Merge branch 'main' into docs-editor/network-unlock-1732303226

2025-05-12 13:27:23 +00:00 · 2024-11-25 16:54:40 -05:00 · 2024-11-25 16:54:40 -05:00 · d1f96a784a
commit d1f96a784a
parent cd623810af cc68ea174e
64 changed files with 324 additions and 460 deletions
--- a/education/windows/take-tests-in-windows.md
+++ b/education/windows/take-tests-in-windows.md
@ -1,7 +1,7 @@
 ---
 title: Take tests and assessments in Windows
 description: Learn about the built-in Take a Test app for Windows and how to use it.
-ms.date: 02/29/2024
+ms.date: 11/11/2024
 ms.topic: how-to
 ---

@ -9,11 +9,11 @@ ms.topic: how-to

 Many schools use online testing for formative and summation assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. To help schools with testing, Windows provides an application called **Take a Test**. The application is a secure browser that provides different features to help with testing, and can be configured to only allow access a specific URL or a list of URLs. When using Take a Test, students can't:

- print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
- access other applications
- change system settings, such as display extension, notifications, updates
- access Cortana
- access content copied to the clipboard
+- Print, use screen capture, or text suggestions (unless enabled by the teacher or administrator)
+- Access other applications
+- Change system settings, such as display extension, notifications, updates
+- Access Cortana
+- Access content copied to the clipboard

 ## How to use Take a Test

@ -22,7 +22,7 @@ There are different ways to use Take a Test, depending on the use case:
 - For lower stakes assessments, such a quick quiz in a class, a teacher can generate a *secure assessment URL* and share it with the students. Students can then open the URL to access the assessment through Take a Test. To learn more, see the next section: [Create a secure assessment link](#create-a-secure-assessment-link)
 - For higher stakes assessments, you can configure Windows devices to use a dedicated account for testing and execute Take a Test in a locked-down mode, called **kiosk mode**. Once signed in with the dedicated account, Windows will execute Take a Test in a lock-down mode, preventing the execution of any applications other than Take a Test. For more information, see [Configure Take a Test in kiosk mode](edu-take-a-test-kiosk-mode.md)

-:::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::
+  :::image type="content" source="./images/takeatest/flow-chart.png" alt-text="Set up and user flow for the Take a Test app." border="false":::

 ## Create a secure assessment link

@ -37,9 +37,9 @@ To create a secure assessment link to the test, there are two options:

 For this option, copy the assessment URL and open the web application <a href="https://aka.ms/create-a-take-a-test-link" target="_blank"><u>Customize your assessment URL</u></a>, where you can:

- Paste the link to the assessment URL
- Select the options you want to allow during the test
- Generate the link by selecting the button Create link
+- Paste the link to the assessment URL.
+- Select the options you want to allow during the test.
+- Generate the link by selecting the button Create link.

 This is an ideal option for teachers who want to create a link to a specific assessment and share it with students using OneNote, for example.

@ -67,7 +67,7 @@ To enable permissive mode, don't include `enforceLockdown` in the schema paramet

 ## Distribute the secure assessment link

-Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choosing.
+Once the link is created, it can be distributed through the web, email, OneNote, or any other method of your choice.

 For example, you can create and copy the shortcut to the assessment URL to the students' desktop.

--- a/windows/configuration/taskbar/xsd.md
+++ b/windows/configuration/taskbar/xsd.md
@ -2,7 +2,7 @@
 title: Windows Taskbar XML Schema Definition (XSD)
 description: Reference article about the Taskbar XML schema definition (XSD).
 ms.topic: reference
-ms.date: 11/07/2024
+ms.date: 11/11/2024
 ---

 # Taskbar XML Schema Definition (XSD)
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@ -70,9 +70,9 @@ Most commercial organizations understand the pain points outlined above, and dis

 Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios just work when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.

-The [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.
+The [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/) is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is *unified* because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens.

-Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) and the [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002).
+Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes. Further, devices are immune to the challenge of upgrading Windows when the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more information about this issue, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/blog/windows-itpro-blog/upgrading-windows-10-devices-with-installation-media-different-than-the-original/746126).


 ### Option 2: Use WSUS with UUP Integration
@ -115,7 +115,7 @@ You can customize the Windows image in these ways:
 - Adding or removing languages
 - Adding or removing Features on Demand

-The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and the [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
+The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where `Setup.exe` is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-windows-10-media-with-dynamic-update-packages/982477). Also like Dynamic Update, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there's a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.


 ### Option 5: Install language features during deployment
@ -151,11 +151,9 @@ For more information about the Unified Update Platform and the approaches outlin
 - [/DynamicUpdate](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate)
 - [Configure a Windows Repair Source](/windows-hardware/manufacture/desktop/configure-a-windows-repair-source)
 - [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
+- [Unified Update Platform](https://blogs.windows.com/windows-insider/2016/11/03/introducing-unified-update-platform-uup/)
 - [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
 - [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
- [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073)  
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)

 ## Sample scripts

--- a/windows/security/book/application-security-application-and-driver-control.md
+++ b/windows/security/book/application-security-application-and-driver-control.md
@ -1,6 +1,6 @@
 ---
-title: Application and driver control
-description: Windows 11 security book - Application and driver control.
+title: Windows 11 security book - Application and driver control
+description: Application and driver control.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/application-security-application-isolation.md
+++ b/windows/security/book/application-security-application-isolation.md
@ -1,6 +1,6 @@
 ---
-title: Application isolation
-description: Windows 11 security book - Application isolation.
+title: Windows 11 security book - Application isolation
+description: Application isolation.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/application-security.md
+++ b/windows/security/book/application-security.md
@ -1,6 +1,6 @@
 ---
-title: Application security
-description: Windows 11 security book - Application security chapter.
+title: Windows 11 security book - Application security
+description: Application security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/cloud-services-protect-your-personal-information.md
+++ b/windows/security/book/cloud-services-protect-your-personal-information.md
@ -1,6 +1,6 @@
 ---
-title: Cloud services - Protect your personal information
-description: Windows 11 security book - Cloud services chapter - Protect your personal information.
+title: Windows 11 security book - Cloud services - Protect your personal information
+description: Cloud services chapter - Protect your personal information.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/cloud-services-protect-your-work-information.md
+++ b/windows/security/book/cloud-services-protect-your-work-information.md
@ -1,6 +1,6 @@
 ---
-title: Cloud services - Protect your work information
-description: Windows 11 security book - Cloud services chapter - Protect your work information.
+title: Windows 11 security book - Cloud services - Protect your work information
+description: Cloud services chapter - Protect your work information.
 ms.topic: overview
 ms.date: 11/04/2024
 ---
@ -49,7 +49,7 @@ Every Windows device has a built-in local administrator account that must be sec
 - [Microsoft Entra ID documentation][LINK-1]
 - [Microsoft Entra plans and pricing][LINK-2]

-### :::image type="icon" source="images/microsoft-entra-private-access.svg" border="false":::  Microsoft Entra Private Access
+### Microsoft Entra Private Access

 Microsoft Entra Private Access provides organizations the ability to manage and give users access to private or internal fully qualified domain names (FQDNs) and IP addresses. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.

