diff --git a/windows/security/book/application-security-application-and-driver-control.md b/windows/security/book/application-security-application-and-driver-control.md index 7a3756047f..3592a7649b 100644 --- a/windows/security/book/application-security-application-and-driver-control.md +++ b/windows/security/book/application-security-application-and-driver-control.md 
@@ -14,16 +14,15 @@ capabilities to build in security from the ground up to protect against breaches ## Smart App Control -Smart App Control prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, our new Smart App Control only allows processes to run if they are predicted to be safe based on existing and new intelligence updated daily. +Smart App Control prevents users from running malicious applications by blocking untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections by adding another layer of security that is woven directly into the core of the OS at the process level. Using AI, Smart App Control only allows processes to run if they're predicted to be safe based on existing and new intelligence updated daily. -Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web are blocked, greatly improving security for everyday users. -Smart App Control will ship with new devices with Windows 11, version 22H2 installed. +Smart App Control builds on top of the same cloud-based AI used in App Control for Business to predict the safety of an application so that users can be confident that their applications are safe and reliable on their new Windows devices. Additionally, Smart App Control blocks unknown script files and macros from the web, greatly improving security for everyday users. 
-We have been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their PC up to date via Windows Update every month. +We've been making significant improvements to Smart App Control to increase the security, usability, and cloud intelligence response for apps in the Windows ecosystem. Users can get the latest and best experience with Smart App Control by keeping their PC up to date via Windows Update every month. -Additionally, evaluation mode will start automatically enabling devices that the cloud AI model predicts will have a good experience with Smart App Control in the coming months, first starting with users in North America and eventually expanding to other regions. Note that enterprise-enrolled devices will still have Smart App Control disabled by default, and we recommend enterprises running line-of-business applications continue to leverage App Control for Business. +Additionally, evaluation mode starts automatically enabling devices that the cloud AI model predicts will have a good experience with Smart App Control in the coming months, first starting with users in North America and eventually expanding to other regions. Note that enterprise-enrolled devices have Smart App Control disabled by default, and we recommend enterprises running line-of-business applications continue to leverage App Control for Business. -Devices running previous versions of Windows 11 will have to be reset with a clean installation of Windows 11, version 22H2 to take advantage of this feature. Smart App Control will be disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to leverage App Control for Business. 
+Devices running previous versions of Windows 11, version 22H2 must be reset with a clean installation of Windows 11 to take advantage of this feature. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** @@ -54,7 +53,7 @@ apps and prevent inadvertent changes to system settings. Users with standard accounts, or those using administrative accounts with UAC enabled, run most programs with limited access rights. This includes the Windows shell and any apps started from the shell, such as Windows Explorer, a web browser, productivity suite, graphics programs, or games. -Some apps require additional permissions and will not work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a "full" administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed. +Some apps require more permissions and won't work properly (or at all) when running with limited permissions. When an app needs to run with more than standard user rights, UAC allows users to run apps with a *full* administrator token (with administrative groups and privileges) instead of their default user access token. Users continue to operate in the standard user security context while enabling certain executables to run with elevated privileges if needed. :::image type="content" source="images/uac-settings.png" alt-text="Screenshot of the UAC settings." border="false"::: diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 31b6e6f27f..114b615745 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
@@ -55,21 +55,17 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849) ## Windows Subsystem for Linux (WSL) -Windows Subsystem for Linux (WSL) is a feature of Windows that allows you to run a Linux environment on your Windows machine, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. In Ge, we added 3 networking security features and Intune/MDM integration in WSL on Windows 11 (SV2 and Ge) for Enterprises: -- **Hyper-V Firewall**: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows. -- **DNS Tunneling**: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet. +With Windows Subsystem for Linux (WSL) you can run a Linux environment on your Windows device, without the need for a separate virtual machine or dual booting. WSL is designed to provide a seamless and productive experience for developers who want to use both Windows and Linux at the same time. In Ge, we added 3 networking security features and Intune/MDM integration in WSL on Windows 11 (SV2 and Ge) for Enterprises: -- **Auto proxy**: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions. - -- **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what's running inside of your WSL distros and report them to your online MDE dashboards. 
+- **Hyper-V Firewall**: This new firewall setting is a network firewall solution that enables filtering of inbound and outbound traffic to/from WSL containers hosted by Windows +- **DNS Tunneling**: This new networking setting improves compatibility in different networking environments and makes use of virtualization features to obtain DNS information rather than a networking packet +- **Auto proxy**: This new networking setting enforces WSL to use Windows' HTTP proxy information. Turn on when using a proxy on Windows, as it will make that proxy automatically apply to WSL distributions +- **Intune/MDM setting in WSL**: Microsoft Defender for Endpoint (MDE) now integrates with WSL, providing the ability to monitor what's running inside of your WSL distros and report them to your online MDE dashboards :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + - [Hyper-V Firewall](/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall) - [DNS Tunneling](/windows/wsl/networking#dns-tunneling) - [Auto proxy](/windows/wsl/networking#auto-proxy) - [Intune/MDM setting in WSL](/windows/wsl/intune) - - - - diff --git a/windows/security/book/cloud-services-protect-your-personal-information.md b/windows/security/book/cloud-services-protect-your-personal-information.md index 8438a9fac2..24628c757f 100644 --- a/windows/security/book/cloud-services-protect-your-personal-information.md +++ b/windows/security/book/cloud-services-protect-your-personal-information.md 
@@ -38,7 +38,7 @@ When location services and Find my device settings are turned on, basic system s ## OneDrive for personal -Microsoft OneDrive [\[17\]](conclusion.md#footnote17) for personal provides more security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud. +Microsoft OneDrive[\[17\]](conclusion.md#footnote17) for personal provides more security, backup, and restore options for important personal files. OneDrive stores and protects files in the cloud, allowing users to access them from laptops, desktops, and mobile devices. Plus, OneDrive provides an excellent solution for backing up folders. If a device is lost or stolen, the user can quickly recover all their important files from the cloud. In the event of a ransomware attack, OneDrive can enable recovery. And if backups are configured in OneDrive, users have additional options to mitigate and recover from a ransomware attack. 
@@ -50,7 +50,7 @@ In the event of a ransomware attack, OneDrive can enable recovery. And if backup ## OneDrive Personal Vault -OneDrive Personal Vault[\[9\]](conclusion.md#footnote9) also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices. +OneDrive Personal Vault also provides protection for the most important or sensitive files and photos without sacrificing the convenience of anywhere access. Protect digital copies of important documents in OneDrive Personal Vault. Files will be secured by identity verification yet are still easily accessible across devices. Learn how to [set up a Personal Vault][LINK-4] with a strong authentication method or a second step of identity verification, such as fingerprint, face, PIN, or a code sent via email or SMS. diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 38d4ae8c25..7ded054b97 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md 
@@ -72,7 +72,7 @@ Windows 11 built-in management features include: ## Microsoft security baselines -Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company may focus on protecting its internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. +Every organization faces security threats. However, different organizations can be concerned with different types of security threats. For example, an e-commerce company might focus on protecting its internet-facing web apps, while a hospital on confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization. A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. @@ -80,7 +80,7 @@ A security baseline is a group of Microsoft-recommended configuration settings t - [Windows security baselines you can deploy with Microsoft Intune](/mem/intune/protect/security-baselines) -## MDM security baseline +### MDM security baseline Windows 11 can be configured with Microsoft's MDM security baseline backed by ADMX policies, which functions like the Microsoft GP-based security baseline. The security baseline enables IT administrators to easily address security concerns and compliance needs for modern cloud-managed devices. 
@@ -91,7 +91,7 @@ The security baseline includes policies for: - Setting credential requirements for passwords and PINs - Restricting use of legacy technology -The MDM security baseline has been enhanced with over 70 new settings which enable local user rights assignment, services management, and local security policies which were previously only available through Group Policy. This enable adoption of pure MDM management and closer adherence to industry standard benchmarks for security. +The MDM security baseline has been enhanced with over 70 new settings which enable local user rights assignment, services management, and local security policies which were previously only available through Group Policy. This enables the adoption of cloud-based device management solutions and closer adherence to industry standard benchmarks for security. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** 
@@ -107,13 +107,13 @@ When a device is enrolled into device management, the administrator assumes that ## Microsoft Intune -Microsoft Intune [\[15\]](conclusion.md#footnote15) is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. +Microsoft Intune[\[15\]](conclusion.md#footnote15) is a comprehensive endpoint management solution that helps secure, deploy, and manage users, apps, and devices. Intune brings together technologies like Microsoft Configuration Manager and Windows Autopilot to simplify provisioning, configuration management, and software updates across the organization. -Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication. +Intune works with Microsoft Entra ID to manage security features and processes, including multifactor authentication and conditional access. -Organizations can cut costs while securing and managing remote PCs through the cloud in compliance with company policies [\[15\]](conclusion.md#footnote16). For example, organizations save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot for zerotouch deployment. +Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies[\[15\]](conclusion.md#footnote16). For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot. -Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. 
Windows 11 provides expanded support for Group Policy administrative templates (ADMX-backed policies) in MDM solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. +Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** diff --git a/windows/security/book/identity-protection.md b/windows/security/book/identity-protection.md index dee9621971..24fae8b0de 100644 --- a/windows/security/book/identity-protection.md +++ b/windows/security/book/identity-protection.md 
@@ -11,6 +11,6 @@ ms.date: 09/06/2024 :::image type="content" source="images/identity-protection-on.png" alt-text="Diagram containing a list of security features." lightbox="images/identity-protection.png" border="false"::: -Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second [\[11\]](conclusion.md#footnote11). And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.* +Today's flexible workstyles and the security of your organization depend on secure access to corporate resources, including strong identity protection. Weak or reused passwords, password spraying, social engineering, and phishing are some of the top attack vectors. In the last 12 months, we saw an average of more than 4,000 password attacks per second[\[11\]](conclusion.md#footnote11). And phishing threats have increased, making identity a continuous battleground. As Bret Arsenault, Chief Information Security Officer at Microsoft says, *Hackers don't break in, they log in.* Because threats are constantly evolving and often difficult for employees to detect, organizations need proactive protection, including effortlessly secure authentication and features that defend users in real time while they work. Windows 11 is designed with powerful identity protection from chip to cloud, keeping identities and personal and business data safe anywhere people work. 
diff --git a/windows/security/book/images/device-encryption.png b/windows/security/book/images/device-encryption.png deleted file mode 100644 index b6feadbbf7..0000000000 Binary files a/windows/security/book/images/device-encryption.png and /dev/null differ diff --git a/windows/security/book/index.md b/windows/security/book/index.md index 4bb02af99f..e533516b82 100644 --- a/windows/security/book/index.md +++ b/windows/security/book/index.md 
@@ -15,13 +15,13 @@ Emerging technologies and evolving business trends bring new opportunities and c To thrive, organizations need security to work anywhere. [Microsoft's 2022 Work Trend Index][LINK-1] shows *cybersecurity issues and risks* are top concerns for business decision-makers. Business decision-makers worry about malware, stolen credentials, devices that lack security updates, and physical attacks on lost or stolen devices. -In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches [\[1\]](conclusion.md#footnote1). +In the past, a corporate network and software-based security were the first lines of defense. With an increasingly distributed and mobile workforce, attention shifted to hardware-based endpoint security. People are now the top target for cybercriminals, with 74% of all breaches due to human error, privilege misuses, stolen credentials, or social engineering. Most attacks are financially motivated, and credential theft, phishing, and exploitation of vulnerabilities are the primary attack vectors. Credential theft is the most prevalent attack vector, accounting for 50% of breaches[\[1\]](conclusion.md#footnote1). -At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We help businesses and their users get secure, and stay secure. We [synthesize 43 trillion signals daily][LINK-2] to understand and protect against digital threats. 
We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers [\[2\]](conclusion.md#footnote2). +At Microsoft, we work hard to help organizations evolve and stay agile while protecting against modern threats. We help businesses and their users get secure, and stay secure. We [synthesize 43 trillion signals daily][LINK-2] to understand and protect against digital threats. We have more than 8,500 dedicated security professionals across 77 countries and over 15,000 partners in our security ecosystem striving to increase resilience for our customers[\[2\]](conclusion.md#footnote2). Businesses worldwide are moving toward [secure-by-design and secure-by-default strategies][LINK-3]. With these models, organizations choose products from manufacturers that consider security as a business requirement, not just a technical feature. With a secure-by-default strategy, businesses can proactively reduce risk and exposure to threats across their organization because products are shipped with security features already built-in and enabled. -To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or users. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices increase malware resistance without impacting performance [\[3\]](conclusion.md#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. 
Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11 [\[4\]](conclusion.md#footnote4). +To help businesses transform and thrive in a new era, we built Windows 11 to be secure by design and secure by default. Windows 11 devices arrive with more security features enabled out of the box. In contrast, Windows 10 devices came with many safeguards turned off unless enabled by IT or users. The default security provided by Windows 11 elevates protection without needing to configure settings. In addition, Windows 11 devices increase malware resistance without impacting performance[\[3\]](conclusion.md#footnote3). Windows 11 is the most secure Windows ever, built in deep partnership with original equipment manufacturers (OEMs) and silicon manufacturers. Discover why organizations of all sizes, including 90% of Fortune 500 companies, are taking advantage of the powerful default protection of Windows 11[\[4\]](conclusion.md#footnote4). ## Security priorities and benefits 
@@ -29,13 +29,13 @@ To help businesses transform and thrive in a new era, we built Windows 11 to be ## Feature overview -Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks** [\[5\]](conclusion.md#footnote5). +Windows 11 is designed with layers of security enabled by default, so you can focus on your work, not your security settings. **Out-of-the-box features such as credential safeguards, malware shields, and application protection led to a reported 58% drop in security incidents, including a 3.1x reduction in firmware attacks**[\[5\]](conclusion.md#footnote5). -In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. For example, Win32 apps in isolation [\[6\]](conclusion.md#footnote6), token protection [\[6\]](conclusion.md#footnote6), and Microsoft Intune Endpoint Privilege Management [\[7\]](conclusion.md#footnote7) are some of the latest capabilities that help protect your organization and users against attack. Windows Hello and Windows Hello for Business work with hardware-based features like Trusted Platform Module (TPM) 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption are enhanced to optimize both security and performance. +In Windows 11, hardware and software work together to shrink the attack surface, protect system integrity, and shield valuable data. New and enhanced features are designed for security by default. 
For example, Win32 apps in isolation[\[6\]](conclusion.md#footnote6), token protection[\[6\]](conclusion.md#footnote6), and Microsoft Intune Endpoint Privilege Management[\[7\]](conclusion.md#footnote7) are some of the latest capabilities that help protect your organization and users against attack. Windows Hello and Windows Hello for Business work with hardware-based features like Trusted Platform Module (TPM) 2.0 and biometric scanners for credential protection and easier, secure sign-on. Existing security features like BitLocker encryption are enhanced to optimize both security and performance. ### Protect users against evolving threats -With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11** [\[5\]](conclusion.md#footnote5). +With attackers targeting employees and their devices, organizations need stronger security against increasingly sophisticated cyberthreats. Windows 11 provides proactive protection against credential theft. Windows Hello and TPM 2.0 work together to shield identities. Secure biometric sign-in virtually eliminates the risk of lost or stolen passwords. And enhanced phishing protection increases safety. In fact, **businesses reported 2.8x fewer instances of identity theft with the hardware-backed protection in Windows 11**[\[5\]](conclusion.md#footnote5). ### Gain mission-critical application safeguards 
@@ -43,7 +43,7 @@ Help keep business data secure and employees productive with robust safeguards a ### End-to-end protection with cloud-native management -Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. Microsoft provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can enforce compliance and conditional access with management solutions such as Microsoft Intune and cloud-based identity with Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11, improves productivity for IT and security teams by a reported 25% [\[8\]](conclusion.md#footnote8). +Increase protection and efficiency with Windows 11 and chip-to-cloud security. Microsoft offers comprehensive cloud services for identity, storage, and access management. Microsoft provides the tools needed to attest that Windows 11 devices connecting to your network or accessing your data and resources are trustworthy. You can enforce compliance and conditional access with management solutions such as Microsoft Intune and cloud-based identity with Microsoft Entra ID. Security by default not only enables people to work securely anywhere, but it also simplifies IT. A streamlined, chip-to-cloud security solution based on Windows 11, improves productivity for IT and security teams by a reported 25%[\[8\]](conclusion.md#footnote8). ## Security by design and default diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md index caa221afea..6b6b528b59 100644 --- a/windows/security/book/operating-system-security-encryption-and-data-protection.md 
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md @@ -13,7 +13,7 @@ When people travel with their PCs, their confidential information travels with t ## BitLocker -BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by any MDM solution such as Microsoft Intune[\[6\]](conclusion.md#footnote6) using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. +BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. Cloud storage on Microsoft OneDrive or Azure[\[9\]](conclusion.md#footnote9) can be used to save recovery key content. BitLocker can be managed by a device management solution like Microsoft Intune[\[6\]](conclusion.md#footnote6) using a configuration service provider (CSP)[\[9\]](conclusion.md#footnote9). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** 
@@ -29,9 +29,7 @@ BitLocker To Go refers to BitLocker Drive Encryption on removable data drives. B ## Device Encryption -Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for commercial customers to disable Device Encryption in favor of BitLocker Drive Encryption. BitLocker Drive Encryption is manageable through MDM. - -:::image type="content" source="images/device-encryption.png" alt-text="Screenshot of Settings - device encryption."::: +Device Encryption is consumer-level device encryption that can't be managed. Device Encryption is turned on by default for devices with the right hardware components (for example, TPM 2.0, UEFI Secure Boot, Hardware Security Test Interface, and Modern Standby). However, for a commercial scenario, it's possible for organizations to disable Device Encryption in favor of BitLocker. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** 
@@ -39,7 +37,7 @@ Device Encryption is consumer-level device encryption that can't be managed. Dev ## Encrypted hard drive -*Encrypted hard drives* are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker Drive Encryption, with the power of self-encrypting drives. +Encrypted hard drives are a class of hard drives that are self-encrypted at the hardware level. They allow for full-disk hardware encryption and are transparent to the user. These drives combine the security and management benefits provided by BitLocker Drive Encryption, with the power of self-encrypting drives. By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, BitLocker deployment can be expanded across enterprise devices with little to no impact on productivity. 
@@ -56,9 +54,9 @@ Encrypted hard drives enable: ## Personal data encryption (PDE) -Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. +Personal Data Encryption refers to a user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content. -With the first release of PDE (Windows 11, version 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the next Windows platform release, PDE for Folders will be released. This feature doesn't require updates to any applications, and protects the contents in the Known Windows Folders from bootup until first sign-in. +With the first release of PDE (Windows 11, version 22H2), the PDE API was available, which when adopted by applications can protect data under the purview of the applications. With the next Windows platform release, PDE for Folders will be released. This feature doesn't require updates to any applications, and protects the contents in the Known Windows Folders from bootup until first sign-in. 
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** @@ -66,7 +64,7 @@ With the first release of PDE (Windows 11, version 22H2), the PDE API was availa ## Email encryption -Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them.10 Users can digitally sign a message, which verifies the identity of the sender and ensures the message hasn't been tampered with. +Email encryption enables users to encrypt outgoing email messages and attachments so that only intended recipients with a digital identification (ID) - also called a certificate - can read them[\[10\]](conclusion.md#footnote10). Users can digitally sign a message, which verifies the identity of the sender and ensures the message hasn't been tampered with. These encrypted messages can be sent by a user to people within their organization and external contacts who have proper encryption certificates. diff --git a/windows/security/book/operating-system-security-network-security.md b/windows/security/book/operating-system-security-network-security.md index 1d37fb4775..932c58b935 100644 --- a/windows/security/book/operating-system-security-network-security.md +++ b/windows/security/book/operating-system-security-network-security.md 
@@ -25,13 +25,11 @@ In enterprise environments, network protection works best with Microsoft Defende Transport Layer Security (TLS) is a popular security protocol, encrypting data in transit to help provide a more secure communication channel between two endpoints. Windows enables the latest protocol versions and strong cipher suites by default and offers a full suite of extensions such as client authentication for enhanced server security, or session resumption for improved application performance. TLS 1.3 is the latest version of the protocol and is enabled by default in Windows. This version helps to eliminate obsolete cryptographic algorithms, enhance security over older versions, and aim to encrypt as much of the TLS handshake as possible. The handshake is more performant with one fewer round trip per connection on average and supports only strong cipher suites which provide perfect forward secrecy and less operational risk. Using TLS 1.3 will provide more privacy and lower latencies for encrypted online connections. Note that if the client or server application on either side of the connection does not support TLS 1.3, the connection will fall back to TLS 1.2. Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications. - :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview) - [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180) - ## Domain Name System (DNS) security In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their 
@@ -46,7 +44,11 @@ Support for DNS encryption integrates with existing Windows DNS configurations s The number of Bluetooth devices connected to Windows 11 continues to increase. Windows users connect their Bluetooth headsets, mice, keyboards, and other accessories and improve their day-to-day PC experience by enjoying streaming, productivity, and gaming. Windows supports all standard Bluetooth pairing protocols, including classic and LE Secure connections, secure simple pairing, and classic and LE legacy pairing. Windows also implements host-based LE privacy. Windows updates help users stay current with OS and driver security features in accordance with the Bluetooth Special Interest Group (SIG) and Standard Vulnerability Reports, as well as issues beyond those required by the Bluetooth core industry standards. Microsoft strongly recommends that Bluetooth accessories' firmware and software are kept up to date. -IT-managed environments have a number of [Bluetooth policies](/windows/client-management/mdm/policy-csp-bluetooth) (MDM, Group Policy, and PowerShell) that can be managed through MDM tools such as Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments. +IT-managed environments have a number policy settings available via configuration service providers, group policy, and PowerShell. These settings can be managed through device management solutions like Microsoft Intune[\[9\]](conclusion.md#footnote9). You can configure Windows to use Bluetooth technology while supporting the security needs of your organization. 
For example, you can allow input and audio while blocking file transfer, force encryption standards, limit Windows discoverability, or even disable Bluetooth entirely for the most sensitive environments. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** + +- [Policy CSP - Bluetooth](/windows/client-management/mdm/policy-csp-bluetooth) ## Securing Wi-Fi connections @@ -86,7 +88,6 @@ support from the Firewall configuration service provider (CSP) and applying thes Firewall rule configuration with Package Family Name (PFN) is a new security feature introduced with the 22H2 release of Windows 11. PFN based rules enforced on an app will include processes request by the app to run on its behalf. Currently FW rules can be set on UWP apps with packageSID. However, the processes requested by the app can have different SID and hence the rules applied to the app can be bypassed. The new PFN condition feature ensures the FW rule is uniformly applied to a package and its associated processes. - :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Windows Firewall overview](../operating-system-security/network-security/windows-firewall/index.md) @@ -136,10 +137,6 @@ SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIO SMB auditing improvements: SMB now supports auditing use of SMB over QUIC, missing third party support for encryption, and missing third party support for signing. These all operate at the SMB server and SMB client level. - - - - :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [File sharing using the SMB 3 protocol](/windows-server/storage/file-server/file-server-smb-overview) diff --git a/windows/security/book/operating-system-security-system-security.md b/windows/security/book/operating-system-security-system-security.md index a8113563d1..46fb829be3 100644 
--- a/windows/security/book/operating-system-security-system-security.md +++ b/windows/security/book/operating-system-security-system-security.md @@ -91,7 +91,7 @@ Security policy settings are a critical part of your overall security strategy. - Whether to record a user or group's actions in the event log - Membership in a group -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using MDM policy or Group policy. +Security auditing is one of the most powerful tools that you can use to maintain the integrity of your network and assets. Auditing can help identify attacks, network vulnerabilities, and attacks against high-value targets. You can specify categories of security-related events to create an audit policy tailored to the needs of your organization using configuration service providers (CSP) or group policies. All auditing categories are disabled when Windows is first installed. Before enabling them, follow these steps to create an effective security auditing policy: 
@@ -119,16 +119,18 @@ Visibility and awareness of device security and health are key to any action tak ## Config Refresh -With traditional Group Policy, policies were refreshed on a PC when a user signed in and every 90 minutes by default. Administrators could adjust that timing to be shorter to ensure that the PC's policies were compliant with the management settings set by IT. +With traditional Group Policy, policy settings are refreshed on a PC when a user signs in and every 90 minutes by default. Administrators can adjust that timing to be shorter to ensure that the policy settings are compliant with the management settings set by IT. -By contrast, with an MDM solution like Microsoft Intune[\[9\]](conclusion.md#footnote9), policies are refreshed when a user signs in and then at eight-hour intervals by default. But as more available group policies were implemented through MDM, one remaining gap was the longer period between the reapplication of a changed policy. +By contrast, with a device management solution like Microsoft Intune[\[9\]](conclusion.md#footnote9), policies are refreshed when a user signs in and then at eight-hours interval by default. But policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period between the reapplication of a changed policy. -Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It is configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through MDM. 
+Config Refresh allows settings in the Policy configuration service provider (CSP) that drift due to misconfiguration, registry edits, or malicious software on a PC to be reset to the value the administrator intended every 90 minutes by default. It's configurable to refresh every 30 minutes if desired. The Policy CSP covers hundreds of settings that were traditionally set with Group Policy and are now set through Mobile Device Management (MDM) protocols. + +Config Refresh can also be paused for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a device for troubleshooting purposes. It can also be resumed at any time by an administrator. + +:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -Config Refresh can also be *paused* for a configurable period of time, after which it will be reenabled. This is to support scenarios where a helpdesk technician might need to reconfigure a PC for troubleshooting purposes. It can also be resumed at any time by an administrator. - [Config Refresh](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/intro-to-config-refresh-a-refreshingly-new-mdm-feature/ba-p/4176921#:~:text=With%20Config%20Refresh,%20you%20can%20now) - ## Kiosk mode (Assigned Access and Shell Launcher) With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device as a kiosk is a straightforward process. You can do this locally on the device or remotely using mobile device management. 
@@ -141,7 +143,7 @@ With Assigned Access, Windows devices restrict functionality to pre-selected app Windows protected print mode is exclusively built to provide a more modern and secure print system that maximizes compatibility and puts users first. It simplifies the printing experience by allowing PCs exclusively print using the Windows modern print stack. -Enabling Windows protected print mode is highly recommended. +Enabling Windows protected print mode is highly recommended. The benefits of Windows protected print mode include: @@ -149,9 +151,9 @@ The benefits of Windows protected print mode include: - Simplified and consistent printing experience, regardless of PC architecture. -- Removes the need to manage print drivers +- Removes the need to manage print drivers -Windows protected print mode is designed to work with Mopria certified printers only. Many existing printers are already compatible. +Windows protected print mode is designed to work with Mopria certified printers only. Many existing printers are already compatible. :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
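Review bot: the `+` line of the `@@ -43,7 +43,7` hunk (End-to-end protection with cloud-native management) still has a stray comma between subject and verb in "A streamlined, chip-to-cloud security solution based on Windows 11, improves productivity"; since the line is already being rewritten to drop the space before `[\[8\]]`, drop that comma as well: "A streamlined, chip-to-cloud security solution based on Windows 11 improves productivity for IT and security teams by a reported 25%[\[8\]](conclusion.md#footnote8)."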
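Review bot: footnote numbering in the BitLocker hunk (`@@ -13,7 +13,7` in operating-system-security-encryption-and-data-protection.md) is inconsistent with the rest of this change set: Intune carries `[\[6\]]` here but `[\[9\]]` in the Bluetooth and Config Refresh hunks, and `[\[9\]]` is also attached to both "Azure" and "configuration service provider (CSP)" in the same sentence. Check conclusion.md and use one footnote number per referent. Separately, the unchanged tail "using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM" lists platform prerequisites, not encryption mechanisms (HSTI is a conformance reporting interface and Modern Standby a power model); "relies on platform features such as ..." would be accurate, and this is a good moment to fix it since the line is being rewritten.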
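Review bot: deleting "BitLocker Drive Encryption is manageable through MDM." from the Device Encryption hunk (`@@ -29,9 +29,7`) removes the only sentence that explains why an organization would disable Device Encryption, which the same paragraph says "can't be managed". Keep the reason in the surviving sentence, for example "it's possible for organizations to disable Device Encryption in favor of BitLocker, which can be managed with a device management solution." Also, removing the `:::image ... source="images/device-encryption.png"` line leaves that PNG orphaned unless another page references it; delete the asset in the same change or confirm it is still used.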
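Review bot: the `+` line of the Encrypted hard drive hunk (`@@ -39,7 +37,7`) keeps "BitLocker Drive Encryption" while the BitLocker hunk in the same file renames the feature to plain "BitLocker"; make the two consistent. The comma in "provided by BitLocker Drive Encryption, with the power of self-encrypting drives" also splits the verb from its complement and should go, since the line is being rewritten anyway to drop the italics.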
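Review bot: the second `+` line of the PDE hunk (`@@ -56,9 +54,9`) differs from its `-` line only in whitespace, yet "With the next Windows platform release, PDE for Folders will be released" is the same kind of dated statement that the first line of the hunk fixes by removing "new". Name the Windows version that ships PDE for Folders, or rewrite in present tense if it has shipped, so the page does not go stale the moment that release is out.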
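Review bot: the footnote fix in the Email encryption hunk (`@@ -66,7 +64,7`) is correct, but two wording issues remain on the rewritten line. "digital identification (ID) - also called a certificate -" uses spaced hyphens as dashes; use parentheses or the dash style the rest of the book uses. And "ensures the message hasn't been tampered with" overstates what a digital signature does: it lets the recipient detect tampering because verification fails, it does not prevent it. Suggest "lets the recipient verify that the message hasn't been tampered with".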
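Review bot: the TLS hunk in operating-system-security-network-security.md (`@@ -25,13 +25,11`) only removes blank lines, but the context line "Windows uses the latest Datagram Transport Layer Security (DTLS) 1.2 for UDP communications" is no longer accurate now that DTLS 1.3 (RFC 9147) is published; drop "latest" and say "DTLS 1.2". The Learn more link `https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/...#M6180` is a reply permalink carrying an email-tracking token; trim it to the post URL. Also confirm that one blank line still precedes `:::image type="icon"` after the removal so the Learn more block renders as its own paragraph.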
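Review bot: the new `+` line in the Bluetooth hunk (`@@ -46,7 +44,11`) is missing a word: "IT-managed environments have a number policy settings available via configuration service providers" should read "a number of policy settings". Because the inline link text "Bluetooth policies" was dropped, the sentence also no longer says these are Bluetooth settings until the reader reaches the Learn more bullet; "a number of Bluetooth policy settings" keeps the original meaning.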
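Review bot: the Firewall PFN hunk (`@@ -86,7 +88,6`) only drops a blank line, but the surrounding context has errors worth fixing in the same change: "processes request by the app to run on its behalf" should be "processes requested by the app", and the abbreviations "FW" and "packageSID" should be spelled out as "firewall" and "package SID" to match the rest of the page. The sentence "the processes requested by the app can have different SID and hence the rules applied to the app can be bypassed" is the security point of the paragraph and reads better as "can have a different SID, so rules applied to the app can be bypassed".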
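Review bot: in the SMB hunk (`@@ -136,10 +137,6`) the context line "SMB Firewall changes: The built-in firewall rules doesn't contain the SMB NetBIO..." has a number-agreement error; "The built-in firewall rules don't contain" is correct. Removing the four blank lines before the Learn more block is fine.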
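Review bot: the `+` line of the Security auditing hunk in operating-system-security-system-security.md (`@@ -91,7 +91,7`) abbreviates the plural "configuration service providers" as "(CSP)" and lowercases "group policies", while the Config Refresh hunk in the same file writes "Group Policy"; pick one form. Suggest "using a configuration service provider (CSP) or Group Policy".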
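Review bot: the second `+` line of the Config Refresh hunk (`@@ -119,16 +119,18`) introduces two grammar errors: "at eight-hours interval by default" should be "at eight-hour intervals by default", and "But policy settings are migrated from GPO to a device management solution, one remaining gap is" is missing a conjunction, so "But as policy settings are migrated from GPO to a device management solution, one remaining gap is the longer period...". The new pause paragraph should also say who can pause Config Refresh and through which channel; as written, "drift due to ... malicious software" followed by "can also be paused for a configurable period of time" can be read as stronger protection than the feature gives if the pause is reachable locally. Finally, the Learn more URL carries a `#:~:text=With%20Config%20Refresh,...` text-fragment anchor that should be removed.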
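Review bot: the first Windows protected print mode hunk (`@@ -141,7 +143,7`) is a whitespace-only change, but the context sentence "It simplifies the printing experience by allowing PCs exclusively print using the Windows modern print stack" is missing "to"; "by allowing PCs to print exclusively using the Windows modern print stack" reads correctly and can be fixed in the same change.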
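Review bot: the second Windows protected print mode hunk (`@@ -149,9 +151,9`) also changes only trailing whitespace; while touching these lines, give "- Removes the need to manage print drivers" the terminal period that the preceding bullet "Simplified and consistent printing experience, regardless of PC architecture." has, and hyphenate "Mopria certified printers" as "Mopria-certified printers".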