing a list of security features." lightbox="images/cloud-security.png" border="false":::
diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md
index c8137e0758..47c50c6916 100644
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@@ -1,13 +1,13 @@
 ---
 title: Conclusion
-description: Conclusion
+description: Windows 11 security book conclusion.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Conclusion
 
-We will continue to bring you new features to protect against evolving threats, simplify management, and securely enable new workstyles. With Windows 11 devices, organizations of all sizes can benefit from the security and performance to thrive anywhere.
+We will continue to innovate with security by design and security by default at the heart of every new Windows 11 PC and Windows 11 IoT device. This commitment ensures that our products not only meet, but exceed, the security expectations of our customers by providing robust protection against modern cyber threats while maintaining ease-of-use and performance. By integrating advanced security measures from the ground up, we aim to create a safer digital environment for everyone.
 
 :::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
 
@@ -15,31 +15,30 @@ We will continue to bring you new features to protect against evolving threats,
 
 New:
 
-- Config Refresh
-- 5G and eSIM
-- Win32 apps in isolation (public preview)
-- Passkey
-- Sign-in Session Token Protection
-- Windows Local Administrator Password Solution (LAPS) (public preview)
-- Microsoft Intune Suite Endpoint Privilège Management (EPM)
-- Microsoft Intune Suite Endpoint Privilege Management (EPM)
+- [Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)
+- [Config Refresh](operating-system-security-system-security.md#-config-refresh)
+- [Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)
+- [Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)
+- [VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
+- [Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
+- [Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
+- [Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)
+- [Windows protected print](operating-system-security-system-security.md#-windows-protected-print)
 
 Enhanced:
 
-- Hardware security user experience
-- BitLocker to go
-- Device encryption
-- Windows Firewall
-- Server Message Block direct
-- Smart App Control (SAC) going into Enforcement mode
-- Application Control for Business
-- Enhanced Sign-in security (ESS)
-- Windows Hello for Business
-- Presence Detection
-- Wake on approach, lock on leave
-- Universal Print
-- Lockout policies for local admin
-- Enhanced Phishing protection
+- [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
+- [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
+- [Device encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
+- [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
+- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys)
+- [Personal data encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)
+- [Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
+- [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
+- [Windows Hello PIN](identity-protection-passwordless-sign-in.md#windows-hello-pin)
+- [Windows Firewall](operating-system-security-network-security.md#windows-firewall)
+- [Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
+- [Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
 
 ## Document revision history
 
@@ -48,30 +47,27 @@ Enhanced:
 |November 2021 |Link updates and formatting.|
 |February 2022 |Revisions to Hardware root-of-trust, Virus and threat protection, and Windows Hello for Business content.|
 |April 2022| Added Upcoming features section.|
-| September 2022| Updates with Windows 11 2022 Update features and enhancements.|
+|September 2022| Updates with Windows 11, version 22H2, features and enhancements.|
 |April 2023| Minor edits and updates to edition availability.|
-|September 2023| Updates with Windows 11 2023 Update features and enhancement.|
-|May 2024| Move form PDF format to web format.|
+|September 2023| Updates with Windows 11, version 23H2, features and enhancements.|
+|May 2024| Move from PDF format to web format.|
+|November 2024| Updates with Windows 11, version 24H2, features and enhancements.|
 
 ## Endnotes
 
-<sup><a name="footnote1"></a>1</sup> "2023 Data Breach Investigations Report" - Verizon, 2023.\
-<sup><a name="footnote2"></a>2</sup> "Microsoft Digital Defense Report 2022" - Microsoft, 2022.\
-<sup><a name="footnote3"></a>3</sup> Compared to Windows 10 devices. "Improve your day-to-day experience with Windows 11 Pro laptops" - Principled Technologies, February 2023.\
-<sup><a name="footnote4"></a>4</sup> Based on Monthly Active Device data. "Earnings Release FY23 Q3" - Microsoft, April 2023.\
-<sup><a name="footnote5"></a>5</sup> Windows 11 results are in comparison with Windows 10 devices. "Windows 11 Survey Report," Techaisle, February 2022.\
-<sup><a name="footnote6"></a>6</sup> Requires developer enablement.\
-<sup><a name="footnote7"></a>7</sup> Requires Microsoft Entra ID and Microsoft Intune, or other modern device management solution product required; sold separately.\
-<sup><a name="footnote8"></a>8</sup> Commissioned study delivered by Forrester Consulting. "The Total Economic Impact&trade; of Windows 11 Pro Devices", December 2022. Note: quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.\
-<sup><a name="footnote9"></a>9</sup> Sold separately.\
-<sup><a name="footnote"></a>10</sup> Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.\
-<sup><a name="footnote"></a>11</sup> Microsoft internal data.\
-<sup><a name="footnote"></a>12</sup> Microsoft Entra ID Basic is included with Microsoft Azure and Microsoft 365 subscriptions, and other commercial services subscriptions.\
-<sup><a name="footnote"></a>13</sup> Requires Microsoft Entra ID (formerly AAD) Premium; sold separately.\
-<sup><a name="footnote"></a>14</sup> Hardware dependent.\
-<sup><a name="footnote"></a>15</sup> Microsoft 365 E3 or E5 required; sold separately.\
-<sup><a name="footnote"></a>16</sup> The Total Economic Impact&trade; of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.\
-<sup><a name="footnote"></a>17</sup> All users with a Microsoft Account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.
+||Details|
+|-|-|
+|**<sup><a name="footnote1"></a>1</sup>**| [Microsoft digital defense report, CISO executive summary, October 2023](https://www.microsoft.com/security/security-insider/microsoft-digital-defense-report-2023).|
+|**<sup><a name="footnote2"></a>2</sup>**| Windows 11 Survey Report. Techaisle, September 2024. Windows 11 results are in comparison with Windows 10 devices.|
+|**<sup><a name="footnote3"></a>3</sup>**| Requires developer enablement.|
+|**<sup><a name="footnote4"></a>4</sup>**| Sold separately.|
+|**<sup><a name="footnote5"></a>5</sup>**| The Passkey can be saved locally to the Windows device and authenticated via Windows Hello or Windows Hello for Business. Hardware dependent.|
+|**<sup><a name="footnote6"></a>6</sup>**| Commissioned study delivered by Forrester Consulting "The Total Economic Impact&trade; of Windows 11 Pro Devices", December 2022. Note, quantified benefits reflect results over three years combined into a single composite organization that generates $1 billion in annual revenue, has 2,000 employees, refreshes hardware on a four-year cycle, and migrates the entirety of its workforce to Windows 11 devices.|
+|**<sup><a name="footnote7"></a>7</sup>**| Feature or functionality delivered using [servicing technology](https://support.microsoft.com/topic/b0aa0a27-ea9a-4365-9224-cb155e517f12).|
+|**<sup><a name="footnote8"></a>8</sup>**| Email encryption is supported on products such as Microsoft Exchange Server and Microsoft Exchange Online.|
+|**<sup><a name="footnote9"></a>9</sup>**| Hardware dependent.|
+|**<sup><a name="footnote10"></a>10</sup>**|All users with a Microsoft account get 5GB of OneDrive storage free, and all Microsoft 365 subscriptions include 1TB of OneDrive storage. Additional OneDrive storage is sold separately.|
+|**<sup><a name="footnote11"></a>11</sup>**|The Total Economic Impact&trade; of Windows Pro Device, Forrester study commissioned by Microsoft, June 2020.|
 
 ---
 
@@ -89,4 +85,4 @@ Enhanced:
 >
 > The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
 >
-> Part No. May 2024
+> Part No. November 2024
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
new file mode 100644
index 0000000000..478367613e
--- /dev/null
+++ b/windows/security/book/features-index.md
@@ -0,0 +1,10 @@
+---
+title: Features index
+description: Windows security book features index.
+ms.topic: overview
+ms.date: 11/18/2024
+---
+
+# Features index
+
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)<br>[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)<br>[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)<br>[Administrator protection](application-security-application-and-driver-control.md#-administrator-protection)<br>[App containers](application-security-application-isolation.md#app-containers)<br>[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)<br>[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)<br>[Azure Attestation service](cloud-services-protect-your-work-information.md#-azure-attestation-service)<br>[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)<br>[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)<br>[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)<br>[Certificates](operating-system-security-system-security.md#certificates)<br>[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)<br>[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)<br>[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)<br>[Config Refresh](operating-system-security-system-security.md#-config-refresh)<br>[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)<br>[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)<br>[Cryptography](operating-system-security-system-security.md#cryptography)<br>[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)<br>[Device Health Attestation](operating-system-security-system-security.md#device-health-attestation)<br>[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)<br>[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)<br>[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)<br>[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)<br>[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)<br>[Exploit Protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)<br>[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)<br>[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)<br>[FIDO2](identity-protection-passwordless-sign-in.md#fido2)<br>[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)<br>[Kernel direct memory access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)<br>[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)<br>[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)<br>[Microsoft account](cloud-services-protect-your-personal-information.md#microsoft-account)<br>[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)<br>[Microsoft Cloud PKI](cloud-services-protect-your-work-information.md#-microsoft-cloud-pki)<br>[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)<br>[Microsoft Defender for Endpoint](cloud-services-protect-your-work-information.md#-microsoft-defender-for-endpoint)<br>[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)<br>[Microsoft Entra ID](cloud-services-protect-your-work-information.md#-microsoft-entra-id)<br>[Microsoft Intune](cloud-services-protect-your-work-information.md#-microsoft-intune)<br>[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)<br>[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)<br>[Microsoft Privacy Dashboard](privacy-controls.md#microsoft-privacy-dashboard)<br>[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)<br>[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)<br>[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)<br>[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)<br>[OneDrive for work or school](cloud-services-protect-your-work-information.md#-onedrive-for-work-or-school)<br>[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)<br>[Personal Data Encryption](operating-system-security-encryption-and-data-protection.md#personal-data-encryption)<br>[Personal Vault](cloud-services-protect-your-personal-information.md#personal-vault)<br>[Privacy resource usage](privacy-controls.md#privacy-resource-usage)<br>[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)<br>[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)<br>[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)<br>[Rust for Windows](operating-system-security-system-security.md#-rust-for-windows)<br>[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)<br>[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)<br>[Secured-core PC and Edge Secured-Core](hardware-security-silicon-assisted-security.md#secured-core-pc-and-edge-secured-core)<br>[Security baselines](cloud-services-protect-your-work-information.md#security-baselines)<br>[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)<br>[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)<br>[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)<br>[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)<br>[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)<br>[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)<br>[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)<br>[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)<br>[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)<br>[Trusted Signing](application-security-application-and-driver-control.md#-trusted-signing)<br>[Universal Print](cloud-services-protect-your-work-information.md#-universal-print)<br>[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)<br>[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)<br>[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)<br>[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)<br>[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)<br>[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)<br>[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)<br>[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)<br>[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)<br>[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)<br>[Windows Firewall](operating-system-security-network-security.md#windows-firewall)<br>[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)<br>[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)<br>[Windows Hotpatch](cloud-services-protect-your-work-information.md#-windows-hotpatch)<br>[Windows Insider and Microsoft Bug Bounty Programs](security-foundation-offensive-research.md#windows-insider-and-microsoft-bug-bounty-programs)<br>[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)<br>[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)<br>[Windows protected print](operating-system-security-system-security.md#-windows-protected-print)<br>[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)<br>[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)<br>[Windows Security](operating-system-security-system-security.md#windows-security)<br>[Windows Software Development Kit (SDK)](security-foundation-secure-supply-chain.md#windows-software-development-kit-sdk)<br>[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)<br>[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
\ No newline at end of file
diff --git a/windows/security/book/hardware-security-hardware-root-of-trust.md b/windows/security/book/hardware-security-hardware-root-of-trust.md
index 871680e2f4..fb31256cfc 100644
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@@ -2,34 +2,46 @@
 title: Hardware root-of-trust
 description: Windows 11 security book - Hardware root-of-trust.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Hardware root-of-trust
 
-:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
 
 ## Trusted Platform Module (TPM)
 
-Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard (previously called Windows Defender System Guard), and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
+Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. These capabilities in turn help organizations strengthen the protection of their identities and data. The 2.0 version of TPM includes support for newer algorithms, which provides improvements like support for stronger cryptography. To upgrade to Windows 11, existing Windows 10 devices much meet minimum system requirements for CPU, RAM, storage, firmware, TPM, and more. All new Windows 11 devices come with TPM 2.0 built-in. With Windows 11, both new and upgraded devices must have TPM 2.0. The requirement strengthens the security posture across all Windows 11 devices and helps ensure that these devices can benefit from future security capabilities that depend on a hardware root-of-trust.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows 11 TPM specifications](https://www.microsoft.com/windows/windows-11-specifications)
-- [Enabling TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c)
-- [Trusted Platform Module Technology Overview](../hardware-security/tpm/trusted-platform-module-overview.md)
+- [Windows 11 TPM specifications][LINK-1]
+- [Enable TPM 2.0 on your PC][LINK-2]
+- [Trusted Platform Module Technology Overview][LINK-3]
 
 ## Microsoft Pluton security processor
 
-The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices, including Secured-core PCs, with a hardware security processor that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
+The Microsoft Pluton security processor is the result of Microsoft's close partnership with silicon partners. Pluton enhances the protection of Windows 11 devices with a hardware security processor that provides extra protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface by integrating the security chip directly into the processor. It can be used as a TPM 2.0 or as a standalone security processor. When a security processor is located on a separate, discrete chip on the motherboard, the communication path between the hardware root-of-trust and the CPU can be vulnerable to physical attack. Embedding Pluton into the CPU makes it harder to exploit the communication path.
 
-Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update.
+Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from enhanced security for Windows features that rely on TPMs, including BitLocker, Windows Hello, and System Guard. Pluton can also support other security functionality beyond what is possible with the TPM 2.0 specification. This extensibility allows for more Pluton firmware and OS features to be delivered over time via Windows Update.
 
-As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers cannot access sensitive data - even if attackers use emerging techniques like speculative execution.
+As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installed malware or has physical possession of the PC. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that attackers can't access sensitive data - even if attackers use emerging techniques like speculative execution.
 
-Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for customers to get alerts about security updates, keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
+Pluton also solves the major security challenge of keeping its own security processor firmware up to date across the entire PC ecosystem. Today customers receive security firmware updates from different sources, which might make it difficult to get alerts about security updates, and keeping systems in a vulnerable state. Pluton provides a flexible, updateable platform for its firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. Pluton is integrated with the Windows Update service, benefiting from over a decade of operational experience in reliably delivering updates across over a billion endpoint systems. Microsoft Pluton is available with select new Windows PCs.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Pluton aims to ensure long-term security resilience. With the rising threat landscape influenced by artificial intelligence, memory safety will become ever more critical. To meet these demands, in addition to facilitating reliable updates to security processor firmware, we chose the open-source Tock system as the Rust-based foundation to develop the Pluton security processor firmware and actively contribute back to the Tock community. This collaboration with an open community ensures rigorous security scrutiny, and using Rust mitigates memory safety threats.
 
-- [Meet the Microsoft Pluton processor - The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/)
-- [Microsoft Pluton security processor](../hardware-security/pluton/microsoft-pluton-security-processor.md)
+Ultimately, Pluton establishes the security backbone for Copilot + PC, thanks to tight partnerships with our silicon collaborators and OEMs. The Qualcomm Snapdragon X, AMD Ryzen AI, and Intel Core Ultra 200V mobile processors (codenamed Lunar Lake) processor platforms all incorporate Pluton as their security subsystem .
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Microsoft Pluton processor - The security chip designed for the future of Windows PCs][LINK-4]
+- [Microsoft Pluton security processor][LINK-5]
+
+<!--links-->
+
+[LINK-1]: https://www.microsoft.com/windows/windows-11-specifications
+[LINK-2]: https://support.microsoft.com/topic/1fd5a332-360d-4f46-a1e7-ae6b0c90645c
+[LINK-3]: /windows/security/hardware-security/tpm/trusted-platform-module-overview
+[LINK-4]: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
+[LINK-5]: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
diff --git a/windows/security/book/hardware-security-silicon-assisted-security.md b/windows/security/book/hardware-security-silicon-assisted-security.md
index 8be924910a..40d2e4935b 100644
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@@ -2,81 +2,113 @@
 title: Silicon assisted security
 description: Windows 11 security book - Silicon assisted security.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Silicon assisted security
 
-:::image type="content" source="images/hardware.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+:::image type="content" source="images/hardware.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
 
-In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats by protecting the boot process, safeguarding the integrity of memory, isolating security-sensitive compute logic, and more.
+In addition to a modern hardware root-of-trust, there are multiple capabilities in the latest chips that harden the operating system against threats. These capabilities protect the boot process, safeguard the integrity of memory, isolate security-sensitive compute logic, and more.
 
 ## Secured kernel
 
-To secure the kernel we have two key features: virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices will support HVCI and most new devices will come with VBS and HVCI protection turned on by default.
+To secure the kernel, we have two key features: Virtualization-based security (VBS) and hypervisor-protected code integrity (HVCI). All Windows 11 devices support HVCI and come with VBS and HVCI protection turned on by default on most/all devices.
 
-Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS
-implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+### Virtualization-based security (VBS)
 
-Since more privileged VTLs can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
+:::row:::
+    :::column:::
+        Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel is still protected. The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory. Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment. VBS implements virtual trust level 1 (VTL1), which has higher privilege than the virtual trust level 0 (VTL0) implemented in the main kernel.
+    :::column-end:::
+    :::column:::
+:::image type="content" source="images/vbs-diagram.png" alt-text="Diagram of VBS architecture." lightbox="images/vbs-diagram.png" border="false":::
+    :::column-end:::
+:::row-end:::
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Since more privileged virtual trust levels (VTLs) can enforce their own memory protections, higher VTLs can effectively protect areas of memory from lower VTLs. In practice, this allows a lower VTL to protect isolated memory regions by securing them with a higher VTL. For example, VTL0 could store a secret in VTL1, at which point only VTL1 could access it. Even if VTL0 is compromised, the secret would be safe.
 
-- [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor leverages processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that has not been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
+- [Virtualization-based security (VBS)][LINK-1]
+
+### Hypervisor-protected code integrity (HVCI)
+
+Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps prevent attacks that attempt to modify kernel-mode code for things like drivers. The KMCI checks that all kernel code is properly signed and hasn't been tampered with before it's allowed to run. HVCI ensures that only validated code can be executed in kernel mode. The hypervisor uses processor virtualization extensions to enforce memory protections that prevent kernel-mode software from executing code that hasn't been first validated by the code integrity subsystem. HVCI protects against common attacks like WannaCry that rely on the ability to inject malicious code into the kernel. HVCI can prevent injection of malicious kernel-mode code even when drivers and other kernel-mode software have bugs.
 
 With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Enable virtualization-based protection of code integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
-- [Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)
+- [Enable virtualization-based protection of code integrity][LINK-2]
 
-## Hardware-enforced stack protection
+### :::image type="icon" source="images/new-button-title.svg" border="false"::: Hypervisor-enforced Paging Translation (HVPT)
 
-Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control- flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
+Hypervisor-enforced Paging Translation (HVPT) is a security enhancement to enforce the integrity of guest virtual address to guest physical address translations. HVPT helps protect critical system data from write-what-where attacks where the attacker can write an arbitrary value to an arbitrary location often as the result of a buffer overflow. HVPT helps to protect page tables that configure critical system data structures.
 
-Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called stack smashing. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate "shadow stack" for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
+### Hardware-enforced stack protection
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats like memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack.
 
-- [Understanding Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)
-- [Developer Guidance for Hardware-enforced Stack Protection](https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340)
+Application code includes a program processing stack that hackers seek to corrupt or disrupt in a type of attack called *stack smashing*. When defenses like executable space protection began thwarting such attacks, hackers turned to new methods like return-oriented programming. Return-oriented programming, a form of advanced stack smashing, can bypass defenses, hijack the data stack, and ultimately force a device to perform harmful operations. To guard against these control-flow hijacking attacks, the Windows kernel creates a separate *shadow stack* for return addresses. Windows 11 extends stack protection capabilities to provide both user mode and kernel mode support.
 
-## Kernel Direct Memory Access (DMA) protection
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Windows 11 protects against physical threats such as drive-by Direct Memory Access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that do not require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
+- [Understanding Hardware-enforced Stack Protection][LINK-3]
+- [Developer Guidance for hardware-enforced stack protection][LINK-4]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+## Kernel direct memory access (DMA) protection
 
-- [Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)
+Windows 11 protects against physical threats such as drive-by direct memory access (DMA) attacks. Peripheral Component Interconnect Express (PCIe) hot-pluggable devices, including Thunderbolt, USB4, and CFexpress, enable users to connect a wide variety of external peripherals to their PCs with the same plug-and-play convenience as USB. These devices encompass graphics cards and other PCI components. Since PCI hot-plug ports are external and easily accessible, PCs are susceptible to drive-by DMA attacks. Memory access protection (also known as Kernel DMA Protection) protects against these attacks by preventing external peripherals from gaining unauthorized access to memory. Drive-by DMA attacks typically happen quickly while the system owner isn't present. The attacks are performed using simple to moderate attacking tools created with affordable, off-the-shelf hardware and software that don't require the disassembly of the PC. For example, a PC owner might leave a device for a quick coffee break. Meanwhile, an attacker plugs an external tool into a port to steal information or inject code that gives the attacker remote control over the PCs, including the ability to bypass the lock screen. With memory access protection built in and enabled, Windows 11 is protected against physical attack wherever people work.
 
-## Secured-core PC
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs). The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows.
+- [Kernel direct memory access (DMA) protection][LINK-5]
 
-Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. With built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all kernel executable code is signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks with kernel DMA protection.
+## Secured-core PC and Edge Secured-Core
 
-Secured-core PCs provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks may commonly attempt to install "bootkits" or "rootkits" on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows leverage virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a non-repudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+The March 2021 Security Signals report found that more than 80% of enterprises have experienced at least one firmware attack in the past two years. For customers in data-sensitive industries like financial services, government, and healthcare, Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs (SCPCs), and an equivalent category of embedded IoT devices called Edge Secured-Core (ESc). The devices ship with more security measures enabled at the firmware layer, or device core, that underpins Windows.
 
-Thousands of PC vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+Secured-core PCs and edge devices help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root-of-trust. Virtualization-based security comes enabled by default. Built-in hypervisor-protected code integrity (HVCI) shield system memory, ensuring that all kernel executable code is signed only by known and approved authorities. Secured-core PCs and edge devices also protect against physical threats such as drive-by direct memory access (DMA) attacks with kernel DMA protection.
 
-In Secured-core PCs, [System Guard Secure Launch](/windows/security/hardware-security/system-guard-secure-launch-and-smm-protection) protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit or bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. [Firmware Attack Surface Reduction (FASR) technology](/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) can be used instead of DRTM on supported devices, such as Microsoft Surface.
+Secured-core PCs and edge devices provide multiple layers of robust protection against hardware and firmware attacks. Sophisticated malware attacks commonly attempt to install *bootkits* or *rootkits* on the system to evade detection and achieve persistence. This malicious software may run at the firmware level prior to Windows being loaded or during the Windows boot process itself, enabling the system to start with the highest level of privilege. Because critical subsystems in Windows use Virtualization-based security, protecting the hypervisor becomes increasingly important. To ensure that no unauthorized firmware or software can start before the Windows bootloader, Windows PCs rely on the Unified Extensible Firmware Interface (UEFI) Secure Boot standard, a baseline security feature of all Windows 11 PCs. Secure Boot helps ensure that only authorized firmware and software with trusted digital signatures can execute. In addition, measurements of all boot components are securely stored in the TPM to help establish a nonrepudiable audit log of the boot called the Static Root of Trust for Measurement (SRTM).
+
+Thousands of OEM vendors produce numerous device models with diverse UEFI firmware components, which in turn creates an incredibly large number of SRTM signatures and measurements at bootup. Because these signatures and measurements are inherently trusted by Secure Boot, it can be challenging to constrain trust to only what is needed to boot on any specific device. Traditionally, blocklists and allowlists were the two main techniques used to constrain trust, and they continue to expand if devices rely only on SRTM measurements.
+
+### Dynamic Root of Trust for Measurement (DRTM)
+
+In secured-core PCs and edge devices, System Guard Secure Launch protects bootup with a technology known as the *Dynamic Root of Trust for Measurement (DRTM)*. With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU down a hardware-secured code path. If a malware rootkit or bootkit bypasses UEFI Secure Boot and resides in memory, DRTM prevents it from accessing secrets and critical code protected by the Virtualization-based security environment. Firmware Attack Surface Reduction (FASR) technology can be used instead of DRTM on supported devices, such as Microsoft Surface.
 
 System Management Mode (SMM) isolation is an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor. SMM complements the protections provided by DRTM by helping to reduce the attack surface. Relying on capabilities provided by silicon providers like Intel and AMD, SMM isolation enforces policies that implement restrictions such as preventing SMM code from accessing OS memory. The SMM isolation policy is included as part of the DRTM measurements that can be sent to a verifier like Microsoft Azure Remote Attestation.
 
 :::image type="content" source="images/secure-launch.png" alt-text="Diagram of secure launch components." lightbox="images/secure-launch.png" border="false":::
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
-- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
+- [System Guard Secure Launch][LINK-6]
+- [Firmware Attack Surface Reduction][LINK-7]
+- [Windows 11 secured-core PCs][LINK-8]
+- [Edge Secured-Core][LINK-9]
 
-## Secured-core configuration lock
+### Configuration lock
 
-In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core configuration lock (config lock) is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
+In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the device management solution.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Configuration lock is a secured-core PC and edge device feature that prevents users from making unwanted changes to security settings. With configuration lock, Windows monitors supported registry keys and reverts to the IT-desired state in seconds after detecting a drift.
 
-- [Windows 11 with config lock](/windows/client-management/mdm/config-lock)
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Secured-core PC configuration lock][LINK-10]
+
+<!--links-->
+
+[LINK-1]: /windows-hardware/design/device-experiences/oem-vbs
+[LINK-2]: /windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
+[LINK-3]: https://techcommunity.microsoft.com/blog/windowsosplatform/understanding-hardware-enforced-stack-protection/1247815
+[LINK-4]: https://techcommunity.microsoft.com/blog/windowsosplatform/developer-guidance-for-hardware-enforced-stack-protection/2163340
+[LINK-5]: /windows/security/hardware-security/kernel-dma-protection-for-thunderbolt
+[LINK-6]: /windows/security/hardware-security/system-guard-secure-launch-and-smm-protection
+[LINK-7]: /windows-hardware/drivers/bringup/firmware-attack-surface-reduction
+[LINK-8]: /windows-hardware/design/device-experiences/oem-highly-secure-11
+[LINK-9]: /en-us/azure/certification/overview
+[LINK-10]: /windows/client-management/mdm/config-lock
diff --git a/windows/security/book/hardware-security.md b/windows/security/book/hardware-security.md
index f6a8137aac..f9acd73d1e 100644
--- a/windows/security/book/hardware-security.md
+++ b/windows/security/book/hardware-security.md
@@ -2,15 +2,15 @@
 title: Hardware security
 description: Windows 11 security book - Hardware security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Hardware security
 
 :::image type="content" source="images/hardware-security-cover.png" alt-text="Cover of the hardware security chapter." border="false":::
 
-:::image type="content" source="images/hardware-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/hardware.png" border="false":::
+Today's ever-evolving threats require strong alignment between hardware and software to keep users, data, and devices protected. The operating system and software alone can't defend against the wide range of tools used by cybercriminals to steal credentials, take data, and implant malware.
 
-Today's ever-evolving threats require strong alignment between hardware and software technologies to keep users, data, and devices protected. The operating system alone cannot defend against the wide range of tools and techniques cybercriminals use to compromise a computer. Once they gain a foothold, intruders can be difficult to detect as they engage in multiple nefarious activities ranging from stealing important data and credentials to implanting malware into low-level device firmware. Once malware is installed in firmware, it becomes difficult to identify and remove. These new threats call for computing hardware that is secure down to the very core, including the hardware chips and processors that store sensitive business information. With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone. Hardware-based protection can also improve the system's overall security without measurably slowing performance, compared to implementing the same capability in software.
+In partnership with our silicon and device manufacturing partners, Windows 11 devices shield software, hardware, and firmware with features like Trusted Platform Module (TPM) 2.0, Microsoft Pluton, and Virtualization-based security (VBS). Windows 11 devices provide hardware-backed protection by default to significantly improve security while maintaining the performance that users expect.
 
-With Windows 11, Microsoft has raised the hardware security bar to design the most secure version of Windows ever from chip to cloud. We have carefully chosen the hardware requirements and default security features based on threat intelligence, global regulatory requirements, and our own Microsoft Security team's expertise. We have worked with our chip and device manufacturing partners to integrate advanced security capabilities across software, firmware, and hardware. Through a powerful combination of hardware root-of-trust and silicon-assisted security, Windows 11 delivers built-in hardware protection out of the box.
+:::image type="content" source="images/hardware-on.png" alt-text="Diagram containing a list of security features." lightbox="images/hardware.png" border="false":::
diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md
index f5b1e3d1a4..7194409637 100644
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@@ -1,85 +1,98 @@
 ---
 title: Identity protection - Advanced credential protection
-description: Windows 11 security book -Identity protection chapter.
+description: Windows 11 security book - Identity protection chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Advanced credential protection
 
-:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
 
 In addition to adopting passwordless sign-in, organizations can strengthen security for user and domain credentials in Windows 11 with Credential Guard and Remote Credential Guard.
 
-## Enhanced phishing protection with Microsoft Defender SmartScreen
-
-As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing has emerged as a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
-
-However, people who are still using passwords can also benefit from powerful credential protection in Windows 11. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Enhanced phishing protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)
-
 ## Local Security Authority (LSA) protection
 
-Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Azure services.
+Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users, and verifying Windows sign-ins. LSA handles tokens and credentials that are used for single sign-on to a Microsoft account and Entra ID account.
 
-To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management.
+By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection supports configuration using group policy and other device management solutions.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
 
-- [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)
+To help keep these credentials safe, LSA protection is enabled by default on all devices (MSA, Microsoft Entra joined, hybrid, and local). For new installs, it is enabled immediately. For upgrades, it is enabled after rebooting after an evaluation period of 10 days.
+
+Users have the ability to manage the LSA protection state in the Windows Security application under **Device Security** > **Core Isolation** > **Local Security Authority protection**.
+
+To ensure a seamless transition and enhanced security for all users, the enterprise policy for LSA protection takes precedence over enablement on upgrade.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Configuring additional LSA protection][LINK-2]
 
 ## Credential Guard
 
-Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+:::row:::
+    :::column:::
+        Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
 
-By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges.
+    :::column-end:::
+    :::column:::
+:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture."  lightbox="images/credential-guard-architecture.png" border="false":::
+    :::column-end:::
+:::row-end:::
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
 
-- [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
+Credential Guard protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Protect derived domain credentials with Credential Guard][LINK-3]
 
 ## Remote Credential Guard
 
 Remote Credential Guard helps organizations protect credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions.
 
-Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured and enabled to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
+Administrator credentials are highly privileged and must be protected. When Remote Credential Guard is configured to connect during Remote Desktop sessions, the credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, the credentials aren't exposed.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Remote Credential Guard - Windows Security | Microsoft Learn](/windows/security/identity-protection/remote-credential-guard?tabs=intune)
+- [Remote Credential Guard][LINK-4]
 
-## Token protection
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: VBS key protection
 
-Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[9\]](conclusion.md#footnote9)</sup> can be configured to require token protection when using sign-in tokens for specific services.
+VBS key protection enables developers to secure cryptographic keys using Virtualization-based security (VBS). VBS uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key, which binds VBS keys to the device. Keys protected in this way can't be dumped from process memory or exported in plain text from a user's machine, preventing exfiltration attacks by any admin-level attacker.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Token protection in Entra ID Conditional Access](/azure/active-directory/conditional-access/concept-token-protection)
+- [Advancing key protection in Windows using VBS][LINK-8]
 
-## Sign-in session token protection policy
+## Token protection (preview)
 
-At the inaugural Microsoft Secure event in March 2023, we announced the public preview of token protection for sign-ins. This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
+Token protection attempts to reduce attacks using Microsoft Entra ID token theft. Token protection makes tokens usable only from their intended device by cryptographically binding a token with a device secret. When using the token, both the token and proof of the device secret must be provided. Conditional Access policies<sup>[\[4\]](conclusion.md#footnote4)</sup> can be configured to require token protection when using sign-in tokens for specific services.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Conditional Access: Token protection (preview)](/azure/active-directory/conditional-access/concept-token-protection)
+- [Token protection in Entra ID Conditional Access][LINK-5]
+
+### Sign-in session token protection policy
+
+This feature allows applications and services to cryptographically bind security tokens to the device, restricting attackers' ability to impersonate users on a different device if tokens are stolen.
 
 ## Account lockout policies
 
-New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies will mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
+New devices with Windows 11 installed will have account lockout policies that are secure by default. These policies mitigate brute-force attacks such as hackers attempting to access Windows devices via the Remote Desktop Protocol (RDP).
 
-The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The Allow Administrator account lockout is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
+The account lockout threshold policy is now set to 10 failed sign-in attempts by default, with the account lockout duration set to 10 minutes. The *Allow Administrator account lockout* is now enabled by default. The Reset account lockout counter after is now set to 10 minutes by default as well.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Account lockout policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)
+- [Account lockout policy][LINK-6]
 
 ## Access management and control
 
-Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.
+Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage the access of users, groups, and computers to objects and assets on a network or computer. After a user is authenticated, Windows implements the second phase of protecting resources with built-in authorization and access control technologies. These technologies determine if an authenticated user has the correct permissions.
 
 Access Control Lists (ACLs) describe the permissions for a specific object and can also contain System Access Control Lists (SACLs). SACLs provide a way to audit specific system level events, such as when a user attempts to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack.
 
@@ -87,10 +100,20 @@ IT administrators can refine the application and management of access to:
 
 - Protect a greater number and variety of network resources from misuse
 - Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs. Organizations can implement the principle of least-privilege access, which asserts that users should be granted access only to the data and operations they require to perform their jobs
-- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change
-- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and mobile phones
+- Update users' ability to access resources regularly, as an organization's policies change or as users' jobs change
+- Support evolving workplace needs, including access from hybrid or remote locations, or from a rapidly expanding array of devices, including tablets and phones
 - Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Access control](/windows/security/identity-protection/access-control/access-control)
+- [Access control][LINK-7]
+
+<!--links-->
+
+[LINK-2]: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+[LINK-3]: /windows/security/identity-protection/credential-guard
+[LINK-4]: /windows/security/identity-protection/remote-credential-guard
+[LINK-5]: /azure/active-directory/conditional-access/concept-token-protection
+[LINK-6]: /windows/security/threat-protection/security-policy-settings/account-lockout-policy
+[LINK-7]: /windows/security/identity-protection/access-control/access-control
+[LINK-8]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-key-protection-in-windows-using-vbs/4050988
\ No newline at end of file
diff --git a/windows/security/book/identity-protection-passwordless-sign-in.md b/windows/security/book/identity-protection-passwordless-sign-in.md
index 00ee61f822..a8a6104572 100644
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@@ -1,172 +1,243 @@
 ---
 title: Identity protection - Passwordless sign-in
-description: Windows 11 security book -Identity protection chapter.
+description: Windows 11 security book - Identity protection chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Passwordless sign-in
 
-:::image type="content" source="images/identity-protection.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+:::image type="content" source="images/identity-protection.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
 
-Passwords are inconvenient to use and prime targets for cybercriminals - and they've been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their apps and cloud services.
+Passwords are a fundamental part of digital security, but they're often inconvenient and vulnerable to cyberattacks. With Windows 11, users can enjoy passwordless protection, which offers a more secure and user-friendly alternative. After a secure authorization process, credentials are safeguarded by multiple layers of hardware and software security, providing users with seamless, passwordless access to their apps and cloud services.
 
 ## Windows Hello
 
-Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their employees and customers. Microsoft is committed to helping customers move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
+Too often, passwords are weak, stolen, or forgotten. Organizations are moving toward passwordless sign-in to reduce the risk of breaches, lower the cost of managing passwords, and improve productivity and satisfaction for their users and customers. Microsoft is committed to helping organizations move toward a secure, passwordless future with Windows Hello, a cornerstone of Windows security and identity protection.
 
-[Windows Hello](/windows/security/identity-protection/hello-for-business/passwordless-strategy) can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
+Windows Hello can enable passwordless sign-in using biometric or PIN verification and provides built-in support for the FIDO2 passwordless industry standard. As a result, people no longer need to carry external hardware like a security key for authentication.
 
 The secure, convenient sign-in experience can augment or replace passwords with a stronger authentication model based on a PIN or biometric data such as facial or fingerprint recognition secured by the Trusted Platform Module (TPM). Step-by-step guidance makes setup easy.
 
 Using asymmetric keys provisioned in the TPM, Windows Hello protects authentication by binding a user's credentials to their device. Windows Hello validates the user based on either a PIN or biometrics match and only then allows the use of cryptographic keys bound to that user in the TPM.
 
-PIN and biometric data stay on the device and cannot be stored or accessed externally. Since the data cannot be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
+PIN and biometric data stay on the device and can't be stored or accessed externally. Since the data can't be accessed by anyone without physical access to the device, credentials are protected against replay attacks, phishing, and spoofing as well as password reuse and leaks.
 
 Windows Hello can authenticate users to a Microsoft account (MSA), identity provider services, or the relying parties that also implement the FIDO2 or WebAuthn standards.
 
-## Windows Hello for Business
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive for Business, work email, and other business apps. Windows Hello for Business also give IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
+- [Configure Windows Hello][LINK-1]
 
-## Windows Hello for Business Passwordless
-
-Windows 11 devices with Windows Hello for Business can protect user identities by removing the need to use passwords from day one.
-
-IT can now set a policy for Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources.12 Once the policy is set, passwords are removed from the Windows user experience, both for device unlock as well as in-session authentication scenarios via CredUI. However, passwords are not eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can leverage passwordless recovery mechanisms such as Windows Hello for Business PIN reset or Web Sign-in.
-
-During a device's lifecycle, a password may only need to be used once during the provisioning process. After that, people can use a PIN, face, or fingerprint to unlock credentials and sign into the device.
-
-Provisioning methods include:
-
-- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
-- Existing multifactor authentication with Microsoft Entra ID, including authentication methods like the Microsoft Authenticator app
-
-Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometric data and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business depending on an organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers.
-
-Organizations with hybrid scenarios can eliminate the need for on-premises domain controllers and simplify passwordless adoption by using Windows Hello for Business cloud Kerberos trust.13 This solution uses security keys and replaces on-premises domain controllers with a cloud-based root-of-trust. As a result, organizations can take advantage of Windows Hello for Business and deploy passwordless security keys with minimal additional setup or infrastructure.
-
-Users will authenticate directly with Microsoft Entra ID, helping speed access to on- premises applications and other resources.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Hello for Business overview](/windows/security/identity-protection/hello-for-business/)
-
-## Windows Hello PIN
+### Windows Hello PIN
 
 The Windows Hello PIN, which can only be entered by someone with physical access to the device, can be used for strong multifactor authentication. The PIN is protected by the TPM and, like biometric data, never leaves the device. When a user enters their PIN, an authentication key is unlocked and used to sign a request sent to the authenticating server.
 
 The TPM protects against threats including PIN brute-force attacks on lost or stolen devices. After too many incorrect guesses, the device locks. IT admins can set security policies for PINs, such as complexity, length, and expiration requirements.
 
-## Windows Hello biometric sign-in
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
 
-Windows Hello biometric sign-in enhances both security and productivity with a quick, convenient sign-in experience. There's no need to enter a password every time when a face or fingerprint is the credential.
+If your device doesn't have built-in biometrics, Windows Hello has been enhanced to use Virtualization-based Security (VBS) by default to isolate credentials. This added layer of protection helps guard against admin-level attacks. Even when you sign in with a PIN, your credentials are stored in a secure container, ensuring protection on devices with or without built-in biometric sensors.
 
-Windows devices that support biometric hardware such as fingerprint or facial recognition cameras integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with [Microsoft](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) [Windows Hello biometric requirements](/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Windows Hello facial recognition is designed to only authenticate from trusted cameras used at the time of enrollment.
+### Windows Hello biometric
 
-If a peripheral camera is attached to the device after enrollment, that camera will only be allowed for facial authentication after it has been validated by signing in with the internal camera. For additional security, external cameras can be disabled for use with Windows Hello facial recognition.
+Windows Hello biometric sign-in enhances both security and productivity with a quick and convenient sign-in experience. There's no need to enter your PIN; just use your biometric data for an easy and delightful sign-in.
 
-## Windows Hello Enhanced Sign-in Security
+Windows devices that support biometric hardware, such as fingerprint or facial recognition cameras, integrate directly with Windows Hello, enabling access to Windows client resources and services. Biometric readers for both face and fingerprint must comply with Windows Hello biometric requirements. Windows Hello facial recognition is designed to authenticate only from trusted cameras used at the time of enrollment.
 
-Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+If a peripheral camera is attached to the device after enrollment, it can be used for facial authentication once validated by signing in with the internal camera. For added security, external cameras can be disabled for use with Windows Hello facial recognition.
 
-Enhanced Sign-in Security biometrics uses virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional attack classes.
-
-Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in Secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations - please check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Please reach out to specific OEMs for support details.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
-## Windows Hello for Business multi-factor unlock
-
-For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows by requiring a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
-
-Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Multi-factor unlock](/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock)
+- [Windows Hello biometric requirements][LINK-4]
 
 ## Windows presence sensing
 
-Windows presence sensing14 provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
+Windows presence sensing<sup>[\[9\]](conclusion.md#footnote9)</sup> provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to a user's presence to help them stay secure and productive, whether they're working at home, the office, or a public environment.
 
-Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers will be able to customize and build extensions for the presence sensor.
+Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to sign the user in hands-free and automatically locks the device when the user leaves. With adaptive dimming, the PC dims the screen when the user looks away on compatible devices with presence sensors. It's also easier than ever to configure presence sensors on devices, with easy enablement in the out-of-the-box experience and new links in Settings to help find presence sensing features. Device manufacturers can customize and build extensions for the presence sensor.
 
-## Developer APIs and app privacy support for presence sensing
+Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. The new app privacy settings enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
 
-Privacy is top of mind and more important than ever. Customers want to have greater transparency and control over the use of their information. We are pleased to announce new app privacy settings that enable users to allow or block access to their presence sensor information. Users can decide on these settings during the initial Windows 11 setup.
+Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We're also supporting developers with new APIs for presence sensing for third-party applications. Third-party applications can now access user presence information on devices with presence sensors.
 