@ -57,7 +57,7 @@ Microsoft Entra Private Access provides organizations the ability to manage and

 - [Microsoft Entra Private Access][LINK-4]

-### :::image type="icon" source="images/microsoft-entra-internet-access.svg" border="false":::  Microsoft Entra Internet Access
+### Microsoft Entra Internet Access

 Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.

@ -168,7 +168,7 @@ With Windows enrollment attestation, Microsoft Entra and Microsoft Intune certif

 - [Windows enrollment attestation][LINK-13]

-### :::image type="icon" source="images/microsoft-cloud-pki.svg" border="false"::: Microsoft Cloud PKI
+### Microsoft Cloud PKI

 Microsoft Cloud PKI is a cloud-based service included in the Microsoft Intune Suite<sup>[\[4\]](conclusion.md#footnote4)</sup> that simplifies and automates the management of a Public Key Infrastructure (PKI) for organizations. It eliminates the need for on-premises servers, hardware, and connectors, making it easier to set up and manage a PKI compared to, for instance, Microsoft Active Directory Certificate Services (AD CS) combined with the Certificate Connector for Microsoft Intune.

@ -185,7 +185,7 @@ With Microsoft Cloud PKI, organizations can accelerate their digital transformat

 - [Overview of Microsoft Cloud PKI for Microsoft Intune](/mem/intune/protect/microsoft-cloud-pki-overview)

-### :::image type="icon" source="images/endpoint-privilege-management.svg" border="false"::: Endpoint Privilege Management (EPM)
+### Endpoint Privilege Management (EPM)

 Intune Endpoint Privilege Management supports organizations' Zero Trust journeys by helping them achieve a broad user base running with least privilege, while still permitting users to run elevated tasks allowed by the organization to remain productive.

--- a/windows/security/book/cloud-services.md
+++ b/windows/security/book/cloud-services.md
@ -1,6 +1,6 @@
 ---
-title: Cloud services
-description: Windows 11 security book - Cloud services chapter.
+title: Windows 11 security book - Cloud services
+description: Cloud services chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/conclusion.md
+++ b/windows/security/book/conclusion.md
@ -1,5 +1,5 @@
 ---
-title: Conclusion
+title: Windows 11 security book - Conclusion
 description: Windows 11 security book conclusion.
 ms.topic: overview
 ms.date: 11/18/2024
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
--- a/windows/security/book/hardware-security-hardware-root-of-trust.md
+++ b/windows/security/book/hardware-security-hardware-root-of-trust.md
@ -1,6 +1,6 @@
 ---
-title: Hardware root-of-trust
-description: Windows 11 security book - Hardware root-of-trust.
+title: Windows 11 security book - Hardware root-of-trust
+description: Hardware root-of-trust.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/hardware-security-silicon-assisted-security.md
+++ b/windows/security/book/hardware-security-silicon-assisted-security.md
@ -1,6 +1,6 @@
 ---
-title: Silicon assisted security
-description: Windows 11 security book - Silicon assisted security.
+title: Windows 11 security book - Silicon assisted security
+description: Silicon assisted security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/hardware-security.md
+++ b/windows/security/book/hardware-security.md
@ -1,6 +1,6 @@
 ---
-title: Hardware security
-description: Windows 11 security book - Hardware security chapter.
+title: Windows 11 security book - Hardware security
+description: Hardware security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/identity-protection-advanced-credential-protection.md
+++ b/windows/security/book/identity-protection-advanced-credential-protection.md
@ -1,6 +1,6 @@
 ---
-title: Identity protection - Advanced credential protection
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Advanced credential protection
+description: Identity protection chapter - Advanced credential protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/identity-protection-passwordless-sign-in.md
+++ b/windows/security/book/identity-protection-passwordless-sign-in.md
@ -1,6 +1,6 @@
 ---
-title: Identity protection - Passwordless sign-in
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Passwordless sign-in
+description: Identity protection chapter - Passwordless sign-in.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/identity-protection.md
+++ b/windows/security/book/identity-protection.md
@ -1,6 +1,6 @@
 ---
-title: Identity protection
-description: Windows 11 security book - Identity protection chapter.
+title: Windows 11 security book - Identity protection
+description: Identity protection chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/images/azure-attestation.svg
+++ b/windows/security/book/images/azure-attestation.svg
@ -1,17 +1,17 @@
-<svg width="49" height="32" viewBox="0 0 49 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M37.4071 14.9238C37.4071 23.516 27.0194 30.4344 24.7622 31.8367C24.6329 31.9175 24.4835 31.9603 24.331 31.9603C24.1787 31.9603 24.0293 31.9175 23.9 31.8367C21.6427 30.4344 11.2551 23.516 11.2551 14.9238V4.58328C11.256 4.36919 11.3403 4.16388 11.4902 4.01099C11.6401 3.85807 11.8436 3.76964 12.0577 3.76446C20.1373 3.54525 18.2768 0 24.331 0C30.3854 0 28.525 3.54525 36.6044 3.76446C36.8185 3.76964 37.0222 3.85807 37.172 4.01099C37.3219 4.16388 37.4062 4.36919 37.4071 4.58328V14.9238Z" fill="url(#paint0_linear_1073_1117)"/>
-<path d="M36.322 15.0107C36.322 22.891 26.7968 29.2352 24.7279 30.5214C24.6094 30.5951 24.4725 30.6341 24.3331 30.6341C24.1934 30.6341 24.0565 30.5951 23.938 30.5214C21.8674 29.2352 12.344 22.891 12.344 15.0107V5.52891C12.344 5.33247 12.421 5.14387 12.5585 5.00365C12.696 4.8634 12.8831 4.78271 13.0795 4.77892C20.4852 4.57783 18.7787 1.32605 24.3311 1.32605C29.8836 1.32605 28.1773 4.5869 35.5865 4.77892C35.7829 4.78271 35.97 4.8634 36.1075 5.00365C36.245 5.14387 36.322 5.33247 36.322 5.52891V15.0107Z" fill="url(#paint1_linear_1073_1117)"/>
-<path d="M30.1681 18.0669H18.4942C18.1656 18.0669 17.8504 18.1974 17.6181 18.4298C17.3857 18.6622 17.2551 18.9774 17.2551 19.306V20.8422C17.2551 20.897 17.2769 20.9495 17.3156 20.9883C17.3543 21.027 17.4069 21.0487 17.4616 21.0487H31.2007C31.2278 21.0487 31.2545 21.0434 31.2797 21.033C31.3048 21.0226 31.3276 21.0074 31.3468 20.9883C31.3657 20.9691 31.381 20.9463 31.3913 20.9213C31.4017 20.8962 31.4072 20.8693 31.4072 20.8422V19.306C31.4072 18.9774 31.2766 18.6622 31.0442 18.4298C30.8118 18.1974 30.4967 18.0669 30.1681 18.0669Z" fill="white"/>
-<path d="M30.1173 22.5795H18.545C18.506 22.5795 18.4687 22.5951 18.4412 22.6225C18.4137 22.6501 18.3982 22.6874 18.3982 22.7262V23.5017C18.3982 23.7357 18.4911 23.9601 18.6566 24.1254C18.8221 24.2909 19.0464 24.3838 19.2804 24.3838H29.3817C29.6159 24.3838 29.8401 24.2909 30.0056 24.1254C30.1711 23.9601 30.264 23.7357 30.264 23.5017V22.7262C30.264 22.6874 30.2486 22.6501 30.221 22.6225C30.1936 22.5951 30.1561 22.5795 30.1173 22.5795Z" fill="white"/>