-Users can also take advantage of more granular settings to easily enable and disable differentiated presence sensing features like wake on approach, lock on leave, and adaptive dimming. We are also supporting developers with new APIs for presence sensing for thirdparty applications. Third-party applications can now access user presence information on devices with modern presence sensors.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- [Presence sensing][LINK-7]
+- [Manage presence sensing settings in Windows 11][LINK-8]
 
-- [Presence sensing](/windows-hardware/design/device-experiences/sensors-presence-sensing)
-- [Manage presence sensing settings in Windows 11](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)
+## Windows Hello for Business
 
-## FIDO support
+Windows Hello for Business extends Windows Hello to work with an organization's Active Directory and Microsoft Entra ID accounts. It provides single sign-on access to work or school resources such as OneDrive, work email, and other business apps. Windows Hello for Business also gives IT admins the ability to manage PIN and other sign-in requirements for devices connecting to work or school resources.
 
-The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) have worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications, which are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+After Windows Hello for Business is provisioned, users can use a PIN, face, or fingerprint to unlock credentials and sign into their Windows device.
 
-Windows 11 can also use passkeys from external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+Provisioning methods include:
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+- Passkeys (preview), which provide a seamless way for users to authenticate to Microsoft Entra ID without entering a username or password
+- Temporary Access Pass (TAP), a time-limited passcode with strong authentication requirements issued through Microsoft Entra ID
+- Existing multifactor authentication with Microsoft Entra ID, including the Microsoft Authenticator app
 
-- [Passwordless security key sign-in](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
+Windows Hello for Business enhances security by replacing traditional usernames and passwords with a combination of a security key or certificate and a PIN or biometric data. This setup securely maps the credentials to a user account.
 
-## Passkeys
+There are various deployment models available for Windows Hello for Business, providing flexibility to meet the diverse needs of different organizations. Among these, the *Hybrid cloud Kerberos trust* model is recommended and considered the simplest for organizations operating in hybrid environments.
 
-Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the crossplatform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey from Windows Hello, an external security provider, or their mobile device.
+- [Windows Hello for Business overview][LINK-2]
+- [Enable passkeys (FIDO2) for your organization][LINK-9]
 
-Passkeys on Windows 11 are protected by Windows Hello or Windows Hello for Business. This enables users to sign in to the site or app using their face, fingerprint, or device PIN. Passkeys on Windows work in any browser or app that supports them for sign in. Users can manage passkeys on their device on Windows 11 account settings.
+### PIN reset
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+The Microsoft PIN Reset Service allows users to reset their forgotten Windows Hello PINs without requiring re-enrollment. After registering the service in the Microsoft Entra ID tenant, the capability must be enabled on the Windows devices using group policy or a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>.
 
-- [Passkeys (passkey authentication)](https://fidoalliance.org/passkeys/)
+Users can initiate a PIN reset from the Windows lock screen or from the sign-in options in Settings. The process involves authenticating and completing multifactor authentication to reset the PIN.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [PIN reset][LINK-15]
+
+### Multi-factor unlock
+
+For organizations that need an extra layer of sign-in security, multi-factor unlock enables IT admins to configure Windows to require a combination of two unique trusted signals to sign in. Trusted signal examples include a PIN or biometric data (face or fingerprint) combined with either a PIN, Bluetooth, IP configuration, or Wi-Fi.
+
+Multi-factor unlock is useful for organizations who need to prevent information workers from sharing credentials or need to comply with regulatory requirements for a two-factor authentication policy.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Multi-factor unlock][LINK-6]
+
+### Windows passwordless experience
+
+**Windows Hello for Business now support a fully passwordless experience.**
+
+IT admins can configure a policy on Microsoft Entra ID joined machines so users no longer see the option to enter a password when accessing company resources. Once the policy is configured, passwords are removed from the Windows user experience, both for device unlock and in-session authentication scenarios. However, passwords aren't eliminated from the identity directory yet. Users are expected to navigate through their core authentication scenarios using strong, phish-resistant, possession-based credentials like Windows Hello for Business and FIDO2 security keys. If necessary, users can use passwordless recovery mechanisms such as Microsoft PIN reset service or web sign-in.
+
+Users authenticate directly with Microsoft Entra ID, helping speed access to on-premises applications and other resources.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows passwordless experience][LINK-3]
+
+## Enhanced Sign-in Security (ESS)
+
+Windows Hello supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
+
+Enhanced Sign-in Security biometrics uses Virtualization-based security (VBS) and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated.
+
+These specialized components protect against a class of attacks that includes biometric sample injection, replay, and tampering. For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent more attack classes.
+
+Enhanced Sign-in Security is configured by device manufacturers during the manufacturing process and is most typically supported in secured-core PCs. For facial recognition, Enhanced Sign-in Security is supported by specific silicon and camera combinations -  check with the specific device manufacturer. Fingerprint authentication is available across all processor types. Reach out to specific OEMs for support details.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Hello Enhanced Sign-in Security][LINK-5]
+
+## FIDO2
+
+The FIDO Alliance, the Fast Identity Online industry standards body, was established to promote authentication technologies and standards that reduce reliance on passwords. FIDO Alliance and World Wide Web Consortium (W3C) worked together to define the Client to Authenticator Protocol (CTAP2) and Web Authentication (WebAuthn) specifications. These specifications are the industry standard for providing strong, phishing-resistant, user friendly, and privacy preserving authentication across the web and apps. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets.
+
+Windows 11 can also use external FIDO2 security keys for authentication alongside or in addition to Windows Hello and Windows Hello for Business, which is also a FIDO2-certified passwordless solution. As a result, Windows 11 can be used as a FIDO authenticator for many popular identity management services.
+
+### Passkeys
+
+Windows 11 makes it much harder for hackers who exploit stolen passwords via phishing attacks by empowering users to replace passwords with passkeys. Passkeys are the cross-platform future of secure sign-in. Microsoft and other technology leaders are supporting passkeys across their platforms and services.
+
+A passkey is a unique, unguessable cryptographic secret that is securely stored on the device. Instead of using a username and password to sign in to a website or application, Windows 11 users can create and use a passkey with Windows Hello, a third-party passkey provider, an external FIDO2 security key, or their mobile device. Passkeys on Windows work in any browsers or apps that support them for sign in.
+
+Passkeys created and saved with Windows Hello are protected by Windows Hello or Windows Hello for Business. Users can sign in to the site or app using their face, fingerprint, or device PIN. Users can manage their passkeys from **Settings** > **Accounts** > **Passkeys**.
+
+:::row:::
+    :::column span="2":::
+[!INCLUDE [coming-soon](includes/coming-soon.md)]
+
+The plug-in model for third-party passkey providers enables users to manage their passkeys with third-party passkey managers. This model ensures a seamless platform experience, regardless of whether passkeys are managed directly by Windows or by a third-party authenticator. When a third-party passkey provider is used, the passkeys are securely protected and managed by the third-party provider.
+    :::column-end:::
+    :::column span="2":::
+:::image type="content" border="false" source="images/passkey-save-3p.png" alt-text="Screenshot of the save passkey dialog box showing third-party providers."  lightbox="images/passkey-save-3p.png":::
+    :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Support for passkeys in Windows][LINK-10]
+- [Enable passkeys (FIDO2) for your organization][LINK-9]
 
 ## Microsoft Authenticator
 
-The Microsoft Authenticator app, which runs on iOS and Android devices, helps keep
+The Microsoft Authenticator app, which runs on iOS and Android devices, helps keeping Windows 11 users secure and productive. Microsoft Authenticator with Microsoft Entra passkeys can be used as a phish-resistant method to bootstrap Windows Hello for Business.
 
-Windows 11 users secure and productive. Microsoft Authenticator can be used to bootstrap Windows Hello for Business, which removes the need for a password to get started on Windows 11.
-
-Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can leverage different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they are actively using it.
+Microsoft Authenticator also enables easy, secure sign-in for all online accounts using multifactor authentication, passwordless phone sign-in, phishing-resistant authentication (passkeys), or password autofill. The accounts in the Authenticator app are secured with a public/private key pair in hardware-backed storage such as the Keychain in iOS and Keystore on Android. IT admins can use different tools to nudge their users to set up the Authenticator app, provide them with extra context about where the authentication is coming from, and ensure that they're actively using it.
 
 Individual users can back up their credentials to the cloud by enabling the encrypted backup option in settings. They can also see their sign-in history and security settings for Microsoft personal, work, or school accounts.
 
 Using this secure app for authentication and authorization enables people to be in control of how, where, and when their credentials are used. To keep up with an ever-changing security landscape, the app is constantly updated, and new capabilities are added to stay ahead of emerging threat vectors.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Microsoft Authenticator](/azure/active-directory/authentication/concept-authentication-authenticator-app)
+- [Authentication methods in Microsoft Entra ID - Microsoft Authenticator app][LINK-11]
 
-## Smart cards for Windows service
+## Web sign-in
 
-Organizations also have the option of using smart cards, an authentication method that predates biometric authentication. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating users, signing code, securing e-mail, and signing in with Windows domain accounts.
+With the support of web sign-in, users can sign in without a password using the Microsoft Authenticator app or a Temporary Access Pass (TAP). Web sign in also enables federated sign in with a SAML-P identity provider.
 
-**Smart cards provide:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- Ease of use in scenarios such as healthcare where employees need to sign in and out quickly without using their hands or when sharing a workstation
+- [Web sign-in for Windows][LINK-13]
+
+## Federated sign-in
+
+Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Configure federated sign-in for Windows devices][LINK-14]
+
+## Smart cards
+
+Organizations can also opt for smart cards, an authentication method that existed before biometric authentication. These tamper-resistant, portable storage devices enhance Windows security by authenticating users, signing code, securing e-mails, and signing in with Windows domain accounts.
+
+Smart cards provide:
+
+- Ease of use in scenarios such as healthcare, where users need to sign in and out quickly without using their hands or when sharing a workstation
 - Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
 - Portability of credentials and other private information between computers at work, home, or on the road
 
 Smart cards can only be used to sign in to domain accounts or Microsoft Entra ID accounts.
 
-When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Entra ID certificate-based authentication. Smart cards cannot be used with local accounts.
+When a password is used to sign in to a domain account, Windows uses the Kerberos Version 5 (V5) protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 V3 certificates. On Microsoft Entra ID joined devices, a smart card can be used with Microsoft Entra ID certificate-based authentication. Smart cards can't be used with local accounts.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Windows Hello for Business and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
 
-- [Smart Card technical reference](/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-## Federated sign-in
+- [Smart Card technical reference][LINK-12]
 
-Windows 11 supports federated sign-in with external education identity management services. For students unable to type easily or remember complex passwords, this capability enables secure sign-in through methods like QR codes or pictures. Additionally, we have added shared device support. It allows multiple students (one at a time) to use the device throughout the school day.
+## Enhanced phishing protection in Microsoft Defender SmartScreen
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+As malware protection and other safeguards evolve, cybercriminals look for new ways to circumvent security measures. Phishing is a leading threat, with apps and websites designed to steal credentials by tricking people into voluntarily entering passwords. As a result, many organizations are transitioning to the ease and security of passwordless sign-in with Windows Hello or Windows Hello for Business.
 
-- [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in)
+We know that people are in different parts of their passwordless journey. To help on that journey for people still using passwords, Windows 11 offers powerful credential protection. Microsoft Defender SmartScreen now includes enhanced phishing protection to automatically detect when a user's Microsoft password is entered into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Because the user is alerted at the moment of potential credential theft, they can take preemptive action before the password is used against them or their organization.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Enhanced phishing protection in Microsoft Defender SmartScreen][LINK-16]
+
+<!--links-->
+
+[LINK-1]: https://support.microsoft.com/topic/dae28983-8242-bb2a-d3d1-87c9d265a5f0
+[LINK-2]: /windows/security/identity-protection/hello-for-business
+[LINK-3]: /windows/security/identity-protection/passwordless-experience
+[LINK-4]: /windows-hardware/design/device-experiences/windows-hello-biometric-requirements
+[LINK-5]: /windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security
+[LINK-6]: /windows/security/identity-protection/hello-for-business/feature-multifactor-unlock
+[LINK-7]: /windows-hardware/design/device-experiences/sensors-presence-sensing
+[LINK-8]: https://support.microsoft.com/topic/82285c93-440c-4e15-9081-c9e38c1290bb
+[LINK-9]: /entra/identity/authentication/how-to-enable-passkey-fido2
+[LINK-10]: /windows/security/identity-protection/passkeys
+[LINK-11]: /entra/identity/authentication/concept-authentication-authenticator-app
+[LINK-12]: /windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference
+[LINK-13]: /windows/security/identity-protection/web-sign-in
+[LINK-14]: /education/windows/federated-sign-in
+[LINK-15]: /windows/security/identity-protection/hello-for-business/pin-reset
+[LINK-16]: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md
index d614925654..03248b2db3 100644
--- a/windows/security/book/identity-protection.md
+++ b/windows/security/book/identity-protection.md
@@ -1,16 +1,16 @@
 ---
 title: Identity protection
-description: Windows 11 security book -Identity protection chapter.
+description: Windows 11 security book - Identity protection chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Identity protection
 
 :::image type="content" source="images/identity-protection-cover.png" alt-text="Cover of the identity protection chapter." border="false":::
 
-:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/identity-protection.png" border="false":::
+Employes are increasingly targets for cyberattacks in organizations, making identity protection a priority. Weak or reused passwords, password spraying, social engineering, and phishing are just a few of the risks businesses face today. 
 
-Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second.11 And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.*
+Identity protection in Windows 11 continuously evolves to provide organizations with the latest defenses, including Windows Hello for Business passwordless and Windows Hello Enhanced Sign-in Security (ESS). By leveraging these powerful identity safeguards, organizations of all sizes can reduce the risk of credential theft and unauthorized access to devices, data, and other company resources.
 
-Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work.
+:::image type="content" source="images/identity-protection-on.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false":::
diff --git a/windows/security/book/images/access-work-or-school.png b/windows/security/book/images/access-work-or-school.png
index 4c256ca182..69fca1f5fa 100644
Binary files a/windows/security/book/images/access-work-or-school.png and b/windows/security/book/images/access-work-or-school.png differ
diff --git a/windows/security/book/images/application-security-cover.png b/windows/security/book/images/application-security-cover.png
index 3d8d9aa3d9..d49cf4a173 100644
Binary files a/windows/security/book/images/application-security-cover.png and b/windows/security/book/images/application-security-cover.png differ
diff --git a/windows/security/book/images/application-security-on.png b/windows/security/book/images/application-security-on.png
index d15844943d..97b86789d5 100644
Binary files a/windows/security/book/images/application-security-on.png and b/windows/security/book/images/application-security-on.png differ
diff --git a/windows/security/book/images/application-security.png b/windows/security/book/images/application-security.png
index bebbcf3891..2188dd6a91 100644
Binary files a/windows/security/book/images/application-security.png and b/windows/security/book/images/application-security.png differ
diff --git a/windows/security/book/images/azure-attestation.svg b/windows/security/book/images/azure-attestation.svg
new file mode 100644
index 0000000000..0d5ef702de
--- /dev/null
+++ b/windows/security/book/images/azure-attestation.svg
@@ -0,0 +1,20 @@
+<svg width="49" height="32" viewBox="0 0 49 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M37.4071 14.9238C37.4071 23.516 27.0194 30.4344 24.7622 31.8367C24.6329 31.9175 24.4835 31.9603 24.331 31.9603C24.1787 31.9603 24.0293 31.9175 23.9 31.8367C21.6427 30.4344 11.2551 23.516 11.2551 14.9238V4.58328C11.256 4.36919 11.3403 4.16388 11.4902 4.01099C11.6401 3.85807 11.8436 3.76964 12.0577 3.76446C20.1373 3.54525 18.2768 0 24.331 0C30.3854 0 28.525 3.54525 36.6044 3.76446C36.8185 3.76964 37.0222 3.85807 37.172 4.01099C37.3219 4.16388 37.4062 4.36919 37.4071 4.58328V14.9238Z" fill="url(#paint0_linear_1073_1117)"/>
+<path d="M36.322 15.0107C36.322 22.891 26.7968 29.2352 24.7279 30.5214C24.6094 30.5951 24.4725 30.6341 24.3331 30.6341C24.1934 30.6341 24.0565 30.5951 23.938 30.5214C21.8674 29.2352 12.344 22.891 12.344 15.0107V5.52891C12.344 5.33247 12.421 5.14387 12.5585 5.00365C12.696 4.8634 12.8831 4.78271 13.0795 4.77892C20.4852 4.57783 18.7787 1.32605 24.3311 1.32605C29.8836 1.32605 28.1773 4.5869 35.5865 4.77892C35.7829 4.78271 35.97 4.8634 36.1075 5.00365C36.245 5.14387 36.322 5.33247 36.322 5.52891V15.0107Z" fill="url(#paint1_linear_1073_1117)"/>
+<path d="M30.1681 18.0669H18.4942C18.1656 18.0669 17.8504 18.1974 17.6181 18.4298C17.3857 18.6622 17.2551 18.9774 17.2551 19.306V20.8422C17.2551 20.897 17.2769 20.9495 17.3156 20.9883C17.3543 21.027 17.4069 21.0487 17.4616 21.0487H31.2007C31.2278 21.0487 31.2545 21.0434 31.2797 21.033C31.3048 21.0226 31.3276 21.0074 31.3468 20.9883C31.3657 20.9691 31.381 20.9463 31.3913 20.9213C31.4017 20.8962 31.4072 20.8693 31.4072 20.8422V19.306C31.4072 18.9774 31.2766 18.6622 31.0442 18.4298C30.8118 18.1974 30.4967 18.0669 30.1681 18.0669Z" fill="white"/>
+<path d="M30.1173 22.5795H18.545C18.506 22.5795 18.4687 22.5951 18.4412 22.6225C18.4137 22.6501 18.3982 22.6874 18.3982 22.7262V23.5017C18.3982 23.7357 18.4911 23.9601 18.6566 24.1254C18.8221 24.2909 19.0464 24.3838 19.2804 24.3838H29.3817C29.6159 24.3838 29.8401 24.2909 30.0056 24.1254C30.1711 23.9601 30.264 23.7357 30.264 23.5017V22.7262C30.264 22.6874 30.2486 22.6501 30.221 22.6225C30.1936 22.5951 30.1561 22.5795 30.1173 22.5795Z" fill="white"/>
+<path d="M27.0194 11.3205C27.8364 10.1339 28.4089 10.3586 27.9435 7.61765C27.4778 4.87673 24.429 4.90028 24.2423 4.90028C24.0558 4.90028 21.0068 4.8713 20.5413 7.61765C20.0757 10.364 20.6481 10.1339 21.4634 11.3205C21.9897 12.9829 22.2413 14.7201 22.2079 16.4636H26.2768C26.2435 14.7203 26.4944 12.9832 27.0194 11.3205Z" fill="white"/>
+<defs>
+<linearGradient id="paint0_linear_1073_1117" x1="24.331" y1="-1.57607" x2="24.331" y2="34.976" gradientUnits="userSpaceOnUse">
+<stop stop-color="#5E9624"/>
+<stop offset="0.316" stop-color="#619A25"/>
+<stop offset="0.659" stop-color="#69A728"/>
+<stop offset="0.999" stop-color="#76BC2D"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1117" x1="24.3311" y1="31.9" x2="24.3311" y2="-2.07428" gradientUnits="userSpaceOnUse">
+<stop stop-color="#5E9624"/>
+<stop offset="0.546" stop-color="#6DAD2A"/>
+<stop offset="0.999" stop-color="#76BC2D"/>
+</linearGradient>
+</defs>
+</svg>
diff --git a/windows/security/book/images/chip-to-cloud.png b/windows/security/book/images/chip-to-cloud.png
index 08f370e1f9..e26a786101 100644
Binary files a/windows/security/book/images/chip-to-cloud.png and b/windows/security/book/images/chip-to-cloud.png differ
diff --git a/windows/security/book/images/cloud-security-on.png b/windows/security/book/images/cloud-security-on.png
index eb2666b9fa..a902352b0e 100644
Binary files a/windows/security/book/images/cloud-security-on.png and b/windows/security/book/images/cloud-security-on.png differ
diff --git a/windows/security/book/images/cloud-security.png b/windows/security/book/images/cloud-security.png
index 2d1b118594..e483a71861 100644
Binary files a/windows/security/book/images/cloud-security.png and b/windows/security/book/images/cloud-security.png differ
diff --git a/windows/security/book/images/cloud-services-cover.png b/windows/security/book/images/cloud-services-cover.png
index d5961c347e..f33886677a 100644
Binary files a/windows/security/book/images/cloud-services-cover.png and b/windows/security/book/images/cloud-services-cover.png differ
diff --git a/windows/security/book/images/cover.png b/windows/security/book/images/cover.png
index 4d5b549c44..dd1c91f28b 100644
Binary files a/windows/security/book/images/cover.png and b/windows/security/book/images/cover.png differ
diff --git a/windows/security/book/images/credential-guard-architecture.png b/windows/security/book/images/credential-guard-architecture.png
new file mode 100644
index 0000000000..fd55100713
Binary files /dev/null and b/windows/security/book/images/credential-guard-architecture.png differ
diff --git a/windows/security/book/images/defender-for-endpoint.svg b/windows/security/book/images/defender-for-endpoint.svg
new file mode 100644
index 0000000000..35ff9ff372
--- /dev/null
+++ b/windows/security/book/images/defender-for-endpoint.svg
@@ -0,0 +1,3 @@
+<svg width="49" height="32" viewBox="0 0 49 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M22.4141 0.0289066C22.39 0.0679141 22.2084 0.123152 21.7305 0.236588C21.3079 0.336841 20.5998 0.558601 20.3694 0.66289C20.0203 0.820714 19.6904 0.988041 19.6795 1.0127C19.6728 1.0275 19.6511 1.0396 19.631 1.0396C19.6109 1.0396 19.268 1.25751 18.8692 1.52383C18.4703 1.79016 18.1352 2.00806 18.1246 2.00806C18.114 2.00806 17.9849 2.07944 17.8378 2.1667C17.5604 2.33106 16.6373 2.78588 16.418 2.86623C16.3491 2.89143 16.2606 2.92507 16.2212 2.94093C15.8401 3.09497 14.8546 3.41601 14.5577 3.48281C14.4888 3.49833 14.352 3.52953 14.2536 3.55222C13.8615 3.64244 13.7696 3.661 13.2698 3.75084C12.9845 3.80215 12.6062 3.85863 12.4291 3.87648C11.472 3.97261 10.736 4.02372 9.61186 4.07188L9.0484 4.096L9.04822 7.36528C9.04804 9.25109 9.0629 10.7864 9.08329 10.9932C9.10269 11.1905 9.1355 11.5698 9.15607 11.8362C9.17675 12.1025 9.20848 12.4172 9.22673 12.5356C9.24499 12.654 9.28542 12.9445 9.31671 13.1812C9.37663 13.6358 9.42672 13.9488 9.47733 14.1856C9.49423 14.2645 9.53528 14.4582 9.56856 14.616C9.68376 15.1626 9.87336 15.9146 10.0207 16.4094C10.1185 16.7379 10.4735 17.8239 10.5131 17.916C10.5301 17.9554 10.6205 18.1895 10.714 18.4361C10.8753 18.8618 10.9261 18.9834 11.1451 19.4673C11.1965 19.5807 11.2711 19.7462 11.3111 19.8349C11.4192 20.0755 11.8527 20.9436 11.9468 21.1083C11.9918 21.1872 12.0855 21.3567 12.1549 21.4849C12.2243 21.6132 12.3507 21.8272 12.4356 21.9605C12.5206 22.0939 12.5901 22.2106 12.5901 22.2197C12.5901 22.3607 13.9476 24.2428 14.6861 25.1255C15.382 25.9575 16.5521 27.1698 17.1446 27.6725C17.168 27.6926 17.3075 27.8135 17.4546 27.9415C17.8801 28.3121 17.8751 28.3079 18.2604 28.6157C18.6369 28.9165 18.5971 28.8861 19.0474 29.2175C19.2639 29.3769 19.618 29.6249 19.8344 29.7691C20.0509 29.9129 20.2716 30.061 20.3249 30.0979C20.3782 30.135 20.43 30.1652 20.4399 30.1652C20.4499 30.1652 20.5953 30.2539 20.763 30.3625C20.9308 30.4711 21.0751 30.5598 21.0839 30.5598C21.0926 30.5598 21.1773 30.6066 21.272 30.6639C21.6613 30.8996 22.6615 31.4125 23.4657 31.7888C24.0604 32.0671 24.1302 32.068 24.6819 31.8051C24.9081 31.6974 25.2543 31.5328 25.451 31.4397C26.8292 30.7869 27.3527 30.4938 28.4014 29.7876C29.4062 29.1114 30.8634 27.9848 31.3001 27.5467C31.3101 27.537 31.4147 27.4412 31.5327 27.334C31.9359 26.9674 32.5698 26.3387 32.9101 25.9675C33.097 25.7635 33.2883 25.5552 33.3353 25.5047C33.3823 25.4539 33.6322 25.1538 33.8906 24.8377C34.3686 24.2529 34.5719 23.981 35.0647 23.2667C35.2167 23.0462 35.3577 22.8465 35.3778 22.8226C35.3979 22.7988 35.4142 22.771 35.4142 22.7611C35.4142 22.7509 35.5058 22.601 35.6177 22.4278C36.0578 21.7457 37.2029 19.5736 37.2029 19.4209C37.2029 19.413 37.2415 19.3214 37.2886 19.2173C37.3356 19.1131 37.4097 18.9391 37.4532 18.8306C37.4967 18.7221 37.549 18.593 37.5693 18.5437C37.6348 18.3839 37.6609 18.3149 37.7575 18.0415C37.8098 17.8935 37.867 17.7402 37.8842 17.7007C37.9016 17.6613 37.9658 17.4676 38.027 17.2703C38.2181 16.6542 38.2494 16.555 38.277 16.4812C38.3119 16.3883 38.358 16.2195 38.4937 15.6921C38.5544 15.4553 38.6191 15.2052 38.6374 15.1361C38.6555 15.0671 38.7124 14.8088 38.7636 14.5622C38.8151 14.3156 38.8713 14.0493 38.8888 13.9704C38.9062 13.8915 38.9362 13.7462 38.9556 13.6475C38.9748 13.5489 39.0316 13.2745 39.0817 13.0378C39.1315 12.801 39.1867 12.5186 39.2041 12.4101C39.2216 12.3016 39.2463 10.3767 39.2593 8.1327L39.2827 4.05259L38.4842 4.05162C37.46 4.05036 36.852 4.01161 35.7362 3.87639C35.4047 3.83614 34.6531 3.7062 34.4842 3.65992C34.4154 3.641 34.2141 3.59115 34.0369 3.549C33.5031 3.42201 32.6227 3.13748 32.2125 2.95923C32.1535 2.93358 32.033 2.88534 31.9452 2.85206C31.7881 2.79252 30.8848 2.35043 30.6743 2.23C30.6151 2.19629 30.4703 2.11325 30.3523 2.04546C30.2342 1.97767 29.9363 1.79339 29.6904 1.63583C29.2265 1.33884 28.6909 1.0257 28.474 0.924822C27.9885 0.69894 27.8077 0.626483 27.3727 0.483547C26.7402 0.275595 26.7169 0.26878 26.3991 0.197491C26.1448 0.140549 26.0321 0.103693 25.8897 0.0310588C25.8114 -0.00893523 22.4388 -0.0109977 22.4141 0.0289066ZM25.1111 2.02681C26.0486 2.12383 26.8193 2.31815 27.4544 2.61758C27.5725 2.67317 27.7254 2.74419 27.7943 2.77522C27.8631 2.80633 27.9677 2.86067 28.0269 2.89609C28.0858 2.93142 28.2147 3.00683 28.3131 3.06359C28.4113 3.12035 28.6395 3.26124 28.82 3.37655C29.0006 3.49197 29.159 3.5863 29.1722 3.5863C29.1855 3.5863 29.2411 3.61823 29.2958 3.65731C29.4238 3.74879 30.5317 4.3051 30.8351 4.43039C30.9631 4.48311 31.1326 4.55574 31.2121 4.59171C31.2913 4.62766 31.4604 4.69169 31.5877 4.73401C31.7148 4.77634 31.8512 4.82531 31.8905 4.84279C31.9907 4.88735 32.4958 5.05181 32.7313 5.11665C32.8394 5.14642 32.9763 5.18462 33.0352 5.20148C33.3596 5.29439 33.443 5.31591 33.5898 5.3446C33.6783 5.36199 33.8634 5.40171 34.0012 5.43292C34.3214 5.50557 34.5551 5.55121 34.8241 5.59371C34.9422 5.61245 35.1432 5.64465 35.2712 5.66543C35.6393 5.72518 36.4378 5.81583 36.8167 5.84093C37.0076 5.85366 37.1815 5.88182 37.2034 5.90363C37.2554 5.95597 37.2305 9.65954 37.1718 10.5807C37.1341 11.1755 37.0685 11.8497 36.9889 12.4639C36.9734 12.5822 36.9505 12.7679 36.9374 12.8764C36.9246 12.9849 36.8988 13.1543 36.8801 13.253C36.8613 13.3516 36.8211 13.5695 36.7909 13.7372C36.7607 13.9049 36.7209 14.1067 36.7026 14.1856C36.5989 14.6363 36.4076 15.4179 36.3822 15.4948C36.3661 15.5441 36.3321 15.6571 36.3071 15.7459C36.1046 16.4617 35.6228 17.7737 35.3268 18.4165C35.2569 18.5682 35.1997 18.7001 35.1997 18.7094C35.1997 18.7798 34.3726 20.352 34.1453 20.7137C34.0833 20.8124 34.0234 20.9173 34.0122 20.9469C34.0009 20.9765 33.8531 21.2075 33.6836 21.4602C33.5139 21.7129 33.3751 21.9261 33.3751 21.9341C33.3751 21.942 33.3067 22.0438 33.223 22.1601C33.1396 22.2766 32.9681 22.5152 32.8421 22.6907C32.7163 22.8659 32.5342 23.1062 32.4374 23.2245C32.3407 23.343 32.2425 23.4639 32.2191 23.4935C32.0249 23.7396 31.8792 23.917 31.819 23.9806C31.7797 24.0223 31.6438 24.1759 31.5171 24.322C31.2719 24.6047 30.2576 25.6285 30.0482 25.8048C29.9793 25.8628 29.8021 26.0171 29.6547 26.1478C29.507 26.2784 29.2334 26.505 29.0465 26.6514C28.8595 26.7977 28.6984 26.9268 28.6887 26.938C28.6108 27.0279 26.8632 28.1924 26.8062 28.1924C26.795 28.1924 26.7431 28.2222 26.6908 28.2586C26.5924 28.3273 26.3593 28.4553 25.7193 28.7927C24.1569 29.6166 24.1765 29.609 23.8713 29.5025C23.7232 29.4506 22.8607 29.0194 22.5891 28.8614C22.5103 28.8155 22.3655 28.7327 22.2671 28.6775C22.1687 28.6221 22.019 28.5378 21.9343 28.4902C21.8496 28.4423 21.596 28.2831 21.3705 28.1364C21.1451 27.9896 20.9533 27.8696 20.9444 27.8696C20.9211 27.8696 20.2408 27.3907 19.9285 27.1543C19.7835 27.0446 19.6218 26.9226 19.5692 26.8831C19.4508 26.7944 18.9466 26.3883 18.9222 26.362C18.9124 26.3515 18.7192 26.1795 18.4929 25.98C17.0791 24.7331 15.8998 23.3691 14.8204 21.7317C14.5776 21.3633 14.3788 21.0511 14.3788 21.0378C14.3788 21.0244 14.3332 20.9462 14.2775 20.8637C14.2219 20.7812 14.1104 20.5927 14.0299 20.4447C13.9495 20.2968 13.8258 20.0708 13.7552 19.9426C13.525 19.5248 13.0806 18.599 12.8944 18.1491C12.7872 17.8901 12.7326 17.7613 12.6507 17.5752C12.6203 17.5061 12.5609 17.3528 12.5187 17.2345C12.4765 17.1161 12.4285 16.9869 12.412 16.9475C12.246 16.5493 11.9052 15.4971 11.802 15.0644C11.7855 14.9953 11.7541 14.8743 11.7322 14.7953C11.6483 14.4927 11.499 13.8045 11.4132 13.3247C11.3725 13.0971 11.2429 12.164 11.1965 11.7644C11.0946 10.8872 10.9876 6.80159 11.0567 6.43035C11.1154 6.11569 11.2395 6.05641 11.9819 5.9889C12.4042 5.95043 12.8694 5.89806 13.0909 5.86388C13.6693 5.77494 13.7473 5.7606 14.5756 5.5921C14.8043 5.54564 14.9819 5.50089 15.3447 5.39849C15.5317 5.34577 15.7248 5.29457 15.774 5.2847C15.8232 5.27484 15.8957 5.25277 15.935 5.23564C15.9744 5.21852 16.1756 5.1465 16.3822 5.07558C16.5888 5.00473 16.8786 4.89642 17.0262 4.83507C17.1737 4.77365 17.3508 4.70047 17.4197 4.6726C17.8853 4.48364 18.9194 3.93216 19.5153 3.55491C20.6397 2.84328 20.938 2.67756 21.4622 2.47311C22.0806 2.23188 22.846 2.04653 23.2447 2.04124C23.3564 2.03981 23.5202 2.02573 23.6087 2.00986C23.8761 1.96215 24.5616 1.96987 25.1111 2.02681ZM23.5014 4.03672C23.4522 4.04507 23.275 4.07009 23.1079 4.09231C22.1614 4.21839 21.864 4.33964 19.2799 5.6527C18.1895 6.20679 17.8232 6.38175 17.2944 6.60118C17.0977 6.68286 16.8562 6.78608 16.7578 6.83065C16.6595 6.87512 16.4904 6.93906 16.3822 6.9726C16.274 7.00615 16.1575 7.04883 16.1233 7.06748C16.0891 7.08621 16.0366 7.10146 16.0066 7.10146C15.9765 7.10146 15.924 7.11742 15.8898 7.13688C15.8303 7.17096 15.582 7.24063 14.7545 7.45549C14.6757 7.47593 14.4343 7.5343 14.2178 7.58524C14.0014 7.63617 13.768 7.6924 13.6991 7.71024C13.6302 7.72809 13.4853 7.76521 13.3771 7.79284L13.1804 7.84296L13.1849 9.04152C13.1874 9.7007 13.209 10.4579 13.2328 10.7242C13.2567 10.9905 13.2892 11.3618 13.3052 11.5492C13.3211 11.7366 13.3507 11.9868 13.3709 12.1052C13.3911 12.2235 13.4349 12.4899 13.4683 12.697C13.5624 13.2791 13.5963 13.4537 13.7154 13.9704C13.7472 14.1085 13.7876 14.2941 13.8051 14.3829C13.8226 14.4716 13.86 14.6169 13.8881 14.7057C13.9162 14.7945 13.9594 14.9397 13.9843 15.0285C14.0091 15.1173 14.0425 15.2303 14.0586 15.2796C14.0747 15.3289 14.1137 15.4661 14.1453 15.5845C14.1769 15.7028 14.2166 15.832 14.2335 15.8714C14.2504 15.9109 14.2837 15.9996 14.3073 16.0687C14.3309 16.1378 14.3631 16.2265 14.3786 16.266C14.3943 16.3054 14.4341 16.4184 14.4673 16.5171C14.5004 16.6157 14.5423 16.7327 14.5605 16.7771C14.5786 16.8215 14.6079 16.8941 14.6256 16.9385C14.9007 17.6305 15.0029 17.8598 15.3175 18.4899C15.5128 18.8808 15.6268 19.0964 15.8156 19.4314C15.8518 19.4955 15.9149 19.6085 15.9559 19.6825C16.04 19.834 16.2867 20.2331 16.3874 20.3805C16.4239 20.434 16.4537 20.4862 16.4537 20.4966C16.4537 20.5071 16.4765 20.5441 16.5044 20.5788C16.5322 20.6136 16.6936 20.8482 16.8631 21.1001C17.0325 21.3519 17.194 21.586 17.222 21.6202C17.25 21.6543 17.3985 21.8449 17.5519 22.0438C17.8785 22.4667 18.049 22.6737 18.2998 22.9511C18.4002 23.0621 18.537 23.2168 18.6039 23.2947C19.3899 24.2127 20.9968 25.5777 22.3207 26.4519C23.4769 27.2155 23.8258 27.4033 24.0869 27.4033C24.3094 27.4033 24.3071 27.4044 24.9681 26.9892C25.214 26.8348 25.6086 26.5878 25.8447 26.4408C26.5677 25.9904 27.4844 25.3378 27.9174 24.9651C29.4916 23.6109 30.5335 22.4408 31.7356 20.6779C32.0094 20.276 32.1487 20.0471 32.5868 19.279C32.7578 18.9788 33.2605 17.9503 33.4282 17.5573C33.4534 17.4981 33.5081 17.3732 33.5498 17.2796C33.5916 17.1862 33.6255 17.0999 33.6255 17.0878C33.6255 17.0758 33.6478 17.0151 33.6752 16.9529C33.8153 16.6335 34.1883 15.5569 34.3229 15.0823C34.3567 14.9639 34.3969 14.8267 34.4121 14.7774C34.4825 14.5521 34.6778 13.7599 34.735 13.4682C34.7581 13.3498 34.7914 13.1804 34.8091 13.0916C34.8663 12.801 34.9428 12.2913 34.9841 11.9258C35.0062 11.7286 35.0393 11.4622 35.0574 11.334C35.1507 10.6755 35.1843 7.91183 35.1002 7.81023C35.0748 7.77984 35.0106 7.74585 34.957 7.73464C34.9036 7.72352 34.7873 7.69913 34.6988 7.68038C34.6103 7.66164 34.3929 7.62066 34.2159 7.58928C34.0387 7.55798 33.765 7.4987 33.6077 7.45755C33.4503 7.41639 33.2652 7.36914 33.1963 7.35245C32.9233 7.28653 32.5175 7.17339 32.4272 7.13796C32.3877 7.12263 32.1624 7.04845 31.9262 6.97322C31.6901 6.89799 31.4729 6.82428 31.4434 6.80923C31.4138 6.79424 31.2609 6.73847 31.1035 6.68529C30.836 6.5948 30.7555 6.56263 30.3611 6.38875C30.2775 6.35189 30.1689 6.3093 30.1197 6.29414C30.0705 6.27897 29.9497 6.23029 29.8513 6.18591C29.7529 6.14151 29.592 6.06923 29.4936 6.02529C29.1124 5.85501 28.8092 5.70884 27.6654 5.14337C26.2099 4.42375 26.1477 4.39766 25.4064 4.19535C24.969 4.07592 23.8302 3.98113 23.5014 4.03672ZM27.6385 10.0252C27.6499 10.0551 27.6438 10.0995 27.6248 10.1239C27.6058 10.1483 27.5131 10.3135 27.4189 10.4911C27.1214 11.0513 26.9978 11.2791 26.9711 11.3161C26.957 11.3358 26.8524 11.5295 26.7383 11.7465C26.6244 11.9635 26.4911 12.2137 26.4419 12.3025C26.3929 12.3912 26.3112 12.5446 26.2605 12.6432C26.2097 12.7418 26.1598 12.8306 26.1492 12.8405C26.1389 12.8504 26.0813 12.9553 26.0212 13.0736C25.9612 13.192 25.8352 13.4301 25.7414 13.6027L25.5704 13.9166H27.5411C28.8787 13.9166 29.5114 13.9285 29.5114 13.9538C29.5114 13.987 27.4979 16.0269 22.6198 20.9359C20.5508 23.0177 20.5532 23.0177 21.6686 20.911C21.7574 20.7433 21.9665 20.3398 22.1331 20.0143C22.4684 19.3599 22.8994 18.5273 23.117 18.1132C23.4178 17.5408 23.6444 17.0899 23.6444 17.0641C23.6444 17.0493 22.9682 17.0372 22.142 17.0372C20.8889 17.0372 20.6394 17.0289 20.6394 16.9877C20.6394 16.9457 21.3555 15.5057 23.5809 11.0727C24.0284 10.1813 24.0865 10.099 24.3182 10.0275C24.5737 9.94865 27.6084 9.94659 27.6385 10.0252Z" fill="#4474D4"/>
+</svg>
diff --git a/windows/security/book/images/device-registration.png b/windows/security/book/images/device-registration.png
new file mode 100644
index 0000000000..b6ee9cebf1
Binary files /dev/null and b/windows/security/book/images/device-registration.png differ
diff --git a/windows/security/book/images/endpoint-privilege-management.svg b/windows/security/book/images/endpoint-privilege-management.svg
new file mode 100644
index 0000000000..7efbd9c1f1
--- /dev/null
+++ b/windows/security/book/images/endpoint-privilege-management.svg
@@ -0,0 +1,46 @@
+<svg width="56" height="32" viewBox="0 0 56 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1073_1106)">
+<mask id="mask0_1073_1106" style="mask-type:luminance" maskUnits="userSpaceOnUse" x="0" y="0" width="56" height="32">
+<path d="M55.4331 0H0V32H55.4331V0Z" fill="white"/>
+</mask>
+<g mask="url(#mask0_1073_1106)">
+<path d="M11.3386 4.00317H39.361V21.3504C39.361 22.0583 39.0799 22.7371 38.5794 23.2376C38.079 23.7381 37.4002 24.0193 36.6925 24.0193H14.0074C13.2996 24.0193 12.6208 23.7381 12.1203 23.2376C11.6198 22.7371 11.3386 22.0583 11.3386 21.3504V4.00317Z" fill="url(#paint0_linear_1073_1106)"/>
+<path d="M11.3386 2.6688C11.3386 1.961 11.6198 1.28218 12.1203 0.781677C12.6208 0.281177 13.2996 0 14.0074 0H36.6925C37.4002 0 38.079 0.281177 38.5794 0.781677C39.0799 1.28218 39.361 1.961 39.361 2.6688V4.00323H11.3386V2.6688Z" fill="url(#paint1_linear_1073_1106)"/>
+<path d="M29.353 15.0112H41.3626V30.9279C41.3626 31.8567 40.2489 32.3639 39.5159 31.7695L36.0783 28.9835C35.874 28.8194 35.6197 28.73 35.3579 28.73C35.0959 28.73 34.8417 28.8194 34.6373 28.9835L31.1997 31.7695C30.4667 32.3639 29.353 31.8567 29.353 30.9279V15.0112Z" fill="url(#paint2_linear_1073_1106)"/>
+<path opacity="0.5" d="M35.3223 24.0353C40.3063 24.0353 44.3466 19.9951 44.3466 15.0112C44.3466 10.0273 40.3063 5.98706 35.3223 5.98706C30.3387 5.98706 26.2983 10.0273 26.2983 15.0112C26.2983 19.9951 30.3387 24.0353 35.3223 24.0353Z" fill="url(#paint3_radial_1073_1106)"/>
+<path opacity="0.5" d="M35.3226 23.5175C40.0206 23.5175 43.8288 19.7091 43.8288 15.0112C43.8288 10.3132 40.0206 6.50476 35.3226 6.50476C30.6247 6.50476 26.8162 10.3132 26.8162 15.0112C26.8162 19.7091 30.6247 23.5175 35.3226 23.5175Z" fill="url(#paint4_radial_1073_1106)"/>
+<path d="M35.3581 23.0176C39.7799 23.0176 43.3644 19.433 43.3644 15.0112C43.3644 10.5894 39.7799 7.00476 35.3581 7.00476C30.9361 7.00476 27.3516 10.5894 27.3516 15.0112C27.3516 19.433 30.9361 23.0176 35.3581 23.0176Z" fill="url(#paint5_linear_1073_1106)"/>
+</g>
+</g>
+<defs>
+<linearGradient id="paint0_linear_1073_1106" x1="25.3498" y1="24.0193" x2="25.3498" y2="4.00317" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0669BC"/>
+<stop offset="1" stop-color="#0078D4"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1106" x1="25.3498" y1="4.00323" x2="25.3498" y2="0" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0C59A4"/>
+<stop offset="1" stop-color="#1493DF"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1073_1106" x1="35.3579" y1="32.0257" x2="35.3579" y2="15.0112" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0078D4"/>
+<stop offset="1" stop-color="#5EA0EF"/>
+</linearGradient>
+<radialGradient id="paint3_radial_1073_1106" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(35.3223 15.013) scale(9.02415)">
+<stop/>
+<stop offset="0.859" stop-opacity="0.532"/>
+<stop offset="1" stop-opacity="0"/>
+</radialGradient>
+<radialGradient id="paint4_radial_1073_1106" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(19.3452 15.0129) scale(8.50641)">
+<stop/>
+<stop offset="0.859" stop-opacity="0.532"/>
+<stop offset="1" stop-opacity="0"/>
+</radialGradient>
+<linearGradient id="paint5_linear_1073_1106" x1="35.3581" y1="23.0586" x2="35.3581" y2="6.48167" gradientUnits="userSpaceOnUse">
+<stop stop-color="#32BEDD"/>
+<stop offset="1" stop-color="#50E6FF"/>
+</linearGradient>
+<clipPath id="clip0_1073_1106">
+<rect width="55.4331" height="32" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/book/images/hardware-on.png b/windows/security/book/images/hardware-on.png
index 89bc3c7a69..79dbe2aee5 100644
Binary files a/windows/security/book/images/hardware-on.png and b/windows/security/book/images/hardware-on.png differ
diff --git a/windows/security/book/images/hardware-security-cover.png b/windows/security/book/images/hardware-security-cover.png
index 5328456231..da283d2f4f 100644
Binary files a/windows/security/book/images/hardware-security-cover.png and b/windows/security/book/images/hardware-security-cover.png differ
diff --git a/windows/security/book/images/hardware.png b/windows/security/book/images/hardware.png
index 9f526775df..a16761650c 100644
Binary files a/windows/security/book/images/hardware.png and b/windows/security/book/images/hardware.png differ
diff --git a/windows/security/book/images/identity-protection-cover.png b/windows/security/book/images/identity-protection-cover.png
index 6fe6084305..12dd9d85bd 100644
Binary files a/windows/security/book/images/identity-protection-cover.png and b/windows/security/book/images/identity-protection-cover.png differ
diff --git a/windows/security/book/images/identity-protection-on.png b/windows/security/book/images/identity-protection-on.png
index c099ebb82f..5c8f53c733 100644
Binary files a/windows/security/book/images/identity-protection-on.png and b/windows/security/book/images/identity-protection-on.png differ
diff --git a/windows/security/book/images/identity-protection.png b/windows/security/book/images/identity-protection.png
index 300e3d89ef..08f3192393 100644
Binary files a/windows/security/book/images/identity-protection.png and b/windows/security/book/images/identity-protection.png differ
diff --git a/windows/security/book/images/information.svg b/windows/security/book/images/information.svg
new file mode 100644
index 0000000000..570c319c9a
--- /dev/null
+++ b/windows/security/book/images/information.svg
@@ -0,0 +1,12 @@
+<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_789_95)">
+<rect x="0.875" y="0.875" width="12.25" height="12.25" rx="4" fill="#00A6ED"/>
+<path d="M6.99996 4.36241C7.47793 4.36241 7.8654 3.97494 7.8654 3.49697C7.8654 3.019 7.47793 2.63153 6.99996 2.63153C6.52199 2.63153 6.13452 3.019 6.13452 3.49697C6.13452 3.97494 6.52199 4.36241 6.99996 4.36241Z" fill="white"/>
+<path d="M7.70444 6.00159C7.70444 5.57875 7.36166 5.23597 6.93881 5.23597C6.51597 5.23597 6.17319 5.57875 6.17319 6.00159L6.17319 10.635C6.17319 11.0578 6.51597 11.4006 6.93881 11.4006C7.36166 11.4006 7.70444 11.0578 7.70444 10.635L7.70444 6.00159Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_789_95">
+<rect width="14" height="14" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/book/images/kiosk.png b/windows/security/book/images/kiosk.png
new file mode 100644
index 0000000000..01a7daaee9
Binary files /dev/null and b/windows/security/book/images/kiosk.png differ
diff --git a/windows/security/book/images/learn-more.svg b/windows/security/book/images/learn-more.svg
deleted file mode 100644
index 947593db41..0000000000
--- a/windows/security/book/images/learn-more.svg
+++ /dev/null
@@ -1,3 +0,0 @@
-<svg width="22" height="18" viewBox="0 0 22 18" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M0 2.25C0 1.00736 1.00736 0 2.25 0H12.6C13.8426 0 14.85 1.00736 14.85 2.25V15.075C14.85 15.4478 14.5478 15.75 14.175 15.75H1.35C1.35 16.2471 1.75295 16.65 2.25 16.65H14.175C14.5478 16.65 14.85 16.9522 14.85 17.325C14.85 17.6978 14.5478 18 14.175 18H2.25C1.00736 18 0 16.9926 0 15.75V2.25ZM7.425 5.4C7.92207 5.4 8.325 4.99705 8.325 4.5C8.325 4.00295 7.92207 3.6 7.425 3.6C6.92793 3.6 6.525 4.00295 6.525 4.5C6.525 4.99705 6.92793 5.4 7.425 5.4ZM6.75 6.975V11.475C6.75 11.8478 7.05222 12.15 7.425 12.15C7.79778 12.15 8.1 11.8478 8.1 11.475V6.975C8.1 6.60221 7.79778 6.3 7.425 6.3C7.05222 6.3 6.75 6.60221 6.75 6.975Z" fill="#0883D9"/>
-</svg>
diff --git a/windows/security/book/images/microsoft-cloud-pki.svg b/windows/security/book/images/microsoft-cloud-pki.svg
new file mode 100644
index 0000000000..e3e369770f
--- /dev/null
+++ b/windows/security/book/images/microsoft-cloud-pki.svg
@@ -0,0 +1,19 @@
+<svg width="40" height="32" viewBox="0 0 40 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path fill-rule="evenodd" clip-rule="evenodd" d="M11.6613 10.951C11.8382 8.97945 12.7464 7.14542 14.2073 5.8097C15.6682 4.47399 17.576 3.73328 19.5555 3.73328C21.5351 3.73328 23.4428 4.47399 24.9038 5.8097C26.3648 7.14542 27.2729 8.97945 27.4498 10.951C28.91 11.1247 30.2485 11.8498 31.1916 12.978C32.1347 14.1062 32.611 15.5522 32.523 17.02C32.435 18.4878 31.7893 19.8666 30.7182 20.8739C29.6471 21.8814 28.2314 22.4414 26.7609 22.4394H12.3501C10.8797 22.4414 9.46401 21.8814 8.39288 20.8739C7.32174 19.8666 6.6761 18.4878 6.5881 17.02C6.50008 15.5522 6.97635 14.1062 7.91944 12.978C8.86252 11.8498 10.2011 11.1247 11.6613 10.951Z" fill="url(#paint0_linear_1073_1130)"/>
+<path fill-rule="evenodd" clip-rule="evenodd" d="M32.5253 16.6751C32.5253 18.204 31.9181 19.6701 30.837 20.7512C29.7559 21.8321 28.2898 22.4395 26.7609 22.4395H24.3111C24.2544 22.4395 24.1981 22.4507 24.1456 22.4724C24.0932 22.4941 24.0455 22.5259 24.0053 22.5661C23.9653 22.6063 23.9333 22.6539 23.9117 22.7064C23.89 22.7588 23.8788 22.815 23.8788 22.8717V23.4482C23.8788 23.5629 23.8333 23.6728 23.7522 23.7538C23.6711 23.8349 23.5611 23.8806 23.4464 23.8806H22.8701C22.8133 23.8806 22.757 23.8918 22.7045 23.9135C22.6521 23.9352 22.6045 23.967 22.5643 24.0072C22.5243 24.0473 22.4923 24.095 22.4706 24.1474C22.4489 24.1999 22.4377 24.2561 22.4377 24.3129V24.8893C22.4377 25.004 22.3922 25.1138 22.3111 25.1951C22.2301 25.2761 22.12 25.3217 22.0053 25.3217H21.429C21.3143 25.3217 21.2043 25.3672 21.1232 25.4482C21.0421 25.5293 20.9966 25.6393 20.9966 25.754V26.3304C20.9966 26.445 20.9511 26.5551 20.8701 26.6361C20.789 26.7172 20.6789 26.7627 20.5643 26.7627H19.9879C19.8733 26.7627 19.7632 26.8082 19.6821 26.8893C19.6011 26.9704 19.5556 27.0804 19.5556 27.1951V27.7714C19.5556 27.8861 19.5101 27.9961 19.429 28.0772C19.3479 28.1583 19.2379 28.2038 19.1232 28.2038H15.6646C15.55 28.2038 15.44 28.1583 15.3589 28.0772C15.2778 27.9961 15.2323 27.8861 15.2323 27.7714V24.0593C15.2324 23.9446 15.278 23.8347 15.3591 23.7537L21.1408 17.9721C20.9605 17.1817 20.9492 16.3622 21.1074 15.5671C21.2654 14.772 21.5895 14.0191 22.0583 13.3578C22.5271 12.6964 23.1301 12.1414 23.8281 11.7289C24.5261 11.3164 25.3031 11.0558 26.1085 10.9641C26.914 10.8723 27.7298 10.9514 28.5026 11.1964C29.2754 11.4413 29.9877 11.8465 30.5933 12.3854C31.1989 12.9244 31.6839 13.585 32.0169 14.3242C32.3497 15.0634 32.523 15.8644 32.5253 16.6751ZM28.6487 16.2774C29.0309 16.2774 29.3975 16.1255 29.6677 15.8553C29.938 15.585 30.0898 15.2185 30.0898 14.8363C30.0898 14.4541 29.938 14.0876 29.6677 13.8173C29.3975 13.547 29.0309 13.3952 28.6487 13.3952C28.2665 13.3952 27.9001 13.547 27.6297 13.8173C27.3595 14.0876 27.2077 14.4541 27.2077 14.8363C27.2077 15.2185 27.3595 15.585 27.6297 15.8553C27.9001 16.1255 28.2665 16.2774 28.6487 16.2774Z" fill="url(#paint1_radial_1073_1130)"/>
+<defs>
+<linearGradient id="paint0_linear_1073_1130" x1="19.5555" y1="22.435" x2="19.5555" y2="3.74129" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0078D4"/>
+<stop offset="0.156" stop-color="#1380DA"/>
+<stop offset="0.528" stop-color="#3C91E5"/>
+<stop offset="0.822" stop-color="#559CEC"/>
+<stop offset="1" stop-color="#5EA0EF"/>
+</linearGradient>
+<radialGradient id="paint1_radial_1073_1130" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(22.4075 19.2072) rotate(121.131) scale(13.8778 9.46286)">
+<stop offset="0.266" stop-color="#FFD70F"/>
+<stop offset="0.487" stop-color="#FFCB12"/>
+<stop offset="0.884" stop-color="#FEAC19"/>
+<stop offset="1" stop-color="#FEA11B"/>
+</radialGradient>
+</defs>
+</svg>
diff --git a/windows/security/book/images/microsoft-entra-id.svg b/windows/security/book/images/microsoft-entra-id.svg
new file mode 100644
index 0000000000..7a9eff4282
--- /dev/null
+++ b/windows/security/book/images/microsoft-entra-id.svg
@@ -0,0 +1,8 @@
+<svg width="53" height="32" viewBox="0 0 53 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M15.5281 26.0077C16.3103 26.4912 17.6105 27.0288 18.9854 27.0288C20.2372 27.0288 21.4004 26.669 22.364 26.0558C22.364 26.0558 22.3661 26.0558 22.3681 26.0537L26.0067 23.7999V31.9379C25.4302 31.9379 24.8497 31.7819 24.3458 31.4702L15.5281 26.0077Z" fill="#225086"/>
+<path d="M23.7177 1.00992L8.76318 17.8619C7.60869 19.1647 7.90977 21.1327 9.40723 22.0669C9.40723 22.0669 14.9424 25.523 15.6403 25.9593C16.414 26.4412 17.7001 26.9772 19.06 26.9772C20.2982 26.9772 21.4487 26.6185 22.4018 26.007C22.4018 26.007 22.4038 26.007 22.4058 26.0051L26.0049 23.7582L17.3033 18.3241L26.0068 8.51563V0C25.1615 0 24.316 0.336642 23.7177 1.00992Z" fill="#66DDFF"/>
+<path d="M17.2561 18.3555L17.3604 18.4193L26.005 23.8002H26.0068V8.52995L26.005 8.52795L17.2561 18.3555Z" fill="#CBF8FF"/>
+<path d="M42.6063 22.1159C44.1041 21.1798 44.4052 19.2079 43.2506 17.9026L33.436 6.82337C32.6443 6.45413 31.7566 6.24255 30.8175 6.24255C28.9726 6.24255 27.3231 7.03893 26.2263 8.29034L26.009 8.53584L34.7125 18.3636L26.0068 23.8084V31.9376C26.5793 31.9376 27.1496 31.7821 27.6483 31.4707L42.6063 22.1139V22.1159Z" fill="#074793"/>
+<path d="M26.009 0V8.52788L26.2292 8.28252C27.3402 7.03177 29.0108 6.23583 30.8791 6.23583C31.8327 6.23583 32.7297 6.44928 33.5316 6.81633L28.322 1.01337C27.7178 0.339122 26.8614 0.00199492 26.0068 0.00199492L26.009 0Z" fill="#0294E4"/>
+<path d="M34.7578 18.356L26.0068 8.52795V23.8002L34.7578 18.356Z" fill="#96BCC2"/>
+</svg>
diff --git a/windows/security/book/images/microsoft-entra-internet-access.svg b/windows/security/book/images/microsoft-entra-internet-access.svg
new file mode 100644
index 0000000000..f4a72a686f
--- /dev/null
+++ b/windows/security/book/images/microsoft-entra-internet-access.svg
@@ -0,0 +1,28 @@
+<svg width="50" height="32" viewBox="0 0 50 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1073_1077)">
+<path d="M0.680908 16.9677V16.2229L24.0141 3.15051L49.2215 16.2229V16.9677L25.1434 31.0252L0.680908 16.9677Z" fill="#50E6FF"/>
+<path d="M25.0233 30.2323L49.2215 16.2707L24.0141 3.15051L0.7771 16.1266L25.0233 30.2323Z" fill="#45CAF2"/>
+<path d="M34.2509 22.1342H34.2268C35.5243 20.2599 36.7498 18.3855 38.0957 16.583L39.225 17.5444H39.249V17.5685L41.4598 19.4428C39.7778 19.2506 38.1197 19.1544 36.4376 18.9381L36.2694 19.1544C38.0235 19.3947 39.7057 19.4669 41.4598 19.6832C40.9425 20.2415 40.4986 20.8632 40.1382 21.5335L40.7871 21.1488C41.1028 20.6574 41.4561 20.1914 41.8444 19.7551L42.373 20.2118L42.6615 20.0436L42.0605 19.5148C42.6222 18.9522 43.2159 18.4227 43.8389 17.9289C44.0792 17.7609 44.2714 17.4963 44.1993 17.2321C43.6945 16.1269 42.3249 15.646 41.0753 14.853C40.6668 14.6367 40.2583 14.3966 39.8979 14.1803C40.1382 13.8678 40.3545 13.5796 40.5948 13.2671C41.8204 13.5074 43.3582 13.7478 44.6799 13.8919L44.0792 13.5796C42.9687 13.4362 41.863 13.2598 40.763 13.0508C40.9793 12.7626 41.1956 12.4741 41.4359 12.1857L41.1234 12.0177C40.6427 12.6182 40.0901 13.3633 39.6094 13.9879C38.7686 13.4593 38.1438 13.0267 37.9034 12.4741C37.9034 12.0656 37.9034 11.6571 37.9275 11.2486C38.2879 11.1283 38.6242 11.0082 38.9608 10.8882L38.6242 10.7198C38.3884 10.7892 38.156 10.8695 37.9275 10.9604V10.3594L37.4949 10.1431C37.519 10.4797 37.519 10.7922 37.519 11.1283C37.0624 11.2967 36.5817 11.513 36.1253 11.7052C34.9957 11.237 33.8962 10.6993 32.8331 10.0952H32.785C33.6261 9.73459 34.4912 9.37419 35.3802 9.06191L35.0679 8.89351C34.2035 9.21923 33.346 9.56374 32.4966 9.92682V9.90299C32.1843 9.73459 31.8958 9.54236 31.6076 9.37419C32.384 8.92917 33.2165 8.58976 34.0827 8.36495L33.7462 8.19678C32.891 8.43203 32.0679 8.77096 31.2951 9.20602V9.18197C30.6944 8.82157 30.0696 8.41306 29.4929 8.05266L26.7534 8.58123L25.1915 10.7679L26.9218 11.3927H26.9456C26.8977 13.2911 26.9456 15.2134 26.6333 17.0878C25.2396 16.7996 24.783 16.7033 24.3745 16.6073L24.3023 16.7033C23.4719 17.7007 22.4401 18.5115 21.2746 19.0824C20.7941 19.3226 20.6257 19.3947 20.3375 19.5148C19.4964 17.8807 17.5739 16.5592 16.2524 15.3818C18.3909 14.5648 18.7995 13.7956 19.4243 11.6571C20.6019 8.58123 23.0048 6.03394 25.7922 4.06356L25.4799 3.89539C22.6923 5.84171 20.3134 8.34089 19.0879 11.3689C17.9622 11.3754 16.8528 11.6383 15.8439 12.1378C16.8531 10.5516 17.2616 8.6534 17.4779 6.75496L17.0454 6.9953C16.7329 9.51831 16.0361 11.9694 14.1377 13.6518C14.1377 13.6518 11.8069 11.6569 11.7828 11.6569L10.5814 10.6478L10.2929 10.816L11.158 11.5609C11.2783 11.9934 11.1821 13.8919 10.7014 14.1803L7.26516 12.5222L6.3038 13.051L5.19855 14.4685L4.23742 14.2282L3.92491 14.3966L5.03016 14.6848L3.75674 16.2948C2.87199 16.2031 1.99043 16.0829 1.11344 15.9344L0.7771 16.1266C1.8104 16.3189 2.8916 16.4149 3.97302 16.5592C4.06902 16.4389 5.27072 14.9252 5.41484 14.757L7.6015 15.3335C7.57745 15.7903 7.55339 16.6073 7.52956 17.0637C7.55339 17.1118 7.57745 17.16 7.67367 17.3281C6.56843 17.5925 5.46295 17.8807 4.38153 18.2173L4.69382 18.3855C5.71693 18.0686 6.75096 17.7881 7.79396 17.5444C8.39447 18.6258 9.428 19.9714 10.5332 20.5962C10.77 21.1777 11.0511 21.7401 11.3743 22.2784L12.0232 22.6628C11.6147 21.942 11.158 21.2451 10.8936 20.4762C10.413 19.5148 11.1819 18.6978 11.9989 18.1211L13.9454 18.3133C12.2154 19.2506 12.864 19.7792 13.2725 21.2932C13.4648 22.0621 13.6332 23.0472 13.7292 23.648L14.1858 23.9124C14.1136 23.4076 13.9454 22.3505 13.8013 21.7257C14.6184 22.0621 15.5073 22.3265 16.1562 22.855C16.2765 23.4798 15.8439 24.1287 15.5554 24.7053L15.8679 24.8976C16.2283 24.2247 16.7329 23.5039 16.5406 22.7829C15.7717 22.1102 14.7144 21.8458 13.7292 21.4373C13.2485 19.491 12.5758 19.2747 14.5943 18.3133C14.6184 18.2895 14.6424 18.2654 14.6424 18.2414L16.0602 15.6941C17.4539 16.8956 19.3042 18.2173 20.1453 19.9714C21.659 19.2987 23.5815 18.1933 24.5667 16.9196C25.4799 17.1118 27.5944 17.5685 28.844 17.8088C29.1806 20.8125 22.8367 20.0676 23.99 22.3024C23.3893 22.3024 23.0048 22.3265 22.5242 22.3265L22.4761 22.5668C23.2452 24.0324 23.966 25.5224 24.5667 26.9882C24.9752 27.8774 25.1193 28.6704 24.5908 29.5115C24.4707 29.6075 24.3264 29.6796 24.2063 29.7756L24.687 30.0641C24.7834 29.9336 24.8717 29.797 24.9512 29.6556C28.3636 27.3005 28.3636 24.465 24.7108 22.5428C25.8403 22.5187 26.9697 22.4946 28.1473 22.4706C28.6277 23.576 29.541 25.6665 30.0215 26.796C29.6611 27.1805 29.3247 27.589 28.9643 27.9734C29.2044 27.8293 30.0455 27.3968 30.1898 27.1324L30.2377 27.2286L30.5743 27.0364C29.9976 25.7387 29.1565 23.7442 28.5796 22.4465C31.7036 22.3984 35.5243 22.2784 38.4561 22.4946L38.8165 22.2784C37.9034 22.1821 36.4135 22.1342 34.2509 22.1342ZM15.2431 12.8345C15.2561 13.083 15.2481 13.3322 15.2191 13.5794C15.181 13.8548 15.0999 14.1225 14.9788 14.3728L14.378 13.772L15.2431 12.8345ZM10.7736 14.4685C11.5425 14.1322 11.6866 12.7864 11.6147 11.8972L13.8971 13.844L13.873 13.868C12.2152 15.2617 10.1245 16.0309 7.93762 16.271L7.98573 15.3099C8.49047 15.1896 10.2205 14.7332 10.7734 14.4688L10.7736 14.4685ZM5.55895 14.5407L7.02482 12.6904L10.437 14.3244C9.93251 14.5407 8.44258 14.9492 7.79373 15.1174L5.55895 14.5407ZM11.9991 17.6647C11.254 18.3133 10.0526 19.0103 10.3651 20.1396C9.32991 19.2896 8.49333 18.2234 7.91401 17.0158L7.93807 16.5111C10.1969 16.2708 12.4076 15.4778 14.1377 14.06L14.7865 14.6129C14.258 15.9344 13.0803 16.7755 11.9991 17.6647ZM15.6035 15.6221L14.2339 18.0732L12.2395 17.8807C13.3207 16.9677 14.4742 16.1266 15.0988 14.8771C15.1229 14.8771 15.6998 15.3818 15.6998 15.3818L15.6035 15.6221ZM15.988 15.2136C15.988 15.2136 15.2672 14.5888 15.2431 14.5888C15.4599 13.9976 15.542 13.3655 15.4835 12.7385C15.7958 12.3538 18.0065 11.537 19.0157 11.6333C18.5353 13.3633 18.0065 14.565 15.988 15.2136ZM37.4468 16.8477C36.9718 17.5108 36.4993 18.1756 36.0291 18.8421C35.6687 18.794 35.2601 18.7218 34.8757 18.6739C34.8035 17.977 33.9143 16.7274 33.602 16.0785H33.578V16.0545C32.785 14.757 32.2803 13.7718 34.0106 12.9788C35.2601 14.1082 36.5576 15.2134 37.8553 16.3189C37.7101 16.4879 37.5737 16.6644 37.4468 16.8477ZM39.7057 14.4204C41.0512 15.2856 42.9978 15.9825 43.7667 17.2081C43.8032 17.3108 43.8014 17.4232 43.7617 17.5248C43.722 17.6263 43.6469 17.71 43.5504 17.7607C42.9293 18.2389 42.343 18.7608 41.7963 19.3226L39.8257 17.6166L39.7538 17.5925H39.7778L38.2879 16.2948C38.7686 15.67 39.225 15.0452 39.7057 14.4204ZM36.1012 11.9934C36.5576 11.8012 37.0142 11.5849 37.4709 11.417C37.2546 13.051 38.0475 13.3152 39.3934 14.2765C39.3934 14.2765 38.4561 15.5021 37.9994 16.1026C36.7498 15.0452 35.5005 13.964 34.275 12.8586C34.8757 12.5463 35.4524 12.2819 36.1012 11.9934ZM32.2562 10.3594C32.3093 10.2875 32.3858 10.2365 32.4725 10.2153V10.2393C33.5276 10.8431 34.619 11.3808 35.7406 11.8493C35.1399 12.1137 34.6113 12.3781 34.0587 12.6423C33.3136 11.8734 32.3765 11.2486 32.2562 10.3594ZM31.3192 9.54236C31.6076 9.71076 31.8718 9.87893 32.1602 10.0471H32.1843C31.0548 10.5276 33.1935 12.1857 33.7702 12.7864C33.4747 12.9374 33.1933 13.1144 32.9291 13.3152L29.3247 11.9934C29.9255 11.1045 30.4061 10.2153 31.3192 9.54236ZM26.9218 11.1523L25.6722 10.6719L27.0418 8.77346L29.3488 8.31683C29.5891 8.46117 29.8533 8.62934 30.1177 8.79751C28.9881 9.37419 27.0899 9.71053 26.9218 11.1523ZM26.9696 17.184C27.3303 15.2375 27.2581 13.243 27.3062 11.2726C27.3782 9.83082 29.2766 9.54236 30.3821 8.98974C30.5984 9.11002 30.7906 9.25414 31.0069 9.37419H31.0307C30.0696 10.0471 29.5891 10.9601 28.9643 11.8734C27.8588 13.6277 28.3636 15.574 28.82 17.5685C28.1473 17.4244 27.5225 17.3041 26.9696 17.184ZM28.6999 14.5888C28.6575 13.773 28.8316 12.9606 29.2044 12.2338L32.7369 13.5315C32.0402 14.3004 32.7129 15.3096 33.1454 16.0066H33.1214C33.4098 16.6073 34.3469 17.9529 34.4431 18.6018C32.785 18.2895 30.9106 18.0251 29.2525 17.6166C29.0603 16.6314 28.6759 15.4297 28.6999 14.5888ZM24.9512 23.0232C27.7388 24.441 27.7388 27.1805 25.2396 29.0549C25.8163 27.6611 23.5334 24.0565 22.8845 22.5668C23.2452 22.5668 23.7016 22.5668 24.2304 22.5428C24.4226 22.6869 24.687 22.855 24.9512 23.0232ZM28.4836 22.2062C27.4022 22.2303 25.2637 22.2784 24.4466 22.3024C22.9808 20.428 29.4448 20.9566 29.2285 17.9048C32.2083 18.4817 33.6261 18.7459 35.8609 19.0824C35.1639 20.1158 34.4912 21.125 33.7702 22.1342C32.064 22.1342 30.2137 22.1583 28.4836 22.2062Z" fill="#84ECFD"/>
+<path d="M25.2636 8.55718C26.5182 7.50425 27.9183 6.63818 29.4207 5.98584L27.4743 4.95276C25.1433 6.20235 22.356 7.86045 21.6109 10.5757C21.5752 10.7421 21.5512 10.9107 21.5389 11.0804C21.5149 12.3779 21.9234 13.6994 21.6109 15.0214C21.1304 17.5444 18.3428 18.3855 16.1802 19.0584C15.7484 19.17 15.3465 19.3751 15.0028 19.6591C13.2005 21.9899 25.3837 24.2247 20.8179 27.7812L21.2264 28.0216C25.7681 24.6573 17.5498 22.4706 16.0601 20.2358C16.0842 19.9474 16.4927 19.8754 16.7328 19.7792C21.2505 18.674 24.2782 16.7993 23.5815 11.6812C23.5574 10.4316 24.3744 9.35038 25.2636 8.55718Z" fill="#50E6FF"/>
+<path d="M7.4849 8.06128C7.1544 7.84284 6.7553 7.75306 6.36309 7.80891C6.26986 7.82802 6.17985 7.86036 6.09574 7.90491C5.71968 8.10531 5.48706 8.55399 5.48706 9.20261C5.48706 11.5788 7.47174 12.8747 7.48717 15.3784C7.49171 14.6737 7.65239 14.2489 7.88502 13.9454C8.4676 13.1847 9.48729 13.2149 9.48729 11.5125C9.48275 10.2416 8.58924 8.6981 7.4849 8.06128ZM8.42629 11.4201C8.2697 11.7506 7.90658 11.8355 7.48286 11.5919C7.18517 11.3986 6.9373 11.1377 6.75934 10.8306C6.58137 10.5234 6.47836 10.1787 6.45864 9.82423C6.45864 9.33969 6.71532 9.07007 7.08048 9.10344C7.22278 9.12023 7.35986 9.16698 7.48286 9.24029C7.78051 9.43367 8.02834 9.69453 8.20627 10.0017C8.38417 10.3088 8.48716 10.6536 8.50686 11.008C8.51142 11.1497 8.48387 11.2906 8.42629 11.4201Z" fill="#2195DC"/>
+<path d="M7.48492 9.23958C7.34898 9.15715 7.19701 9.10468 7.03919 9.08571C6.63272 9.05121 6.3479 9.34897 6.3479 9.8882C6.36971 10.282 6.4843 10.6651 6.68229 11.0063C6.88026 11.3474 7.15605 11.637 7.48719 11.8513C7.95902 12.1232 8.36322 12.0274 8.53525 11.6591C8.599 11.5148 8.63016 11.3583 8.62648 11.2007C8.60249 10.8074 8.48677 10.4252 8.28853 10.0847C8.09029 9.74418 7.81507 9.45459 7.48492 9.23958Z" fill="#2195DC"/>
+<path d="M8.02417 7.74992C7.46746 7.42833 6.96522 7.40019 6.60437 7.6108L6.59234 7.61988L6.09668 7.90833C6.18079 7.86378 6.27082 7.83146 6.36403 7.81233C6.75622 7.75736 7.15502 7.8469 7.48607 8.06425C8.59132 8.7013 9.48618 10.2473 9.48618 11.5148C9.48618 13.2169 8.46649 13.1865 7.88391 13.9477C7.59373 14.3668 7.45355 14.8715 7.48607 15.3802L8.02394 15.0693C8.03733 12.5821 10.0243 13.5796 10.0243 11.2039C10.0243 9.93069 9.12874 8.38697 8.02417 7.74992Z" fill="#0078D4"/>
+<path d="M8.42189 12.092L7.9437 11.8158L7.80458 11.2375L7.11102 10.8374L6.97394 11.255L6.4978 10.9808L7.20657 9.15454L7.72629 9.4548L8.42189 12.092ZM7.70472 10.7943L7.49593 9.92209C7.47798 9.85008 7.46695 9.77652 7.46302 9.7024L7.45236 9.69604C7.44782 9.75596 7.43624 9.81519 7.41741 9.87216L7.20453 10.5069L7.70472 10.7943Z" fill="white"/>
+<path d="M39.4437 7.10176C39.1133 6.88355 38.7143 6.79395 38.3224 6.84985C38.2291 6.86893 38.1392 6.90125 38.0552 6.94585C37.6794 7.14556 37.4468 7.59447 37.4468 8.24332C37.4468 10.6184 39.4308 11.9131 39.4458 14.4141C39.4501 13.7101 39.611 13.2846 39.8436 12.9823C40.4257 12.222 41.445 12.2524 41.445 10.551C41.4427 9.28094 40.5467 7.73836 39.4437 7.10176ZM40.3867 10.4556C40.2301 10.7858 39.8674 10.8705 39.4437 10.6272C39.1462 10.4339 38.8986 10.1733 38.7207 9.86631C38.5427 9.55938 38.4399 9.21483 38.4202 8.86063C38.4202 8.37609 38.6766 8.1067 39.0416 8.13983C39.1839 8.15656 39.3209 8.2032 39.4437 8.27668C39.7412 8.46995 39.9888 8.73065 40.1665 9.0376C40.3445 9.34453 40.4473 9.68909 40.467 10.0433C40.472 10.185 40.4446 10.3261 40.3867 10.4556Z" fill="#2195DC"/>
+<path d="M39.4437 8.27937C39.308 8.19676 39.1559 8.14413 38.9982 8.12505C38.5917 8.09032 38.3074 8.38808 38.3074 8.92709C38.3292 9.32069 38.4435 9.70358 38.6414 10.0445C38.8391 10.3855 39.1149 10.6749 39.4458 10.8891C39.9174 11.1605 40.3216 11.065 40.4931 10.6968C40.5569 10.5526 40.588 10.3961 40.5844 10.2384C40.5612 9.84529 40.4459 9.46312 40.2478 9.12281C40.0497 8.7825 39.7742 8.49357 39.4437 8.27937Z" fill="#2195DC"/>
+<path d="M39.9845 6.78879C39.4282 6.46743 38.9271 6.43906 38.5667 6.64967L38.5538 6.65829L38.0583 6.94516C38.1423 6.90068 38.2322 6.86822 38.3255 6.84916C38.7174 6.79433 39.1159 6.88386 39.4466 7.10107C40.5505 7.73767 41.4458 9.28275 41.4458 10.5496C41.4458 12.2508 40.4266 12.2204 39.8444 12.9809C39.5542 13.3998 39.4141 13.9044 39.4466 14.413L39.9854 14.102C39.9988 11.6163 41.9846 12.6137 41.9846 10.2389C41.9814 8.97024 41.0884 7.42539 39.9845 6.78879Z" fill="#0078D4"/>
+<path d="M40.3105 10.4783C40.3105 10.6821 40.2476 10.8063 40.1194 10.8539C40.0284 10.8722 39.9346 10.8708 39.8443 10.8498C39.754 10.8287 39.6693 10.7886 39.5958 10.7321L38.8462 10.2997V8.06494L39.5545 8.47345C39.749 8.57969 39.9192 8.72539 40.0542 8.90125C40.1643 9.04015 40.2261 9.21081 40.2301 9.38784C40.2344 9.43545 40.2272 9.4834 40.209 9.52766C40.1909 9.57189 40.1625 9.61111 40.126 9.64202C40.0858 9.66873 40.04 9.68564 39.9918 9.69136C39.944 9.69706 39.8954 9.69145 39.85 9.67493V9.68128C39.9855 9.77742 40.0981 9.90208 40.1802 10.0464C40.2628 10.1755 40.3078 10.3252 40.3105 10.4783ZM39.7717 9.21558C39.7717 9.05059 39.6653 8.90693 39.4501 8.78301L39.2851 8.68701V9.21717L39.4773 9.32792C39.5073 9.35077 39.5418 9.36689 39.5786 9.37519C39.6153 9.3835 39.6535 9.38377 39.6902 9.37603C39.7458 9.35901 39.7717 9.30477 39.7717 9.21558ZM39.8498 10.2042C39.8489 10.1106 39.8194 10.0196 39.7649 9.94341C39.7032 9.85538 39.6221 9.78257 39.5279 9.73053L39.2878 9.59141V10.1803L39.5245 10.3174C39.5581 10.3424 39.5965 10.3602 39.6373 10.3699C39.678 10.3796 39.7202 10.381 39.7615 10.3739C39.8196 10.3562 39.8498 10.2999 39.8498 10.2042Z" fill="white"/>