-<path d="M27.0194 11.3205C27.8364 10.1339 28.4089 10.3586 27.9435 7.61765C27.4778 4.87673 24.429 4.90028 24.2423 4.90028C24.0558 4.90028 21.0068 4.8713 20.5413 7.61765C20.0757 10.364 20.6481 10.1339 21.4634 11.3205C21.9897 12.9829 22.2413 14.7201 22.2079 16.4636H26.2768C26.2435 14.7203 26.4944 12.9832 27.0194 11.3205Z" fill="white"/>
+<svg width="54" height="32" viewBox="0 0 54 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M40.4071 14.9238C40.4071 23.516 30.0194 30.4344 27.7622 31.8367C27.6329 31.9175 27.4835 31.9603 27.331 31.9603C27.1787 31.9603 27.0293 31.9175 26.9 31.8367C24.6427 30.4344 14.2551 23.516 14.2551 14.9238V4.58328C14.256 4.36919 14.3403 4.16388 14.4902 4.01099C14.6401 3.85807 14.8436 3.76964 15.0577 3.76446C23.1373 3.54525 21.2768 0 27.331 0C33.3854 0 31.525 3.54525 39.6044 3.76446C39.8185 3.76964 40.0222 3.85807 40.172 4.01099C40.3219 4.16388 40.4062 4.36919 40.4071 4.58328V14.9238Z" fill="url(#paint0_linear_1073_1117)"/>
+<path d="M39.322 15.0107C39.322 22.891 29.7969 29.2352 27.7279 30.5214C27.6094 30.5951 27.4725 30.6341 27.3331 30.6341C27.1934 30.6341 27.0565 30.5951 26.938 30.5214C24.8674 29.2352 15.344 22.891 15.344 15.0107V5.52891C15.344 5.33247 15.421 5.14387 15.5585 5.00365C15.696 4.8634 15.8831 4.78271 16.0795 4.77892C23.4852 4.57783 21.7787 1.32605 27.3311 1.32605C32.8836 1.32605 31.1773 4.5869 38.5865 4.77892C38.7829 4.78271 38.97 4.8634 39.1075 5.00365C39.245 5.14387 39.322 5.33247 39.322 5.52891V15.0107Z" fill="url(#paint1_linear_1073_1117)"/>
+<path d="M33.1681 18.0669H21.4942C21.1656 18.0669 20.8504 18.1974 20.6181 18.4298C20.3857 18.6622 20.2551 18.9774 20.2551 19.306V20.8422C20.2551 20.897 20.2769 20.9495 20.3156 20.9883C20.3543 21.027 20.4069 21.0487 20.4616 21.0487H34.2007C34.2278 21.0487 34.2545 21.0434 34.2797 21.033C34.3048 21.0226 34.3276 21.0074 34.3468 20.9883C34.3657 20.9691 34.381 20.9463 34.3913 20.9213C34.4017 20.8962 34.4072 20.8693 34.4072 20.8422V19.306C34.4072 18.9774 34.2766 18.6622 34.0442 18.4298C33.8118 18.1974 33.4967 18.0669 33.1681 18.0669Z" fill="white"/>
+<path d="M33.1173 22.5795H21.545C21.506 22.5795 21.4687 22.5951 21.4412 22.6225C21.4137 22.6501 21.3982 22.6874 21.3982 22.7262V23.5017C21.3982 23.7357 21.4911 23.9601 21.6566 24.1254C21.8221 24.2909 22.0464 24.3838 22.2804 24.3838H32.3817C32.6159 24.3838 32.8401 24.2909 33.0056 24.1254C33.1711 23.9601 33.264 23.7357 33.264 23.5017V22.7262C33.264 22.6874 33.2486 22.6501 33.221 22.6225C33.1936 22.5951 33.1561 22.5795 33.1173 22.5795Z" fill="white"/>
+<path d="M30.0194 11.3205C30.8364 10.1339 31.4089 10.3586 30.9435 7.61766C30.4778 4.87673 27.429 4.90028 27.2423 4.90028C27.0558 4.90028 24.0068 4.8713 23.5413 7.61766C23.0757 10.364 23.6481 10.1339 24.4634 11.3205C24.9897 12.9829 25.2413 14.7201 25.2079 16.4636H29.2768C29.2435 14.7203 29.4944 12.9832 30.0194 11.3205Z" fill="white"/>
 <defs>
-<linearGradient id="paint0_linear_1073_1117" x1="24.331" y1="-1.57607" x2="24.331" y2="34.976" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint0_linear_1073_1117" x1="27.331" y1="-1.57607" x2="27.331" y2="34.976" gradientUnits="userSpaceOnUse">
 <stop stop-color="#5E9624"/>
 <stop offset="0.316" stop-color="#619A25"/>
 <stop offset="0.659" stop-color="#69A728"/>
 <stop offset="0.999" stop-color="#76BC2D"/>
 </linearGradient>
-<linearGradient id="paint1_linear_1073_1117" x1="24.3311" y1="31.9" x2="24.3311" y2="-2.07428" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint1_linear_1073_1117" x1="27.3311" y1="31.9" x2="27.3311" y2="-2.07428" gradientUnits="userSpaceOnUse">
 <stop stop-color="#5E9624"/>
 <stop offset="0.546" stop-color="#6DAD2A"/>
 <stop offset="0.999" stop-color="#76BC2D"/>
--- a/windows/security/book/images/defender-for-endpoint.svg
+++ b/windows/security/book/images/defender-for-endpoint.svg
--- a/windows/security/book/images/endpoint-privilege-management.svg
+++ b/windows/security/book/images/endpoint-privilege-management.svg
@ -1,46 +0,0 @@
-<svg width="56" height="32" viewBox="0 0 56 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_1073_1106)">
-<mask id="mask0_1073_1106" style="mask-type:luminance" maskUnits="userSpaceOnUse" x="0" y="0" width="56" height="32">
-<path d="M55.4331 0H0V32H55.4331V0Z" fill="white"/>
-</mask>
-<g mask="url(#mask0_1073_1106)">
-<path d="M11.3386 4.00317H39.361V21.3504C39.361 22.0583 39.0799 22.7371 38.5794 23.2376C38.079 23.7381 37.4002 24.0193 36.6925 24.0193H14.0074C13.2996 24.0193 12.6208 23.7381 12.1203 23.2376C11.6198 22.7371 11.3386 22.0583 11.3386 21.3504V4.00317Z" fill="url(#paint0_linear_1073_1106)"/>
-<path d="M11.3386 2.6688C11.3386 1.961 11.6198 1.28218 12.1203 0.781677C12.6208 0.281177 13.2996 0 14.0074 0H36.6925C37.4002 0 38.079 0.281177 38.5794 0.781677C39.0799 1.28218 39.361 1.961 39.361 2.6688V4.00323H11.3386V2.6688Z" fill="url(#paint1_linear_1073_1106)"/>
-<path d="M29.353 15.0112H41.3626V30.9279C41.3626 31.8567 40.2489 32.3639 39.5159 31.7695L36.0783 28.9835C35.874 28.8194 35.6197 28.73 35.3579 28.73C35.0959 28.73 34.8417 28.8194 34.6373 28.9835L31.1997 31.7695C30.4667 32.3639 29.353 31.8567 29.353 30.9279V15.0112Z" fill="url(#paint2_linear_1073_1106)"/>
-<path opacity="0.5" d="M35.3223 24.0353C40.3063 24.0353 44.3466 19.9951 44.3466 15.0112C44.3466 10.0273 40.3063 5.98706 35.3223 5.98706C30.3387 5.98706 26.2983 10.0273 26.2983 15.0112C26.2983 19.9951 30.3387 24.0353 35.3223 24.0353Z" fill="url(#paint3_radial_1073_1106)"/>
-<path opacity="0.5" d="M35.3226 23.5175C40.0206 23.5175 43.8288 19.7091 43.8288 15.0112C43.8288 10.3132 40.0206 6.50476 35.3226 6.50476C30.6247 6.50476 26.8162 10.3132 26.8162 15.0112C26.8162 19.7091 30.6247 23.5175 35.3226 23.5175Z" fill="url(#paint4_radial_1073_1106)"/>
-<path d="M35.3581 23.0176C39.7799 23.0176 43.3644 19.433 43.3644 15.0112C43.3644 10.5894 39.7799 7.00476 35.3581 7.00476C30.9361 7.00476 27.3516 10.5894 27.3516 15.0112C27.3516 19.433 30.9361 23.0176 35.3581 23.0176Z" fill="url(#paint5_linear_1073_1106)"/>
-</g>
-</g>
-<defs>
-<linearGradient id="paint0_linear_1073_1106" x1="25.3498" y1="24.0193" x2="25.3498" y2="4.00317" gradientUnits="userSpaceOnUse">
-<stop stop-color="#0669BC"/>
-<stop offset="1" stop-color="#0078D4"/>
-</linearGradient>
-<linearGradient id="paint1_linear_1073_1106" x1="25.3498" y1="4.00323" x2="25.3498" y2="0" gradientUnits="userSpaceOnUse">
-<stop stop-color="#0C59A4"/>
-<stop offset="1" stop-color="#1493DF"/>
-</linearGradient>
-<linearGradient id="paint2_linear_1073_1106" x1="35.3579" y1="32.0257" x2="35.3579" y2="15.0112" gradientUnits="userSpaceOnUse">
-<stop stop-color="#0078D4"/>
-<stop offset="1" stop-color="#5EA0EF"/>
-</linearGradient>
-<radialGradient id="paint3_radial_1073_1106" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(35.3223 15.013) scale(9.02415)">
-<stop/>
-<stop offset="0.859" stop-opacity="0.532"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<radialGradient id="paint4_radial_1073_1106" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(19.3452 15.0129) scale(8.50641)">
-<stop/>
-<stop offset="0.859" stop-opacity="0.532"/>
-<stop offset="1" stop-opacity="0"/>
-</radialGradient>
-<linearGradient id="paint5_linear_1073_1106" x1="35.3581" y1="23.0586" x2="35.3581" y2="6.48167" gradientUnits="userSpaceOnUse">
-<stop stop-color="#32BEDD"/>
-<stop offset="1" stop-color="#50E6FF"/>
-</linearGradient>
-<clipPath id="clip0_1073_1106">
-<rect width="55.4331" height="32" fill="white"/>
-</clipPath>
-</defs>
-</svg>
--- a/windows/security/book/images/microsoft-cloud-pki.svg
+++ b/windows/security/book/images/microsoft-cloud-pki.svg
@ -1,19 +0,0 @@
-<svg width="40" height="32" viewBox="0 0 40 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M11.6613 10.951C11.8382 8.97945 12.7464 7.14542 14.2073 5.8097C15.6682 4.47399 17.576 3.73328 19.5555 3.73328C21.5351 3.73328 23.4428 4.47399 24.9038 5.8097C26.3648 7.14542 27.2729 8.97945 27.4498 10.951C28.91 11.1247 30.2485 11.8498 31.1916 12.978C32.1347 14.1062 32.611 15.5522 32.523 17.02C32.435 18.4878 31.7893 19.8666 30.7182 20.8739C29.6471 21.8814 28.2314 22.4414 26.7609 22.4394H12.3501C10.8797 22.4414 9.46401 21.8814 8.39288 20.8739C7.32174 19.8666 6.6761 18.4878 6.5881 17.02C6.50008 15.5522 6.97635 14.1062 7.91944 12.978C8.86252 11.8498 10.2011 11.1247 11.6613 10.951Z" fill="url(#paint0_linear_1073_1130)"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M32.5253 16.6751C32.5253 18.204 31.9181 19.6701 30.837 20.7512C29.7559 21.8321 28.2898 22.4395 26.7609 22.4395H24.3111C24.2544 22.4395 24.1981 22.4507 24.1456 22.4724C24.0932 22.4941 24.0455 22.5259 24.0053 22.5661C23.9653 22.6063 23.9333 22.6539 23.9117 22.7064C23.89 22.7588 23.8788 22.815 23.8788 22.8717V23.4482C23.8788 23.5629 23.8333 23.6728 23.7522 23.7538C23.6711 23.8349 23.5611 23.8806 23.4464 23.8806H22.8701C22.8133 23.8806 22.757 23.8918 22.7045 23.9135C22.6521 23.9352 22.6045 23.967 22.5643 24.0072C22.5243 24.0473 22.4923 24.095 22.4706 24.1474C22.4489 24.1999 22.4377 24.2561 22.4377 24.3129V24.8893C22.4377 25.004 22.3922 25.1138 22.3111 25.1951C22.2301 25.2761 22.12 25.3217 22.0053 25.3217H21.429C21.3143 25.3217 21.2043 25.3672 21.1232 25.4482C21.0421 25.5293 20.9966 25.6393 20.9966 25.754V26.3304C20.9966 26.445 20.9511 26.5551 20.8701 26.6361C20.789 26.7172 20.6789 26.7627 20.5643 26.7627H19.9879C19.8733 26.7627 19.7632 26.8082 19.6821 26.8893C19.6011 26.9704 19.5556 27.0804 19.5556 27.1951V27.7714C19.5556 27.8861 19.5101 27.9961 19.429 28.0772C19.3479 28.1583 19.2379 28.2038 19.1232 28.2038H15.6646C15.55 28.2038 15.44 28.1583 15.3589 28.0772C15.2778 27.9961 15.2323 27.8861 15.2323 27.7714V24.0593C15.2324 23.9446 15.278 23.8347 15.3591 23.7537L21.1408 17.9721C20.9605 17.1817 20.9492 16.3622 21.1074 15.5671C21.2654 14.772 21.5895 14.0191 22.0583 13.3578C22.5271 12.6964 23.1301 12.1414 23.8281 11.7289C24.5261 11.3164 25.3031 11.0558 26.1085 10.9641C26.914 10.8723 27.7298 10.9514 28.5026 11.1964C29.2754 11.4413 29.9877 11.8465 30.5933 12.3854C31.1989 12.9244 31.6839 13.585 32.0169 14.3242C32.3497 15.0634 32.523 15.8644 32.5253 16.6751ZM28.6487 16.2774C29.0309 16.2774 29.3975 16.1255 29.6677 15.8553C29.938 15.585 30.0898 15.2185 30.0898 14.8363C30.0898 14.4541 29.938 14.0876 29.6677 13.8173C29.3975 13.547 29.0309 13.3952 28.6487 13.3952C28.2665 13.3952 27.9001 13.547 27.6297 13.8173C27.3595 14.0876 27.2077 14.4541 27.2077 14.8363C27.2077 15.2185 27.3595 15.585 27.6297 15.8553C27.9001 16.1255 28.2665 16.2774 28.6487 16.2774Z" fill="url(#paint1_radial_1073_1130)"/>
-<defs>
-<linearGradient id="paint0_linear_1073_1130" x1="19.5555" y1="22.435" x2="19.5555" y2="3.74129" gradientUnits="userSpaceOnUse">
-<stop stop-color="#0078D4"/>
-<stop offset="0.156" stop-color="#1380DA"/>