+<path d="M17.0959 3.7991L18.5364 2.9621C19.2334 2.55813 20.1632 2.53385 21.2135 2.95144L19.7735 3.78843C18.7227 3.36948 17.7918 3.39376 17.0959 3.7991ZM30.8723 10.1333C30.8532 7.15637 28.6665 3.49861 25.9588 1.93537C24.541 1.11722 23.2513 1.03143 22.3417 1.56L20.9015 2.39677C21.8106 1.86797 23.101 1.95421 24.5181 2.7726C27.2259 4.3347 29.413 7.99337 29.4318 10.9705L29.4223 10.9757C31.3057 12.4262 32.7328 15.0411 32.7269 17.1942C32.7235 18.3493 32.308 19.1618 31.6321 19.5547L33.0825 18.7118C33.7586 18.3192 34.1742 17.5062 34.1773 16.3513C34.1823 14.1986 32.7555 11.5835 30.8723 10.1333Z" fill="#156AB3"/>
+<path d="M29.4857 10.9663C29.468 7.97686 27.2713 4.30185 24.5516 2.73181C22.3508 1.46135 20.4544 1.94975 19.8065 3.75854C17.5388 2.85686 15.8271 4.00591 15.8198 6.58679C15.8117 9.4559 17.9432 13.0147 20.5817 14.5378C20.7229 14.6195 20.8618 14.6937 21.0009 14.7588L28.7386 19.2259C28.8017 19.2629 28.8697 19.2908 28.9405 19.3092C31.0709 20.4367 32.7742 19.5053 32.781 17.1663C32.7851 15.0194 31.3635 12.4124 29.4857 10.9663Z" fill="url(#paint0_linear_1073_1077)"/>
+<path d="M27.2507 10.2729C27.4697 10.9172 27.5857 11.592 27.5946 12.2724C27.5946 14.5021 26.143 15.4633 24.2711 14.6177C24.1399 14.5613 24.0124 14.497 23.8889 14.4252C23.7339 14.3449 23.5923 14.2411 23.4688 14.1177H23.4307C21.5588 12.7719 20.1453 10.1574 20.1453 7.96597C20.1311 7.39154 20.2625 6.82282 20.5273 6.31286C21.062 5.39008 22.0937 5.08234 23.2777 5.54373C23.3492 5.54509 23.4175 5.57233 23.47 5.62089C23.5848 5.6976 23.7375 5.77454 23.8521 5.85147C23.9579 5.93 24.0734 5.99445 24.1957 6.0437C24.2722 6.08228 24.3104 6.12064 24.388 6.15899C25.7047 7.1827 26.6879 8.57442 27.2126 10.1576L27.2507 10.1962V10.2729ZM23.698 11.3879V8.54288L22.0937 7.6201C21.9964 8.0752 21.9452 8.53893 21.9407 9.00427C21.9553 9.50901 22.0197 10.0112 22.133 10.5035L23.698 11.3879ZM24.08 8.73488V11.5802L25.5697 12.426C25.6925 12.0141 25.7572 11.587 25.7622 11.1573C25.7699 10.6278 25.7186 10.0991 25.6092 9.58095L24.08 8.73488ZM24.8441 14.4252C25.2138 14.5278 25.6069 14.5085 25.9648 14.3699C26.3227 14.2314 26.6264 13.9811 26.8306 13.6563L25.7991 13.0413C25.621 13.5852 25.2894 14.0657 24.8441 14.4252ZM26.9827 13.3104C27.1429 12.9204 27.2208 12.5015 27.2119 12.0799C27.2165 11.5303 27.1261 10.984 26.9446 10.4651L25.9133 9.85011C26.0039 10.3709 26.0549 10.8978 26.066 11.4263C26.064 11.8564 25.9993 12.2838 25.8738 12.6952L26.9827 13.3104ZM20.4892 8.1582C20.4905 8.66657 20.5677 9.17221 20.7184 9.65766L21.7496 10.2729C21.6291 9.79571 21.5776 9.30366 21.5969 8.81181C21.5845 8.3457 21.6359 7.88007 21.7496 7.42787L20.7565 6.85096C20.5795 7.26401 20.4885 7.70881 20.4892 8.1582ZM20.8711 10.1962C21.2664 11.3305 21.9204 12.3571 22.7812 13.1949C22.3842 12.4251 22.0766 11.6124 21.8643 10.7727L20.8711 10.1962ZM23.698 13.8871V11.811L22.2464 10.9649C22.5519 12.0799 23.0104 13.1566 23.5072 13.7718C23.5834 13.8102 23.6218 13.8485 23.698 13.8871ZM23.698 8.11984V6.12041C23.5986 6.07563 23.4965 6.03714 23.3923 6.00512C23.0104 5.96654 22.5136 6.38957 22.2083 7.27377L23.698 8.11984ZM26.7925 9.92682C26.4217 8.92418 25.8493 8.00823 25.1104 7.23564C25.4453 7.92221 25.7016 8.64451 25.8743 9.38872L26.7925 9.92682ZM24.1563 14.1563C24.653 14.1177 25.1115 13.5796 25.417 12.8105L24.08 12.0415V14.1177C24.1004 14.1386 24.1274 14.1522 24.1563 14.1563ZM24.08 6.35145V8.3123L25.4934 9.15791C25.188 7.88926 24.6912 6.88955 24.3092 6.50486C24.2327 6.46651 24.1563 6.3898 24.08 6.35145ZM22.5519 5.77454C21.8643 5.73596 21.2912 5.96677 20.9474 6.50509L21.8273 7.04342C21.9694 6.57097 22.2172 6.13707 22.5519 5.77454Z" fill="#50E6FF"/>
+</g>
+<defs>
+<linearGradient id="paint0_linear_1073_1077" x1="23.3249" y1="3.8559" x2="25.0804" y2="18.3505" gradientUnits="userSpaceOnUse">
+<stop stop-color="#2195DC"/>
+<stop offset="1" stop-color="#156AB3"/>
+</linearGradient>
+<clipPath id="clip0_1073_1077">
+<rect width="49.9291" height="32" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/book/images/microsoft-entra-private-access.svg b/windows/security/book/images/microsoft-entra-private-access.svg
new file mode 100644
index 0000000000..e28e5fff69
--- /dev/null
+++ b/windows/security/book/images/microsoft-entra-private-access.svg
@@ -0,0 +1,49 @@
+<svg width="46" height="32" viewBox="0 0 46 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1073_1049)">
+<mask id="mask0_1073_1049" style="mask-type:luminance" maskUnits="userSpaceOnUse" x="0" y="0" width="46" height="32">
+<path d="M45.4194 0H0V32H45.4194V0Z" fill="white"/>
+</mask>
+<g mask="url(#mask0_1073_1049)">
+<path d="M35.3276 10.4997L37.209 9.41296L37.1583 27.4758L35.2769 28.5624L35.3276 10.4997Z" fill="#D9D9D9"/>
+<path d="M31.147 18.0385V18.8864L25.3242 15.5511V14.7033L31.147 18.0385ZM31.147 20.0755V20.9234L25.3242 17.5882V16.7403L31.147 20.0755ZM31.8252 16.4556V17.3037L25.3242 13.5162V12.6678L31.8252 16.4556Z" fill="#E2E2E2"/>
+<path d="M35.6387 10.3205L35.9533 10.1388L35.9015 28.2008L35.5879 28.3825L35.6387 10.3205Z" fill="#C8C8C8"/>
+<path d="M36.2669 9.95719L36.5808 9.77551L36.53 27.8384L36.2153 28.0201L36.2669 9.95719Z" fill="#C8C8C8"/>
+<path d="M36.8954 9.59488L37.2092 9.41321L37.1584 27.475L36.8438 27.6567L36.8954 9.59488Z" fill="#C8C8C8"/>
+<path d="M33.0426 9.91029L33.6692 9.54858L33.6603 12.6827L33.0337 13.0444L33.0426 9.91049V9.91029Z" fill="#2195DC"/>
+<path d="M30.6233 8.52049L31.2507 8.15796L33.6693 9.54862L33.0429 9.91032L30.6233 8.52049Z" fill="#32B0E7"/>
+<path d="M16.8047 12.1751L18.1858 11.3724L20.4783 12.6964L19.0977 13.4983L16.8047 12.1751Z" fill="#0078D4"/>
+<path d="M19.9048 12.6414L21.2861 11.8394L23.5792 13.1631L22.1978 13.9652L19.9048 12.6414Z" fill="#0078D4"/>
+<path d="M22.9854 20.186L24.3667 19.3835L26.6592 20.7073L25.2784 21.51L22.9854 20.186Z" fill="#0078D4"/>
+<path d="M34.3124 18.209L34.2711 29.5845C34.2711 30.4723 33.6517 30.8232 32.8878 30.369L14.1008 19.5303C13.7017 19.2661 13.3696 18.9127 13.1304 18.4981C12.8914 18.081 12.7503 17.6151 12.7175 17.1355L12.7588 5.76001L34.3124 18.209Z" fill="#FBFBFB"/>
+<path d="M33.8789 30.4516L34.7254 29.9561C34.9731 29.8116 35.1176 29.5019 35.1176 29.0684L34.2712 29.5638C34.2712 30.018 34.106 30.3071 33.8789 30.4516Z" fill="#DCDCDC"/>
+<path d="M34.3123 18.2091L34.271 29.5846L35.1174 29.0891L35.1587 17.7136L34.3123 18.2091Z" fill="#DCDCDC"/>
+<path d="M32.929 13.1922C33.3281 13.4565 33.6603 13.8099 33.8993 14.2245C34.1384 14.6416 34.2794 15.1075 34.3122 15.5871V18.2916L12.738 5.84256V3.13804C12.738 2.2503 13.3574 1.89933 14.1213 2.33288L32.929 13.1922Z" fill="#F0F0F0"/>
+<path d="M34.7665 13.7084C34.5212 13.2984 34.1903 12.9462 33.7961 12.6761L15.009 1.83744C14.6168 1.61034 14.2658 1.5897 14.0181 1.73422L13.1716 2.22969C13.4194 2.08517 13.7703 2.10582 14.1626 2.33292L32.9497 13.1716C33.3488 13.4359 33.6809 13.7893 33.92 14.2039C34.1591 14.621 34.3001 15.0869 34.3329 15.5665V18.271L35.1794 17.7755V15.071C35.1368 14.5933 34.9962 14.1294 34.7665 13.7084Z" fill="#D2D2D2"/>
+<path d="M21.6156 13.8323C21.744 13.9157 21.8503 14.0291 21.9253 14.1626C22.0008 14.2964 22.05 14.4438 22.0698 14.5962C22.0698 14.9059 21.8633 14.9884 21.6156 14.8646L16.1446 11.7059C16.0095 11.6152 15.8966 11.4953 15.8143 11.3549C15.7327 11.2175 15.6899 11.0605 15.6904 10.9007C15.6904 10.591 15.8969 10.5084 16.1446 10.653L21.6156 13.8323ZM26.0543 15.4839L26.4259 16.1446L24.1756 17.4246L23.2466 15.8142L23.6182 15.5872L24.1756 16.5575L26.0543 15.4839Z" fill="#50E6FF"/>
+<path d="M21.5949 20.1084C21.7233 20.1918 21.8296 20.3052 21.9045 20.4388C21.9801 20.5725 22.0292 20.7197 22.0491 20.8723C22.0491 21.182 21.8426 21.2646 21.5949 21.1407L16.1239 17.982C15.9888 17.8914 15.8758 17.7714 15.7936 17.631C15.712 17.4936 15.6691 17.3366 15.6697 17.1768C15.6697 16.8671 15.8761 16.7846 16.1239 16.9291L21.5949 20.1084ZM26.0336 21.8426L26.4052 22.5033L24.1549 23.7833L23.2258 22.173L23.5974 21.9459L24.1549 22.9162L26.0336 21.8426Z" fill="#32B0E7"/>
+<path d="M21.6156 16.9497C21.744 17.0331 21.8503 17.1465 21.9253 17.2801C21.9948 17.4165 22.0436 17.5627 22.0698 17.7136C22.0698 18.0233 21.8633 18.1059 21.6156 17.982L16.1446 14.8233C16.0095 14.7327 15.8966 14.6127 15.8143 14.4723C15.7327 14.3349 15.6899 14.1779 15.6904 14.0181C15.6904 13.7085 15.8969 13.6259 16.1446 13.7704L21.6156 16.9497ZM26.0543 18.5807L26.4259 19.2414L24.1756 20.5214L23.2053 18.911L23.5769 18.6839L24.155 19.6543L26.0543 18.5807Z" fill="#45CAF2"/>
+<path d="M15.9382 25.2491C15.8236 24.2519 15.4384 23.3053 14.8243 22.5113C14.2102 21.7175 13.3906 21.1068 12.4543 20.7455C11.518 20.384 10.5006 20.2857 9.51243 20.4611C8.52423 20.6365 7.60286 21.0789 6.84809 21.7404C5.83685 22.6269 5.18537 23.853 5.01687 25.1871C4.97161 25.3833 4.95768 25.5854 4.97558 25.7858C5.03751 26.5497 5.59493 27.2929 6.5859 27.8916C8.75364 29.1304 12.222 29.1304 14.3691 27.8916C15.3601 27.3136 15.8969 26.5497 15.9588 25.8065C15.9734 25.6205 15.9665 25.4334 15.9382 25.2491Z" fill="url(#paint0_linear_1073_1049)"/>
+<path d="M10.4672 19.7987C11.1217 19.8016 11.762 19.6074 12.3046 19.2413C12.8471 18.8789 13.27 18.3639 13.5199 17.7613C13.7697 17.1586 13.8354 16.4954 13.7085 15.8555C13.5833 15.2125 13.2667 14.6224 12.8001 14.1626C12.3322 13.7069 11.7455 13.3921 11.1072 13.2542C10.4695 13.1287 9.80905 13.1933 9.20782 13.44C8.60606 13.6956 8.09019 14.1183 7.72137 14.6581C7.35254 15.1994 7.15804 15.8405 7.16395 16.4955C7.16232 16.9276 7.24653 17.3556 7.41169 17.7549C7.58148 18.1557 7.8268 18.5202 8.13427 18.8284C8.43881 19.1403 8.80423 19.3863 9.20782 19.551C9.60706 19.7162 10.0351 19.8004 10.4672 19.7987Z" fill="url(#paint1_linear_1073_1049)"/>
+<path d="M36.5283 20.538C36.6109 20.4968 36.6109 20.3316 36.5283 20.1664L36.0741 19.3613C35.9915 19.2168 35.9709 19.0516 36.0535 18.969L36.5489 18.68C36.6315 18.6387 36.6315 18.4735 36.5489 18.3084L35.9089 17.1935V16.9251L34.7735 17.5858V17.8542L35.4135 18.969C35.4517 19.0187 35.4742 19.0787 35.4779 19.1413C35.4816 19.2039 35.4663 19.2662 35.4341 19.32L34.9386 19.609C34.8354 19.6709 34.8354 19.8361 34.9386 20.0013L35.4135 20.8064C35.4517 20.8562 35.4742 20.9161 35.4779 20.9788C35.4816 21.0414 35.4663 21.1035 35.4341 21.1574L34.9593 21.4464C34.856 21.5084 34.856 21.6735 34.9593 21.8387L35.4341 22.6438C35.5167 22.7884 35.5167 22.9535 35.4341 23.0155L36.5696 22.3548C36.6522 22.3135 36.6522 22.1484 36.5696 21.9832L36.0948 21.178C36.0122 21.0129 35.9915 20.8477 36.0741 20.7858L36.5283 20.538ZM38.7718 12.4904L35.7989 7.32906C35.5117 6.79786 35.092 6.34984 34.5808 6.02842C34.1473 5.76003 33.6931 5.71874 33.3628 5.90454L32.2273 6.56519C32.5576 6.37938 33.0118 6.44132 33.4454 6.68906C33.9611 7.00497 34.382 7.45436 34.6634 7.98971L37.6363 13.151C38.3176 14.3278 38.3176 15.5871 37.6363 15.9794L38.7718 15.3187C39.4531 14.9265 39.4531 13.6465 38.7718 12.4904ZM33.5486 10.4258L33.6105 10.4465L33.6518 10.4671C33.6725 10.4671 33.6931 10.4878 33.7137 10.4878H34.0234C34.0441 10.4878 34.0441 10.4878 34.0647 10.4671C34.0854 10.4671 34.0854 10.4671 34.106 10.4465C34.1266 10.4465 34.1266 10.4258 34.1473 10.4258C34.2487 10.355 34.329 10.2582 34.3798 10.1456C34.4305 10.0329 34.4502 9.90865 34.4363 9.78584C34.4396 9.71639 34.4328 9.64681 34.4157 9.57938C33.985 9.23413 33.6981 8.74115 33.6105 8.19616C33.5604 8.15448 33.5048 8.11975 33.4454 8.09293C33.1563 7.92777 32.7744 7.89556 32.6092 8.01944L32.5886 8.04008C32.5832 8.04008 32.5778 8.04225 32.5739 8.04613C32.5702 8.04999 32.5679 8.05525 32.5679 8.06073L32.5473 8.08137C32.5473 8.10202 32.5266 8.10202 32.5266 8.12266L32.506 8.14331C32.506 8.16395 32.4854 8.16395 32.4854 8.1846C32.4854 8.20524 32.4647 8.20524 32.4647 8.22589C32.4624 8.24152 32.4552 8.25599 32.4441 8.26718C32.4441 8.28782 32.4234 8.28782 32.4234 8.30847C32.4234 8.32911 32.4028 8.34976 32.4028 8.3704V8.41169C32.4036 8.4406 32.3966 8.46919 32.3821 8.49427V8.61814C32.3943 8.97896 32.4823 9.33319 32.6402 9.65783C32.8132 9.951 33.5486 10.4258 33.5486 10.4258Z" fill="#32B0E7"/>
+<path d="M37.6361 15.9588L34.7871 17.5897V17.8581L35.4271 18.9729C35.5096 19.1175 35.5096 19.2826 35.4271 19.3446L34.9522 19.6129C34.849 19.6749 34.849 19.84 34.9522 20.0052L35.4271 20.8103C35.5096 20.9549 35.5096 21.12 35.4271 21.182L34.9522 21.4503C34.849 21.5123 34.849 21.6774 34.9522 21.8426L35.4271 22.6478C35.5096 22.7923 35.5096 22.9574 35.4271 23.0194L34.7664 23.391L33.6516 24.031C33.6053 24.0479 33.5562 24.0549 33.5071 24.0516C33.4567 24.0475 33.4076 24.0335 33.3625 24.0103C33.248 23.941 33.1549 23.8409 33.0942 23.7213L31.9587 21.76C31.8542 21.585 31.7972 21.3857 31.7935 21.182L31.8142 15.8555C31.8076 15.6875 31.7578 15.524 31.6696 15.3807L29.1922 11.0865C28.5109 9.90972 28.5316 8.65037 29.1922 8.25811L32.2064 6.54456C32.5367 6.35875 32.9909 6.42069 33.4245 6.66843C33.9402 6.98434 34.3612 7.43371 34.6425 7.96908L37.6154 13.1304C38.3174 14.3071 38.3174 15.5871 37.6361 15.9588ZM33.4245 8.09295C32.8877 7.78327 32.4335 8.03101 32.4335 8.65037C32.4566 8.99122 32.5553 9.32278 32.7225 9.62069C32.8956 9.91404 33.1363 10.1618 33.4245 10.3433C33.9613 10.6529 34.4154 10.4052 34.4154 9.78585C34.3923 9.44496 34.2936 9.11348 34.1264 8.81553C33.9534 8.52216 33.7127 8.2744 33.4245 8.09295ZM31.2774 12.3871L35.6542 14.9265C35.7987 15.0091 35.9225 14.9471 35.9225 14.782V14.72C35.924 14.6241 35.8951 14.5302 35.84 14.4517C35.7956 14.3689 35.7318 14.2981 35.6542 14.2452L31.2774 11.7059C31.1329 11.6233 31.009 11.6852 31.009 11.8504V11.9123C31.0076 12.0083 31.0365 12.1022 31.0916 12.1807C31.1484 12.254 31.2105 12.3231 31.2774 12.3871ZM31.0296 10.7768V10.8388C31.0282 10.9348 31.0571 11.0287 31.1122 11.1071C31.163 11.1852 31.2256 11.255 31.298 11.3136L35.6748 13.8323C35.8193 13.9149 35.9432 13.8529 35.9432 13.6878V13.6259C35.9446 13.5299 35.9157 13.436 35.8606 13.3575C35.8162 13.2747 35.7524 13.2038 35.6748 13.151L31.298 10.6117C31.1535 10.5497 31.0296 10.6117 31.0296 10.7768ZM32.9703 21.8013L32.9909 17.4865C32.988 17.3879 32.9517 17.2932 32.8877 17.2181C32.8617 17.1687 32.8171 17.1316 32.7638 17.1149C32.6606 17.0529 32.5574 17.0942 32.5574 17.2388L32.5367 21.5536C32.5351 21.6337 32.5566 21.7125 32.5987 21.7807C32.6301 21.8432 32.6806 21.8938 32.7432 21.9252C32.8671 22.0078 32.9703 21.9665 32.9703 21.8013Z" fill="url(#paint2_linear_1073_1049)"/>
+<path d="M31.2775 12.3871L35.6542 14.9264C35.7988 15.009 35.9226 14.9471 35.9226 14.7819V14.72C35.9241 14.624 35.8952 14.5301 35.8401 14.4516C35.7957 14.3688 35.7319 14.298 35.6542 14.2451L31.2775 11.7058C31.133 11.6232 31.0091 11.6851 31.0091 11.8503V11.9122C31.0076 12.0082 31.0365 12.1022 31.0917 12.1806C31.1484 12.2539 31.2106 12.3231 31.2775 12.3871ZM31.0297 10.7767V10.8387C31.0283 10.9347 31.0572 11.0286 31.1123 11.1071C31.1567 11.1898 31.2205 11.2607 31.2981 11.3135L35.6749 13.8322C35.8194 13.9148 35.9433 13.8529 35.9433 13.6877V13.6258C35.9447 13.5298 35.9158 13.4359 35.8607 13.3574C35.8163 13.2746 35.7525 13.2038 35.6749 13.1509L31.2981 10.6116C31.1536 10.5496 31.0297 10.6116 31.0297 10.7767ZM32.9704 21.8012L32.991 17.4864C32.9881 17.3878 32.9516 17.2932 32.8878 17.218C32.8465 17.1767 32.8259 17.1354 32.7639 17.1148C32.6607 17.0529 32.5575 17.0942 32.5575 17.2387L32.5368 21.5535C32.5352 21.6336 32.5566 21.7125 32.5988 21.7806C32.6301 21.8432 32.6807 21.8937 32.7433 21.9251C32.8672 22.0077 32.9704 21.9664 32.9704 21.8012Z" fill="#ACF3FD"/>
+</g>
+</g>
+<defs>
+<linearGradient id="paint0_linear_1073_1049" x1="10.4637" y1="20.3807" x2="10.4637" y2="28.819" gradientUnits="userSpaceOnUse">
+<stop stop-color="#4DC2EB"/>
+<stop offset="1" stop-color="#0078D4"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1049" x1="10.4649" y1="13.1929" x2="10.4649" y2="19.8" gradientUnits="userSpaceOnUse">
+<stop stop-color="#4DC2EB"/>
+<stop offset="1" stop-color="#0078D4"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1073_1049" x1="33.4168" y1="1.05211" x2="33.4168" y2="25.6826" gradientUnits="userSpaceOnUse">
+<stop offset="0.09" stop-color="#50E6FF"/>
+<stop offset="1" stop-color="#45CAF2"/>
+</linearGradient>
+<clipPath id="clip0_1073_1049">
+<rect width="45.4194" height="32" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/book/images/microsoft-intune.svg b/windows/security/book/images/microsoft-intune.svg
new file mode 100644
index 0000000000..4651f1db01
--- /dev/null
+++ b/windows/security/book/images/microsoft-intune.svg
@@ -0,0 +1,23 @@
+<svg width="57" height="32" viewBox="0 0 57 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M40.9807 0.0206299H11.871C11.3009 0.0206299 10.8387 0.482788 10.8387 1.05289V19.7574C10.8387 20.3275 11.3009 20.7897 11.871 20.7897H40.9807C41.5507 20.7897 42.0129 20.3275 42.0129 19.7574V1.05289C42.0129 0.482788 41.5507 0.0206299 40.9807 0.0206299Z" fill="url(#paint0_linear_1073_1098)"/>
+<path d="M39.7006 1.75488H13.1509C12.8317 1.75488 12.5729 2.01369 12.5729 2.33295V18.4981C12.5729 18.8174 12.8317 19.0762 13.1509 19.0762H39.7006C40.0198 19.0762 40.2787 18.8174 40.2787 18.4981V2.33295C40.2787 2.01369 40.0198 1.75488 39.7006 1.75488Z" fill="white"/>
+<path d="M32.6813 27.0865C29.5845 26.6117 29.4606 24.382 29.4813 20.8929H23.2877C23.2877 24.4852 23.1638 26.7149 20.0877 27.0865C19.6697 27.1495 19.2873 27.358 19.0078 27.6751C18.7284 27.9926 18.5698 28.398 18.5599 28.8207H34.1264C34.1164 28.4109 33.9682 28.0168 33.7058 27.702C33.4436 27.3871 33.0823 27.1701 32.6813 27.0865Z" fill="url(#paint1_linear_1073_1098)"/>
+<path d="M45.2542 9.62062H31.0504C30.815 8.46209 30.1575 7.43231 29.206 6.73102C28.2542 6.02971 27.0759 5.70692 25.8997 5.82522C24.7233 5.94351 23.6329 6.49448 22.8399 7.37126C22.0469 8.24803 21.6078 9.38811 21.6078 10.5703C21.6078 11.7525 22.0469 12.8926 22.8399 13.7693C23.6329 14.6461 24.7233 15.1971 25.8997 15.3154C27.0759 15.4337 28.2542 15.1109 29.206 14.4096C30.1575 13.7083 30.815 12.6785 31.0504 11.52H32.5162V31.298C32.5162 31.4787 32.5879 31.6521 32.7157 31.7799C32.8434 31.9076 33.0168 31.9793 33.1975 31.9793H45.2336C45.4142 31.9793 45.5877 31.9076 45.7154 31.7799C45.8431 31.6521 45.9149 31.4787 45.9149 31.298V10.3019C45.9149 10.1248 45.846 9.95451 45.7226 9.82733C45.5993 9.70013 45.4313 9.62599 45.2542 9.62062Z" fill="#32BEDD"/>
+<path d="M44.4284 11.4994H34.0439C33.9071 11.4994 33.7961 11.6103 33.7961 11.7471V29.2129C33.7961 29.3497 33.9071 29.4607 34.0439 29.4607H44.4284C44.5652 29.4607 44.6761 29.3497 44.6761 29.2129V11.7471C44.6761 11.6103 44.5652 11.4994 44.4284 11.4994Z" fill="white"/>
+<path opacity="0.9" d="M26.4258 13.6671C28.0906 13.6671 29.44 12.3176 29.44 10.6529C29.44 8.98817 28.0906 7.63867 26.4258 7.63867C24.7611 7.63867 23.4116 8.98817 23.4116 10.6529C23.4116 12.3176 24.7611 13.6671 26.4258 13.6671Z" fill="url(#paint2_linear_1073_1098)"/>
+<path d="M40.5264 19.7575L38.2142 17.4452C38.1956 17.4285 38.1726 17.4177 38.1479 17.4144C38.1231 17.411 38.098 17.4151 38.0756 17.4263C38.0534 17.4374 38.0348 17.4551 38.023 17.4769C38.0108 17.4987 38.0054 17.5236 38.0077 17.5484V18.9523C38.0077 18.9852 37.9946 19.0167 37.9713 19.0399C37.9481 19.0631 37.9166 19.0762 37.8839 19.0762H32.5161V20.7897H37.8839C37.9166 20.7897 37.9481 20.8028 37.9713 20.826C37.9946 20.8492 38.0077 20.8808 38.0077 20.9136V22.3381C38.0191 22.3552 38.0343 22.3691 38.0524 22.3788C38.0704 22.3885 38.0906 22.3935 38.1109 22.3935C38.1313 22.3935 38.1515 22.3885 38.1695 22.3788C38.1876 22.3691 38.2028 22.3552 38.2142 22.3381L40.5264 20.1291C40.5528 20.1058 40.5739 20.0772 40.5884 20.0452C40.6028 20.0132 40.6103 19.9784 40.6103 19.9433C40.6103 19.9081 40.6028 19.8734 40.5884 19.8413C40.5739 19.8093 40.5528 19.7807 40.5264 19.7575Z" fill="#0078D4"/>
+<defs>
+<linearGradient id="paint0_linear_1073_1098" x1="26.4258" y1="20.7897" x2="26.4258" y2="0.0206299" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0078D4"/>
+<stop offset="0.82" stop-color="#5EA0EF"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1098" x1="26.4258" y1="28.8207" x2="26.4258" y2="20.7897" gradientUnits="userSpaceOnUse">
+<stop stop-color="#1490DF"/>
+<stop offset="0.98" stop-color="#1F56A3"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1073_1098" x1="26.4258" y1="13.6671" x2="26.4258" y2="7.61803" gradientUnits="userSpaceOnUse">
+<stop stop-color="#D2EBFF"/>
+<stop offset="1" stop-color="#F0FFFD"/>
+</linearGradient>
+</defs>
+</svg>
diff --git a/windows/security/book/images/new-button-title.svg b/windows/security/book/images/new-button-title.svg
new file mode 100644
index 0000000000..15ea7247a2
--- /dev/null
+++ b/windows/security/book/images/new-button-title.svg
@@ -0,0 +1,6 @@
+<svg width="32" height="32" viewBox="0 0 32 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M2 6C2 3.79086 3.79086 2 6 2H26C28.2091 2 30 3.79086 30 6V26C30 28.2091 28.2091 30 26 30H6C3.79086 30 2 28.2091 2 26V6Z" fill="#00A6ED"/>
+<path d="M6.43434 12.4017C6.2578 12.1169 5.91373 11.9838 5.59145 12.0756C5.26917 12.1673 5.04688 12.4618 5.04688 12.7969V19.25C5.04688 19.6642 5.38266 20 5.79688 20C6.21109 20 6.54688 19.6642 6.54688 19.25V15.8693C6.54688 15.7435 6.71183 15.6965 6.77812 15.8035L9.15941 19.6451C9.33595 19.93 9.68002 20.0631 10.0023 19.9713C10.3246 19.8795 10.5469 19.5851 10.5469 19.25V12.7969C10.5469 12.3827 10.2111 12.0469 9.79688 12.0469C9.38266 12.0469 9.04688 12.3827 9.04688 12.7969V16.1776C9.04688 16.3034 8.88192 16.3504 8.81563 16.2434L6.43434 12.4017Z" fill="white"/>
+<path d="M12.7708 12.0866C12.3565 12.0866 12.0208 12.4224 12.0208 12.8366V19.2445C12.0208 19.6587 12.3565 19.9945 12.7708 19.9945H16.4034C16.8176 19.9945 17.1534 19.6587 17.1534 19.2445C17.1534 18.8302 16.8176 18.4945 16.4034 18.4945H13.6458C13.5767 18.4945 13.5208 18.4385 13.5208 18.3695V17.0394C13.5208 16.9704 13.5767 16.9144 13.6458 16.9144H16.3545C16.7687 16.9144 17.1045 16.5786 17.1045 16.1644C17.1045 15.7502 16.7687 15.4144 16.3545 15.4144H13.6458C13.5767 15.4144 13.5208 15.3585 13.5208 15.2894V13.7116C13.5208 13.6426 13.5767 13.5866 13.6458 13.5866H16.4034C16.8176 13.5866 17.1534 13.2508 17.1534 12.8366C17.1534 12.4224 16.8176 12.0866 16.4034 12.0866H12.7708Z" fill="white"/>
+<path d="M18.7518 12.1369C19.1508 12.0257 19.5644 12.2591 19.6756 12.6581L20.601 15.9799C20.6348 16.1011 20.8063 16.1021 20.8415 15.9813L21.8111 12.6498C21.9038 12.3311 22.195 12.1113 22.5269 12.1094C22.8588 12.1075 23.1525 12.324 23.2489 12.6416L24.2587 15.9692C24.2953 16.0898 24.4671 16.0866 24.4992 15.9648L25.3685 12.6682C25.4741 12.2676 25.8844 12.0286 26.2849 12.1342C26.6854 12.2398 26.9245 12.6501 26.8189 13.0506L25.1627 19.3319C25.0771 19.6562 24.7866 19.8843 24.4513 19.8905C24.1159 19.8967 23.8172 19.6794 23.7198 19.3584L22.6684 15.8939C22.6323 15.775 22.4635 15.7759 22.4287 15.8953L21.4232 19.3502C21.3295 19.672 21.0338 19.8925 20.6988 19.8906C20.3637 19.8887 20.0705 19.6647 19.9806 19.3419L18.2306 13.0607C18.1194 12.6617 18.3528 12.2481 18.7518 12.1369Z" fill="white"/>
+</svg>
diff --git a/windows/security/book/images/new-button.svg b/windows/security/book/images/new-button.svg
new file mode 100644
index 0000000000..49bd889d96
--- /dev/null
+++ b/windows/security/book/images/new-button.svg
@@ -0,0 +1,13 @@
+<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_789_102)">
+<path d="M0.875 2.625C0.875 1.6585 1.6585 0.875 2.625 0.875H11.375C12.3415 0.875 13.125 1.6585 13.125 2.625V11.375C13.125 12.3415 12.3415 13.125 11.375 13.125H2.625C1.6585 13.125 0.875 12.3415 0.875 11.375V2.625Z" fill="#00A6ED"/>
+<path d="M2.81503 5.42576C2.73779 5.30115 2.58726 5.2429 2.44626 5.28305C2.30526 5.32321 2.20801 5.45202 2.20801 5.59863V8.42187C2.20801 8.60309 2.35491 8.75 2.53613 8.75C2.71735 8.75 2.86426 8.60309 2.86426 8.42187V6.94282C2.86426 6.88777 2.93642 6.86722 2.96543 6.91401L4.00724 8.59474C4.08448 8.71935 4.23501 8.7776 4.37601 8.73745C4.51701 8.69729 4.61426 8.56848 4.61426 8.42187V5.59863C4.61426 5.41741 4.46735 5.27051 4.28613 5.27051C4.10491 5.27051 3.95801 5.41741 3.95801 5.59863V7.07768C3.95801 7.13273 3.88584 7.15328 3.85684 7.10649L2.81503 5.42576Z" fill="white"/>
+<path d="M5.5872 5.28789C5.40599 5.28789 5.25908 5.43479 5.25908 5.61601V8.41945C5.25908 8.60067 5.40599 8.74757 5.5872 8.74757H7.17649C7.3577 8.74757 7.50461 8.60067 7.50461 8.41945C7.50461 8.23823 7.3577 8.09132 7.17649 8.09132H5.97002C5.93981 8.09132 5.91533 8.06684 5.91533 8.03663V7.45475C5.91533 7.42454 5.93981 7.40006 5.97002 7.40006H7.15508C7.33629 7.40006 7.4832 7.25315 7.4832 7.07193C7.4832 6.89072 7.33629 6.74381 7.15508 6.74381H5.97002C5.93981 6.74381 5.91533 6.71932 5.91533 6.68912V5.99883C5.91533 5.96862 5.93981 5.94414 5.97002 5.94414H7.17649C7.3577 5.94414 7.50461 5.79723 7.50461 5.61601C7.50461 5.43479 7.3577 5.28789 7.17649 5.28789H5.5872Z" fill="white"/>
+<path d="M8.20391 5.30989C8.37847 5.26125 8.55942 5.36334 8.60806 5.53791L9.01295 6.9912C9.02773 7.04423 9.10276 7.04466 9.11814 6.9918L9.54235 5.53428C9.58293 5.39486 9.71032 5.29869 9.85552 5.29786C10.0007 5.29703 10.1292 5.39174 10.1714 5.53069L10.6132 6.98652C10.6292 7.03926 10.7044 7.03788 10.7184 6.98458L11.0987 5.54231C11.1449 5.36709 11.3244 5.26249 11.4997 5.3087C11.6749 5.3549 11.7795 5.53441 11.7333 5.70964L11.0087 8.45768C10.9712 8.59959 10.8442 8.69939 10.6974 8.70209C10.5507 8.70479 10.42 8.60974 10.3774 8.46931L9.91741 6.9536C9.90161 6.90155 9.82777 6.90197 9.81257 6.9542L9.37265 8.46572C9.33168 8.60648 9.20231 8.70299 9.05571 8.70214C8.90911 8.7013 8.78085 8.60331 8.74151 8.46209L7.97588 5.71404C7.92725 5.53947 8.02934 5.35853 8.20391 5.30989Z" fill="white"/>
+</g>
+<defs>
+<clipPath id="clip0_789_102">
+<rect width="14" height="14" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/book/images/onedrive.svg b/windows/security/book/images/onedrive.svg
new file mode 100644
index 0000000000..2f9f35ede0
--- /dev/null
+++ b/windows/security/book/images/onedrive.svg
@@ -0,0 +1,24 @@
+<svg width="60" height="32" viewBox="0 0 60 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M25.1525 9.93401L33.428 14.8853L38.3601 12.8133C39.3326 12.3938 40.4067 12.1586 41.5316 12.1586C41.716 12.1586 41.8939 12.165 42.0721 12.1777C40.7118 6.85775 35.8877 2.92346 30.1418 2.92346C25.839 2.92346 22.0572 5.12894 19.858 8.46581C19.9025 8.46581 19.9407 8.46581 19.9851 8.46581C21.8856 8.46581 23.6589 9.00606 25.1589 9.93401H25.1525Z" fill="url(#paint0_linear_1073_1093)"/>
+<path d="M25.1525 9.93405C23.6461 9.00608 21.8792 8.46582 19.9788 8.46582C19.9343 8.46582 19.8961 8.46582 19.8516 8.46582C14.4681 8.53573 10.1271 12.915 10.1271 18.3175C10.1271 20.415 10.7817 22.3536 11.894 23.9489L19.1906 20.879L22.4322 19.5124L29.6526 16.4743L33.4215 14.8853L25.1461 9.9277L25.1525 9.93405Z" fill="url(#paint1_linear_1073_1093)"/>
+<path d="M42.0722 12.1776C41.894 12.1649 41.7161 12.1586 41.5317 12.1586C40.4068 12.1586 39.3326 12.3937 38.3602 12.8132L33.4281 14.8853L34.8581 15.7433L39.5423 18.5526L41.5889 19.7793L48.5806 23.9679C49.1908 22.8365 49.5404 21.5463 49.5404 20.1671C49.5404 15.9277 46.2417 12.4637 42.0784 12.184L42.0722 12.1776Z" fill="url(#paint2_linear_1073_1093)"/>
+<path d="M41.5889 19.773L39.5422 18.5463L34.858 15.7369L33.428 14.8789L29.6588 16.4679L22.4385 19.506L19.197 20.8725L11.9004 23.9424C13.6801 26.4912 16.6356 28.1627 19.9851 28.1627H41.5381C44.5825 28.1627 47.2331 26.4594 48.5868 23.9552L41.5954 19.7666L41.5889 19.773Z" fill="url(#paint3_linear_1073_1093)"/>
+<defs>
+<linearGradient id="paint0_linear_1073_1093" x1="-61.3072" y1="1.13744" x2="-55.5105" y2="11.1861" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0572C0"/>
+<stop offset="0.88" stop-color="#0364B8"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1093" x1="-68.9915" y1="5.61837" x2="-63.9385" y2="14.3578" gradientUnits="userSpaceOnUse">
+<stop stop-color="#1885D9"/>
+<stop offset="0.89" stop-color="#107AD5"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1073_1093" x1="-52.5041" y1="7.75391" x2="-46.7775" y2="17.6692" gradientUnits="userSpaceOnUse">
+<stop stop-color="#138EDE"/>
+<stop offset="0.94" stop-color="#0D7AD5"/>
+</linearGradient>
+<linearGradient id="paint3_linear_1073_1093" x1="-62.2544" y1="10.881" x2="-55.0021" y2="23.4403" gradientUnits="userSpaceOnUse">
+<stop offset="0.1" stop-color="#29A9EA"/>
+<stop offset="0.79" stop-color="#1C94E3"/>
+</linearGradient>
+</defs>
+</svg>
diff --git a/windows/security/book/images/operating-system-on.png b/windows/security/book/images/operating-system-on.png
index d97bd2a9ba..524c7ac372 100644
Binary files a/windows/security/book/images/operating-system-on.png and b/windows/security/book/images/operating-system-on.png differ
diff --git a/windows/security/book/images/operating-system-security-cover.png b/windows/security/book/images/operating-system-security-cover.png
index 955891f34d..c3b24e0a2a 100644
Binary files a/windows/security/book/images/operating-system-security-cover.png and b/windows/security/book/images/operating-system-security-cover.png differ
diff --git a/windows/security/book/images/operating-system.png b/windows/security/book/images/operating-system.png
index 288e01fc73..c5bfb38b42 100644
Binary files a/windows/security/book/images/operating-system.png and b/windows/security/book/images/operating-system.png differ
diff --git a/windows/security/book/images/passkey-save-3p.png b/windows/security/book/images/passkey-save-3p.png
new file mode 100644
index 0000000000..747bdc074b
Binary files /dev/null and b/windows/security/book/images/passkey-save-3p.png differ
diff --git a/windows/security/book/images/pde.png b/windows/security/book/images/pde.png
new file mode 100644
index 0000000000..5ed0a99cf5
Binary files /dev/null and b/windows/security/book/images/pde.png differ
diff --git a/windows/security/book/images/privacy-cover.png b/windows/security/book/images/privacy-cover.png
index 09a4364bb0..e7a0a5825c 100644
Binary files a/windows/security/book/images/privacy-cover.png and b/windows/security/book/images/privacy-cover.png differ
diff --git a/windows/security/book/images/privacy-on.png b/windows/security/book/images/privacy-on.png
index 83e4d59c8b..be6f888dce 100644
Binary files a/windows/security/book/images/privacy-on.png and b/windows/security/book/images/privacy-on.png differ
diff --git a/windows/security/book/images/privacy.png b/windows/security/book/images/privacy.png
index f0772e28ba..4a87f077fb 100644
Binary files a/windows/security/book/images/privacy.png and b/windows/security/book/images/privacy.png differ
diff --git a/windows/security/book/images/secure-launch.png b/windows/security/book/images/secure-launch.png
index dd00cdc393..d83d884e44 100644
Binary files a/windows/security/book/images/secure-launch.png and b/windows/security/book/images/secure-launch.png differ
diff --git a/windows/security/book/images/security-foundation-cover.png b/windows/security/book/images/security-foundation-cover.png
index 5fdd9c7a92..9c97b0284c 100644
Binary files a/windows/security/book/images/security-foundation-cover.png and b/windows/security/book/images/security-foundation-cover.png differ
diff --git a/windows/security/book/images/security-foundation-on.png b/windows/security/book/images/security-foundation-on.png
index d6ddf2af1f..c0c23101bb 100644
Binary files a/windows/security/book/images/security-foundation-on.png and b/windows/security/book/images/security-foundation-on.png differ
diff --git a/windows/security/book/images/security-foundation.png b/windows/security/book/images/security-foundation.png
index 2810449234..ba54e5a0ba 100644
Binary files a/windows/security/book/images/security-foundation.png and b/windows/security/book/images/security-foundation.png differ
diff --git a/windows/security/book/images/sfi.png b/windows/security/book/images/sfi.png
new file mode 100644
index 0000000000..4bd6163fb2
Binary files /dev/null and b/windows/security/book/images/sfi.png differ
diff --git a/windows/security/book/images/soon-arrow.svg b/windows/security/book/images/soon-arrow.svg
new file mode 100644
index 0000000000..fc259c2605
--- /dev/null
+++ b/windows/security/book/images/soon-arrow.svg
@@ -0,0 +1,14 @@
+<svg width="14" height="14" viewBox="0 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_789_99)">
+<path d="M12.9588 4.29655L9.31875 0.98467C9.0475 0.73967 8.61875 0.93217 8.61875 1.29529V2.88779C8.61875 3.04092 8.49187 3.16779 8.33875 3.16779H1.39125C1.10687 3.16342 0.875 3.39967 0.875 3.68405V5.5303C0.875 5.81905 1.10688 6.05092 1.39563 6.05092H8.34312C8.49625 6.05092 8.62312 6.17779 8.62312 6.33092V7.92342C8.62312 8.28655 9.05625 8.47905 9.32312 8.23405L12.9631 4.92217C13.1425 4.75154 13.1425 4.46279 12.9588 4.29655Z" fill="#785DC8"/>
+<path d="M5.26313 13.1253C4.50626 13.1253 3.88938 12.5084 3.88938 11.7515V10.4915C3.88938 9.73467 4.50626 9.1178 5.26313 9.1178C6.02001 9.1178 6.63688 9.73467 6.63688 10.4915V11.7515C6.63688 12.5084 6.02001 13.1253 5.26313 13.1253ZM5.26313 9.98842C4.98751 9.98842 4.76001 10.2115 4.76001 10.4915V11.7515C4.76001 12.0272 4.98313 12.2547 5.26313 12.2547C5.53876 12.2547 5.76626 12.0315 5.76626 11.7515V10.4915C5.76626 10.2115 5.53876 9.98842 5.26313 9.98842Z" fill="#785DC8"/>
+<path d="M6.99124 11.7515C6.99124 12.5084 7.60812 13.1253 8.36499 13.1253C9.12187 13.1253 9.73874 12.5084 9.73874 11.7515V10.4915C9.73874 9.73467 9.12187 9.1178 8.36499 9.1178C7.60812 9.1178 6.99124 9.73467 6.99124 10.4915V11.7515ZM7.86187 10.4915C7.86187 10.2115 8.08937 9.98842 8.36499 9.98842C8.64062 9.98842 8.86812 10.2115 8.86812 10.4915V11.7515C8.86812 12.0315 8.64062 12.2547 8.36499 12.2547C8.08499 12.2547 7.86187 12.0272 7.86187 11.7515V10.4915Z" fill="#785DC8"/>
+<path d="M2.35374 13.1253C1.86374 13.1253 1.39124 12.9459 1.02811 12.6178C0.848739 12.4559 0.831239 12.1803 0.993114 12.0009C1.15499 11.8215 1.43061 11.804 1.60999 11.9659C1.81561 12.1497 2.07811 12.2503 2.35374 12.2503H2.41936C2.54186 12.2415 2.62499 12.1978 2.67749 12.119C2.73874 12.0228 2.72124 11.9309 2.70374 11.8828C2.67311 11.7953 2.60749 11.7253 2.51999 11.6947L1.65374 11.3709C1.32124 11.244 1.06311 10.9815 0.949364 10.6403C0.839989 10.3078 0.879364 9.94905 1.06749 9.6603C1.27311 9.33655 1.60561 9.14842 2.01249 9.12217C2.05186 9.1178 2.09124 9.1178 2.13061 9.1178C2.62061 9.1178 3.09311 9.29717 3.45624 9.6253C3.63561 9.78717 3.65311 10.0628 3.49124 10.2422C3.32936 10.4215 3.05374 10.439 2.87436 10.2772C2.66874 10.0934 2.40624 9.9928 2.13061 9.9928H2.06499C1.94249 10.0015 1.85936 10.0453 1.80686 10.124C1.74561 10.2203 1.76311 10.3122 1.78061 10.3603C1.81124 10.4478 1.87686 10.5178 1.96436 10.5484L2.83061 10.8722C3.16311 10.999 3.42124 11.2615 3.53499 11.6028C3.64436 11.9353 3.60499 12.294 3.41686 12.5828C3.21124 12.9065 2.87874 13.0947 2.47186 13.1209C2.43249 13.1253 2.39311 13.1253 2.35374 13.1253Z" fill="#785DC8"/>
+<path d="M12.2981 12.9284C12.3769 13.0553 12.5169 13.1253 12.6612 13.1253C12.7006 13.1253 12.7444 13.1209 12.7881 13.1078C12.9719 13.0509 13.0987 12.8803 13.0987 12.6878V9.55092C13.0987 9.31029 12.9019 9.11342 12.6612 9.11342C12.4206 9.11342 12.2237 9.31029 12.2237 9.55092V11.2265L10.9681 9.31029C10.8631 9.14842 10.6619 9.07404 10.4781 9.13092C10.2944 9.18779 10.1675 9.35842 10.1675 9.55092V12.6878C10.1675 12.9284 10.3644 13.1253 10.605 13.1253C10.8456 13.1253 11.0425 12.9284 11.0425 12.6878V11.0122L12.2981 12.9284Z" fill="#785DC8"/>
+</g>
+<defs>
+<clipPath id="clip0_789_99">
+<rect width="14" height="14" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/windows/security/book/images/soon-button-title.svg b/windows/security/book/images/soon-button-title.svg
new file mode 100644
index 0000000000..c0b233518c
--- /dev/null
+++ b/windows/security/book/images/soon-button-title.svg
@@ -0,0 +1,7 @@
+<svg width="32" height="32" viewBox="0 0 32 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M29.62 9.82067L21.3 2.25067C20.68 1.69067 19.7 2.13067 19.7 2.96067V6.60067C19.7 6.95067 19.41 7.24067 19.06 7.24067H3.18C2.53 7.23067 2 7.77067 2 8.42067V12.6407C2 13.3007 2.53 13.8307 3.19 13.8307H19.07C19.42 13.8307 19.71 14.1207 19.71 14.4707V18.1107C19.71 18.9407 20.7 19.3807 21.31 18.8207L29.63 11.2507C30.04 10.8607 30.04 10.2007 29.62 9.82067Z" fill="#785DC8"/>
+<path d="M12.03 30.0007C10.3 30.0007 8.89001 28.5907 8.89001 26.8607V23.9807C8.89001 22.2507 10.3 20.8407 12.03 20.8407C13.76 20.8407 15.17 22.2507 15.17 23.9807V26.8607C15.17 28.5907 13.76 30.0007 12.03 30.0007ZM12.03 22.8307C11.4 22.8307 10.88 23.3407 10.88 23.9807V26.8607C10.88 27.4907 11.39 28.0107 12.03 28.0107C12.66 28.0107 13.18 27.5007 13.18 26.8607V23.9807C13.18 23.3407 12.66 22.8307 12.03 22.8307Z" fill="#785DC8"/>
+<path d="M15.98 26.8607C15.98 28.5907 17.39 30.0007 19.12 30.0007C20.85 30.0007 22.26 28.5907 22.26 26.8607V23.9807C22.26 22.2507 20.85 20.8407 19.12 20.8407C17.39 20.8407 15.98 22.2507 15.98 23.9807V26.8607ZM17.97 23.9807C17.97 23.3407 18.49 22.8307 19.12 22.8307C19.75 22.8307 20.27 23.3407 20.27 23.9807V26.8607C20.27 27.5007 19.75 28.0107 19.12 28.0107C18.48 28.0107 17.97 27.4907 17.97 26.8607V23.9807Z" fill="#785DC8"/>
+<path d="M5.37998 30.0007C4.25998 30.0007 3.17998 29.5907 2.34998 28.8407C1.93998 28.4707 1.89998 27.8407 2.26998 27.4307C2.63998 27.0207 3.26998 26.9807 3.67998 27.3507C4.14998 27.7707 4.74998 28.0007 5.37998 28.0007H5.52998C5.80998 27.9807 5.99998 27.8807 6.11998 27.7007C6.25998 27.4807 6.21998 27.2707 6.17998 27.1607C6.10998 26.9607 5.95998 26.8007 5.75998 26.7307L3.77998 25.9907C3.01998 25.7007 2.42998 25.1007 2.16998 24.3207C1.91998 23.5607 2.00998 22.7407 2.43998 22.0807C2.90998 21.3407 3.66998 20.9107 4.59998 20.8507C4.68998 20.8407 4.77998 20.8407 4.86998 20.8407C5.98998 20.8407 7.06998 21.2507 7.89998 22.0007C8.30998 22.3707 8.34998 23.0007 7.97998 23.4107C7.60998 23.8207 6.97998 23.8607 6.56998 23.4907C6.09998 23.0707 5.49998 22.8407 4.86998 22.8407H4.71998C4.43998 22.8607 4.24998 22.9607 4.12998 23.1407C3.98998 23.3607 4.02998 23.5707 4.06998 23.6807C4.13998 23.8807 4.28998 24.0407 4.48998 24.1107L6.46998 24.8507C7.22998 25.1407 7.81998 25.7407 8.07998 26.5207C8.32998 27.2807 8.23998 28.1007 7.80998 28.7607C7.33998 29.5007 6.57998 29.9307 5.64998 29.9907C5.55998 30.0007 5.46998 30.0007 5.37998 30.0007Z" fill="#785DC8"/>
+<path d="M28.11 29.5507C28.29 29.8407 28.61 30.0007 28.94 30.0007C29.03 30.0007 29.13 29.9907 29.23 29.9607C29.65 29.8307 29.94 29.4407 29.94 29.0007V21.8307C29.94 21.2807 29.49 20.8307 28.94 20.8307C28.39 20.8307 27.94 21.2807 27.94 21.8307V25.6607L25.07 21.2807C24.83 20.9107 24.37 20.7407 23.95 20.8707C23.53 21.0007 23.24 21.3907 23.24 21.8307V29.0007C23.24 29.5507 23.69 30.0007 24.24 30.0007C24.79 30.0007 25.24 29.5507 25.24 29.0007V25.1707L28.11 29.5507Z" fill="#785DC8"/>
+</svg>
diff --git a/windows/security/book/images/uac-settings.png b/windows/security/book/images/uac-settings.png
deleted file mode 100644
index d4a8fc4bb0..0000000000
Binary files a/windows/security/book/images/uac-settings.png and /dev/null differ
diff --git a/windows/security/book/images/universal-print.svg b/windows/security/book/images/universal-print.svg
new file mode 100644
index 0000000000..d91cd2a276
--- /dev/null
+++ b/windows/security/book/images/universal-print.svg
@@ -0,0 +1,24 @@
+<svg width="40" height="32" viewBox="0 0 40 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M32.8622 17.5932C32.8622 16.3814 31.0947 15.9828 30.4147 15.0495C29.4785 13.7651 29.3777 12.1206 27.6666 11.8406C27.5815 9.85776 26.718 7.98839 25.2638 6.63782C23.8095 5.28726 21.8815 4.56434 19.8977 4.62582C18.2951 4.59613 16.7225 5.06477 15.3975 5.96704C14.0725 6.8693 13.0603 8.16068 12.5007 9.66285C10.8045 9.86903 9.23838 10.6764 8.08645 11.9383C6.93454 13.2004 6.27312 14.8334 6.22217 16.5414C6.29662 18.4583 7.12789 20.2675 8.53385 21.5726C9.93979 22.8778 11.8058 23.5724 13.7229 23.5043C13.9466 23.5043 14.1674 23.494 14.3836 23.4762H26.5319C26.6401 23.4748 26.7477 23.459 26.8519 23.4288C28.4124 23.4176 29.9086 22.8046 31.0282 21.7173C32.148 20.6302 32.8049 19.1529 32.8622 17.5932Z" fill="url(#paint0_linear_1073_1040)"/>
+<path d="M30.729 12.3118H18.0209C17.7754 12.3118 17.5764 12.5108 17.5764 12.7562V17.3177C17.5764 17.5631 17.7754 17.7621 18.0209 17.7621H30.729C30.9745 17.7621 31.1734 17.5631 31.1734 17.3177V12.7562C31.1734 12.5108 30.9745 12.3118 30.729 12.3118Z" fill="#005BA1"/>
+<path d="M29.388 8.89404H19.3629C19.1174 8.89404 18.9185 9.09303 18.9185 9.33849V16.6718C18.9185 16.9173 19.1174 17.1163 19.3629 17.1163H29.388C29.6335 17.1163 29.8324 16.9173 29.8324 16.6718V9.33849C29.8324 9.09303 29.6335 8.89404 29.388 8.89404Z" fill="url(#paint1_linear_1073_1040)"/>
+<path d="M16.7497 14.7222H32.0001C32.2358 14.7222 32.4619 14.8158 32.6287 14.9825C32.7953 15.1492 32.889 15.3753 32.889 15.6111V24.648H15.8623V15.6111C15.8623 15.3756 15.9557 15.1497 16.1221 14.983C16.2885 14.8164 16.5142 14.7226 16.7497 14.7222Z" fill="#5EA0EF"/>
+<path d="M32.889 23.4822H15.8623V24.9933H32.889V23.4822Z" fill="#0078D4"/>
+<path d="M30.231 20.8333H18.514C18.2685 20.8333 18.0696 21.0322 18.0696 21.2777V22.1547C18.0696 22.4002 18.2685 22.5991 18.514 22.5991H30.231C30.4765 22.5991 30.6754 22.4002 30.6754 22.1547V21.2777C30.6754 21.0322 30.4765 20.8333 30.231 20.8333Z" fill="#83B9F9"/>
+<path d="M29.9925 17.9621C30.2258 17.9621 30.4148 17.7731 30.4148 17.5399C30.4148 17.3067 30.2258 17.1177 29.9925 17.1177C29.7595 17.1177 29.5703 17.3067 29.5703 17.5399C29.5703 17.7731 29.7595 17.9621 29.9925 17.9621Z" fill="#C3F1FF"/>
+<path d="M18.9186 21.1399H29.8325V26.8035C29.8325 26.9214 29.7858 27.0345 29.7024 27.1178C29.619 27.2012 29.506 27.248 29.3881 27.248H19.3614C19.2436 27.248 19.1307 27.2012 19.0473 27.1178C18.9639 27.0345 18.917 26.9214 18.917 26.8035V21.1399H18.9186Z" fill="url(#paint2_linear_1073_1040)"/>
+<defs>
+<linearGradient id="paint0_linear_1073_1040" x1="19.5422" y1="23.5073" x2="19.5422" y2="4.62582" gradientUnits="userSpaceOnUse">
+<stop stop-color="#773ADC"/>
+<stop offset="0.817" stop-color="#A67AF4"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1040" x1="24.3746" y1="8.89404" x2="24.3746" y2="17.1177" gradientUnits="userSpaceOnUse">
+<stop stop-color="#C3F1FF"/>
+<stop offset="0.999" stop-color="#9CEBFF"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1073_1040" x1="24.3748" y1="27.248" x2="24.3748" y2="21.1399" gradientUnits="userSpaceOnUse">
+<stop stop-color="#C3F1FF"/>
+<stop offset="0.999" stop-color="#9CEBFF"/>
+</linearGradient>
+</defs>
+</svg>
diff --git a/windows/security/book/images/vbs-diagram.png b/windows/security/book/images/vbs-diagram.png
new file mode 100644
index 0000000000..c8a27ea370
Binary files /dev/null and b/windows/security/book/images/vbs-diagram.png differ
diff --git a/windows/security/book/images/windows-security.png b/windows/security/book/images/windows-security.png
new file mode 100644
index 0000000000..558b4790e0
Binary files /dev/null and b/windows/security/book/images/windows-security.png differ
diff --git a/windows/security/book/images/windows-security.svg b/windows/security/book/images/windows-security.svg
new file mode 100644
index 0000000000..f8574a500f
--- /dev/null
+++ b/windows/security/book/images/windows-security.svg
@@ -0,0 +1,24 @@
+<svg width="49" height="32" viewBox="0 0 49 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M24.2765 31.8354L21.9288 22.8553L24.2765 15.5891L31.1894 12.573L38.2976 15.5891C37.1237 22.2385 32.1675 27.2426 24.7331 31.7667C24.6027 31.7667 24.4722 31.8354 24.2765 31.8354Z" fill="url(#paint0_linear_1073_1125)"/>
+<path d="M24.2765 15.5232V31.838C24.081 31.838 23.9506 31.7693 23.7548 31.7007C16.3205 27.1765 11.4294 22.1724 10.1903 15.5232L16.9726 13.1925L24.2765 15.5232Z" fill="url(#paint1_linear_1073_1125)"/>
+<path d="M24.2765 0.441528C26.2982 0.441528 28.0589 1.05849 29.4285 2.08673C31.6458 3.66336 33.2109 4.48593 37.7107 4.55448C38.2325 4.55448 38.6888 5.03432 38.6888 5.58272V12.3691C38.6888 13.4659 38.5584 14.4941 38.428 15.5224H24.2765L21.9288 7.84483L24.2765 0.441528Z" fill="url(#paint2_linear_1073_1125)"/>
+<path d="M10.1919 15.5222C9.99624 14.494 9.93103 13.3972 9.93103 12.369V5.58259C9.93103 5.0342 10.3223 4.55436 10.9092 4.55436C15.409 4.48581 16.9742 3.66323 19.1915 2.0866C20.4958 1.05837 22.3219 0.441406 24.3434 0.441406V15.5222H10.1919Z" fill="url(#paint3_linear_1073_1125)"/>
+<defs>
+<linearGradient id="paint0_linear_1073_1125" x1="32.9701" y1="26.7136" x2="25.6719" y2="14.6876" gradientUnits="userSpaceOnUse">
+<stop stop-color="#114A8B"/>
+<stop offset="1" stop-color="#0C59A4"/>
+</linearGradient>
+<linearGradient id="paint1_linear_1073_1125" x1="25.3418" y1="31.1801" x2="14.3342" y2="13.0417" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0669BC"/>
+<stop offset="1" stop-color="#0078D4"/>
+</linearGradient>
+<linearGradient id="paint2_linear_1073_1125" x1="35.2768" y1="17.3893" x2="24.8053" y2="0.134459" gradientUnits="userSpaceOnUse">
+<stop stop-color="#0078D4"/>
+<stop offset="1" stop-color="#1493DF"/>
+</linearGradient>
+<linearGradient id="paint3_linear_1073_1125" x1="22.1142" y1="16.8492" x2="13.5749" y2="2.77815" gradientUnits="userSpaceOnUse">
+<stop stop-color="#28AFEA"/>
+<stop offset="1" stop-color="#3CCBF4"/>
+</linearGradient>
+</defs>
+</svg>
diff --git a/windows/security/book/includes/coming-soon.md b/windows/security/book/includes/coming-soon.md
new file mode 100644
index 0000000000..4122be1932
--- /dev/null
+++ b/windows/security/book/includes/coming-soon.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+:::image type="icon" source="../images/soon-arrow.svg" border="false"::: **Coming soon<sup>[\[7\]](..\conclusion.md#footnote7)</sup>**
diff --git a/windows/security/book/includes/learn-more.md b/windows/security/book/includes/learn-more.md
new file mode 100644
index 0000000000..7ed46da843
--- /dev/null
+++ b/windows/security/book/includes/learn-more.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+:::image type="icon" source="../images/information.svg" border="false"::: **Learn more**
diff --git a/windows/security/book/includes/new-24h2.md b/windows/security/book/includes/new-24h2.md
new file mode 100644
index 0000000000..b90019f189
--- /dev/null
+++ b/windows/security/book/includes/new-24h2.md
@@ -0,0 +1,9 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/18/2024
+ms.topic: include
+ms.service: windows-client
+---
+
+:::image type="icon" source="../images/new-button.svg" border="false"::: **New in Windows 11, version 24H2**
diff --git a/windows/security/book/index.md b/windows/security/book/index.md
index 3fddf8be3c..350e25f172 100644
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@@ -2,54 +2,60 @@
 title: Windows security book introduction
 description: Windows security book introduction
 ms.topic: overview
-ms.date: 04/09/2024
-ROBOTS:
+ms.date: 11/18/2024
 ---
 
 # Windows 11 Security Book
 
-:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book.":::
+:::image type="content" source="images/cover.png" alt-text="Cover of the Windows 11 security book." border="false":::
 
 ## Introduction
 
-Emerging technologies and evolving business trends bring new opportunities and challenges for organizations of all sizes. As technology and workstyles transform, so does the threat landscape with growing numbers of increasingly sophisticated attacks on organizations and employees.
+Today's organizations face a world of accelerated change, from marketplace fluctuation and sociopolitical events to the rapid adoption of new AI technologies. However, as organizations and industries innovate, so do increasingly sophisticated cybercriminals. Research shows that employees, including their devices, services, and identities, are at the center of attacks on businesses of all sizes. Some leading threats include identity attacks, ransomware, targeted phishing attempts, and business email compromise<sup>[\[1\]](conclusion.md#footnote1)</sup>.
 
-To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index](https://www.microsoft.com/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/) shows *cybersecurity issues and risks* are top concerns for business decision-makers, who worry about issues like malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices.
+To address the ever-growing and changing threat landscape, we announced the [Secure Future Initiative (SFI)][LINK-1] in November 2023. The SFI endeavors to advance cybersecurity protection across all our company and products.
 
-In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention has shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches <sup>[\[1\]](conclusion.md#footnote1)</sup>.
+Microsoft is committed to putting security above all else, with products and services that are secure by design and secure by default. We synthesize more than 65 trillion signals daily to understand digital threats and criminal cyberactivity<sup>[\[1\]](conclusion.md#footnote1)</sup>. Through the SFI initiative, we've dedicated the equivalent of 34,000 full-time engineers to the highest priority security tasks. We continuously apply what we learn from incidents to improve our security and privacy models, security architecture, and technical controls.
 
-At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We're committed to helping businesses and their employees get secure, and stay secure. We [synthesize 43 trillion signals daily](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE5bcRe?culture=en-us&country=us) to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers <sup>[\[2\]](conclusion.md#footnote2)</sup>.
+### Security by design. Security by default.
 
-Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies](https://www.cisa.gov/securebydesign). With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built in and enabled.
+Working together with a shared focus is key to improving global security, from individuals and organizations to governments and industries. The world is moving toward a [secure by design and secure by default][LINK-2] approach, where technology producers are tasked with incorporating security during the initial design phase, and offering products that deliver protection right out of the box. As part of our commitment to making the world a safer place, we build security into every innovation. Windows 11 is secure by design and secure by default, with layers of defense enabled on day one to enhance your protection without the need to first configure settings. This secure-by-design approach spans the Windows edition range including Pro, Enterprise, IoT Enterprise, and Education editions. Copilot+ PCs are the fastest, most intelligent Windows devices ever, and they're also the most secure. These groundbreaking AI PCs come with secured-core PC protection and the latest safeguards like Microsoft Pluton and Windows Enhanced Sign-in Security enabled by default.
 
-To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or employees. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices have been shown to increase malware resistance without impacting performance <sup>[\[3\]](conclusion.md#footnote3)</sup>. Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 <sup>[\[4\]](conclusion.md#footnote4)</sup>.
+Except for Windows IoT Long-Term Servicing Channel (LTSC) editions, support for Windows 10 is ending soon on October 14, 2025. Upgrading or replacing outdated devices before Windows 10 support ends is a critical priority for building a strong security posture. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are relying on Windows 11.
 
-## Security priorities and benefits
+### Security priorities and benefits
 
-### Security by design and security by default
+Windows 11 enables you to focus on your work, not your security settings. Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 62% drop in security incidents, including a 3.0x reduction in firmware attacks<sup>[\[2\]](conclusion.md#footnote2)</sup>.
 
-Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** <sup>[\[5\]](conclusion.md#footnote5)</sup>.
+In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation<sup>[\[3\]](conclusion.md#footnote3)</sup>, token protection<sup>[\[3\]](conclusion.md#footnote3)</sup>, passkeys, and Microsoft Intune Endpoint Privilege Management<sup>[\[4\]](conclusion.md#footnote4)</sup> are some of the latest capabilities that help protect organizations and individual users against attack. Windows Hello and Windows Hello for Business work with hardware-based features like Trusted Platform Module (TPM) 2.0, biometric scanners, and Windows presence sensing to enable easier, secure sign-on and protection of your data and credentials.
 
-In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation <sup>[\[6\]](conclusion.md#footnote6)</sup>, token protection <sup>[\[6\]](conclusion.md#footnote6)</sup>, and Microsoft Intune Endpoint Privilege Management <sup>[\[7\]](conclusion.md#footnote7)</sup> are some of the latest capabilities that help protect your organization and employees against attack. Windows Hello and Windows Hello for Business work with hardware-based features like TPM 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption have also been enhanced to optimize both security and performance.
+Existing security features are also continuously enhanced across Windows 11.  For example, BitLocker encryption has been optimized for additional security and performance, and is available on more devices.
 
-### Protect employees against evolving threats
+### Identity protection
 
-With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** <sup>[\[5\]](conclusion.md#footnote5)</sup>.
+Attackers are increasingly targeting employees and their devices, so organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities, and features like passkeys and secure biometric sign-in virtually eliminate the risk of lost or stolen passwords<sup>[\[5\]](conclusion.md#footnote5)</sup>. Enhanced phishing protection also increases safety; in fact, businesses reported 2.9x fewer instances of identity theft with the hardware-backed protection in Windows 11<sup>[\[2\]](conclusion.md#footnote2)</sup>.
 
-### Gain mission-critical application safeguards
+### Application safeguards
 
-Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of application security that shield critical data and code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
+Help keep business data secure and employees productive with robust safeguards and control for applications. Windows 11 has multiple layers of security that shield critical data and defend code integrity. Application protection, privacy controls, and least-privilege principles enable developers to build in security by design. This integrated defense helps protect against breaches and malware, assists in keeping data private, and gives IT administrators the controls they need. As a result, organizations and regulators can be confident that critical data is protected.
 
-### End-to-end protection with modern management
+With Trusted Signing, developers can effortlessly sign their applications. This process ensures the authenticity and integrity of the applications while enhancing security features to prevent and mitigate the impacts of malware on Windows.
 
-Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. In addition, Microsoft also provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can also enforce compliance and conditional access with modern device management (MDM) solutions such as Microsoft Intune and Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 has improved productivity for IT and security teams by a reported 25% <sup>[\[8\]](conclusion.md#footnote8)</sup>.
+### Device health and access control
 
-## Security by design and default
+Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft provides the tools needed to attest that the devices connecting to your network, or accessing your data and resources, are trustworthy. You can enforce security policies and conditional access with cloud-based device management solutions such as Microsoft Intune, Microsoft Entra ID, and a comprehensive security baseline. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11 improves productivity for IT and security teams by a reported 25%<sup>[\[6\]](conclusion.md#footnote6)</sup>.
 
-In Windows 11, hardware and software work together to protect sensitive data from the core of your PC all the way to the cloud. Comprehensive protection helps keep your organization secure, no matter where people work. This simple diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
+### Chip-to-cloud security
+
+In Windows 11, hardware and software work together to protect sensitive data, from the core of the device all the way to the cloud. Comprehensive protection helps keep organizations secure, no matter where people work. The following diagram shows the layers of protection in Windows 11, while each chapter provides a layer-by-layer deep dive into features.
 
 :::image type="content" source="images/chip-to-cloud.png" alt-text="Diagram of chip-to-cloud containing a list of security features." lightbox="images/chip-to-cloud.png" border="false":::
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows security features licensing and edition requirements](/windows/security/licensing-and-edition-requirements?tabs=edition)
+- [Windows security features licensing and edition requirements](../licensing-and-edition-requirements.md)
+
+<!--links-->
+
+[LINK-1]: https://www.microsoft.com/trust-center/security/secure-future-initiative
+[LINK-2]: https://www.cisa.gov/resources-tools/resources/secure-by-design
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index c574d203f1..238afa439c 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -2,73 +2,94 @@
 title: Operating System security
 description: Windows 11 security book - Operating System security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Encryption and data protection
 
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
 
 When people travel with their PCs, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
 
 ## BitLocker
 
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure<sup>[\[9\]](conclusion.md#footnote9)</sup> can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune<sup>[\[6\]](conclusion.md#footnote6)</sup>> using a configuration service provider (CSP)<sup>[\[9\]](conclusion.md#footnote9)</sup>. BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), leveraging technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. Windows consistently improves data protection by expanding existing options and providing new strategies.
+BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure<sup>[\[4\]](conclusion.md#footnote4)</sup>.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune<sup>[\[3\]](conclusion.md#footnote3)</sup>. It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
 - [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
 
-## BitLocker To Go
+### BitLocker To Go
 
-BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
+BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
 - [BitLocker FAQ](../operating-system-security/data-protection/bitlocker/faq.yml)
 
-## Device Encryption
+## Device encryption
 
-Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM.
+Device encryption is a Windows feature that simplifies the process of enabling BitLocker encryption on certain devices. It ensures that only the OS drive and fixed drives are encrypted, while external/USB drives remain unencrypted. Additionally, devices with externally accessible ports that allow DMA access are not eligible for device encryption. Unlike standard BitLocker implementation, device encryption is enabled automatically to ensure continuous protection. Once a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use with encryption already in place.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Organizations have the option to disable device encryption in favor of a full BitLocker implementation. This allows for more granular control over encryption policies and settings, ensuring that the organization's specific security requirements are met.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+The Device encryption prerequisites of DMA and HSTI/Modern Standby are removed. This change makes more devices eligible for both automatic and manual device encryption.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
 - [Device encryption](../operating-system-security/data-protection/bitlocker/index.md#device-encryption)
 
 ## Encrypted hard drive
 
-Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full-disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.
+Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker, with the power of self-encrypting drives.
 
 By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity.
 
 Encrypted hard drives enable:
 
-- Smooth performance: Encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
-- Strong security based in hardware: Encryption is always "on," and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
-- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need
-to re-encrypt data on the drive
-- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process
+- Smooth performance: encryption hardware integrated into the drive controller allows the drive to operate at full data rate without performance degradation
+- Strong security based in hardware: encryption is always-on, and the keys for encryption never leave the hard drive. The drive authenticates the user independently from the operating system before it unlocks
+- Ease of use: encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using an onboard encryption key. There's no need to re-encrypt data on the drive
+- Lower cost of ownership: there's no need for new infrastructure to manage encryption keys since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
 - [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
 
-## Personal data encryption
+## Personal Data Encryption
 
-Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
+Personal Data Encryption is a user-authenticated encryption mechanism designed to protect user's content. Personal Data Encryption uses Windows Hello for Business as its modern authentication scheme, with PIN or biometric authentication methods. The encryption keys used by Personal Data Encryption are securely stored within the Windows Hello container. When a user signs in with Windows Hello, the container is unlocked, making the keys available to decrypt the user's content.
 
-With the first release of PDE (Windows 11 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the platform release of the next Windows version, PDE for Folders will be released, this feature would require no updates to any applications and protects the contents in the Known Windows Folders from bootup till first login. This reduces the barrier for entry for customers and they'll be able to get PDE security as part of the OS.
+The initial release of Personal Data Encryption in Windows 11, version 22H2, introduced a set of public APIs that applications can adopt to safeguard content.
 
-PDE requires Microsoft Entra ID.
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*, which extends protection to the Windows folders: Documents, Pictures, and Desktop.
 
-- [Personal Data Encryption (PDE)](../operating-system-security/data-protection/personal-data-encryption/index.md)
+:::image type="content" source="images/pde.png" alt-text="Screenshot of files encrypted with Personal Data Encryption showing a padlock." border="false":::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Personal Data Encryption](../operating-system-security/data-protection/personal-data-encryption/index.md)
 
 ## Email encryption
 
-Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.
+Email encryption allows users to secure email messages and attachments so that only the intended recipients with a digital identification (ID), or certificate, can read them<sup>[\[8\]](conclusion.md#footnote8)</sup>. Users can also *digitally sign* a message, which verifies the sender's identity and ensures the message hasn't been tampered with.
 
-These encrypted messages can be sent by a user to people within their organization as well as external contacts who have proper encryption certificates.
+The new Outlook app included in Windows 11 supports various types of email encryption, including Microsoft Purview Message Encryption, S/MIME, and Information Rights Management (IRM).
 
-However, recipients using Windows 11 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If an encrypted message is sent to recipients whose encryption certificates are not available, the app will prompt you to remove these recipients before sending the email.
+When using Secure/Multipurpose Internet Mail Extensions (S/MIME), users can send encrypted messages to people within their organization and to external contacts who have the proper encryption certificates. Recipients can only read encrypted messages if they have the corresponding decryption keys. If an encrypted message is sent to recipients whose encryption certificates aren't available, Outlook asks you to remove these recipients before sending the email.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [S/MIME for message signing and encryption in Exchange Online](/exchange/security-and-compliance/smime-exo/smime-exo)
+- [Get started with the new Outlook for Windows](https://support.microsoft.com/topic/656bb8d9-5a60-49b2-a98b-ba7822bc7627)
+- [Email encryption](/purview/email-encryption)
diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md
index 5638c71bce..5be1a004aa 100644
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@@ -2,57 +2,55 @@
 title: Operating System security
 description: Windows 11 security book - Operating System security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Network security
 
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
 
 Windows 11 raises the bar for network security, offering comprehensive protection to help people work with confidence from almost anywhere. To help reduce an organization's attack
 surface, network protection in Windows prevents people from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content.
 Using reputation-based services, network protection blocks access to potentially harmful, low-reputation domains and IP addresses.
 
-New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, as well as new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall (previously called Windows Defender Firewall) platforms offer new ways to easily configure and debug software.
+New DNS and TLS protocol versions strengthen the end-to-end protections needed for applications, web services, and Zero Trust networking. File access adds an untrusted network scenario with Server Message Block over QUIC, and new encryption and signing capabilities. Wi-Fi and Bluetooth advancements also provide greater trust in connections to other devices. In addition, VPN and Windows Firewall platforms offer new ways to easily configure and debug software.
 
 In enterprise environments, network protection works best with Microsoft Defender for Endpoint, which provides detailed reporting on protection events as part of larger investigation scenarios.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [How to protect your network](/defender-endpoint/network-protection)
+- [How to protect your network][LINK-1]
 
-## Transport layer security (TLS)
+## Transport Layer Security (TLS)
 
-Transport Layer Security (TLS) is the internet's most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Windows defaults to the latest protocol versions and strong cipher suites unless policies are in effect to limit them. There are many extensions available, such as client authentication for enhanced server security and session resumption for improved application performance.
+Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one less round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 provides more privacy and lower latencies for encrypted online connections. If the client or server application on either side of the connection doesn't support TLS 1.3, the connection falls back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications.
 
-TLS 1.3 is the latest version of the protocol and is enabled by default starting with Windows 11 and Windows Server 2022. TLS 1.3 eliminates obsolete cryptographic algorithms, enhances security over older versions, and encrypts as much of the TLS handshake as possible. The handshake is more performant, with one fewer round trip per connection on average, and supports only five strong cipher suites, which provide perfect forward secrecy and reduced operational risk.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Customers using TLS 1.3 (or Windows components that support it, including HTTP.SYS, WinInet, .NET, MsQuic, and more) will get enhanced privacy and lower latencies for their encrypted online connections. Note that if either the client or server does not support TLS 1.3, Windows will fall back to TLS 1.2.
+- [TLS/SSL overview (Schannel SSP)][LINK-2]
+- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows][LINK-3]
 
-Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be disabled by default in future OS versions only. This change will come to Windows Insider Preview in September 2023. Organizations and application developers are strongly encouraged to begin to identify and remove code dependencies on TLS 1.0/1.1 if they have not done so already.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
-- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
-
-## DNS security
+## Domain Name System (DNS) security
 
 In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
-name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
+name queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
 model where no trust is placed in a network boundary, having a secure connection to a trusted name resolver is required.
 
-Windows 11 provides Group Policy as well as programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
+Windows 11 provides group policy and programmatic controls to configure DNS over HTTPS behavior. As a result, IT administrators can extend existing security to adopt new models such as Zero Trust. IT administrators can mandate DNS over HTTPS protocol, ensuring that devices that use insecure DNS will fail to connect to network resources. IT administrators also have the option not to use DNS over HTTPS or DNS over TLS for legacy deployments where network edge appliances are trusted to inspect plain-text DNS traffic. By default, Windows 11 will defer to the local administrator on which resolvers should use encrypted DNS.
 
-Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT) and the system Hosts file, as well as resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
+Support for DNS encryption integrates with existing Windows DNS configurations such as the Name Resolution Policy Table (NRPT), the system Hosts file, and resolvers specified per network adapter or network profile. The integration helps Windows 11 ensure that the benefits of greater DNS security do not regress existing DNS control mechanisms.
 
 ## Bluetooth protection
 
 The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date.
 
-IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
+IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>. You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments.
 
-## Securing Wi-Fi connections
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Policy CSP - Bluetooth][LINK-4]
+
+## Wi-Fi connections
 
 Windows Wi-Fi supports industry-standard authentication and encryption methods when connecting to Wi-Fi networks. WPA (Wi-Fi Protected Access) is a security standard defined by the Wi-Fi Alliance (WFA) to provide sophisticated data encryption and better user authentication.
 
@@ -66,30 +64,33 @@ Opportunistic Wireless Encryption (OWE), a technology that allows wireless devic
 
 5G networks use stronger encryption and better network segmentation compared to previous generations of cellular protocols. Unlike Wi-Fi, 5G access is always mutually authenticated. Access credentials are stored in an EAL4-certified eSIM that is physically embedded in the device, making it much harder for attackers to tamper with. Together, 5G and eSIM provide a strong foundation for security.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [eSIM configuration of a download server](/mem/intune/configuration/esim-device-configuration-download-server)
+- [eSIM configuration of a download server][LINK-5]
 
 ## Windows Firewall
 
-Windows Firewall with Advanced Security (previously called Windows Defender Firewall) is an important part of a layered security model. It provides host-based, two-way network traffic
+Windows Firewall is an important part of a layered security model. It provides host-based, two-way network traffic
 filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks the device is connected to.
 
-Windows Firewall in Windows 11 offers the following benefits:
+Windows Firewall offers the following benefits:
 
-- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses,
-ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
+- Reduces the risk of network security threats: Windows Firewall reduces the attack surface of a device with rules that restrict or allow traffic by many properties, such as IP addresses, ports, or program paths. This functionality increases manageability and decreases the likelihood of a successful attack
 - Safeguards sensitive data and intellectual property: By integrating with Internet Protocol Security (IPSec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data
-- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
+- Extends the value of existing investments: Because Windows Firewall is a host-based firewall that is included with the operating system, there's no extra hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API)
 
-Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior has been integrated with Packet Monitor (pktmon), an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
+Windows 11 makes the Windows Firewall easier to analyze and debug. IPSec behavior is integrated with Packet Monitor, an in-box, cross-component network diagnostic tool for Windows. Additionally, the Windows Firewall event logs are enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on third-party tools.
 
-Admins can now configure additional settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, leveraging the platform
-support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
+Admins can configure more settings through the Firewall and Firewall Rule policy templates in the Endpoint Security node in Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, using the platform support from the Firewall configuration service provider (CSP) and applying these settings to Windows endpoints.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
 
-- [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md)
+The Firewall Configuration Service Provider (CSP) in Windows now enforces an all-or-nothing approach to applying firewall rules within each atomic block. Previously, if the CSP encountered an issue with any rule in a block, it would not only stop processing that rule but also cease processing subsequent rules, potentially leaving a security gap with partially deployed rule blocks. Now, if any rule in the block cannot be successfully applied, the CSP stops processing subsequent rules and roll back all rules from that atomic block, eliminating the ambiguity of partially deployed rule blocks.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Firewall overview][LINK-6]
+- [Firewall CSP][LINK-7]
 
 ## Virtual private networks (VPN)
 
@@ -97,32 +98,42 @@ Organizations have long relied on Windows to provide reliable, secured, and mana
 protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and
 consumer VPNs, including apps for the most popular enterprise VPN gateways.
 
-In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and with one click, go to the modern Settings app for more control.
+In Windows 11, we've integrated the most commonly used VPN controls right into the Windows 11 Quick Actions pane. From the Quick Actions pane, users can verify the status of their VPN, start and stop the connection, and easily open Settings for more controls.
 
-The Windows VPN platform connects to Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune and other modern device management (MDM) providers. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
+The Windows VPN platform connects to Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup> and Conditional Access for single sign-on, including multifactor authentication (MFA) through Microsoft Entra ID. The VPN platform also supports classic domain-joined authentication. It's supported by Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> and other device management solutions. The flexible VPN profile supports both built-in protocols and custom protocols. It can configure multiple authentication methods and can be automatically started as needed or manually started by the end user. It also supports split-tunnel VPN and exclusive VPN with exceptions for trusted external sites.
 
 With Universal Windows Platform (UWP) VPN apps, end users never get stuck on an old version of their VPN client. VPN apps from the store will be automatically updated as needed. Naturally, the updates are in the control of your IT admins.
 
-The Windows VPN platform has been tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
+The Windows VPN platform is tuned and hardened for cloud-based VPN providers like Azure VPN. Features like Microsoft Entra ID authentication, Windows user interface integration, plumbing IKE traffic selectors, and server support are all built into the Windows VPN platform. The integration into the Windows VPN platform leads to a simpler IT admin experience. User authentication is more consistent, and users can easily find and control their VPN.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Windows VPN technical guide](../operating-system-security/network-security/vpn/vpn-guide.md)
+- [Windows VPN technical guide][LINK-8]
 
 ## Server Message Block file services
 
-Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes. In Windows 11, the SMB protocol has significant security updates to meet today's threats, including AES-256 encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and an entirely new scenario, SMB over QUIC for untrusted networks.
+Server Message Block (SMB) and file services are the most common Windows workloads in the commercial and public sector ecosystem. Users and applications rely on SMB to access the files that run organizations of all sizes.
 
-SMB encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of this more advanced security or continue to use the more compatible and still-safe AES-128 encryption.
+Windows 11 introduced significant security updates to meet today's threats, including AES-256 SMB encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks.
 
-In Windows 11 Enterprise, Education, Pro, and Pro Workstation, SMB Direct now supports encryption. For demanding workloads like video rendering, data science, or extremely large files, you can now operate with the same safety as traditional Transmission Control Protocol (TCP) and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now, data is encrypted before placement, leading to relatively minor performance degradation while adding packet privacy with AES-128 and AES-256 protection.
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
 
-Windows 11 also introduces AES-128-GMAC for SMB signing. Windows will automatically negotiate this better-performing cipher method when connecting to another computer that supports it. Signing prevents common attacks like relay and spoofing, and it is required by default when clients communicate with Active Directory domain controllers.
+New security options include mandatory SMB signing by default, NTLM blocking, authentication rate limiting, and several other enhancements.
 
-Finally, Windows 11 introduces SMB over QUIC, an alternative to the TCP network transport that provides secure, reliable connectivity to edge file servers over untrusted networks like the internet, as well as highly secure communications on internal networks. QUIC is an Internet Engineering Task Force (IETF)-standardized protocol with many benefits when compared with TCP, but most importantly, it always requires TLS 1.3 and encryption. SMB over QUIC offers an SMB VPN for telecommuters, mobile device users, and high-security organizations. All SMB traffic, including authentication and authorization within the tunnel, is never exposed to the underlying network. SMB behaves normally within the QUIC tunnel, meaning the user experience doesn't change. SMB over QUIC will be a game-changing feature for Windows 11 accessing Windows file servers and eventually Azure Files and third parties.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Newly installed Windows 11 Home editions that contain the February 2023 cumulative update no longer install the SMB 1.0 client by default, meaning the Home edition now operates like all other editions of Windows 11. SMB 1.0 is an unsafe and deprecated protocol that Microsoft superseded by later versions of SMB starting with Windows Vista. Microsoft began uninstalling SMB 1.0 by  default in certain Windows 10 editions in 2017. No versions of Windows 11 now install SMB 1.0 by default.
+- [Server Message Block (SMB) protocol changes in Windows 11, version 24H2][LINK-9]
+- [File sharing using the SMB 3 protocol][LINK-10]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+<!--links-->
 
-- [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview)
+[LINK-1]: /defender-endpoint/network-protection
+[LINK-2]: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
+[LINK-3]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/3887947
+[LINK-4]: /windows/client-management/mdm/policy-csp-bluetooth
+[LINK-5]: /mem/intune/configuration/esim-device-configuration-download-server
+[LINK-6]: /windows/security/operating-system-security/network-security/windows-firewall
+[LINK-7]: /windows/client-management/mdm/firewall-csp
+[LINK-8]: /windows/security/operating-system-security/network-security/vpn/vpn-guide
+[LINK-9]: /windows/whats-new/whats-new-windows-11-version-24h2#server-message-block-smb-protocol-changes
+[LINK-10]: /windows-server/storage/file-server/file-server-smb-overview
\ No newline at end of file
diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md
index a3d5e5e95b..649ebdbe4b 100644
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@@ -2,12 +2,12 @@
 title: Operating System security
 description: Windows 11 security book - Operating System security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # System security
 
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
 
 ## Trusted Boot (Secure Boot + Measured Boot)
 
@@ -15,23 +15,22 @@ Windows 11 requires all PCs to use Unified Extensible Firmware Interface (UEFI)'
 
 Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
 
-To reduce the risk of firmware rootkits, the PC verifies that firmware is digitally signed as it begins the boot process. Then Secure Boot checks the OS bootloader's digital signature as well as all code that runs prior to the operating system starting to ensure the signature and code are uncompromised and trusted by the Secure Boot policy.
+To mitigate the risk of firmware rootkits, the PC verifies the digital signature of the firmware at the start of the boot process. Secure Boot then checks the digital signature of the OS bootloader and all code that runs before the operating system starts, ensuring that the signature and code are uncompromised and trusted according to the Secure Boot policy.
 
 Trusted Boot picks up the process that begins with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and any anti-malware product's early-launch anti-malware (ELAM) driver. If any of these files have been tampered with, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
 
-Tampering or malware attacks on the Windows boot sequence are blocked by the signature enforcement handshakes between the UEFI, bootloader, kernel, and application environments.
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-For more information about these features and how they help prevent rootkits and bootkits from loading during the startup process, see [Secure the Windows boot process](../operating-system-security/system-security/secure-the-windows-10-boot-process.md)
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Secure Boot and Trusted Boot](../operating-system-security/system-security/trusted-boot.md)
+- [Secure the Windows boot process][LINK-1]
+- [Secure Boot and Trusted Boot][LINK-2]
 
 ## Cryptography
 
 Cryptography is designed to protect user and system data. The cryptography stack in Windows 11 extends from the chip to the cloud, enabling Windows, applications, and services to protect system and user secrets. For example, data can be encrypted so that only a specific reader with a unique key can read it. As a basis for data security, cryptography helps prevent anyone except the intended recipient from reading data, performs integrity checks to ensure data is free of tampering, and authenticates identity to ensure that communication is secure. Windows 11 cryptography is certified to meet the Federal Information Processing Standard (FIPS) 140. FIPS 140 certification ensures that US government-approved algorithms are correctly implemented.
 
-Learn more: FIPS 140 validation
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- FIPS 140 validation
 
 Windows cryptographic modules provide low-level primitives such as:
 
@@ -43,7 +42,9 @@ Windows cryptographic modules provide low-level primitives such as:
 
 Application developers can use these cryptographic modules to perform low-level cryptographic operations (Bcrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
 
-Learn more: Cryptography and certificate management
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- Cryptography and certificate management
 
 Developers can access the modules on Windows through the Cryptography Next Generation API (CNG), which is powered by Microsoft's open-source cryptographic library, SymCrypt. SymCrypt supports complete transparency through its open-source code. In addition, SymCrypt offers performance optimization for cryptographic operations by taking advantage of assembly and hardware acceleration when available.
 