-<stop offset="0.528" stop-color="#3C91E5"/>
-<stop offset="0.822" stop-color="#559CEC"/>
-<stop offset="1" stop-color="#5EA0EF"/>
-</linearGradient>
-<radialGradient id="paint1_radial_1073_1130" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(22.4075 19.2072) rotate(121.131) scale(13.8778 9.46286)">
-<stop offset="0.266" stop-color="#FFD70F"/>
-<stop offset="0.487" stop-color="#FFCB12"/>
-<stop offset="0.884" stop-color="#FEAC19"/>
-<stop offset="1" stop-color="#FEA11B"/>
-</radialGradient>
-</defs>
-</svg>
--- a/windows/security/book/images/microsoft-entra-id.svg
+++ b/windows/security/book/images/microsoft-entra-id.svg
@ -1,4 +1,4 @@
-<svg width="53" height="32" viewBox="0 0 53 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<svg width="54" height="32" viewBox="0 0 54 32" fill="none" xmlns="http://www.w3.org/2000/svg">
 <path d="M15.5281 26.0077C16.3103 26.4912 17.6105 27.0288 18.9854 27.0288C20.2372 27.0288 21.4004 26.669 22.364 26.0558C22.364 26.0558 22.3661 26.0558 22.3681 26.0537L26.0067 23.7999V31.9379C25.4302 31.9379 24.8497 31.7819 24.3458 31.4702L15.5281 26.0077Z" fill="#225086"/>
 <path d="M23.7177 1.00992L8.76318 17.8619C7.60869 19.1647 7.90977 21.1327 9.40723 22.0669C9.40723 22.0669 14.9424 25.523 15.6403 25.9593C16.414 26.4412 17.7001 26.9772 19.06 26.9772C20.2982 26.9772 21.4487 26.6185 22.4018 26.007C22.4018 26.007 22.4038 26.007 22.4058 26.0051L26.0049 23.7582L17.3033 18.3241L26.0068 8.51563V0C25.1615 0 24.316 0.336642 23.7177 1.00992Z" fill="#66DDFF"/>
 <path d="M17.2561 18.3555L17.3604 18.4193L26.005 23.8002H26.0068V8.52995L26.005 8.52795L17.2561 18.3555Z" fill="#CBF8FF"/>
--- a/windows/security/book/images/microsoft-entra-internet-access.svg
+++ b/windows/security/book/images/microsoft-entra-internet-access.svg
--- a/windows/security/book/images/microsoft-entra-private-access.svg
+++ b/windows/security/book/images/microsoft-entra-private-access.svg
@ -1,49 +0,0 @@
-<svg width="46" height="32" viewBox="0 0 46 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_1073_1049)">
-<mask id="mask0_1073_1049" style="mask-type:luminance" maskUnits="userSpaceOnUse" x="0" y="0" width="46" height="32">
-<path d="M45.4194 0H0V32H45.4194V0Z" fill="white"/>
-</mask>
-<g mask="url(#mask0_1073_1049)">
-<path d="M35.3276 10.4997L37.209 9.41296L37.1583 27.4758L35.2769 28.5624L35.3276 10.4997Z" fill="#D9D9D9"/>
-<path d="M31.147 18.0385V18.8864L25.3242 15.5511V14.7033L31.147 18.0385ZM31.147 20.0755V20.9234L25.3242 17.5882V16.7403L31.147 20.0755ZM31.8252 16.4556V17.3037L25.3242 13.5162V12.6678L31.8252 16.4556Z" fill="#E2E2E2"/>
-<path d="M35.6387 10.3205L35.9533 10.1388L35.9015 28.2008L35.5879 28.3825L35.6387 10.3205Z" fill="#C8C8C8"/>
-<path d="M36.2669 9.95719L36.5808 9.77551L36.53 27.8384L36.2153 28.0201L36.2669 9.95719Z" fill="#C8C8C8"/>
-<path d="M36.8954 9.59488L37.2092 9.41321L37.1584 27.475L36.8438 27.6567L36.8954 9.59488Z" fill="#C8C8C8"/>
-<path d="M33.0426 9.91029L33.6692 9.54858L33.6603 12.6827L33.0337 13.0444L33.0426 9.91049V9.91029Z" fill="#2195DC"/>
-<path d="M30.6233 8.52049L31.2507 8.15796L33.6693 9.54862L33.0429 9.91032L30.6233 8.52049Z" fill="#32B0E7"/>
-<path d="M16.8047 12.1751L18.1858 11.3724L20.4783 12.6964L19.0977 13.4983L16.8047 12.1751Z" fill="#0078D4"/>
-<path d="M19.9048 12.6414L21.2861 11.8394L23.5792 13.1631L22.1978 13.9652L19.9048 12.6414Z" fill="#0078D4"/>
-<path d="M22.9854 20.186L24.3667 19.3835L26.6592 20.7073L25.2784 21.51L22.9854 20.186Z" fill="#0078D4"/>
-<path d="M34.3124 18.209L34.2711 29.5845C34.2711 30.4723 33.6517 30.8232 32.8878 30.369L14.1008 19.5303C13.7017 19.2661 13.3696 18.9127 13.1304 18.4981C12.8914 18.081 12.7503 17.6151 12.7175 17.1355L12.7588 5.76001L34.3124 18.209Z" fill="#FBFBFB"/>
-<path d="M33.8789 30.4516L34.7254 29.9561C34.9731 29.8116 35.1176 29.5019 35.1176 29.0684L34.2712 29.5638C34.2712 30.018 34.106 30.3071 33.8789 30.4516Z" fill="#DCDCDC"/>
-<path d="M34.3123 18.2091L34.271 29.5846L35.1174 29.0891L35.1587 17.7136L34.3123 18.2091Z" fill="#DCDCDC"/>
-<path d="M32.929 13.1922C33.3281 13.4565 33.6603 13.8099 33.8993 14.2245C34.1384 14.6416 34.2794 15.1075 34.3122 15.5871V18.2916L12.738 5.84256V3.13804C12.738 2.2503 13.3574 1.89933 14.1213 2.33288L32.929 13.1922Z" fill="#F0F0F0"/>
-<path d="M34.7665 13.7084C34.5212 13.2984 34.1903 12.9462 33.7961 12.6761L15.009 1.83744C14.6168 1.61034 14.2658 1.5897 14.0181 1.73422L13.1716 2.22969C13.4194 2.08517 13.7703 2.10582 14.1626 2.33292L32.9497 13.1716C33.3488 13.4359 33.6809 13.7893 33.92 14.2039C34.1591 14.621 34.3001 15.0869 34.3329 15.5665V18.271L35.1794 17.7755V15.071C35.1368 14.5933 34.9962 14.1294 34.7665 13.7084Z" fill="#D2D2D2"/>
-<path d="M21.6156 13.8323C21.744 13.9157 21.8503 14.0291 21.9253 14.1626C22.0008 14.2964 22.05 14.4438 22.0698 14.5962C22.0698 14.9059 21.8633 14.9884 21.6156 14.8646L16.1446 11.7059C16.0095 11.6152 15.8966 11.4953 15.8143 11.3549C15.7327 11.2175 15.6899 11.0605 15.6904 10.9007C15.6904 10.591 15.8969 10.5084 16.1446 10.653L21.6156 13.8323ZM26.0543 15.4839L26.4259 16.1446L24.1756 17.4246L23.2466 15.8142L23.6182 15.5872L24.1756 16.5575L26.0543 15.4839Z" fill="#50E6FF"/>