@@ -52,30 +53,30 @@ exchange, opportunities to engage with technical content about Microsoft's produ
 
 ## Certificates
 
-To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or MMC snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and
-certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust have not been revoked or compromised. The CTLs and CRLs on the machine are used as a reference for PKI trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices will be updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Additionally, enterprise certificate pinning can be used to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificate authorities. Any web application triggering a name mismatch will start event logging and prevent user access from Microsoft Edge.
+To help safeguard and authenticate information, Windows provides comprehensive support for certificates and certificate management. The built-in certificate management command-line utility (certmgr.exe) or Microsoft Management Console (MMC) snap-in (certmgr.msc) can be used to view and manage certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs). Whenever a certificate is used in Windows, we validate that the leaf certificate and all the certificates in its chain of trust haven't been revoked or compromised. The trusted root and intermediate certificates and publicly revoked certificates on the machine are used as a reference for Public Key Infrastructure (PKI) trust and are updated monthly by the Microsoft Trusted Root program. If a trusted certificate or root is revoked, all global devices are updated, meaning users can trust that Windows will automatically protect against vulnerabilities in public key infrastructure. For cloud and enterprise deployments, Windows also offers users the ability to autoenroll and renew certificates in Active Directory with group policy to reduce the risk of potential outages due to certificate expiration or misconfiguration.
 
 ## Code signing and integrity
 
 To ensure that Windows files haven't been tampered with, the Windows Code Integrity process verifies the signature of each file in Windows. Code signing is core to establishing the integrity of firmware, drivers, and software across the Windows platform. Code signing creates a digital signature by encrypting the hash of the file with the private key portion of a code-signing certificate and embedding the signature into the file. The Windows code integrity process verifies the signed file by decrypting the signature to check the integrity of the file and confirm that it is from a reputable publisher, ensuring that the file hasn't been tampered with.
 
-The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the Windows Hardware Compatibility Program (WHCP). This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
+The digital signature is evaluated across the Windows environment on Windows boot code, Windows kernel code, and Windows user mode applications. Secure Boot and Code Integrity verify the signature on bootloaders, Option ROMs, and other boot components to ensure that it's trusted and from a reputable publisher. For drivers not published by Microsoft, Kernel Code Integrity verifies the signature on kernel drivers and requires that drivers be signed by Windows or certified by the [Windows Hardware Compatibility Program (WHCP)][LINK-3]. This program ensures that third-party drivers are compatible with various hardware and Windows and that the drivers are from vetted driver developers.
 
-## Device health attestation
+## Device Health Attestation
 
-The Windows device health attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These
-determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a modern device management (MDM) tool like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> reviews device health and connects this information with Microsoft Entra ID<sup>[\[9\]](conclusion.md#footnote9)</sup> for conditional access.
+The Windows Device Health Attestation process supports a Zero Trust paradigm that shifts the focus from static, network-based perimeters to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. These determinations are made with data stored in the TPM, which provides a secure root-of-trust. The information is sent to an attestation service such as Azure Attestation to verify that the device is in a trusted state. Then a cloud-native device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup> reviews device health and connects this information with Microsoft Entra ID<sup>[\[4\]](conclusion.md#footnote4)</sup> for conditional access.
 
-Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your antimalware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
+Windows includes many security features to help protect users from malware and attacks. However, security components are trustworthy only if the platform boots as expected and isn't tampered with. As noted above, Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, ELAM, DRTM, Trusted Boot, and other low-level hardware and firmware security features to protect your PC from attacks. From the moment you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configurations that help keep you safe. Measured Boot, implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to the TPM, that functions as a hardware root-of-trust. Remote attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper-resilient report. Remote attestation is the trusted auditor of your system's boot, allowing reliant parties to bind trust to the device and its security.
 
 A summary of the steps involved in attestation and Zero-Trust on a Windows device are as follows:
 
 - During each step of the boot process - such as a file load, update of special variables, and more - information such as file hashes and signature(s) are measured in the TPM Platform Configuration Register (PCRs). The measurements are bound by a Trusted Computing Group specification that dictates which events can be recorded and the format of each event. The data provides important information about device security from the moment it powers on
-- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Microsoft Azure Attestation Service
+- Once Windows has booted, the attestor (or verifier) requests the TPM get the measurements stored in its PCRs alongside the Measured Boot log. Together, these form the attestation evidence that's sent to the Azure Attestation service
 - The TPM is verified by using the keys or cryptographic material available on the chipset with an Azure Certificate Service
 - The above information is sent to the Azure Attestation Service to verify that the device is in a trusted state.
 
-Learn more: Control the health of Windows devices
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Control the health of Windows devices][LINK-4]
 
 ## Windows security policy settings and auditing
 
@@ -86,7 +87,7 @@ Security policy settings are a critical part of your overall security strategy.
 - Whether to record a user or group's actions in the event log
 - Membership in a group
 
-Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization.
+Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies.
 
 All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy:
 
@@ -96,34 +97,93 @@ All auditing categories are disabled when Windows is first installed. Before ena
 1. Test these settings to validate your choices.
 1. Develop plans for deploying and managing your audit policy.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
-- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
+- [Security policy settings][LINK-5]
+- [Security auditing][LINK-6]
 
-## Assigned Access
+## Windows Security
 
-With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
+:::row:::
+    :::column span="2":::
+        Visibility and awareness of device security and health are key to any action taken. The Windows Security app provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+    :::column-end:::
+    :::column span="2":::
+:::image type="content" source="images/windows-security.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/windows-security.png" :::
+    :::column-end:::
+:::row-end:::
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Stay protected with Windows Security][LINK-7]
+- [Windows Security][LINK-8]
+
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Config Refresh
+
+With traditional group policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT.
+
+By contrast, with a device management solution like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy.
+
+Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with group policy and are now set through Mobile Device Management (MDM) protocols.
+
+Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Config Refresh][LINK-9]
+
+## Kiosk mode
+
+:::row:::
+    :::column span="2":::
+        Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
+    :::column-end:::
+    :::column span="2":::
+:::image type="content" source="images/kiosk.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/kiosk.png" :::
+    :::column-end:::
+:::row-end:::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
 - [Windows kiosks and restricted user experiences](/windows/configuration/assigned-access)
 
-## Config Refresh
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Windows protected print
 
-With traditional Group Policy, policies were refreshed on a PC when a user signed in and every 90 minutes by default. Administrators could adjust that timing to be shorter to ensure that the PC's policies were compliant with the management settings set by IT.
+Windows protected print is built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing devices to exclusively print using the Windows modern print stack.
 
-By contrast, with an MDM solution like Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>, policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy.
+The benefits of Windows protected print include:
 
-Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It is configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through MDM.
+- Increased PC security
+- Simplified and consistent printing experience, regardless of PC architecture
+- Removes the need to manage print drivers
 
-Config Refresh can also be *paused* for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a PC for troubleshooting purposes. It can also be resumed at any time by an administrator.
+Windows protected print is designed to work with Mopria certified printers only. Many existing printers are already compatible.
 
-## Windows security settings
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Visibility and awareness of device security and health are key to any action taken. The Windows built-in security settings provide an at-a-glance view of the security status and health of your device. These insights help you identify issues and act to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
+- [Windows protected print][LINK-10]
+- [New, modern, and secure print experience from Windows][LINK-11]
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+## :::image type="icon" source="images/new-button-title.svg" border="false"::: Rust for Windows
 
-- [Windows security settings](https://support.microsoft.com/windows/stay-protected-with-windows-security-2ae0363d-0ada-c064-8b56-6a39afb6a963)
-- [Windows Security](../operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md)
+Rust is a modern programming language known for its focus on safety, performance, and concurrency. It was designed to prevent common programming errors such as null pointer dereferencing and buffer overflows, which can lead to security vulnerabilities and crashes. Rust achieves this through its unique ownership system, which ensures memory safety without needing a garbage collector.
+We're expanding the integration of Rust into the Windows kernel to enhance the safety and reliability of Windows' codebase. This strategic move underscores our commitment to adopting modern technologies to improve the quality and security of Windows.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Rust for Windows, and the windows crate][LINK-12]
+
+<!--links-->
+
+[LINK-1]: /windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process
+[LINK-2]: /windows/security/operating-system-security/system-security/trusted-boot
+[LINK-3]: /windows-hardware/design/compatibility/
+[LINK-4]: /windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices
+[LINK-5]: /windows/security/threat-protection/security-policy-settings/security-policy-settings
+[LINK-6]: /windows/security/threat-protection/auditing/security-auditing-overview
+[LINK-7]: https://support.microsoft.com/topic/2ae0363d-0ada-c064-8b56-6a39afb6a963
+[LINK-8]:  /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
+[LINK-9]: https://techcommunity.microsoft.com/blog/windows-itpro-blog/intro-to-config-refresh-%e2%80%93-a-refreshingly-new-mdm-feature/4176921
+[LINK-10]: /windows-hardware/drivers/print/modern-print-platform
+[LINK-11]: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645
+[LINK-12]: /windows/dev-environment/rust/rust-for-windows
diff --git a/windows/security/book/operating-system-security-virus-and-threat-protection.md b/windows/security/book/operating-system-security-virus-and-threat-protection.md
index c5873bd86f..44eb24d2c9 100644
--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@@ -2,12 +2,12 @@
 title: Operating System security
 description: Windows 11 security book - Operating System security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Virus and threat protection
 
-:::image type="content" source="images/operating-system.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+:::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
 
 Today's threat landscape is more complex than ever. This new world requires a new approach to threat prevention, detection, and response. Microsoft Defender Antivirus, along with many other features that are built into Windows 11, is at the frontlines, protecting customers against current and emerging threats.
 
@@ -25,29 +25,59 @@ SmartScreen also determines whether a downloaded app or app installer is potenti
 - Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen warns that the file might be malicious
 - Checking downloaded files against a list of well-known files. If the file is of a dangerous type and not well-known, SmartScreen displays a caution alert
 
-With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they are entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup>. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
+With enhanced phishing protection in Windows 11, SmartScreen also alerts people when they're entering their Microsoft credentials into a potentially risky location, regardless of which application or browser is used. IT can customize which notifications appear through Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>. This protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement.
 
 Because Windows 11 comes with these enhancements already built in and enabled, users have extra security from the moment they turn on their device.
 
-The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview).
+The app and browser control section contains information and settings for Microsoft Defender SmartScreen. IT administrators and IT pros can get configuration guidance in the [Microsoft Defender SmartScreen documentation library](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/).
+
+## Network protection
+
+While Microsoft Defender Smartscreen works with Microsoft Edge, for third-party browsers and processes, Windows 11 has Network protection that protects against phishing scams, malware websites, and the downloading of potentially malicious files.
+
+When using Network Protection with Microsoft Defender for Endpoint, you'll be able to use Indicators of Compromise to block specific URL's and/or ip addresses.
+Also integrates with Microsoft Defender for Cloud Apps to block unsactioned web apps in your organization.  Allow or block access to websites based on category with Microsoft Defender for Endpoint's Web Content Filtering.
+
+[Network Protection library](/defender-endpoint/network-protection)
+[Web protection library](/defender-endpoint/web-protection-overview)
+
+## Tamper protection
+
+Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
+
+With tamper protection, malware is prevented from taking actions such as:
+
+- Disabling real-time protection
+- Turning off behavior monitoring
+- Disabling antivirus protection, such as Scan all downloaded files and attachments (IOfficeAntivirus (IOAV))
+- Disabling cloud-delivered protection
+- Removing security intelligence updates
+- Disabling automatic actions on detected threats
+- Disabling archived files
+- Altering exclusions
+- Disabling notifications in the Windows Security app
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Tamper protection](/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
 
 ## Microsoft Defender Antivirus
 
-Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
+Microsoft Defender Antivirus is a next-generation protection solution included in all versions of Windows 10 and Windows 11. From the moment you turn on Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. In addition to real-time protection, updates are downloaded automatically to help keep your device safe and protect it from threats. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus turns off automatically. If you uninstall the other app, Microsoft Defender Antivirus turns back on.
 
-Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but are not considered malware.
+Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection. This combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA), applications deemed to negatively impact your device but aren't considered malware.
 
-Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies provides award-winning protection at home and at work.
+Microsoft Defender Antivirus always-on protection is integrated with cloud-delivered protection, which helps ensure near-instant detection and blocking of new and emerging threats. This combination of local and cloud-delivered technologies including advanced memory scanning, behavior monitoring, and machine learning, provides award-winning protection at home and at work.
 
 :::image type="content" source="images/defender-antivirus.png" alt-text="Diagram of the Microsoft Defender Antivirus components." border="false":::
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Next-generation protection with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).
+- [Microsoft Defender Antivirus in Windows Overview](/defender-endpoint/microsoft-defender-antivirus-windows).
 
-## Attack surface reduction
+## Attack surface reduction rules
 
-Attack surface reduction rules help prevent software behaviors that are often abused to compromise devices and networks. By reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
+Attack surface reduction rules help prevent actions and applications or scripts that are often abused to compromise devices and networks. By controlling when and how executables and/or script can run, thereby reducing the attack surface, you can reduce the overall vulnerability of your organization. Administrators can configure specific attack surface reduction rules to help block certain behaviors, such as:
 
 - Launching executable files and scripts that attempt to download or run files
 - Running obfuscated or otherwise suspicious scripts
@@ -58,69 +88,32 @@ For example, an attacker might try to run an unsigned script from a USB drive or
 For Microsoft Edge and reducing the attack surface across applications, folders, device,
 network, and firewall.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)
-
-## Tamper protection
-
-Attacks like ransomware attempt to disable security features, such as anti-virus protection. Bad actors like to disable security features to get easier access to user's data, to install malware, or otherwise exploit user's data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
-
-With tamper protection, malware is prevented from taking actions such as:
-
-- Disabling real-time protection
-- Turning off behavior monitoring
-- Disabling antivirus, such as IOfficeAntivirus (IOAV)
-- Disabling cloud-delivered protection
-- Removing security intelligence updates
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)
-
-## Exploit protection
-
-Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint<sup>[\[9\]](conclusion.md#footnote9)</sup>, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device and then use Group Policy in Active Directory or Microsoft Intune<sup>[\[9\]](conclusion.md#footnote9)</sup> to distribute the configuration XML file to multiple devices simultaneously.
-
-When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
-
-You can use audit mode to evaluate how exploit protection would impact your organization if it were enabled.
-
-Windows 11 provides configuration options for exploit protection. You can prevent users from modifying these specific options with Group Policy.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Protecting devices from exploits](/microsoft-365/security/defender-endpoint/enable-exploit-protection)
+- [Attack surface reduction](/defender-endpoint/overview-attack-surface-reduction)
 
 ## Controlled folder access
 
 You can protect your valuable information in specific folders by managing app access to them. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, and downloads, are included in the list of controlled folders.
 
-Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the trusted list are prevented from making any changes to files inside protected folders.
+Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders.
 
 Controlled folder access helps protect user's valuable data from malicious apps and threats such as ransomware.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)
+- [Controlled folder access](/defender-endpoint/controlled-folders)
 
-## Microsoft Defender for Endpoint
+## Exploit Protection
 
-Microsoft Defender for Endpoint<sup>[\[9\]](conclusion.md#footnote9)</sup> is an enterprise endpoint detection and response solution that helps security teams detect, investigate, and respond to advanced threats.
+Exploit Protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit Protection works best with Microsoft Defender for Endpoint<sup>[\[4\]](conclusion.md#footnote4)</sup>, which gives organizations detailed reporting into Exploit Protection events and blocks as part of typical alert investigation scenarios. You can enable Exploit Protection on an individual device and then use policy settings to distribute the configuration XML file to multiple devices simultaneously.
 
-Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents:
+When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
 
-- Endpoint behavioral sensors: Embedded in Windows, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Microsoft Defender for Endpoint
-- Cloud security analytics: Behavioral signals are translated into insights, detections, and recommended responses to advanced threats. These analytics leverage big data, device learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products such as Microsoft 365<sup>[\[9\]](conclusion.md#footnote9)</sup>, and online assets
-- Threat intelligence: Microsoft processes over 43 trillion security signals every 24 hours, yielding a deep and broad view into the evolving threat landscape. Combined with our global team of security experts and cutting-edge artificial intelligence and machine learning, we can see threats that others miss. This threat intelligence helps provide unparalleled protection for our customers. The protections built into our platforms and products blocked
-attacks that include 31 billion identity threats and 32 billion email threats
-- Rich response capabilities: Defender for Endpoint empowers SecOps teams to isolate, remediate, and remote into machines to further investigate and stop active threats in their environment, as well as block files, network destinations, and create alerts for them. In addition, Automated Investigation and Remediation can help reduce the load on the SOC by automatically performing otherwise manual steps towards remediation and providing
-detailed investigation outcomes
+You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP).
 
-Defender for Endpoint is also part of Microsoft 365 Defender, our end-to-end, cloud-native extended detection and response (XDR) solution that combines best-of-breed endpoint, email, and identity security products. It enables organizations to prevent, detect, investigate, and remediate attacks by delivering deep visibility, granular context, and actionable insights generated from raw signals harnessed across the Microsoft 365 environment and other
-platforms, all synthesized into a single dashboard. This solution offers tremendous value to organizations of any size, especially those that are looking to break away from the added complexity of multiple point solutions, keeping them protected from sophisticated attacks and saving IT and security teams' time and resources.
+Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-- [Microsoft Defender for Endpoint](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)
+- [Protecting devices from exploits](/defender-endpoint/enable-exploit-protection)
\ No newline at end of file
diff --git a/windows/security/book/operating-system-security.md b/windows/security/book/operating-system-security.md
index f5bf82d057..cd1f79d3e9 100644
--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@@ -2,13 +2,15 @@
 title: Operating System security
 description: Windows 11 security book - Operating System security chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Operating System security
 
 :::image type="content" source="images/operating-system-security-cover.png" alt-text="Cover of the operating system security chapter." border="false":::
 
-:::image type="content" source="images/operating-system-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/operating-system.png" border="false":::
+Operating systems face an onslaught of security threats, from malware and exploits to unauthorized access and privilege escalation. Windows 11 is the most secure Windows yet, with strong operating system safeguards to help keep devices, identities, and data safe.
 
-Windows 11 is the most secure Windows yet with extensive security measures in the operating system designed to help keep devices, identities, and information safe. These measures include built-in advanced encryption and data protection, robust network system security, and intelligent safeguards against ever-evolving viruses and threats.
+Defenses include a trusted boot process, layers of encryption, network security, and virus and threat protection. These comprehensive security features ensure that Windows 11 provides robust protection against modern cyber threats.
+
+:::image type="content" source="images/operating-system-on.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::
diff --git a/windows/security/book/privacy-controls.md b/windows/security/book/privacy-controls.md
index 01caad195d..21377d5d8a 100644
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@@ -2,16 +2,19 @@
 title: Privacy
 description: Windows 11 security book - Privacy chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Privacy controls
 
-:::image type="content" source="images/privacy.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+## Microsoft Privacy Dashboard
 
-## Privacy dashboard and report
+Customers can use the Microsoft Privacy Dashboard to view, export, and delete their information, giving them further transparency and control. They can also use the Microsoft Privacy Report to learn more about Windows data collection and how to manage it. For organizations, we provide a guide for Windows Privacy Compliance that includes more details on the available controls and transparency.
 
-Customers can use the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy) to view, export, and delete their information, giving them further transparency and control. They can also use the [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report) to learn more about Windows data collection and how to manage it. For enterprises we provide a guide for Windows Privacy Compliance that includes additional details on the available controls and transparency.
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Microsoft Privacy Dashboard](https://account.microsoft.com/privacy)
+- [Microsoft Privacy Report](https://privacy.microsoft.com/privacy-report)
 
 ## Privacy transparency and controls
 
@@ -19,7 +22,7 @@ Prominent system tray icons show users when resources and apps like microphones
 
 ## Privacy resource usage
 
-Every Microsoft customer should be able to use our products secure in the knowledge that we will protect their privacy and give them the information and tools they need to easily make privacy decisions with confidence. Accessed in Settings, the new app usage history feature gives users a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
+Every Microsoft customer should be able to use our products secure in the knowledge that we protect their privacy, and give them the information and tools they need to easily make privacy decisions with confidence. From Settings, the app usage history feature provides users with a seven-day history of resource access for Location, Camera, Microphone, Phone Calls, Messaging, Contacts, Pictures, Videos, Music library, Screenshots, and other apps.
 
 This information helps you determine if an app is behaving as expected so that you can change the app's access to resources as desired.
 
@@ -27,6 +30,6 @@ This information helps you determine if an app is behaving as expected so that y
 
 The Windows diagnostic data processor configuration enables the user to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that meet the configuration requirements.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
 - [Windows diagnostic data processor configuration](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
diff --git a/windows/security/book/privacy.md b/windows/security/book/privacy.md
index 19cae8027a..ef5c623ebb 100644
--- a/windows/security/book/privacy.md
+++ b/windows/security/book/privacy.md
@@ -2,15 +2,13 @@
 title: Privacy
 description: Windows 11 security book - Privacy chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Privacy
 
 :::image type="content" source="images/privacy-cover.png" alt-text="Cover of the privacy chapter." border="false":::
 
-:::image type="content" source="images/privacy-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/privacy.png" border="false":::
+Privacy is an important priority for individuals and organizations, and the rise of AI is bringing it into even sharper focus. Windows provides privacy controls that can be easily accessed in the Settings app or desktop system tray for speech, location, calendar, microphone, call history, and more. Users can also find more information and manage privacy settings for Microsoft apps and services by signing into their [account dashboard](https://privacy.microsoft.com/).
 
-[Privacy: Your data, powering your experiences, controlled by you](https://privacy.microsoft.com/).
-
-Privacy is becoming top of mind for customers, who want to know who is using their data and why. They also need to know how to control and manage the data that is being collected - so providing transparency and control over this personal data is essential. At Microsoft we are focused on protecting the privacy and confidentiality of your data and will only use it in a way that is consistent with your expectations.
+:::image type="content" source="images/privacy-on.png" alt-text="Diagram containing a list of security features." lightbox="images/privacy.png" border="false":::
diff --git a/windows/security/book/security-foundation-certification.md b/windows/security/book/security-foundation-certification.md
index fe9fa899fc..d83dfb1231 100644
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@@ -2,18 +2,22 @@
 title: Security foundation
 description: Windows 11 security book - Security foundation chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Certification
 
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
 
 Microsoft is committed to supporting product security standards and certifications, including FIPS 140 and Common Criteria, as an external validation of security assurance.
 
 ## Federal Information Processing Standard (FIPS)
 
-The Federal Information Processing Standard (FIPS) Publication 140 is a US government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that specifies the minimum security requirements for cryptographic modules in IT products. Microsoft is dedicated to adhering to the requirements in the FIPS 140 standard, consistently validating its cryptographic modules against FIPS 140 since the standard's inception. Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows FIPS 140 validation][LINK-1]
 
 ## Common Criteria (CC)
 
@@ -21,4 +25,11 @@ Common Criteria (CC) is an international standard currently maintained by nation
 
 Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products.
 
-Microsoft publishes the list of FIPS 140 and Common Criteria certified products at [Federal](/windows/security/security-foundations/certification/fips-140-validation) [Information Processing Standard (FIPS)](/windows/security/security-foundations/certification/fips-140-validation) 140 Validation and [Common Criteria Certifications.](/windows/security/threat-protection/windows-platform-common-criteria)
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Common Criteria certifications][LINK-2]
+
+<!--links-->
+
+[LINK-1]: /windows/security/security-foundations/certification/fips-140-validation
+[LINK-2]: /windows/security/threat-protection/windows-platform-common-criteria
\ No newline at end of file
diff --git a/windows/security/book/security-foundation-offensive-research.md b/windows/security/book/security-foundation-offensive-research.md
index 965ecba6c0..4a1fdf3bbf 100644
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@@ -2,12 +2,27 @@
 title: Security foundation
 description: Windows 11 security book - Security foundation chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
-# Offensive research
+# Secure Future Initiative and offensive research
 
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+
+## Secure Future Initiative (SFI)
+
+Launched in November 2023, the Microsoft Secure Future Initiative (SFI) is a multiyear commitment dedicated to advancing the way we design, build, test, and operate our technology. Our goal is to ensure that our solutions meet the highest possible standards for security.
+
+The increasing scale and high stakes of cyberattacks prompted the launch of SFI. This program brings together every part of Microsoft to enhance cybersecurity protection across our company and products. We carefully considered our internal observations and feedback from customers, governments, and partners to identify the greatest opportunities to impact the future of security.
+
+To maintain accountability and keep our customers, partners, and the security community informed, Microsoft provides regular updates on the progress of SFI.
+
+:::image type="content" source="images/sfi.png" alt-text="Diagram of the SFI initiative." lightbox="images/sfi.png" border="false":::
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Microsoft Secure Future Initiative][LINK-6]
+- [September 2024 progress update on SFI][LINK-5]
 
 ## Microsoft Security Development Lifecycle (SDL)
 
@@ -15,28 +30,35 @@ The Microsoft Security Development Lifecycle (SDL) introduces security best prac
 
 ## OneFuzz service
 
-A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.
-
-Microsoft is dedicated to working with the community and our customers to continuously improve and tune our platform and products to help defend against the dynamic and sophisticated threat landscape. Project OneFuzz - an extensible fuzz testing framework used by Microsoft Edge, Windows, and teams across Microsoft - is now available to developers around the world through GitHub as an open-source tool.
-
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
-
-- [Project OneFuzz framework, an open source developer tool to find and fix bugs at scale](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)
-- [OneFuzz on GitHub](https://github.com/microsoft/onefuzz)
+A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code is released.
 
 ## Microsoft Offensive Research and Security Engineering
 
-[Microsoft Offensive Research and Security Engineering](https://github.com/microsoft/WindowsAppSDK-Samples?msclkid=1a6280c6c73d11ecab82868efae04e5c) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
+Microsoft Offensive Research and Security Engineering (MORSE) performs targeted design reviews, audits, and deep penetration testing of Windows features using Microsoft's open-source OneFuzz platform as part of their development and testing cycle.
 
-## Windows Insider and Bug Bounty program
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
+- [MORSE security team takes proactive approach to finding bugs][LINK-1]
+- [MORSE Blog][LINK-2]
 
-The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
+## Windows Insider and Microsoft Bug Bounty Programs
 
-Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quick fix the issues before releasing our final Windows.
+As part of our secure development process, the Windows Insider Preview Program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel.
 
-:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
+The goal of the Windows Insider Preview Program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.
 
-- [Windows Insider Program](/windows-insider/get-started)
-- [Microsoft bounty programs](https://www.microsoft.com/msrc/bounty)
+Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities and quickly fix the issues before releasing our final Windows.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows Insider Program][LINK-3]
+- [Microsoft Bug Bounty Programs][LINK-4]
+
+<!--links-->
+
+[LINK-1]: https://news.microsoft.com/source/features/innovation/morse-microsoft-offensive-research-security-engineering
+[LINK-2]: https://www.microsoft.com/security/blog/author/microsoft-offensive-research-security-engineering-team
+[LINK-3]: /windows-insider/get-started
+[LINK-4]: https://www.microsoft.com/msrc/bounty
+[LINK-5]: https://www.microsoft.com/security/blog/2024/09/23/securing-our-future-september-2024-progress-update-on-microsofts-secure-future-initiative-sfi/
+[LINK-6]: https://www.microsoft.com/trust-center/security/secure-future-initiative
diff --git a/windows/security/book/security-foundation-secure-supply-chain.md b/windows/security/book/security-foundation-secure-supply-chain.md
index ee2f6ef548..9cfdaec1f9 100644
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@@ -2,21 +2,21 @@
 title: Secure supply chain
 description: Windows 11 security book - Security foundation chapter - Secure supply chain.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Secure supply chain
 
-:::image type="content" source="images/security-foundation.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
 
-The end-to-end Windows 11 supply chain is complex, extending from the entire development process to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, as well as the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain.
+The end-to-end Windows 11 supply chain is complex. It extends from the entire development process, to components such as chips, firmware, drivers, operating system, and apps from other organizations, manufacturing, and security updates. Microsoft invests significantly in Windows 11 supply chain security, and the security of features and components. In 2021, the United States issued an executive order on enhancing the nation's cybersecurity. The executive order, along with various attacks like SolarWinds and WannaCry, elevated the urgency and importance of ensuring a secure supply chain.
 
 Microsoft requires the Windows 11 supply chain to comply with controls including:
 
 - Identity management and user access control
   - Access control
   - Principles of least privilege
-  - RBAC
+  - Role-based access control (role-based access control)
   - Segregation of duties
   - MFAs
   - Account management
@@ -42,7 +42,7 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
   - Manufacturing security
   - Physical security monitoring
 - Supplier security control
-  - SSPA
+  - Supplier Security and Privacy Assurance (SSPA)
   - Supplier screening
   - Supplier inventory
 - Logistics security control
@@ -53,14 +53,22 @@ Microsoft requires the Windows 11 supply chain to comply with controls including
 
 ## Software bill of materials (SBOM)
 
-In addition to following the above supply chain security controls, SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers.
+In the Windows ecosystem, ensuring the integrity and authenticity of software components is paramount. To achieve this, we utilize Software Bill of Materials (SBOMs) and COSE (CBOR Object Signing and Encryption) sign all evidence. SBOMs provide a comprehensive inventory of software components, including their dependencies and associated metadata. Transparency is crucial for vulnerability management and compliance with security standards.
 
-Code-signing software is the best way to guarantee application integrity and authenticity and helps users distinguish between trusted applications and malware before downloading or installing. Code signing proprietary applications and software from other organizations greatly reduces the complexity of creating and managing application control policies. Code signing enables the creation and deployment of certificate chain-based application control policies, which can then be cryptographically enforced.
+The COSE signing process enhances the trustworthiness of SBOMs by providing cryptographic signatures that verify the integrity and authenticity of the SBOM content. The CoseSignTool, a platform-agnostic command line application, is employed to apply and verify these digital signatures. This tool ensures that all SBOMs and other build evidence are signed and validated, maintaining a high level of security within the software supply chain.
 
-Traditionally, code signing has been a difficult undertaking due to the complexities involved in obtaining certificates, securely managing those certificates, and integrating a proper signing process into the development and continuous integration and continuous deployment (CI/CD) pipelines.
+By integrating SBOMs and COSE signing evidence, we offer stakeholders visibility into the components they use, ensuring that all software artifacts are trustworthy and secure. This approach aligns with our commitment to end-to-end supply chain security, providing a robust framework for managing and verifying software components across the Windows ecosystem.
 
-## Windows App software development kit (SDK)
+[!INCLUDE [learn-more](includes/learn-more.md)]
 
-Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows App SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+- [SBOM tool](https://github.com/microsoft/sbom-tool)
+- [Code Sign Tool](https://github.com/microsoft/CoseSignTool)
 
-If you are a developer, you can find security best practices and information at [Windows application development - best practices](/windows/security/threat-protection/windows-platform-common-criteria#security-and-privacy). You can get started with [Windows App SDK samples on GitHub](/windows/security/threat-protection/fips-140-validation#windows-app-sdk-samples). For an example of the continuous security process in action with the Windows App SDK, see the [most recent release](https://insider.windows.com/#version-11).
+## Windows Software Development Kit (SDK)
+
+Developers can design highly secure applications that benefit from the latest Windows 11 safeguards using the Windows SDK. The SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows 11 and Windows 10. To help create apps that are up to date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.
+
+[!INCLUDE [learn-more](includes/learn-more.md)]
+
+- [Windows application development - best practices](/windows/apps/get-started/best-practices)
+- [Windows SDK samples on GitHub](https://github.com/microsoft/WindowsAppSDK-Samples)
\ No newline at end of file
diff --git a/windows/security/book/security-foundation.md b/windows/security/book/security-foundation.md
index f0fb340c8a..2a370ff6d5 100644
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@@ -2,17 +2,13 @@
 title: Security foundation
 description: Windows 11 security book - Security foundation chapter.
 ms.topic: overview
-ms.date: 04/09/2024
+ms.date: 11/18/2024
 ---
 
 # Security foundation
 
 :::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::
 
-Microsoft is committed to continuously investing in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest lifecycle phases of all our product design and software development processes. We build in security from the ground up for powerful defense in today's threat environment and have the infrastructure to protect and react quickly to future threats.
+Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft’s security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
 
-Every component of the Windows 11 technology stack, from chip-to-cloud, is purposefully built secure by design. Windows 11 meets the modern threats of today's flexible work environments by delivering hardware-based isolation, end-to-end encryption, and advanced malware protection.
-
-With Windows 11, organizations can improve productivity and gain intuitive new experiences without compromising security.
-
-:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram of containing a list of security features." lightbox="images/security-foundation.png" border="false":::
+:::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
diff --git a/windows/security/book/toc.yml b/windows/security/book/toc.yml
index e1135516e9..928d02f50f 100644
--- a/windows/security/book/toc.yml
+++ b/windows/security/book/toc.yml
@@ -55,11 +55,13 @@ items:
   items:
   - name: Overview
     href: security-foundation.md
-  - name: Offensive research
+  - name: Secure Future Initiative and offensive research
     href: security-foundation-offensive-research.md
   - name: Certification
     href: security-foundation-certification.md
   - name: Secure supply chain
     href: security-foundation-secure-supply-chain.md
 - name: Conclusion
-  href: conclusion.md
\ No newline at end of file
+  href: conclusion.md
+- name: Features index
+  href: features-index.md
\ No newline at end of file
diff --git a/windows/security/cloud-services/index.md b/windows/security/cloud-services/index.md
deleted file mode 100644
index 9124be688f..0000000000
--- a/windows/security/cloud-services/index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Windows and cloud services
-description: Get an overview of cloud-based services in Windows.
-ms.date: 05/06/2024
-ms.topic: overview
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows and cloud services
-
-Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
-
-From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
-
-Learn more about cloud-based services in Windows.
-
-[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]
diff --git a/windows/security/cloud-services/toc.yml b/windows/security/cloud-services/toc.yml
index 4132706858..92d3eaac86 100644
--- a/windows/security/cloud-services/toc.yml
+++ b/windows/security/cloud-services/toc.yml
@@ -1,6 +1,4 @@
 items:
-- name: Overview
-  href: index.md
 - name: Join Active Directory and Microsoft Entra ID with single sign-on (SSO) 🔗
   href: /azure/active-directory/devices/concept-azure-ad-join
 - name: Security baselines with Intune 🔗
diff --git a/windows/security/hardware-security/index.md b/windows/security/hardware-security/index.md
deleted file mode 100644
index e8cfb27d50..0000000000
--- a/windows/security/hardware-security/index.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Windows hardware security
-description: Learn more about hardware security features support in Windows.
-ms.date: 07/10/2024
-ms.topic: overview
-appliesto:
----
-
-# Windows hardware security
-
-:::image type="content" source="..\book\images\hardware.png" alt-text="Diagram of containing a list of security features." lightbox="..\book\images\hardware.png" border="false":::
-
-Learn more about hardware security features support in Windows.
-
-[!INCLUDE [hardware](../includes/sections/hardware.md)]
diff --git a/windows/security/hardware-security/toc.yml b/windows/security/hardware-security/toc.yml
index 92e9f40c56..7cacd9e8a8 100644
--- a/windows/security/hardware-security/toc.yml
+++ b/windows/security/hardware-security/toc.yml
@@ -1,7 +1,5 @@
 items:
-  - name: Overview
-    href: index.md
-  - name: Hardware root of trust
+  - name: Hardware root-of-trust
     items:
       - name: System Guard
         href: how-hardware-based-root-of-trust-helps-protect-windows.md
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index e838ad5167..d7af366d19 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -15,13 +15,15 @@ ms.date: 04/23/2024
 
 The following table lists the main authentication and security differences between Windows Hello and Windows Hello for business:
 
-||Windows Hello for Business|Windows Hello|
+||Windows Hello|Windows Hello for Business|
 |-|-|-|
-|**Authentication**|Users can authenticate to:<br>- A Microsoft Entra ID account<br>- An Active Directory account<br>- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|Users can authenticate to:<br>- A Microsoft account<br>- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.|
-|**Security**|It uses **key-based** or **certificate-based** authentication. There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely.<br>Enhanced security is available on devices with a Trusted Platform Module (TPM).|Users can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on the account type. This configuration isn't backed by asymmetric (public/private key) or certificate-based authentication.|
+|**Authentication**|Users can authenticate to:<br>- A Microsoft account (MSA)<br>- Identity providers (IdPs) that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication|Users can authenticate to:<br>- A Microsoft Entra ID account<br>- An Active Directory account<br>- Identity provider (IdP) or relying party (RP) services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication|
+|**Security**|It uses **key-based** authentication.<br>There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely. |It uses **key-based** or **certificate-based** authentication.<br>There's no symmetric secret (password) which can be stolen from a server or phished from a user and used remotely.|
+
+Windows Hello can also be used with local accounts for convenient sign-ins, instead of entering a password. This configuration isn't backed by asymmetric (public/private) key, so it doesn't offer the same level of security as key-based or certificate-based authentication that is available with MSA or Microsoft Entra accounts. In all other aspects, using Windows Hello with a local account is like using it with MSA or Entra ID. For enhanced security, it's recommended to use Windows Hello with a Microsoft account (MSA) or identity providers (IdPs) that support FIDO2 authentication.
 
 > [!NOTE]
-> FIDO2 (Fast Identity Online) authentication is an open standard for passwordless authentication. It allows users to sign in to their devices and apps using biometric authentication or a physical security key, without the need for a traditional password. FIDO2 support in Windows Hello for Business provides an additional layer of security and convenience for users, while also reducing the risk of password-related attacks.
+> FIDO2 (Fast Identity Online) authentication is an open standard for passwordless authentication. It allows users to sign in to their devices and apps using biometric authentication or a physical security key, without the need for a traditional password. FIDO2 support in Windows Hello and Windows Hello for Business provides an additional layer of security and convenience for users, while also reducing the risk of password-related attacks.
 
 ## Benefits
 
@@ -52,7 +54,7 @@ On devices that support Windows Hello, an easy biometric gesture unlocks users'
 
 - **Facial recognition**: this type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors offer external cameras that incorporate this technology, and many laptop manufacturers incorporate it into their devices
 - **Fingerprint recognition**: this type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Most existing fingerprint readers work with Windows, whether they're external or integrated into laptops or USB keyboards
-- **Iris Recognition**: this type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner
+- **Iris Recognition**: this type of biometric recognition uses cameras to perform scan of your iris
 
 Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data.
 
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
deleted file mode 100644
index b9dc9037e7..0000000000
--- a/windows/security/identity-protection/index.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Windows identity protection
-description: Learn more about identity protection technologies in Windows.
-ms.topic: overview
-ms.date: 03/12/2024
----
-
-# Windows identity protection
-
-Learn more about identity protection technologies in Windows.
-
-[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)]
-
-[!INCLUDE [identity](../includes/sections/identity.md)]
diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml
index 9d0a3a0397..ac6a619963 100644
--- a/windows/security/identity-protection/toc.yml
+++ b/windows/security/identity-protection/toc.yml
@@ -1,6 +1,4 @@
 items:
-  - name: Overview
-    href: index.md
   - name: Passwordless sign-in
     items:
     - name: Passwordless strategy
@@ -28,6 +26,12 @@ items:
     href: /education/windows/federated-sign-in
   - name: Advanced credential protection
     items:
+    - name: LSA Protection 🔗
+      href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
+    - name: Credential Guard
+      href: credential-guard/toc.yml
+    - name: Remote Credential Guard
+      href: remote-credential-guard.md
     - name: Windows LAPS 🔗
       displayName: Local Administrator Password Solution
       href: /windows-server/identity/laps/laps-overview
@@ -39,11 +43,5 @@ items:
     - name: Access Control
       href: access-control/access-control.md
       displayName: ACL/SACL
-    - name: Credential Guard
-      href: credential-guard/toc.yml
-    - name: Remote Credential Guard
-      href: remote-credential-guard.md
-  - name: LSA Protection 🔗
-    href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
   - name: Local Accounts
     href: access-control/local-accounts.md
diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md
deleted file mode 100644
index 75e29b9470..0000000000
--- a/windows/security/includes/sections/application.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Application and driver control
-
-| Feature name | Description |
-|:---|:---|
-| **[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections, by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run that are predicted to be safe based on existing and new intelligence processed daily. Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application, so people can be confident they're using safe and reliable applications on their new Windows 11 devices, or Windows 11 devices that have been reset. |
-| **[App Control for Business](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)** | Your organization is only as secure as the applications that run on your devices. With application control, apps must earn trust to run, in contrast to an application trust model where all code is assumed trustworthy. By helping prevent unwanted or malicious code from running, application control is an important part of an effective security strategy. Many organizations cite application control as one of the most effective means for addressing the threat of executable file-based malware.<br><br>Windows 10 and above include App Control for Business and AppLocker. App Control is the next generation app control solution for Windows and provides powerful control over what runs in your environment. Customers who were using AppLocker on previous versions of Windows can continue to use the feature as they consider whether to switch to App Control for the stronger protection. |
-| **[AppLocker](/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview)** |  |
-| **[User Account Control (UAC)](/windows/security/application-security/application-control/user-account-control/)** | User Account Control (UAC) helps prevent malware from damaging a device. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevents inadvertent changes to system settings. Enabling UAC helps to prevent malware from altering device settings and potentially gaining access to networks and sensitive data. UAC can also block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings. |
-| **[Microsoft vulnerable driver blocklist](/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)** | The Windows kernel is the most privileged software and is therefore a compelling target for malware authors. Since Windows has strict requirements for code running in the kernel, cybercriminals commonly exploit vulnerabilities in kernel drivers to get access. Microsoft works with the ecosystem partners to constantly identify and respond to potentially vulnerable kernel drivers.<br><br>Prior to Windows 11, version 22H2, the operating system enforced a block policy when HVCI is enabled to prevent vulnerable versions of drivers from running. Starting in Windows 11, version 22H2, the block policy is enabled by default for all new Windows devices, and users can opt-in to enforce the policy from the Windows Security app. |
-
-## Application isolation
-
-| Feature name | Description |
-|:---|:---|
-| **[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview)** | Standalone mode allows Windows users to use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, user must manually start Microsoft Edge in Application Guard from Edge menu for browsing untrusted sites. |
-| **[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard)** | Microsoft Defender Application Guard protects users' desktop while they browse the Internet using Microsoft Edge browser. Application Guard in enterprise mode automatically redirects untrusted website navigation in an anonymous and isolated Hyper-V based container, which is separate from the host operating system. With Enterprise mode, you can define your corporate boundaries by explicitly adding trusted domains and can customizing the Application Guard experience to meet and enforce your organization needs on Windows devices. |
-| **Microsoft Defender Application Guard (MDAG) public APIs** | Enable applications using them to be isolated Hyper-V based container, which is separate from the host operating system. |
-| **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. |
-| **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. |
-| **[App containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. |
-| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. |
diff --git a/windows/security/includes/sections/cloud-services.md b/windows/security/includes/sections/cloud-services.md
deleted file mode 100644
index efde3a725d..0000000000
--- a/windows/security/includes/sections/cloud-services.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Protect your work information
-
-| Feature name | Description |
-|:---|:---|
-| **[Active Directory domain join, Microsoft Entra join, and Microsoft Entra hybrid join with single sign-on (SSO)](/azure/active-directory/devices/concept-directory-join)** | Microsoft Entra ID is a comprehensive cloud-based identity management solution that helps enable secure access to applications, networks, and other resources and guard against threats. |
-| **[Security baselines](/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines)** | Windows 11 supports modern device management so that IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols. To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client. <br><br>Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. |
-| **[Remote wipe](/windows/client-management/mdm/remotewipe-csp)** | When a device is lost or stolen, IT administrators may want to remotely wipe data stored on the device. A helpdesk agent may also want to reset devices to fix issues encountered by remote workers. <br><br>With the Remote Wipe configuration service provider (CSP), an MDM solution can remotely initiate any of the following operations on a Windows device: reset the device and remove user accounts and data, reset the device and clean the drive, reset the device but persist user accounts and data. |
-| **[Modern device management through (MDM)](/windows/client-management/mdm-overview)** | Windows 11 supports modern device management through mobile device management (MDM) protocols.<br><br>IT pros can manage company security policies and business applications without compromising user privacy on corporate or employee-owned devices. With MDM solutions, IT can manage Windows 11 using industry-standard protocols.<br><br>To simplify setup for users, management features are built directly into Windows, eliminating the need for a separate MDM client.  |
-| **[Universal Print](/universal-print/)** | Unlike traditional print solutions that rely on Windows print servers, Universal Print is a Microsoft hosted cloud subscription service that supports a zero-trust security model by enabling network isolation of printers, including the Universal Print connector software, from the rest of the organization's resources. |
-| **[Windows Autopatch](/windows/deployment/windows-autopatch/)** | With the Autopatch service, IT teams can delegate management of updates to Windows 10/11, Microsoft Edge, and Microsoft 365 apps to Microsoft. Under the hood, Autopatch takes over configuration of the policies and deployment service of Windows Update for Business. What the customer gets are endpoints that are up to date, thanks to dynamically generated rings for progressive deployment that will pause and/or roll back updates (where possible) when issues arise. <br><br>The goal is to provide peace of mind to IT pros, encourage rapid adoption of updates, and to reduce bandwidth required to deploy them successfully, thereby closing gaps in protection that may have been open to exploitation by malicious actors.  |
-| **[Windows Autopilot](/autopilot/)** | Windows Autopilot simplifies the way devices get deployed, reset, and repurposed, with an experience that is zero touch for IT. |
diff --git a/windows/security/includes/sections/hardware.md b/windows/security/includes/sections/hardware.md
deleted file mode 100644
index fa6c065293..0000000000
--- a/windows/security/includes/sections/hardware.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Hardware root-of-trust
-
-| Feature name | Description |
-|:---|:---|
-| **[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)** | In Secured-core PCs, Windows Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface. |
-| **[Trusted Platform Module (TPM)](/windows/security/hardware-security/tpm/trusted-platform-module-overview)** | TPMs provide security and privacy benefits for system hardware, platform owners, and users. Windows Hello, BitLocker, Windows Defender System Guard, and other Windows features rely on the TPM for capabilities such as key generation, secure storage, encryption, boot integrity measurements, and attestation. The 2.0 version of the specification includes support for newer algorithms, which can improve driver signing and key generation performance.<br><br>Starting with Windows 10, Microsoft's hardware certification requires all new Windows PCs to include TPM 2.0 built in and enabled by default. With Windows 11, both new and upgraded devices must have TPM 2.0. |
-| **[Microsoft Pluton](/windows/security/hardware-security/pluton/microsoft-pluton-security-processor)** | Microsoft Pluton security processors are designed by Microsoft in partnership with silicon partners. Pluton enhances the protection of Windows devices with a hardware root-of-trust that provides additional protection for cryptographic keys and other secrets. Pluton is designed to reduce the attack surface as it integrates the security chip directly into the processor. It can be used with a discreet TPM 2.0, or as a standalone security processor. When root of trust is located on a separate, discrete chip on the motherboard, the communication path between the root-of-trust and the CPU can be vulnerable to physical attack. Pluton supports the TPM 2.0 industry standard, allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPMs including BitLocker, Windows Hello, and Windows Defender System Guard.<br><br>In addition to providing root-of trust, Pluton also supports other security functionality beyond what is possible with the TPM 2.0 specification, and this extensibility allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. Pluton-enabled Windows 11 devices are available and the selection of options with Pluton is growing. |
-
-## Silicon assisted security
-
-| Feature name | Description |
-|:---|:---|
-| **[Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs)** | In addition to a modern hardware root-of-trust, there are numerous other capabilities in the latest chips that harden the operating system against threats, such as by protecting the boot process, safeguarding the integrity of memory, isolating security sensitive compute logic, and more. Two examples include Virtualization-based security (VBS) and Hypervisor-protected code integrity (HVCI). Virtualization-based security (VBS), also known as core isolation, is a critical building block in a secure system. VBS uses hardware virtualization features to host a secure kernel separated from the operating system. This means that even if the operating system is compromised, the secure kernel remains protected.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
-| **[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)** | Hypervisor-protected code integrity (HVCI), also called memory integrity, uses VBS to run Kernel Mode Code Integrity (KMCI) inside the secure VBS environment instead of the main Windows kernel. This helps to prevent attacks that attempt to modify kernel mode code, such as drivers. The KMCI role is to check that all kernel code is properly signed and hasn't been tampered with before it is allowed to run. HVCI helps to ensure that only validated code can be executed in kernel-mode.<br><br>Starting with Windows 10, all new devices are required to ship with firmware support for VBS and HCVI enabled by default in the BIOS. Customers can then enable the OS support in Windows.<br>With new installs of Windows 11, OS support for VBS and HVCI is turned on by default for all devices that meet prerequisites. |
-| **[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)** | Hardware-enforced stack protection integrates software and hardware for a modern defense against cyberthreats such as memory corruption and zero-day exploits. Based on Control-flow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack. |
-| **[Kernel Direct Memory Access (DMA) protection](/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt)** | Kernel DMA Protection protects against external peripherals from gaining unauthorized access to memory. Physical threats such as drive-by Direct Memory Access (DMA) attacks typically happen quickly while the system owner isn't present. PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with the plug-and-play ease of USB. Because PCI hot plug ports are external and easily accessible, devices are susceptible to drive-by DMA attacks. |
-
-## Secured-core PC
-
-| Feature name | Description |
-|:---|:---|
-| **[Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)** | Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. The devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default. And with built-in hypervisor protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed by known and approved authorities only. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks. |
-| **[Secured-core configuration lock](/windows/client-management/config-lock)** | Secured-core configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired SCPC state in seconds.  |
diff --git a/windows/security/includes/sections/identity.md b/windows/security/includes/sections/identity.md
deleted file mode 100644
index f50a087c3c..0000000000
--- a/windows/security/includes/sections/identity.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Passwordless sign in
-
-| Feature name | Description |
-|:---|:---|
-| **[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/)** | Windows 11 devices can protect user identities by removing the need to use passwords from day one. It's easy to get started with the method that's right for your organization. A password may only need to be used once during the provisioning process, after which people use a PIN, face, or fingerprint to unlock credentials and sign into the device.<br><br>Windows Hello for Business replaces the username and password by combining a security key or certificate with a PIN or biometrics data, and then mapping the credentials to a user account during setup. There are multiple ways to deploy Windows Hello for Business, depending on your organization's needs. Organizations that rely on certificates typically use on-premises public key infrastructure (PKI) to support authentication through Certificate Trust. Organizations using key trust deployment require root-of-trust provided by certificates on domain controllers. |
-| **[Windows presence sensing](https://support.microsoft.com/windows/managing-presence-sensing-settings-in-windows-11-82285c93-440c-4e15-9081-c9e38c1290bb)** | Windows presence sensing provides another layer of data security protection for hybrid workers. Windows 11 devices can intelligently adapt to your presence to help you stay secure and productive, whether you're working at home, the office, or a public environment. Windows presence sensing combines presence detection sensors with Windows Hello facial recognition to automatically lock your device when you leave, and then unlock your device and sign you in using Windows Hello facial recognition when you return. Requires OEM supporting hardware. |
-| **[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)** | Windows Hello biometrics also supports enhanced sign-in security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign in. <br><br>Enhanced sign-in security biometrics uses VBS and the TPM to isolate user authentication processes and data and secure the pathway by which the information is communicated. These specialized components protect against a class of attacks that include biometric sample injection, replay, tampering, and more. <br><br>For example, fingerprint readers must implement Secure Device Connection Protocol, which uses key negotiation and a Microsoft-issued certificate to protect and securely store user authentication data. For facial recognition, components such as the Secure Devices (SDEV) table and process isolation with trustlets help prevent additional class of attacks. |
-| **[Windows passwordless experience](/windows/security/identity-protection/passwordless-experience)** | Windows passwordless experience is a security policy that aims to create a more user-friendly experience for Microsoft Entra joined devices by eliminating the need for passwords in certain authentication scenarios. By enabling this policy, users will not be given the option to use a password in these scenarios, which helps organizations transition away from passwords over time. |
-| **[Passkeys](/windows/security/identity-protection/passkeys)** | Passkeys provide a more secure and convenient method to logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other sign in challenges, making the authentication process faster, secure, and more convenient. |
-| **[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)** | Fast Identity Online (FIDO) defined CTAP and WebAuthN specifications are becoming the open standard for providing strong authentication that is non-phishable, user-friendly, and privacy-respecting with implementations from major platform providers and relying parties. FIDO standards and certifications are becoming recognized as the leading standard for creating secure authentication solutions across enterprises, governments, and consumer markets. <br><br>Windows 11 can use external FIDO2 security keys for authentication alongside or in addition to Windows Hello which is also a FIDO2 certified passwordless solution. Windows 11 can be used as a FIDO authenticator for many popular identity management services. |
-| **[Smart Cards for Windows Service](/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service)** | Organizations also have the option of using smart cards, an authentication method that pre-dates biometric sign in. Smart cards are tamper-resistant, portable storage devices that can enhance Windows security when authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Smart cards can only be used to sign into domain accounts, not local accounts. When a password is used to sign into a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. |
-
-## Advanced credential protection
-
-| Feature name | Description |
-|:---|:---|
-| **[Web sign-in](/windows/security/identity-protection/web-sign-in)** | Web sign-in is a credential provider initially introduced in Windows 10 with support for Temporary Access Pass (TAP) only. With the release of Windows 11, the supported scenarios and capabilities of Web sign-in have been expanded. For example, users can sign-in to Windows using the Microsoft Authenticator app or with a federated identity. |
-| **[Federated sign-in](/education/windows/federated-sign-in)** | Windows 11 Education editions support federated sign-in with non-Microsoft identity providers. Federated sign-in enables secure sign in through methods like QR codes or pictures. |
-| **[Windows LAPS](/windows-server/identity/laps/laps-overview)** | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. You also can use Windows LAPS to automatically manage and back up the Directory Services Restore Mode (DSRM) account password on your Windows Server Active Directory domain controllers. An authorized administrator can retrieve the DSRM password and use it. |
-| **[Account Lockout Policy](/windows/security/threat-protection/security-policy-settings/account-lockout-policy)** | Account Lockout Policy settings control the response threshold for failed logon attempts and the actions to be taken after the threshold is reached. |
-| **[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)** | Users who are still using passwords can benefit from powerful credential protection. Microsoft Defender SmartScreen includes enhanced phishing protection to automatically detect when a user enters their Microsoft password into any app or website. Windows then identifies if the app or site is securely authenticating to Microsoft and warns if the credentials are at risk. Since users are alerted at the moment of potential credential theft, they can take preemptive action before their password is used against them or their organization. |
-| **[Access Control (ACL/SACL)](/windows/security/identity-protection/access-control/access-control)** | Access control in Windows ensures that shared resources are available to users and groups other than the resource's owner and are protected from unauthorized use. IT administrators can manage users', groups', and computers' access to objects and assets on a network or computer. After a user is authenticated, the Windows operating system implements the second phase of protecting resources by using built-in authorization and access control technologies to determine if an authenticated user has the correct permissions.<br><br>Access Control Lists (ACL) describe the permissions for a specific object and can also contain System Access Control Lists (SACL). SACLs provide a way to audit specific system level events, such as when a user attempt to access file system objects. These events are essential for tracking activity for objects that are sensitive or valuable and require extra monitoring. Being able to audit when a resource attempts to read or write part of the operating system is critical to understanding a potential attack. |
-| **[Credential Guard](/windows/security/identity-protection/credential-guard/)** | Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. <br><br>By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from credential theft attack techniques like pass-the-hash or pass-the-ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. |
-| **[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)** | Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that is requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. <br><br>Administrator credentials are highly privileged and must be protected. When you use Remote Credential Guard to connect during Remote Desktop sessions, your credential and credential derivatives are never passed over the network to the target device. If the target device is compromised, your credentials aren't exposed. |
diff --git a/windows/security/includes/sections/operating-system-security.md b/windows/security/includes/sections/operating-system-security.md
deleted file mode 100644
index 4fa55308cf..0000000000
--- a/windows/security/includes/sections/operating-system-security.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 11/21/2023
-ms.topic: include
----
-
-## System security
-
-| Feature name | Description |
-|:---|:---|
-| **[Secure Boot and Trusted Boot](/windows/security/operating-system-security/system-security/trusted-boot)** | Secure Boot and Trusted Boot help to prevent malware and corrupted components from loading when a device starts. <br><br>Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure the system boots up safely and securely. |
-| **[Measured boot](/windows/compatibility/measured-boot)** | Measured Boot measures all important code and configuration settings during the boot of Windows. This includes: the firmware, boot manager, hypervisor, kernel, secure kernel and operating system. Measured Boot stores the measurements in the TPM on the machine, and makes them available in a log that can be tested remotely to verify the boot state of the client.<br><br>The Measured Boot feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components that started before it. The anti-malware software can use the log to determine whether components that ran before it are trustworthy, or if they're infected with malware. The anti-malware software on the local machine can send the log to a remote server for evaluation. The remote server may initiate remediation actions, either by interacting with software on the client, or through out-of-band mechanisms, as appropriate. |
-| **[Device health attestation service](/windows/security/operating-system-security/system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices)** | The Windows device health attestation process supports a zero-trust paradigm that shifts the focus from static, network-based perimeters, to users, assets, and resources. The attestation process confirms the device, firmware, and boot process are in a good state and haven't been tampered with before they can access corporate resources. The determinations are made with data stored in the TPM, which provides a secure root of trust. The information is sent to an attestation service, such as Azure Attestation, to verify the device is in a trusted state. Then, an MDM tool like Microsoft Intune reviews device health and connects this information with Microsoft Entra ID for conditional access. |
-| **[Windows security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)** | Microsoft provides a robust set of security settings policies that IT administrators can use to protect Windows devices and other resources in their organization. |
-| **[Assigned Access](/windows/configuration/)** | Some desktop devices in an enterprise serve a special purpose. For example, a PC in the lobby that customers use to see your product catalog. Or, a PC displaying visual content as a digital sign. Windows client offers two different locked-down experiences for public or specialized use: A single-app kiosk that runs a single Universal Windows Platform (UWP) app in full screen above the lock screen, or A multi-app kiosk that runs one or more apps from the desktop.<br><br>Kiosk configurations are based on Assigned Access, a feature in Windows that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. |
-
-## Virus and threat protection
-
-| Feature name | Description |
-|:---|:---|
-| **[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)** | Microsoft Defender Antivirus is a protection solution included in all versions of Windows. From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help keep your device safe and protect it from threats. Microsoft Defender Antivirus includes real-time, behavior-based, and heuristic antivirus protection.<br><br>The combination of always-on content scanning, file and process behavior monitoring, and other heuristics effectively prevents security threats. Microsoft Defender Antivirus continually scans for malware and threats and also detects and blocks potentially unwanted applications (PUA) which are applications that are deemed to negatively impact your device but aren't considered malware. |
-| **[Local Security Authority (LSA) Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection)** | Windows has several critical processes to verify a user's identity. Verification processes include Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins. LSA handles tokens and credentials such as passwords that are used for single sign-on to a Microsoft account and Azure services. To help protect these credentials, additional LSA protection only allows loading of trusted, signed code and provides significant protection against Credential theft.<br><br>LSA protection is enabled by default on new, enterprise joined Windows 11 devices with added support for non-UEFI lock and policy management controls via MDM and group policy. |
-| **[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)** | Attack surface reduction (ASR) rules help to prevent software behaviors that are often abused to compromise your device or network. By reducing the number of attack surfaces, you can reduce the overall vulnerability of your organization.<br><br>Administrators can configure specific ASR rules to help block certain behaviors, such as launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, performing behaviors that apps don't usually initiate during normal day-to-day work. |
-| **[Tamper protection settings for MDE](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection)** | Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings, such as virus and threat protection, from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities. |
-| **[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)** | You can protect your valuable information in specific folders by managing app access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Commonly used folders, such as those used for documents, pictures, downloads, are typically included in the list of controlled folders. Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that aren't included in the trusted list are prevented from making any changes to files inside protected folders. <br><br>Controlled folder access helps to protect user's valuable data from malicious apps and threats, such as ransomware.  |
-| **[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)** | Exploit protection automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios. You can enable exploit protection on an individual device, and then use MDM or group policy to distribute the configuration file to multiple devices. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors. |
-| **[Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/)** | Microsoft Defender SmartScreen protects against phishing, malware websites and applications, and the downloading of potentially malicious files. For enhanced phishing protection, SmartScreen also alerts people when they're entering their credentials into a potentially risky location. IT can customize which notifications appear via MDM or group policy. The protection runs in audit mode by default, giving IT admins full control to make decisions around policy creation and enforcement. |
-| **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)** | Microsoft Defender for Endpoint is an enterprise endpoint detection and response solution that helps security teams to detect, investigate, and respond to advanced threats. Organizations can use the rich event data and attack insights Defender for Endpoint provides to investigate incidents. Defender for Endpoint brings together the following elements to provide a more complete picture of security incidents: endpoint behavioral sensors, cloud security analytics, threat intelligence and rich response capabilities. |
-
-## Network security
-
-| Feature name | Description |
-|:---|:---|
-| **[Transport Layer Security (TLS)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)** | Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a network. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows 11. This version eliminates obsolete cryptographic algorithms, enhances security over older versions, and aims to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average, and supports only five strong cipher suites which provide perfect forward secrecy and less operational risk. |
-| **[Domain Name System (DNS) security](/windows-server/networking/dns/doh-client-support)** | Starting in Windows 11, the Windows DNS client supports DNS over HTTPS (DoH), an encrypted DNS protocol. This allows administrators to ensure their devices protect DNS queries from on-path attackers, whether they're passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites.<br><br>In a zero-trust model where there is no trust placed in a network boundary, having a secure connection to a trusted name resolver is required. |
-| **Bluetooth pairing and connection protection** | The number of Bluetooth devices connected to Windows continues to increase. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG), Standard Vulnerability Reports, and issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that users ensure their firmware and/ or software of their Bluetooth accessories are kept up to date. |
-| **[WiFi Security](https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09)** | Wi-Fi Protected Access (WPA) is a security certification program designed to secure wireless networks. WPA3 is the latest version of the certification and provides a more secure and reliable connection method as compared to WPA2 and older security protocols. Windows supports three WPA3 modes: WPA3 personal with the Hash-to-Element (H2E) protocol, WPA3 Enterprise, and WPA3 Enterprise 192-bit Suite B.<br><br>Windows 11 also supports WFA defined WPA3 Enterprise that includes enhanced Server Cert validation and TLS 1.3 for authentication using EAP-TLS Authentication. |
-| **Opportunistic Wireless Encryption (OWE)** | Opportunistic Wireless Encryption (OWE) is a technology that allows wireless devices to establish encrypted connections to public Wi-Fi hotspots.  |
-| **[Windows Firewall](/windows/security/operating-system-security/network-security/windows-firewall)** | Windows Firewall provides host-based, two-way network traffic filtering, blocking unauthorized traffic flowing into or out of the local device based on the types of networks to which the device is connected. Windows Firewall reduces the attack surface of a device with rules to restrict or allow traffic by many properties such as IP addresses, ports, or program paths. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.<br><br>With its integration with Internet Protocol Security (IPsec), Windows Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data. Windows Firewall is a host-based firewall that is included with the operating system, there's no additional hardware or software required. Windows Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). |
-| **[Virtual private network (VPN)](/windows/security/operating-system-security/network-security/vpn/vpn-guide)** | The Windows VPN client platform includes built in VPN protocols, configuration support, a common VPN user interface, and programming support for custom VPN protocols. VPN apps are available in the Microsoft Store for both enterprise and consumer VPNs, including apps for the most popular enterprise VPN gateways.<br><br>In Windows 11, the most commonly used VPN controls are integrated right into the Quick Actions pane. From the Quick Actions pane, users can see the status of their VPN, start and stop the VPN tunnels, and access the Settings app for more controls.  |
-| **[Always On VPN (device tunnel)](/Windows-server/remote/remote-access/overview-always-on-vpn)** | With Always On VPN, you can create a dedicated VPN profile for the device. Unlike User Tunnel, which only connects after a user logs on to the device, Device Tunnel allows the VPN to establish connectivity before a user sign-in. Both Device Tunnel and User Tunnel operate independently with their VPN profiles, can be connected at the same time, and can use different authentication methods and other VPN configuration settings as appropriate. |
-| **[Direct Access](/windows-server/remote/remote-access/directaccess/directaccess)** | DirectAccess allows connectivity for remote users to organization network resources without the need for traditional Virtual Private Network (VPN) connections.<br><br>With DirectAccess connections, remote devices are always connected to the organization and there's no need for remote users to start and stop connections. |
-| **[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)** | SMB Encryption provides end-to-end encryption of SMB data and protects data from eavesdropping occurrences on internal networks. In Windows 11, the SMB protocol has significant security updates, including AES-256 bits encryption, accelerated SMB signing, Remote Directory Memory Access (RDMA) network encryption, and SMB over QUIC for untrusted networks. Windows 11 introduces AES-256-GCM and AES-256-CCM cryptographic suites for SMB 3.1.1 encryption. Windows administrators can mandate the use of more advanced security or continue to use the more compatible, and still-safe, AES-128 encryption. |
-| **[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)** | SMB Direct (SMB over remote direct memory access) is a storage protocol that enables direct memory-to-memory data transfers between device and storage, with minimal CPU usage, while using standard RDMA-capable network adapters.<br><br>SMB Direct supports encryption, and now you can operate with the same safety as traditional TCP and the performance of RDMA. Previously, enabling SMB encryption disabled direct data placement, making RDMA as slow as TCP. Now data is encrypted before placement, leading to relatively minor performance degradation while adding AES-128 and AES-256 protected packet privacy. |
-
-## Encryption and data protection
-
-| Feature name | Description |
-|:---|:---|
-| **[BitLocker management](/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises)** | The BitLocker CSP allows an MDM solution, like Microsoft Intune, to manage the BitLocker encryption features on Windows devices. This includes OS volumes, fixed drives and removeable storage, and recovery key management into Microsoft Entra ID.  |
-| **[BitLocker enablement](/windows/security/operating-system-security/data-protection/bitlocker/)** | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune, using a configuration service provider (CSP).<br><br>BitLocker provides encryption for the OS, fixed data, and removable data drives leveraging technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot and TPM. |
-| **[Encrypted hard drive](/windows/security/operating-system-security/data-protection/encrypted-hard-drive)** | Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level and allow for full disk hardware encryption while being transparent to the device user. These drives combine the security and management benefits provided by BitLocker Drive Encryption with the power of self-encrypting drives.<br><br>By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. |
-| **[Personal data encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)** | Personal data encryption (PDE) works with BitLocker and Windows Hello for Business to further protect user documents and other files, including when the device is turned on and locked. Files are encrypted automatically and seamlessly to give users more security without interrupting their workflow. <br><br>Windows Hello for Business is used to protect the container, which houses the encryption keys used by PDE. When the user signs in, the container gets authenticated to release the keys in the container to decrypt user content.  |
-| **[Email Encryption (S/MIME)](/windows/security/operating-system-security/data-protection/configure-s-mime)** | Email encryption enables users to encrypt outgoing email messages and attachments, so only intended recipients with a digital ID (certificate) can read them. Users can digitally sign a message, which verifies the identity of the sender and confirms the message hasn't been tampered with. The encrypted messages can be sent by a user to other users within their organization or external contacts if they have proper encryption certificates. |
diff --git a/windows/security/includes/sections/security-foundations.md b/windows/security/includes/sections/security-foundations.md
deleted file mode 100644
index 905fb63998..0000000000
--- a/windows/security/includes/sections/security-foundations.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-author: paolomatarazzo
-ms.author: paoloma
-ms.date: 09/18/2023
-ms.topic: include
----
-
-## Offensive research
-
-| Feature name | Description |
-|:---|:---|
-| **[Microsoft Security Development Lifecycle (SDL)](/windows/security/security-foundations/msft-security-dev-lifecycle)** | The Microsoft Security Development Lifecycle (SDL) introduces security best practices, tools, and processes throughout all phases of engineering and development. |
-| **[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)** | A range of tools and techniques - such as threat modeling, static analysis, fuzz testing, and code quality checks - enable continued security value to be embedded into Windows by every engineer on the team from day one. Through the SDL practices, Microsoft engineers are continuously provided with actionable and up-to-date methods to improve development workflows and overall product security before the code has been released.  |
-| **[Microsoft Windows Insider Preview bounty program](https://www.microsoft.com/msrc/bounty-windows-insider-preview)** | As part of our secure development process, the Microsoft Windows Insider Preview bounty program invites eligible researchers across the globe to find and submit vulnerabilities that reproduce in the latest Windows Insider Preview (WIP) Dev Channel. The goal of the Windows Insider Preview bounty program is to uncover significant vulnerabilities that have a direct and demonstrable impact on the security of customers using the latest version of Windows.<br><br>Through this collaboration with researchers across the globe, our teams identify critical vulnerabilities that were not previously found during development and quicky fix the issues before releasing the final Windows.  |
-
-## Certification
-
-| Feature name | Description |
-|:---|:---|
-| **[Common Criteria certifications](/windows/security/security-foundations/certification/windows-platform-common-criteria)** | Common Criteria (CC) is an international standard currently maintained by national governments who participate in the Common Criteria Recognition Arrangement. CC defines a common taxonomy for security functional requirements, security assurance requirements, and an evaluation methodology used to ensure products undergoing evaluation satisfy the functional and assurance requirements. Microsoft ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles and completes Common Criteria certifications of Microsoft Windows products. |
-| **[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)** | The Federal Information Processing Standard (FIPS) Publication 140 is a U.S. government standard that defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140 standard, having validated cryptographic modules against FIPS 140-2 since it was first established in 2001. Multiple Microsoft products, including Windows 11, Windows 10, Windows Server, and many cloud services, use these cryptographic modules. |
-
-## Secure supply chain
-
-| Feature name | Description |
-|:---|:---|
-| **Software Bill of Materials (SBOM)** | SBOMs are leveraged to provide the transparency and provenance of the content as it moves through various stages of the Windows supply chain. This enables trust between each supply chain segment, ensures that tampering has not taken place during ingestion and along the way, and provides a provable chain of custody for the product that we ship to customers. |
-| **[Azure Code Signing](/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection)** | App Control for Business enables customers to define policies for controlling what is allowed to run on their devices. App Control policies can be remotely applied to devices using an MDM solution like Microsoft Intune. <br><br>To simplify App Control enablement, organizations can take advantage of Azure Code Signing, a secure and fully managed service for signing App Control policies and apps. <br><br>Azure Code Signing minimizes the complexity of code signing with a turnkey service backed by a Microsoft managed certificate authority, eliminating the need to procure and self-manage any signing certificates. The service is managed just as any other Azure resource and integrates easily with the leading development and CI/CD toolsets.  |
-| **[Windows application software development kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-sdk/)** | Developers have an opportunity to design highly secure applications that benefit from the latest Windows safeguards. The Windows App SDK provides a unified set of APIs and tools for developing secure desktop apps for Windows. To help create apps that are up-to-date and protected, the SDK follows the same security standards, protocols, and compliance as the core Windows operating system.  |
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 9738ace595..43817f6227 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -10,15 +10,36 @@ metadata:
   author: paolomatarazzo
   ms.author: paoloma
   manager: aaroncz
-  ms.date: 03/12/2024
+  ms.date: 10/18/2024
 
 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
 
 landingContent:
 
-  - title: Learn about hardware security
+  - title: Windows 11 security book
     linkLists:
       - linkListType: overview
+        links:
+          - text: Introduction
+            url: /windows/security/book
+          - text: Hardware security
+            url: /windows/security/book/hardware-security
+          - text: Operating system security
+            url: /windows/security/book/operating-system-security
+          - text: Application security
+            url: /windows/security/book/application-security
+          - text: Identity protection
+            url: /windows/security/book/identity-protection
+          - text: Privacy
+            url: /windows/security/book/privacy
+          - text: Cloud services
+            url: /windows/security/book/cloud-services
+          - text: Security foundation
+            url: /windows/security/book/security-foundation
+
+  - title: Learn about hardware security
+    linkLists:
+      - linkListType: get-started
         links:
           - text: Trusted Platform Module (TPM)
             url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
@@ -33,7 +54,7 @@ landingContent:
 
   - title: Learn about OS security
     linkLists:
-      - linkListType: overview
+      - linkListType: get-started
         links:
           - text: Trusted boot
             url: /windows/security/operating-system-security
@@ -41,7 +62,7 @@ landingContent:
             url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
           - text: BitLocker
             url: /windows/security/operating-system-security/data-protection/bitlocker/
-          - text: Personal Data Encryption (PDE)
+          - text: Personal Data Encryption
             url: /windows/security/operating-system-security/data-protection/personal-data-encryption
           - text: Windows security baselines
             url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
@@ -57,7 +78,7 @@ landingContent:
         links:
           - text: Configure BitLocker
             url: /windows/security/operating-system-security/data-protection/bitlocker/configure
-          - text: Configure PDE
+          - text: Configure Personal Data Encryption
             url: /windows/security/operating-system-security/data-protection/personal-data-encryption/configure
       - linkListType: whats-new
         links:
@@ -66,7 +87,7 @@ landingContent:
 
   - title: Learn about identity protection
     linkLists:
-      - linkListType: overview
+      - linkListType: get-started
         links:
           - text: Passwordless strategy
             url: /windows/security/identity-protection/passwordless-strategy
@@ -99,7 +120,7 @@ landingContent:
 
   - title: Learn about application security
     linkLists:
-      - linkListType: overview
+      - linkListType: get-started
         links:
           - text: App Control for Business
             url: /windows/security/application-security/application-control/windows-defender-application-control/
@@ -118,7 +139,7 @@ landingContent:
 
   - title: Learn about security foundations
     linkLists:
-      - linkListType: overview
+      - linkListType: get-started
         links:
           - text: Zero trust
             url: /windows/security/security-foundations/zero-trust-windows-device-health
@@ -141,7 +162,7 @@ landingContent:
 
   - title: Learn about cloud security
     linkLists:
-      - linkListType: overview
+      - linkListType: get-started
         links:
           - text: Security baselines with Intune
             url: /mem/intune/protect/security-baselines
diff --git a/windows/security/introduction.md b/windows/security/introduction.md
deleted file mode 100644
index 53edc2cc2c..0000000000
--- a/windows/security/introduction.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Introduction to Windows security
-description: System security book.
-ms.date: 07/22/2024
-ms.topic: overview
-ms.author: paoloma
-author: paolomatarazzo
----
-
-# Introduction to Windows security
-
-The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks.
-
-Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the security baselines with new requirements for advanced hardware and software protection that extends from chip to cloud.
-
-## How Windows 11 enables Zero Trust protection
-
-A Zero Trust security model gives the right people the right access at the right time. Zero Trust security is based on three principles:
-
-1. Reduce risk by explicitly verifying data points such as user identity, location, and device health for every access request, without exception
-1. When verified, give people and devices access to only necessary resources for the necessary amount of time
-1. Use continuous analytics to drive threat detection and improve defenses
-
-For Windows 11, the Zero Trust principle of *verify explicitly* applies to risks introduced by both devices and people. Windows 11 provides *chip-to-cloud security*, enabling IT administrators to implement strong authorization and authentication processes with features like [Windows Hello for Business](identity-protection/hello-for-business/index.md). IT administrators also gain attestation and measurements for determining if a device meets requirements and can be trusted. Windows 11 works out-of-the-box with Microsoft Intune and Microsoft Entra ID, which enables timely and seamless access decisions. Furthermore, IT administrators can easily customize Windows to meet specific user and policy requirements for access, privacy, compliance, and more.
-
-### Security, by default
-
-Windows 11 is a natural evolution of its predecessor, Windows 10. We have collaborated with our manufacturer and silicon partners to incorporate extra hardware security measures that address the increasingly complex security threats of today. These measures not only enable the hybrid work and learning that many organizations now embrace but also help bolster our already strong foundation and resilience against attacks.
-
-### Enhanced hardware and operating system security
-
-With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind other barriers separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering.
-
-In Windows 11, hardware and software work together to protect the operating system. For example, new devices come with [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) and [Secure Boot](operating-system-security/system-security/trusted-boot.md) built-in and enabled by default to contain and limit malware exploits.
-
-### Robust application security and privacy controls
-
-To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.
-
-In Windows 11, [Microsoft Defender Application Guard](application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone.
-
-### Secured identities
-
-Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) and [passkeys](identity-protection/passkeys/index.md) for passwordless authentication.
-
-### Connecting to cloud services
-
-Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools needed to attest that Windows devices connecting to your network are trustworthy. You can also enforce compliance and conditional access with a modern device management (MDM) service such as Microsoft Intune, which works with Microsoft Entra ID and Microsoft Azure Attestation to control access to applications and data through the cloud.
-
-## Next steps
-
-To learn more about the security features included in Windows 11, read the [Windows 11 Security Book](book/index.md).
-
-<!--(https://aka.ms/Windows11SecurityBook) PDF version-->
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 34c2ed5f4a..c39add4606 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -1,42 +1,42 @@
 ---
-title: PDE settings and configuration
-description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+title: Personal Data Encryption settings and configuration
+description: Learn about the available options to configure Personal Data Encryption (Personal Data Encryption) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 ms.topic: how-to
 ms.date: 09/24/2024
 ---
 
-# PDE settings and configuration
+# Personal Data Encryption settings and configuration
 
-This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+This article describes the Personal Data Encryption settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 
 > [!NOTE]
-> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
+> Personal Data Encryption can be configured using MDM policies. The content to be protected by Personal Data Encryption can be specified using [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable Personal Data Encryption or protect content using Personal Data Encryption.
 >
-> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
+> The Personal Data Encryption APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the Personal Data Encryption APIs can't be used to protect content until the Personal Data Encryption policy has been enabled.
 
-## PDE settings
+## Personal Data Encryption settings
 
-The following table lists the required settings to enable PDE.
+The following table lists the required settings to enable Personal Data Encryption.
 
 | Setting name | Description |
 |-|-|
-|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
-|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
+|Enable Personal Data Encryption|Personal Data Encryption isn't enabled by default. Before Personal Data Encryption can be used, you must enable it.|
+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption. To use Personal Data Encryption, ARSO must be disabled.|
 
-## PDE hardening recommendations
+## Personal Data Encryption hardening recommendations
 
-The following table lists the recommended settings to improve PDE's security.
+The following table lists the recommended settings to improve Personal Data Encryption's security.
 
 | Setting name | Description |
 |-|-|
-|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
-|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
-|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
-|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
+|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable hibernation.|
+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by Personal Data Encryption to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
 
-## Configure PDE with Microsoft Intune
+## Configure Personal Data Encryption with Microsoft Intune
 
-If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
+If you use Microsoft Intune to manage your devices, you can configure Personal Data Encryption using a disk encryption policy, a settings catalog policy, or a custom profile.
 
 ### Disk encryption policy
 
@@ -77,9 +77,9 @@ Content-Type: application/json
 { "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
 ```
 
-## Configure PDE with CSP
+## Configure Personal Data Encryption with CSP
 
-Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [Personal Data Encryption CSP][CSP-2].
 
 |OMA-URI|Format|Value|
 |-|-|-|
@@ -91,13 +91,13 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
 |`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
 |`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`<disabled/>`|
 
-## Disable PDE
+## Disable Personal Data Encryption
 
-Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
+Once Personal Data Encryption is enabled, it isn't recommended to disable it. However if you need to disable Personal Data Encryption, you can do so using the following steps.
 
-### Disable PDE with a disk encryption policy
+### Disable Personal Data Encryption with a disk encryption policy
 
-To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
+To disable Personal Data Encryption devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
 
 - **Platform** > **Windows**
 - **Profile** > **Personal Data Encryption**
@@ -106,7 +106,7 @@ Provide a name, and select **Next**. In the **Configuration settings** page, sel
 
 Assign the policy to a group that contains as members the devices or users that you want to configure.
 
-### Disable PDE with a settings catalog policy in Intune
+### Disable Personal Data Encryption with a settings catalog policy in Intune
 
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
 
@@ -116,24 +116,24 @@ Assign the policy to a group that contains as members the devices or users that
 
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
 
-### Disable PDE with CSP
+### Disable Personal Data Encryption with CSP
 
-You can disable PDE with CSP using the following setting:
+You can disable Personal Data Encryption with CSP using the following setting:
 
 |OMA-URI|Format|Value|
 |-|-|-|
 |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
 
-## Decrypt PDE-encrypted content
+## Decrypt encrypted content
 
-Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
+Disabling Personal Data Encryption doesn't decrypt any Personal Data Encryption protected content. It only prevents the Personal Data Encryption API from being able to protect any additional content. Pprotected files can be manually decrypted using the following steps:
 
 1. Open the properties of the file
 1. Under the **General** tab, select **Advanced...**
 1. Uncheck the option **Encrypt contents to secure data**
 1. Select **OK**, and then **OK** again
 
-PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
+Protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
 
 - Decrypting a large number of files on a device
 - Decrypting files on multiple of devices
@@ -153,11 +153,11 @@ To decrypt files on a device using `cipher.exe`:
   ```
 
 > [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using Personal Data Encryption.
 
 ## Next steps
 
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Review the [Personal Data Encryption FAQ](faq.yml)
 
 <!--links used in this document-->
 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 8aeed21090..2be94a9a24 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -1,51 +1,51 @@
 ### YamlMime:FAQ
 
 metadata:
-  title: Frequently asked questions for Personal Data Encryption (PDE)
-  description: Answers to common questions regarding Personal Data Encryption (PDE).
+  title: Frequently asked questions for Personal Data Encryption
+  description: Answers to common questions regarding Personal Data Encryption.
   ms.topic: faq
   ms.date: 09/24/2024
 
-title: Frequently asked questions for Personal Data Encryption (PDE)
+title: Frequently asked questions for Personal Data Encryption
 summary: |
-  Here are some answers to common questions regarding Personal Data Encryption (PDE)
+  Here are some answers to common questions regarding Personal Data Encryption
 
 sections:
   - name: General
     questions:
-      - question: Can PDE encrypt entire volumes or drives?
+      - question: Can Personal Data Encryption encrypt entire volumes or drives?
         answer: |
-          No, PDE only encrypts specified files and content.
-      - question: How are files and content protected by PDE selected?
+          No, Personal Data Encryption only encrypts specified files and content.
+      - question: How are files and content protected by Personal Data Encryption selected?
         answer: |
-          [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
-      - question: Can users manually encrypt and decrypt files with PDE?
+          [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using Personal Data Encryption.
+      - question: Can users manually encrypt and decrypt files with Personal Data Encryption?
         answer: |
-          Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
-      - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
+          Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt encrypted content](configure.md#decrypt-encrypted-content).
+      - question: Can Personal Data Encryption protected content be accessed after signing on via a Remote Desktop connection (RDP)?
         answer: |
-          No, it's not supported to access PDE-protected content over RDP.
-      - question: Can PDE protected content be accessed via a network share?
+          No, it's not supported to access protected content over RDP.
+      - question: Can Personal Data Encryption protected content be accessed via a network share?
         answer: |
-          No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
-      - question: What encryption method and strength does PDE use?
+          No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+      - question: What encryption method and strength does Personal Data Encryption use?
         answer: |
-          PDE uses AES-CBC with a 256-bit key to encrypt content.
+          Personal Data Encryption uses AES-CBC with a 256-bit key to encrypt content.
 
-  - name: PDE and other Windows features
+  - name: Personal Data Encryption and other Windows features
     questions:
-      - question: What is the relation between Windows Hello for Business and PDE?
+      - question: What is the relation between Windows Hello for Business and Personal Data Encryption?
         answer: |
-          During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
-      - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
+          During user sign-on, Windows Hello for Business unlocks the keys that Personal Data Encryption uses to protect content.
+      - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their Personal Data Encryption protected content?
         answer: |
-          No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
-      - question: Can a file be protected with both PDE and EFS at the same time?
+          No, the keys used by Personal Data Encryption to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+      - question: Can a file be protected with both Personal Data Encryption and EFS at the same time?
         answer: |
-          No, PDE and EFS are mutually exclusive.
-      - question: Is PDE a replacement for BitLocker?
+          No, Personal Data Encryption and EFS are mutually exclusive.
+      - question: Is Personal Data Encryption a replacement for BitLocker?
         answer: |
           No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
       - question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
         answer: |
-          No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+          No, Personal Data Encryption doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by Personal Data Encryption to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 7e28595993..03607ce506 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -1,104 +1,104 @@
 ---
-title: Personal Data Encryption (PDE)
+title: Personal Data Encryption
 description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
 ms.topic: how-to
 ms.date: 09/24/2024
 ---
 
-# Personal Data Encryption (PDE)
+# Personal Data Encryption
 
-Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
+Starting in Windows 11, version 22H2, Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows.
 
-PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+Personal Data Encryption utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
 When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
 
 The use of Windows Hello for Business offers the following advantages:
 
 - It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
-- The accessibility features available when using Windows Hello for Business extend to PDE protected content
+- The accessibility features available when using Windows Hello for Business extend to Personal Data Encryption protected content
 
-PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
+Personal Data Encryption differs from BitLocker in that it encrypts files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.\
+Unlike BitLocker that releases data encryption keys at boot, Personal Data Encryption doesn't release data encryption keys until a user signs in using Windows Hello for Business.
 