-<path d="M21.5949 20.1084C21.7233 20.1918 21.8296 20.3052 21.9045 20.4388C21.9801 20.5725 22.0292 20.7197 22.0491 20.8723C22.0491 21.182 21.8426 21.2646 21.5949 21.1407L16.1239 17.982C15.9888 17.8914 15.8758 17.7714 15.7936 17.631C15.712 17.4936 15.6691 17.3366 15.6697 17.1768C15.6697 16.8671 15.8761 16.7846 16.1239 16.9291L21.5949 20.1084ZM26.0336 21.8426L26.4052 22.5033L24.1549 23.7833L23.2258 22.173L23.5974 21.9459L24.1549 22.9162L26.0336 21.8426Z" fill="#32B0E7"/>
-<path d="M21.6156 16.9497C21.744 17.0331 21.8503 17.1465 21.9253 17.2801C21.9948 17.4165 22.0436 17.5627 22.0698 17.7136C22.0698 18.0233 21.8633 18.1059 21.6156 17.982L16.1446 14.8233C16.0095 14.7327 15.8966 14.6127 15.8143 14.4723C15.7327 14.3349 15.6899 14.1779 15.6904 14.0181C15.6904 13.7085 15.8969 13.6259 16.1446 13.7704L21.6156 16.9497ZM26.0543 18.5807L26.4259 19.2414L24.1756 20.5214L23.2053 18.911L23.5769 18.6839L24.155 19.6543L26.0543 18.5807Z" fill="#45CAF2"/>
-<path d="M15.9382 25.2491C15.8236 24.2519 15.4384 23.3053 14.8243 22.5113C14.2102 21.7175 13.3906 21.1068 12.4543 20.7455C11.518 20.384 10.5006 20.2857 9.51243 20.4611C8.52423 20.6365 7.60286 21.0789 6.84809 21.7404C5.83685 22.6269 5.18537 23.853 5.01687 25.1871C4.97161 25.3833 4.95768 25.5854 4.97558 25.7858C5.03751 26.5497 5.59493 27.2929 6.5859 27.8916C8.75364 29.1304 12.222 29.1304 14.3691 27.8916C15.3601 27.3136 15.8969 26.5497 15.9588 25.8065C15.9734 25.6205 15.9665 25.4334 15.9382 25.2491Z" fill="url(#paint0_linear_1073_1049)"/>
-<path d="M10.4672 19.7987C11.1217 19.8016 11.762 19.6074 12.3046 19.2413C12.8471 18.8789 13.27 18.3639 13.5199 17.7613C13.7697 17.1586 13.8354 16.4954 13.7085 15.8555C13.5833 15.2125 13.2667 14.6224 12.8001 14.1626C12.3322 13.7069 11.7455 13.3921 11.1072 13.2542C10.4695 13.1287 9.80905 13.1933 9.20782 13.44C8.60606 13.6956 8.09019 14.1183 7.72137 14.6581C7.35254 15.1994 7.15804 15.8405 7.16395 16.4955C7.16232 16.9276 7.24653 17.3556 7.41169 17.7549C7.58148 18.1557 7.8268 18.5202 8.13427 18.8284C8.43881 19.1403 8.80423 19.3863 9.20782 19.551C9.60706 19.7162 10.0351 19.8004 10.4672 19.7987Z" fill="url(#paint1_linear_1073_1049)"/>
-<path d="M36.5283 20.538C36.6109 20.4968 36.6109 20.3316 36.5283 20.1664L36.0741 19.3613C35.9915 19.2168 35.9709 19.0516 36.0535 18.969L36.5489 18.68C36.6315 18.6387 36.6315 18.4735 36.5489 18.3084L35.9089 17.1935V16.9251L34.7735 17.5858V17.8542L35.4135 18.969C35.4517 19.0187 35.4742 19.0787 35.4779 19.1413C35.4816 19.2039 35.4663 19.2662 35.4341 19.32L34.9386 19.609C34.8354 19.6709 34.8354 19.8361 34.9386 20.0013L35.4135 20.8064C35.4517 20.8562 35.4742 20.9161 35.4779 20.9788C35.4816 21.0414 35.4663 21.1035 35.4341 21.1574L34.9593 21.4464C34.856 21.5084 34.856 21.6735 34.9593 21.8387L35.4341 22.6438C35.5167 22.7884 35.5167 22.9535 35.4341 23.0155L36.5696 22.3548C36.6522 22.3135 36.6522 22.1484 36.5696 21.9832L36.0948 21.178C36.0122 21.0129 35.9915 20.8477 36.0741 20.7858L36.5283 20.538ZM38.7718 12.4904L35.7989 7.32906C35.5117 6.79786 35.092 6.34984 34.5808 6.02842C34.1473 5.76003 33.6931 5.71874 33.3628 5.90454L32.2273 6.56519C32.5576 6.37938 33.0118 6.44132 33.4454 6.68906C33.9611 7.00497 34.382 7.45436 34.6634 7.98971L37.6363 13.151C38.3176 14.3278 38.3176 15.5871 37.6363 15.9794L38.7718 15.3187C39.4531 14.9265 39.4531 13.6465 38.7718 12.4904ZM33.5486 10.4258L33.6105 10.4465L33.6518 10.4671C33.6725 10.4671 33.6931 10.4878 33.7137 10.4878H34.0234C34.0441 10.4878 34.0441 10.4878 34.0647 10.4671C34.0854 10.4671 34.0854 10.4671 34.106 10.4465C34.1266 10.4465 34.1266 10.4258 34.1473 10.4258C34.2487 10.355 34.329 10.2582 34.3798 10.1456C34.4305 10.0329 34.4502 9.90865 34.4363 9.78584C34.4396 9.71639 34.4328 9.64681 34.4157 9.57938C33.985 9.23413 33.6981 8.74115 33.6105 8.19616C33.5604 8.15448 33.5048 8.11975 33.4454 8.09293C33.1563 7.92777 32.7744 7.89556 32.6092 8.01944L32.5886 8.04008C32.5832 8.04008 32.5778 8.04225 32.5739 8.04613C32.5702 8.04999 32.5679 8.05525 32.5679 8.06073L32.5473 8.08137C32.5473 8.10202 32.5266 8.10202 32.5266 8.12266L32.506 8.14331C32.506 8.16395 32.4854 8.16395 32.4854 8.1846C32.4854 8.20524 32.4647 8.20524 32.4647 8.22589C32.4624 8.24152 32.4552 8.25599 32.4441 8.26718C32.4441 8.28782 32.4234 8.28782 32.4234 8.30847C32.4234 8.32911 32.4028 8.34976 32.4028 8.3704V8.41169C32.4036 8.4406 32.3966 8.46919 32.3821 8.49427V8.61814C32.3943 8.97896 32.4823 9.33319 32.6402 9.65783C32.8132 9.951 33.5486 10.4258 33.5486 10.4258Z" fill="#32B0E7"/>
-<path d="M37.6361 15.9588L34.7871 17.5897V17.8581L35.4271 18.9729C35.5096 19.1175 35.5096 19.2826 35.4271 19.3446L34.9522 19.6129C34.849 19.6749 34.849 19.84 34.9522 20.0052L35.4271 20.8103C35.5096 20.9549 35.5096 21.12 35.4271 21.182L34.9522 21.4503C34.849 21.5123 34.849 21.6774 34.9522 21.8426L35.4271 22.6478C35.5096 22.7923 35.5096 22.9574 35.4271 23.0194L34.7664 23.391L33.6516 24.031C33.6053 24.0479 33.5562 24.0549 33.5071 24.0516C33.4567 24.0475 33.4076 24.0335 33.3625 24.0103C33.248 23.941 33.1549 23.8409 33.0942 23.7213L31.9587 21.76C31.8542 21.585 31.7972 21.3857 31.7935 21.182L31.8142 15.8555C31.8076 15.6875 31.7578 15.524 31.6696 15.3807L29.1922 11.0865C28.5109 9.90972 28.5316 8.65037 29.1922 8.25811L32.2064 6.54456C32.5367 6.35875 32.9909 6.42069 33.4245 6.66843C33.9402 6.98434 34.3612 7.43371 34.6425 7.96908L37.6154 13.1304C38.3174 14.3071 38.3174 15.5871 37.6361 15.9588ZM33.4245 8.09295C32.8877 7.78327 32.4335 8.03101 32.4335 8.65037C32.4566 8.99122 32.5553 