 ## Prerequisites
 
-To use PDE, the following prerequisites must be met:
+To use Personal Data Encryption, the following prerequisites must be met:
 
 - Windows 11, version 22H2 and later
 - The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
 - Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
 
 > [!IMPORTANT]
-> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
+> If you sign in with a password or a [security key][AAD-2], you can't access Personal Data Encryption protected content.
 
 [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
 
-## PDE protection levels
+## Personal Data Encryption protection levels
 
-PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+Personal Data Encryption uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
 
 | Item | Level 1 | Level 2 |
 |---|---|---|
-| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
-| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
-| PDE protected data is accessible after user signs out of Windows | No | No |
-| PDE protected data is accessible when device is shut down | No | No |
-| PDE protected data is accessible via UNC paths | No | No |
-| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
-| PDE protected data is accessible via Remote Desktop session | No | No |
-| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
+| Protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
+| Protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
+| Protected data is accessible after user signs out of Windows | No | No |
+| Protected data is accessible when device is shut down | No | No |
+| Protected data is accessible via UNC paths | No | No |
+| Protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
+| Protected data is accessible via Remote Desktop session | No | No |
+| Decryption keys used by Personal Data Encryption discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
 
-## PDE protected content accessibility
+## Personal Data Encryption protected content accessibility
 
-When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
+When a file is protected with Personal Data Encryption, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access Personal Data Encryption protected content, they'll be denied access to the content.
 
-Scenarios where a user will be denied access to PDE protected content include:
+Scenarios where a user will be denied access to Personal Data Encryption protected content include:
 
 - User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
 - If protected via level 2 protection, when the device is locked
 - When trying to access content on the device remotely. For example, UNC network paths
 - Remote Desktop sessions
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the Personal Data Encryption protected content
 
-## Differences between PDE and BitLocker
+## Differences between Personal Data Encryption and BitLocker
 
-PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
+Personal Data Encryption is meant to work alongside BitLocker. Personal Data Encryption isn't a replacement for BitLocker, nor is BitLocker a replacement for Personal Data Encryption. Using both features together provides better security than using either BitLocker or Personal Data Encryption alone. However there are differences between BitLocker and Personal Data Encryption and how they work. These differences are why using them together offers better security.
 
-| Item | PDE | BitLocker |
+| Item | Personal Data Encryption | BitLocker |
 |--|--|--|
 | Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
 | Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
 | Protected content | All files in protected folders | Entire volume/drive |
 | Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
 
-## Differences between PDE and EFS
+## Differences between Personal Data Encryption and EFS
 
-The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
+The main difference between protecting files with Personal Data Encryption instead of EFS is the method they use to protect the file. Personal Data Encryption uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
 
-To see if a file is protected with PDE or with EFS:
+To see if a file is protected with Personal Data Encryption or with EFS:
 
 1. Open the properties of the file
 1. Under the **General** tab, select **Advanced...**
 1. In the **Advanced Attributes** windows, select **Details**
 
-For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+For Personal Data Encryption protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
 
 For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
 
 Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
 
-## Recommendations for using PDE
+## Recommendations for using Personal Data Encryption
 
-The following are recommendations for using PDE:
+The following are recommendations for using Personal Data Encryption:
 
-- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although Personal Data Encryption works without BitLocker, it's recommended to enable BitLocker. Personal Data Encryption is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
 - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
 
-## Windows out of box applications that support PDE
+## Windows out of box applications that support Personal Data Encryption
 
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
+Certain Windows applications support Personal Data Encryption out of the box. If Personal Data Encryption is enabled on a device, these applications will utilize Personal Data Encryption:
 
 | App name | Details |
 |-|-|
@@ -106,8 +106,8 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
 
 ## Next steps
 
-- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
-- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+- Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [Personal Data Encryption settings and configuration](configure.md)
+- Review the [Personal Data Encryption FAQ](faq.yml)
 
 <!--links used in this document-->
 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
index f526600bd4..ac20c878c3 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml
@@ -1,7 +1,7 @@
 items:
-- name: PDE overview
+- name: Overview
   href: index.md
-- name: Configure PDE
+- name: Configure Personal Data Encryption
   href: configure.md
-- name: PDE frequently asked questions (FAQ)
+- name: Frequently asked questions (FAQ)
   href: faq.yml
\ No newline at end of file
diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml
index 81f918fba2..ee4a57ab27 100644
--- a/windows/security/operating-system-security/data-protection/toc.yml
+++ b/windows/security/operating-system-security/data-protection/toc.yml
@@ -3,9 +3,7 @@ items:
   href: bitlocker/toc.yml
 - name: Encrypted hard drives
   href: encrypted-hard-drive.md
-- name: Personal data encryption (PDE)
+- name: Personal data encryption
   href: personal-data-encryption/toc.yml
 - name: Email Encryption (S/MIME)
   href: configure-s-mime.md
-- name: Windows Information Protection (WIP)
-  href: /previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip
diff --git a/windows/security/operating-system-security/index.md b/windows/security/operating-system-security/index.md
deleted file mode 100644
index e8c0197c75..0000000000
--- a/windows/security/operating-system-security/index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows operating system security
-description: Securing the operating system includes system security, encryption, network security, and threat protection.
-ms.date: 07/10/2024
-ms.topic: overview
----
-
-# Windows operating system security
-
-Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
-
-Watch the latest [Microsoft Mechanics Windows 11 security](https://youtu.be/tg9QUrnVFho) video that shows off some of the latest Windows 11 security technology.
-
-Use the links in the following sections to learn more about the operating system security features and capabilities in Windows.
-
-[!INCLUDE [operating-system-security](../includes/sections/operating-system-security.md)]
diff --git a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
index 5cff1aedaa..0d9d62c33e 100644
--- a/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
+++ b/windows/security/operating-system-security/system-security/cryptography-certificate-mgmt.md
@@ -3,7 +3,7 @@ title: Cryptography and Certificate Management
 description: Get an overview of cryptography and certificate management in Windows
 ms.topic: conceptual
 ms.date: 07/10/2024
-ms.reviewer: skhadeer, raverma
+ms.reviewer: skhadeer, aathipsa
 ---
 
 # Cryptography and Certificate Management
@@ -17,13 +17,19 @@ Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 c
 Windows cryptographic modules provide low-level primitives such as:
 
 - Random number generators (RNG)
-- Symmetric and asymmetric encryption (support for  AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
-- Hashing (support for SHA-256, SHA-384, and SHA-512)
+- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
+- Hashing (support for SHA-256, SHA-384, SHA-512, and SHA-3*)
 - Signing and verification (padding support for OAEP, PSS, PKCS1)
 - Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
 
 These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
 
+*With this release we added support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, and KMAC). These are the latest standardized hash functions by the National Institute of Standards and Technology (NIST) and can be leveraged through the Windows CNG library. Below is a list of the supported SHA-3 functions:
+
+Supported SHA-3 hash functions: SHA3-256, SHA3-384, SHA3-512 (SHA3-224 is not supported)
+Supported SHA-3 HMAC algorithms: HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512
+Supported SHA-3 derived algorithms: extendable-output functions (XOF) (SHAKE128, SHAKE256), customizable XOFs (cSHAKE128, cSHAKE256), and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256).
+
 ## Certificate management
 
 Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to autoenroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
diff --git a/windows/security/operating-system-security/system-security/toc.yml b/windows/security/operating-system-security/system-security/toc.yml
index 657b99e5df..0309711be5 100644
--- a/windows/security/operating-system-security/system-security/toc.yml
+++ b/windows/security/operating-system-security/system-security/toc.yml
@@ -13,7 +13,7 @@ items:
   href: ../../threat-protection/security-policy-settings/security-policy-settings.md
 - name: Security auditing
   href: ../../threat-protection/auditing/security-auditing-overview.md
-- name: Assigned Access 🔗
+- name: Kiosks and restricted user experiences 🔗
   href: /windows/configuration/assigned-access
 - name: Windows Security settings
   href: windows-defender-security-center/windows-defender-security-center.md
diff --git a/windows/security/operating-system-security/toc.yml b/windows/security/operating-system-security/toc.yml
index 1e8df2650f..5c37753d30 100644
--- a/windows/security/operating-system-security/toc.yml
+++ b/windows/security/operating-system-security/toc.yml
@@ -1,13 +1,11 @@
 items:
-- name: Overview
-  href: index.md
 - name: System security
   href: system-security/toc.yml
 - name: Encryption and data protection
   href: data-protection/toc.yml
-- name: Device management
-  href: device-management/toc.yml
 - name: Network security
   href: network-security/toc.yml
 - name: Virus and threat protection
-  href: virus-and-threat-protection/toc.yml
\ No newline at end of file
+  href: virus-and-threat-protection/toc.yml
+- name: Device management
+  href: device-management/toc.yml
\ No newline at end of file
diff --git a/windows/security/security-foundations/index.md b/windows/security/security-foundations/index.md
deleted file mode 100644
index 0275431b52..0000000000
--- a/windows/security/security-foundations/index.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Windows security foundations
-description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
-ms.topic: overview
-ms.date: 04/10/2024
-author: paolomatarazzo
-ms.author: paoloma
----
-
-# Windows security foundations
-
-Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today's threat environment.
-
-Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
-
-Use the links in the following table to learn more about the security foundations:
-
-[!INCLUDE [security-foundations](../includes/sections/security-foundations.md)]
diff --git a/windows/security/security-foundations/toc.yml b/windows/security/security-foundations/toc.yml
index 7fc4c3adff..e8439d170b 100644
--- a/windows/security/security-foundations/toc.yml
+++ b/windows/security/security-foundations/toc.yml
@@ -1,8 +1,4 @@
 items:
-- name: Overview
-  href: index.md
-- name: Zero Trust and Windows
-  href: zero-trust-windows-device-health.md
 - name: Offensive research
   items:
   - name: Microsoft Security Development Lifecycle 🔗
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
deleted file mode 100644
index cacb76f47d..0000000000
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Zero Trust and Windows device health
-description: Describes the process of Windows device health attestation
-ms.topic: concept-article
-manager: aaroncz
-ms.author: paoloma
-author: paolomatarazzo
-ms.date: 09/06/2024
----
-
-# Zero Trust and Windows device health
-
-Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they're located. Implementing a Zero Trust model for security helps address today's complex environments.
-
-The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
-
-- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies
-- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity
-- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses
-
-The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
-
-[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
-
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they're in the office, at home, or when they're traveling.
-
-Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
-
-## Device health attestation on Windows
-
- Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device's health. Remote attestation determines:
-
-- If the device can be trusted
-- If the operating system booted correctly
-- If the OS has the right set of security features enabled
-
-These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
-
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](../operating-system-security/system-security/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
-
-A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
-
-1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event
-1. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service
-1. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation)
-1. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device
-1. The attestation service does the following tasks:
-
-    - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log
-    - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
-    - Verify that the security features are in the expected states
-
-1. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service
-1. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules
-1. Conditional access, along with device-compliance state then decides to allow or deny access
-
-## Other Resources
-
-Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/).
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 5b5fb3e06e..327b1336ab 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -56,7 +56,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
 | **Windows Defender SmartScreen**<br> helps prevent<br>malicious applications<br>from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.<br><br>**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic |
 | **Credential Guard**<br> helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
 | **Enterprise certificate pinning**<br> helps prevent <br>man-in-the-middle attacks<br>that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf. <br><br>**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
-| **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
+| **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-virtualization-based-security-and-appcontrol) |
 | **Microsoft Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.<br><br>**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
 | **Blocking of untrusted fonts**<br> helps prevent fonts<br>from being used in<br>elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
 | **Memory protections**<br> help prevent malware<br>from using memory manipulation<br>techniques such as buffer<br>overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:<br>A subset of apps won't be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.<br><br>**More information**: [Table 2](#table-2), later in this topic |
@@ -88,14 +88,14 @@ For more information, see [Microsoft Defender SmartScreen overview](/windows/sec
 
 Microsoft Defender Antivirus in Windows 10 uses a multi-pronged approach to improve anti-malware:
 
+- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
+
 - **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates.
 
-- **Rich local context** improves how malware is identified. Windows 10 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
+- **Rich local context** improves how malware is identified. Windows 11 informs Microsoft Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Microsoft Defender Antivirus to apply different levels of scrutiny to different content.
 
 - **Extensive global sensors** help keep Microsoft Defender Antivirus current and aware of even the newest malware. This up-to-date status is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data.
 
-- **Tamper proofing** helps guard Microsoft Defender Antivirus itself against malware attacks. For example, Microsoft Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Microsoft Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.)
-
 - **Enterprise-level features** give IT pros the tools and configuration options necessary to make Microsoft Defender Antivirus an enterprise-class anti-malware solution.
 
 <!-- Watch the link text for the following links - try to keep it in sync with the actual topic. -->
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index 6fbbd83941..bb89fd8728 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -1,6 +1,4 @@
 items:
-- name: Introduction to Windows security
-  href: introduction.md
 - name: Windows 11 security book 🔗
   href: book/index.md
 - name: Security features licensing and edition requirements
diff --git a/windows/whats-new/ltsc/whats-new-windows-11-2024.md b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
index 3fbb4a3529..2e098597d2 100644
--- a/windows/whats-new/ltsc/whats-new-windows-11-2024.md
+++ b/windows/whats-new/ltsc/whats-new-windows-11-2024.md
@@ -18,7 +18,7 @@ appliesto:
 This article lists some of the new and updated features and content that is of interest to IT Pros for Windows 11 Enterprise long-term servicing channel (LTSC) 2024, compared to Windows 10 Enterprise LTSC 2021. For a brief description of the LTSC servicing channel and associated support, see [Windows Enterprise LTSC](overview.md). <!--8891336-->
 
 
-Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities. 
+Windows 11 Enterprise LTSC 2024 builds on Windows 10 Enterprise LTSC 2021, adding premium features such as advanced protection against modern security threats and comprehensive device management, app management, and control capabilities.
 
 The Windows 11 Enterprise LTSC 2024 release includes the cumulative enhancements provided in Windows 11 versions 21H2, 22H2, 23H2, and 24H2. Details about these enhancements are provided below.
 
@@ -37,7 +37,7 @@ Windows 11 Enterprise LTSC 2024 was first available on October 1, 2024. Features
 
 | Feature </br> [Release] | Description |
 | --- | --- |
-| **Windows accessibility** </br> [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator.</br> For more information, see:</br>&nbsp;&nbsp;• [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/)</br>&nbsp;&nbsp;• [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554)</br>&nbsp;&nbsp;• [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
+| **Windows accessibility** </br> [22H2][22H2] | Improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator.</br> For more information, see:</br>&nbsp;&nbsp;* [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/)</br>&nbsp;&nbsp;* [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554)</br>&nbsp;&nbsp;* [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros). |
 | **Braille displays**  </br> [23H2][23H2] <!--7579823-->        | Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros). |
 | **Narrator improvements**  </br> [23H2][23H2] <!--kb5019509--> | Scripting functionality was added to Narrator. Narrator includes more natural voices. For more information, see [Complete guide to Narrator](https://support.microsoft.com/topic/e4397a0d-ef4f-b386-d8ae-c172f109bdb1).<!--8138352, 8138357--> |
 | **Bluetooth &#174; LE audio support for assistive devices** </br> [24H2][24H2] | Windows has taken a significant step forward in accessibility by supporting the use of assistive hearing devices equipped with the latest Bluetooth &#174; Low Energy Audio technology. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647). |
@@ -95,15 +95,15 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
 | --- | --- |
 | **Windows Security app** </br> [21H2][21H2] | Windows Security app is an easy-to-use interface, and combines commonly used security features. For example, your get access to virus & threat protection, firewall & network protection, account protection, and more. For more information, see [the Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center). |
 | **Security baselines** </br> [21H2][21H2] | Security baselines include security settings that are already configured, and ready to be deployed to your devices. If you don't know where to start, or it's too time consuming to go through all the settings, then you should look at Security Baselines. For more information, see [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines). |
-| **Microsoft Defender Antivirus** </br> [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see:</br>&nbsp;&nbsp;• [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)</br>&nbsp;&nbsp;• [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)</br>&nbsp;&nbsp;• [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
+| **Microsoft Defender Antivirus** </br> [21H2][21H2] | Microsoft Defender Antivirus helps protect devices using next-generation security. When used with Microsoft Defender for Endpoint, your organization gets strong endpoint protection, and advanced endpoint protection & response. If you use Intune to manage devices, then you can create policies based on threat levels in Microsoft Defender for Endpoint. For more information, see:</br>&nbsp;&nbsp;* [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)</br>&nbsp;&nbsp;* [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)</br>&nbsp;&nbsp;* [Enforce compliance for Microsoft Defender for Endpoint](/mem/intune/protect/advanced-threat-protection) |
 | **Application Security** </br> [21H2][21H2] | The Application Security features help prevent unwanted or malicious code from running, isolate untrusted websites & untrusted Office files, protect against phishing or malware websites, and more. For more information, see  [Windows application security](/windows/security/apps). |
 | **Microsoft Pluton** </br> [22H2][22H2] | Pluton, designed by Microsoft and built by silicon partners,  is a secure crypto-processor built into the CPU. Pluton provides security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data, and encryption keys. Information is harder to be removed even if an attacker installed malware or has complete physical possession. For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor). |
-| **Enhanced Phishing Protection** </br> [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see:</br>&nbsp;&nbsp;• [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)</br>&nbsp;&nbsp;• [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
+| **Enhanced Phishing Protection** </br> [22H2][22H2] | Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft passwords against phishing and unsafe usage. Enhanced Phishing Protection works alongside Windows security protections to help protect sign-in passwords. For more information, see:</br>&nbsp;&nbsp;* [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen)</br>&nbsp;&nbsp;* [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. |
 | **Smart App Control** </br> [22H2][22H2] | Smart App Control adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. Smart App Control helps block unwanted apps that affect performance, display unexpected ads, offer extra software you didn't want, and other things you don't expect. For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control). |
 | **Credential Guard** </br> [22H2][22H2] | Credential Guard, enabled by default, uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket. For more information, see [Configure Credential Guard](/windows/security/identity-protection/credential-guard/configure).|
 | **Malicious and vulnerable driver blocking** </br> [22H2][22H2] | The vulnerable driver blocklist is automatically enabled on devices when Smart App Control is enabled and for clean installs of Windows. For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).|
 | **Security hardening and threat protection** </br> [22H2][22H2] | Enhanced support with Local Security Authority (LSA) to prevent code injection that could compromise credentials. For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json). |
-| **Personal Data Encryption (PDE)** </br> [22H2][22H2] | [Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
+| **Personal Data Encryption** </br> [22H2][22H2] | [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/) is a security feature that provides file-based data encryption capabilities to Windows. Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. |
 | **Passkeys in Windows** </br> [23H2][23H2] <!--8138341--> | Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys). |
 | **Windows passwordless experience** </br> [23H2][23H2] <!--8138336--> | Windows passwordless experience is a security policy that promotes a user experience without passwords on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices. </br>When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/). |
 | **Web sign-in for Windows** </br> [23H2][23H2] <!--8344016--> | You can enable a web-based sign-in experience on [Microsoft Entra](https://www.microsoft.com/security/business/microsoft-entra?ef_id=_k_910ee369e9a812f6048b86296a6a402c_k_&OCID=AIDcmmdamuj0pc_SEM__k_910ee369e9a812f6048b86296a6a402c_k_&msclkid=910ee369e9a812f6048b86296a6a402c) joined devices, unlocking new sign-in options, and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in). |
@@ -112,10 +112,10 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
 | **App Control for Business** </br> [24H2][24H2]<!--8223790--> | Customers can now use App Control for Business (formerly called Windows Defender Application Control) and its next-generation capabilities to protect their digital property from malicious code. With App Control for Business, IT teams can configure what runs in a business environment through Microsoft Intune or other MDMs in the admin console, including setting up Intune as a managed installer. For more information, see [Application Control for Windows](/windows/security/application-security/application-control/app-control-for-business/appcontrol).|
 | **Local Security Authority (LSA) protection enablement** </br> [24H2][24H2]| An audit occurs for incompatibilities with [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, [LSA protection logs](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load) whether programs are blocked from loading into LSA. |
 | **Rust in the Windows kernel** </br> [24H2][24H2] | There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel. |
-| **SHA-3 support** </br> [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. | 
+| **SHA-3 support** </br> [24H2][24H2] | Support for the SHA-3 family of hash functions and SHA-3 derived functions (SHAKE, cSHAKE, KMAC) was added. The SHA-3 family of algorithms is the latest standardized hash functions by the National Institute of Standards and Technology (NIST). Support for these functions is enabled through the Windows [CNG](/windows/win32/seccng/cng-portal) library. |
 | **Windows Local Admin Password Solution (LAPS)** </br> [24H2][24H2] | Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that automatically manages and backs up the password of a local administrator account on your Microsoft Entra joined or Windows Server Active Directory-joined devices. Windows LAPS is the successor for the now deprecated legacy Microsoft LAPS product. For more information, see [What is Windows LAPS?](/windows-server/identity/laps/laps-overview)|
-| **Windows&nbsp;LAPS** </br> Automatic account management </br> [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to:</br>&nbsp;&nbsp;• Automatically create the managed local account</br>&nbsp;&nbsp;• Configure name of account</br>&nbsp;&nbsp;• Enable or disable the account</br>&nbsp;&nbsp;• Randomize the name of the account |
-| **Windows&nbsp;LAPS** </br> Policy improvements </br> [24H2][24H2]| &nbsp;&nbsp;• Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy </br> &nbsp;&nbsp;• Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase </br> &nbsp;&nbsp;• Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number <kbd>0</kbd> and the letter <kbd>O</kbd> aren't used in the password since the characters can be confused. </br>&nbsp;&nbsp;• Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
+| **Windows&nbsp;LAPS** </br> Automatic account management </br> [24H2][24H2] | [Windows Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview) has a new automatic account management feature. Admins can configure Windows LAPS to:</br>&nbsp;&nbsp;* Automatically create the managed local account</br>&nbsp;&nbsp;* Configure name of account</br>&nbsp;&nbsp;* Enable or disable the account</br>&nbsp;&nbsp;* Randomize the name of the account |
+| **Windows&nbsp;LAPS** </br> Policy improvements </br> [24H2][24H2]| &nbsp;&nbsp;* Added passphrase settings for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy </br> &nbsp;&nbsp;* Use [PassphraseLength](/windows/client-management/mdm/laps-csp#policiespassphraselength) to control the number of words in a new passphrase </br> &nbsp;&nbsp;* Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the number <kbd>0</kbd> and the letter <kbd>O</kbd> aren't used in the password since the characters can be confused. </br>&nbsp;&nbsp;* Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation. |
 | **Windows&nbsp;LAPS** </br> Image rollback detection </br> [24H2][24H2] | Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema). |
 | **Windows protected print mode** </br> [24H2][24H2] | Windows protected print mode (WPP) enables a modern print stack which is designed to work exclusively with [Mopria certified printers](https://mopria.org/certified-products). For more information, see [What is Windows protected print mode (WPP)](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/a-new-modern-and-secure-print-experience-from-windows/ba-p/4002645) and [Windows Insider WPP announcement](https://blogs.windows.com/windows-insider/2023/12/13/announcing-windows-11-insider-preview-build-26016-canary-channel/). |
 | **SMB signing requirement changes** </br> [24H2][24H2] | [SMB signing is now required](/windows-server/storage/file-server/smb-signing) by default for all connections. SMB signing ensures every message contains a signature generated using session key and cipher suite. The client puts a hash of the entire message into the signature field of the SMB header. If anyone changes the message itself later on the wire, the hash won't match and SMB knows that someone tampered with the data. It also confirms to sender and receiver that they are who they say they are, breaking relay attacks. For more information about SMB signing being required by default, see [https://aka.ms/SMBSigningOBD](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704). |
@@ -123,8 +123,8 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
 | **SMB signing and encryption auditing** </br> [24H2][24H2] | Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell. |
 | **SMB alternative client and server ports** </br> [24H2][24H2] | The SMB client now supports connecting to an SMB server over TCP, QUIC, or RDMA using [alternative network ports](/windows-server/storage/file-server/smb-ports) to the hardcoded defaults. However, you can only connect to alternative ports if the SMB server is configured to support listening on that port. Starting in [Windows Server Insider build 26040](https://techcommunity.microsoft.com/t5/windows-server-insiders/announcing-windows-server-preview-build-26040/m-p/4040858), the SMB server now supports listening on an alternative network port for SMB over QUIC. Windows Server doesn't support configuring alternative SMB server TCP ports, but some third parties do. For more information about this change, see [https://aka.ms/SMBAlternativePorts](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insider/ba-p/3974509). |
 | **SMB NTLM blocking exception list** </br> [24H2][24H2] |The SMB client now supports [blocking NTLM](/windows-server/storage/file-server/smb-ntlm-blocking) for remote outbound connections. With this new option, administrators can intentionally block Windows from offering NTLM via SMB and specify exceptions for NTLM usage. An attacker who tricks a user or application into sending NTLM challenge responses to a malicious server will no longer receive any NTLM data and can't brute force, crack, or pass hashes. This change adds a new level of protection for enterprises without a requirement to entirely disable NTLM usage in the OS. For more information about this change, see [https://aka.ms/SmbNtlmBlock](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-ntlm-blocking-now-supported-in-windows-insider/ba-p/3916206). |
-| **SMB dialect management** </br> [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).| 
-| **SMB over QUIC client access control** </br> [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: </br>&nbsp;&nbsp;• [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. </br>&nbsp;&nbsp;• [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell </br>&nbsp;&nbsp;• [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC </br></br> For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
+| **SMB dialect management** </br> [24H2][24H2] | The SMB server now supports controlling which [SMB 2 and 3 dialects](/windows-server/storage/file-server/manage-smb-dialects) it negotiates. With this new option, an administrator can remove specific SMB protocols from use in the organization, blocking older, less secure, and less capable Windows devices and third parties from connecting. For example, admins can specify to only use SMB 3.1.1, the most secure dialect of the protocol. For more information about this change, see [https://aka.ms/SmbDialectManage](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-dialect-management-now-supported-in-windows-insider/ba-p/3916368).|
+| **SMB over QUIC client access control** </br> [24H2][24H2] | [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature. Administrators now have more options for SMB over QUIC such as: </br>&nbsp;&nbsp;* [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience. </br>&nbsp;&nbsp;* [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell </br>&nbsp;&nbsp;* [Auditing client connection events](/windows-server/storage/file-server/smb-over-quic#smb-over-quic-client-auditing) for SMB over QUIC </br></br> For more information about these changes, see [https://aka.ms/SmbOverQUICCAC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control). |
 | **SMB firewall rule changes** </br> [24H2][24H2] | The Windows Firewall [default behavior has changed](/windows-server/storage/file-server/smb-secure-traffic#updated-firewall-rules-preview). Previously, creating an SMB share automatically configured the firewall to enable the rules in the **File and Printer Sharing** group for the given firewall profiles. Now, Windows automatically configures the new **File and Printer Sharing (Restrictive)** group, which no longer contains inbound NetBIOS ports 137-139. </br></br> This change enforces a higher degree of default of network security and brings SMB firewall rules closer to the Windows Server **File Server** role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the **File and Printer Sharing** group if necessary as well as modify this new firewall group, these are just default behaviors. For more information about this change, see [https://aka.ms/SMBfirewall](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-firewall-rule-changes-in-windows-insider/ba-p/3974496). For more information about SMB network security, see [Secure SMB Traffic in Windows Server](/windows-server/storage/file-server/smb-secure-traffic). |
 
 ## Servicing
@@ -132,7 +132,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
 
 | Feature </br> [Release] | Description |
 | --- | --- |
-| **Windows Updates and Delivery optimization** </br> [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see:</br>&nbsp;&nbsp;• [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization)</br>&nbsp;&nbsp;• [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11)</br>&nbsp;&nbsp;• [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
+| **Windows Updates and Delivery optimization** </br> [21H2][21H2] | Delivery optimization helps reduce bandwidth consumption. It shares the work of downloading the update packages with multiple devices in your deployment. Windows 11 updates are smaller, as they only pull down source files that are different. You can create policies that configure delivery optimization settings. For example, set the maximum upload and download bandwidth, set caching sizes, and more. For more information, see:</br>&nbsp;&nbsp;* [Delivery Optimization for Windows updates](/windows/deployment/update/waas-delivery-optimization)</br>&nbsp;&nbsp;* [Installation & updates](https://support.microsoft.com/topic/2f9c1819-310d-48a7-ac12-25191269903c#PickTab=Windows_11)</br>&nbsp;&nbsp;* [Manage updates in Windows](https://support.microsoft.com/topic/643e9ea7-3cf6-7da6-a25c-95d4f7f099fe)|
 | **Control Windows Update notifications** </br> [22H2][22H2] | You can now block user notifications for Windows Updates during active hours. This setting is especially useful for organizations that want to prevent Windows Update notifications from occurring during business hours. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).|
 | **Organization name in update notifications** |The organization name now appears in the Windows Update notifications when Windows clients are associated with a Microsoft Entra ID tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name). |
 | **Checkpoint cumulative updates** </br> [24H2][24H2] | Windows quality updates are provided as cumulative updates throughout the life cycle of a Windows release. Checkpoint cumulative updates introduce periodic baselines that reduce the size of future cumulative updates making the distribution of monthly quality updates more efficient. For more information, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552). |
@@ -152,7 +152,7 @@ The security and privacy features in Windows 11 are similar to Windows 10. Secur
 
 ## Features Removed
 
-Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024: 
+Each version of Windows client adds new features and functionality. Occasionally, [features and functionality are removed](/windows/whats-new/removed-features), often because a newer option was added. For a list of features no longer in active development that might be removed in a future release, see [deprecated features](/windows/whats-new/deprecated-features). The following features are removed in Windows 11 Enterprise LTSC 2024:
 
 | Feature | Description |
 |---------|-------------|
@@ -170,5 +170,5 @@ Each version of Windows client adds new features and functionality. Occasionally
 
 [21H2]: ..\windows-11-overview.md
 [22H2]: ..\whats-new-windows-11-version-22H2.md
-[23H2]: ..\whats-new-windows-11-version-23h2.md 
+[23H2]: ..\whats-new-windows-11-version-23h2.md
 [24H2]: ..\whats-new-windows-11-version-24H2.md
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
index a76a1b6abb..3b1f47426d 100644
--- a/windows/whats-new/whats-new-windows-11-version-22H2.md
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -70,9 +70,9 @@ For more information, see [Configuring Additional LSA Protection](/windows-serve
 
 ## Personal Data Encryption
 <!--5963468 -->
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal Data Encryption is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. Personal Data Encryption differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.
 
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+Personal Data Encryption utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With Personal Data Encryption, users only need to enter one set of credentials via Windows Hello for Business.
 
 For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
 
diff --git a/windows/whats-new/whats-new-windows-11-version-24h2.md b/windows/whats-new/whats-new-windows-11-version-24h2.md
index 5c492a24d8..a812a10180 100644
--- a/windows/whats-new/whats-new-windows-11-version-24h2.md
+++ b/windows/whats-new/whats-new-windows-11-version-24h2.md
@@ -18,7 +18,7 @@ appliesto:
 
 # What's new in Windows 11, version 24H2
 <!--8631988-->
-Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know. 
+Windows 11, version 24H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 23H2. This article lists the new and updated features IT Pros should know.
 
 >**Looking for consumer information?** See [Windows 11 2024 update](https://support.microsoft.com/topic/93c5c27c-f96e-43c2-a08e-5812d92f220d#windowsupdate=26100).
 
@@ -42,21 +42,21 @@ To learn more about the status of the update rollout, known issues, and new info
 
 There aren't any features under temporary enterprise control between Windows 11, version 23H2 and Windows 11, version 24H2. For a list of features that were under temporary enterprise control between Windows 11, version 22H2 and Windows 11, version 23H2, see, [Windows 11 features behind temporary enterprise feature control](temporary-enterprise-feature-control.md).
 <!--
-| Feature | KB article where the feature was introduced | 
+| Feature | KB article where the feature was introduced |
 |---|---|
-| PLACEHOLDER | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913)  | 
+| PLACEHOLDER | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913)  |
 -->
 
 
 ## Checkpoint cumulative updates
-<!--8769182--> 
+<!--8769182-->
 Microsoft is introducing checkpoint cumulative updates, a new servicing model that enables devices running Windows 11, version 24H2 or later to save time, bandwidth and hard drive space when getting features and security enhancements via the latest cumulative update. Previously, the cumulative updates contained all changes to the binaries since the last release to manufacturing (RTM) version. The size of the cumulative updates could grow large over time since RTM was used as the baseline for each update.
 
 With checkpoint cumulative updates, the update file level differentials are based on a previous cumulative update instead of the RTM release. Cumulative updates that serve as a checkpoint will be released periodically. Using a checkpoint rather than RTM means the subsequent update packages are smaller, which makes downloads and installations faster. Using a checkpoint also means that in order for a device to install the latest cumulative update, the installation of a prerequisite cumulative update might be required. For more information about checkpoint cumulative updates, see [https://aka.ms/CheckpointCumulativeUpdates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-windows-11-checkpoint-cumulative-updates/ba-p/4182552).
 
 ## Features exclusive to Copilot+ PCs in 24H2
 
-Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2: 
+Copilot+ PCs are a new class of Windows 11 AI PCs that are powered by a neural processing unit (NPU) that can perform more than 40 trillion operations per second (TOPS). The following features are exclusive to [Copilot+ PCs](https://www.microsoft.com/windows/copilot-plus-pcs) in Windows 11, version 24H2:
 
 - Live Captions allow you to translate audio and video content into English subtitles from 44 languages. For more information, see [Use live captions to better understand audio](https://support.microsoft.com/topic/b52da59c-14b8-4031-aeeb-f6a47e6055df).
 - Windows Studio Effects is the collective name of AI-powered video call and audio effects that are available on Copilot+ PCs and select Windows 11 devices with compatible NPUs. Windows Studio Effects automatically improves lighting and cancels noises during video calls. For more information, see [Windows Studio Effects](https://support.microsoft.com/topic/273c1fa8-2b3f-41b1-a587-7cc7a24b62d8).
@@ -80,7 +80,7 @@ The following changes were made for SMB signing and encryption:
 
 - **SMB client encryption**: SMB now supports [requiring encryption](/windows-server/storage/file-server/configure-smb-client-require-encryption) on all outbound SMB client connections. Encryption of all outbound SMB client connections enforces the highest level of network security and brings management parity to SMB signing, which allows both client and server requirements. With this new option, administrators can mandate that all destination servers use SMB 3 and encryption, and if missing those capabilities, the client won't connect. For more information about this change, see [https://aka.ms/SmbClientEncrypt](https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-client-encryption-mandate-now-supported-in-windows-insider/ba-p/3964037).
 
-- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell. 
+- **SMB signing and encryption auditing**: Administrators can now [enable auditing](/windows-server/storage/file-server/smb-signing-overview#smb-signing-and-encryption-auditing) of the SMB server and client for support of SMB signing and encryption. This shows if a third-party client or server doesn't support SMB encryption or signing. The SMB signing and encryption auditing settings can be modified in Group Policy or through PowerShell.
 
 #### SMB alternative client and server ports
 
@@ -104,7 +104,7 @@ For more information about this change, see [https://aka.ms/SmbDialectManage](ht
 
 [SMB over QUIC](/windows-server/storage/file-server/smb-over-quic), which introduced an alternative to TCP and RDMA, supplies secure connectivity to edge file servers over untrusted networks like the Internet. QUIC has significant advantages, the largest being mandatory certificate-based encryption instead of relying on passwords. SMB over QUIC [client access control](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control) improves the existing SMB over QUIC feature.
 
-Administrators now have more options for SMB over QUIC such as: 
+Administrators now have more options for SMB over QUIC such as:
 
 - [Specifying which clients](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#grant-individual-clients) can access SMB over QUIC servers. This gives organizations more protection but doesn't change the Windows authentication used to make the SMB connection or the end user experience.
 - [Disabling SMB over QUIC](/windows-server/storage/file-server/configure-smb-over-quic-client-access-control#disable-smb-over-quic) for client with Group Policy and PowerShell
@@ -124,7 +124,7 @@ For more information about this change, see [https://aka.ms/SMBfirewall](https:/
 
 [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) helps protect against theft of secrets and credentials used for logon by preventing unauthorized code from running in the LSA process and by preventing dumping of process memory. An audit occurs for incompatibilities with LSA protection for a period of time, starting with this upgrade. If incompatibilities aren't detected, LSA protection is automatically enabled. You can check and change the enablement state of LSA protection in the Windows Security application under the **Device Security** > **Core Isolation** page. In the event log, LSA protection records whether programs are blocked from loading into LSA. If you would like to check if something was blocked, review the [logging](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#identify-plug-ins-and-drivers-that-lsassexe-fails-to-load).
 
- 
+
 ### Remote Mailslot protocol disabled by default
 
 [Remote Mailslot protocol](/openspecs/windows_protocols/ms-mail/47ac910f-1dec-4791-8486-9b3e8fd542da) was [deprecated](deprecated-features.md#deprecated-features) in November 2023 and is now disabled by default starting in Windows 11, version 24H2. For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots).
@@ -144,18 +144,18 @@ LAPS has the following policy improvements:
 - Added an improved readability setting for the [PasswordComplexity](/windows/client-management/mdm/laps-csp#policiespasswordcomplexity) policy, which generates passwords without using characters that are easily confused with another character. For example, the zero and the letter O aren't used in the password since the characters can be confused.
 - Added the `Reset the password, logoff the managed account, and terminate any remaining processes` setting to the [PostAuthenticationActions](/windows/client-management/mdm/laps-csp#policiespostauthenticationactions) policy. The event logging messages that are emitted during post-authentication-action execution were also expanded, to give insights into exactly what was done during the operation.
 
-Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema). 
+Image rollback detection was introduced for LAPS. LAPS can detect when a device was rolled back to a previous image. When a device is rolled back, the password in Active Directory might not match the password on the device that was rolled back. This new feature adds an Active Directory attribute, `msLAPS-CurrentPasswordVersion`, to the [Windows LAPS schema](/windows-server/identity/laps/laps-technical-reference#mslaps-currentpasswordversion). This attribute contains a random GUID that Windows LAPS writes every time a new password is persisted in Active Directory, followed by saving a local copy. During every processing cycle, the GUID stored in `msLAPS-CurrentPasswordVersion` is queried and compared to the locally persisted copy. If the GUIDs are different, the password is immediately rotated. To enable this feature, you need to run the latest version of the [Update-LapsADSchema PowerShell cmdlet](/powershell/module/laps/update-lapsadschema).
 
 ### Rust in the Windows kernel
 
 There's a new implementation of [GDI region](/windows/win32/gdi/regions) in `win32kbase_rs.sys`. Since Rust offers advantages in reliability and security over traditional programs written in C/C++, you'll continue to see more use of it in the kernel.
 
-### Personal Data Encryption (PDE) for folders
+### Personal Data Encryption for folders
 
-PDE for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. PDE for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
-PDE for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
+Personal Data Encryption for folders is a security feature where the contents of the known Windows folders (Documents, Desktop and Pictures) are protected using a user authenticated encryption mechanism. Windows Hello is the user authentication used to provide the keys for encrypting user data in the folders. Personal Data Encryption for folders can be [enabled from a policy in Intune](/mem/intune/protect/endpoint-security-disk-encryption-policy). IT admins can select all of the folders, or a subset, then apply the policy to a group of users in their organization.
+Personal Data Encryption for Folders settings is available on Intune under **Endpoint Security** > **Disk encryption**.
 
-For more information about PDE, see [PDE overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
+For more information about Personal Data Encryption, see [Personal Data Encryption overview](/windows/security/operating-system-security/data-protection/personal-data-encryption)
 
 
 ### Windows protected print mode
@@ -184,7 +184,7 @@ Support  for Wi-Fi 7 was added for consumer access points. Wi-Fi 7, also known a
 
 ### Bluetooth &#174; LE audio support for assistive devices
 
-Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).  
+Customers who use these assistive hearing devices are now able to directly pair, stream audio, take calls, and control audio presets when they use an LE Audio-compatible PC. Users who have Bluetooth LE Audio capable assistive hearing devices can determine if their PC is LE Audio-compatible, set up, and manage their devices via **Settings** > **Accessibility** > **Hearing devices**. For more information, see [Using hearing devices with your Windows 11 PC](https://support.microsoft.com/topic/fcb566e7-13c3-491a-ad5b-8219b098d647).
 
 ### Windows location improvements
 
@@ -213,7 +213,7 @@ In addition to the monthly cumulative update, optional updates are available to
 ### Remote Desktop Connection improvements
 
 Remote Desktop Connection has the following improvements:
-- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**. 
+- The Remote Desktop Connection setup window (mstsc.exe) follows the text scaling settings under **Settings** > **Accessibility** > **Text size**.
 - Remote Desktop Connection supports zoom options of 350, 400, 450, and 500%
 - Improvements to the connection bar design
 
@@ -223,11 +223,11 @@ Remote Desktop Connection has the following improvements:
 
 - **File Explorer**: The following changes were made to File Explorer context menu:
   - Support for creating 7-zip and TAR archives
-  - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard 
+  - **Compress to** > **Additional options** allows you to compress individual files with gzip, BZip2, xz, or Zstandard
   - Labels were added to the context menu icons for actions like copy, paste, delete, and rename
 - **OOBE improvement**: when you need to connect to a network and there's no Wi-Fi drivers, you're given an *Install drivers* option to install drivers that are already downloaded
 - **Registry Editor**: The Registry Editor supports limiting a search to the currently selected key and its descendants
-- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon 
+- **Task Manager**: The Task Manager settings page has [Mica material](/windows/apps/design/style/mica) and a redesigned icon
 
 
 ### Developer APIs
diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md
index 40e15cb0a2..fef13ecd5b 100644
--- a/windows/whats-new/windows-licensing.md
+++ b/windows/whats-new/windows-licensing.md
@@ -143,7 +143,7 @@ The following table lists the Windows 11 Enterprise features and their Windows e
 |**[Credential Guard][WIN-1]**|❌|Yes|
 |**[Microsoft Defender Application Guard (MDAG) for Microsoft Edge][WIN-11]**|Yes|Yes|
 |**[Modern BitLocker Management][WIN-2]**|Yes|Yes|
-|**[Personal data encryption (PDE)][WIN-3]**|❌|Yes|
+|**[Personal Data Encryption][WIN-3]**|❌|Yes|
 |**[Direct Access][WINS-1]**|Yes|Yes|
 |**[Always On VPN][WINS-2]**|Yes|Yes|
 |**[Windows Experience customization][WIN-4]**|❌|Yes|