9.32278 32.7225 9.62069C32.8956 9.91404 33.1363 10.1618 33.4245 10.3433C33.9613 10.6529 34.4154 10.4052 34.4154 9.78585C34.3923 9.44496 34.2936 9.11348 34.1264 8.81553C33.9534 8.52216 33.7127 8.2744 33.4245 8.09295ZM31.2774 12.3871L35.6542 14.9265C35.7987 15.0091 35.9225 14.9471 35.9225 14.782V14.72C35.924 14.6241 35.8951 14.5302 35.84 14.4517C35.7956 14.3689 35.7318 14.2981 35.6542 14.2452L31.2774 11.7059C31.1329 11.6233 31.009 11.6852 31.009 11.8504V11.9123C31.0076 12.0083 31.0365 12.1022 31.0916 12.1807C31.1484 12.254 31.2105 12.3231 31.2774 12.3871ZM31.0296 10.7768V10.8388C31.0282 10.9348 31.0571 11.0287 31.1122 11.1071C31.163 11.1852 31.2256 11.255 31.298 11.3136L35.6748 13.8323C35.8193 13.9149 35.9432 13.8529 35.9432 13.6878V13.6259C35.9446 13.5299 35.9157 13.436 35.8606 13.3575C35.8162 13.2747 35.7524 13.2038 35.6748 13.151L31.298 10.6117C31.1535 10.5497 31.0296 10.6117 31.0296 10.7768ZM32.9703 21.8013L32.9909 17.4865C32.988 17.3879 32.9517 17.2932 32.8877 17.2181C32.8617 17.1687 32.8171 17.1316 32.7638 17.1149C32.6606 17.0529 32.5574 17.0942 32.5574 17.2388L32.5367 21.5536C32.5351 21.6337 32.5566 21.7125 32.5987 21.7807C32.6301 21.8432 32.6806 21.8938 32.7432 21.9252C32.8671 22.0078 32.9703 21.9665 32.9703 21.8013Z" fill="url(#paint2_linear_1073_1049)"/>
-<path d="M31.2775 12.3871L35.6542 14.9264C35.7988 15.009 35.9226 14.9471 35.9226 14.7819V14.72C35.9241 14.624 35.8952 14.5301 35.8401 14.4516C35.7957 14.3688 35.7319 14.298 35.6542 14.2451L31.2775 11.7058C31.133 11.6232 31.0091 11.6851 31.0091 11.8503V11.9122C31.0076 12.0082 31.0365 12.1022 31.0917 12.1806C31.1484 12.2539 31.2106 12.3231 31.2775 12.3871ZM31.0297 10.7767V10.8387C31.0283 10.9347 31.0572 11.0286 31.1123 11.1071C31.1567 11.1898 31.2205 11.2607 31.2981 11.3135L35.6749 13.8322C35.8194 13.9148 35.9433 13.8529 35.9433 13.6877V13.6258C35.9447 13.5298 35.9158 13.4359 35.8607 13.3574C35.8163 13.2746 35.7525 13.2038 35.6749 13.1509L31.2981 10.6116C31.1536 10.5496 31.0297 10.6116 31.0297 10.7767ZM32.9704 21.8012L32.991 17.4864C32.9881 17.3878 32.9516 17.2932 32.8878 17.218C32.8465 17.1767 32.8259 17.1354 32.7639 17.1148C32.6607 17.0529 32.5575 17.0942 32.5575 17.2387L32.5368 21.5535C32.5352 21.6336 32.5566 21.7125 32.5988 21.7806C32.6301 21.8432 32.6807 21.8937 32.7433 21.9251C32.8672 22.0077 32.9704 21.9664 32.9704 21.8012Z" fill="#ACF3FD"/>
-</g>
-</g>
-<defs>
-<linearGradient id="paint0_linear_1073_1049" x1="10.4637" y1="20.3807" x2="10.4637" y2="28.819" gradientUnits="userSpaceOnUse">
-<stop stop-color="#4DC2EB"/>
-<stop offset="1" stop-color="#0078D4"/>
-</linearGradient>
-<linearGradient id="paint1_linear_1073_1049" x1="10.4649" y1="13.1929" x2="10.4649" y2="19.8" gradientUnits="userSpaceOnUse">
-<stop stop-color="#4DC2EB"/>
-<stop offset="1" stop-color="#0078D4"/>
-</linearGradient>
-<linearGradient id="paint2_linear_1073_1049" x1="33.4168" y1="1.05211" x2="33.4168" y2="25.6826" gradientUnits="userSpaceOnUse">
-<stop offset="0.09" stop-color="#50E6FF"/>
-<stop offset="1" stop-color="#45CAF2"/>
-</linearGradient>
-<clipPath id="clip0_1073_1049">
-<rect width="45.4194" height="32" fill="white"/>
-</clipPath>
-</defs>
-</svg>
--- a/windows/security/book/images/microsoft-intune.svg
+++ b/windows/security/book/images/microsoft-intune.svg
@ -1,21 +1,21 @@
-<svg width="57" height="32" viewBox="0 0 57 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M40.9807 0.0206299H11.871C11.3009 0.0206299 10.8387 0.482788 10.8387 1.05289V19.7574C10.8387 20.3275 11.3009 20.7897 11.871 20.7897H40.9807C41.5507 20.7897 42.0129 20.3275 42.0129 19.7574V1.05289C42.0129 0.482788 41.5507 0.0206299 40.9807 0.0206299Z" fill="url(#paint0_linear_1073_1098)"/>
-<path d="M39.7006 1.75488H13.1509C12.8317 1.75488 12.5729 2.01369 12.5729 2.33295V18.4981C12.5729 18.8174 12.8317 19.0762 13.1509 19.0762H39.7006C40.0198 19.0762 40.2787 18.8174 40.2787 18.4981V2.33295C40.2787 2.01369 40.0198 1.75488 39.7006 1.75488Z" fill="white"/>
-<path d="M32.6813 27.0865C29.5845 26.6117 29.4606 24.382 29.4813 20.8929H23.2877C23.2877 24.4852 23.1638 26.7149 20.0877 27.0865C19.6697 27.1495 19.2873 27.358 19.0078 27.6751C18.7284 27.9926 18.5698 28.398 18.5599 28.8207H34.1264C34.1164 28.4109 33.9682 28.0168 33.7058 27.702C33.4436 27.3871 33.0823 27.1701 32.6813 27.0865Z" fill="url(#paint1_linear_1073_1098)"/>
-<path d="M45.2542 9.62062H31.0504C30.815 8.46209 30.1575 7.43231 29.206 6.73102C28.2542 6.02971 27.0759 5.70692 25.8997 5.82522C24.7233 5.94351 23.6329 6.49448 22.8399 7.37126C22.0469 8.24803 21.6078 9.38811 21.6078 10.5703C21.6078 11.7525 22.0469 12.8926 22.8399 13.7693C23.6329 14.6461 24.7233 15.1971 25.8997 15.3154C27.0759 15.4337 28.2542 15.1109 29.206 14.4096C30.1575 13.7083 30.815 12.6785 31.0504 11.52H32.5162V31.298C32.5162 31.4787 32.5879 31.6521 32.7157 31.7799C32.8434 31.9076 33.0168 31.9793 33.1975 31.9793H45.2336C45.4142 31.9793 45.5877 31.9076 45.7154 31.7799C45.8431 31.6521 45.9149 31.4787 45.9149 31.298V10.3019C45.9149 10.1248 45.846 9.95451 45.7226 9.82733C45.5993 9.70013 45.4313 9.62599 45.2542 9.62062Z" fill="#32BEDD"/>
-<path d="M44.4284 11.4994H34.0439C33.9071 11.4994 33.7961 11.6103 33.7961 11.7471V29.2129C33.7961 29.3497 33.9071 29.4607 34.0439 29.4607H44.4284C44.5652 29.4607 44.6761 29.3497 44.6761 29.2129V11.7471C44.6761 11.6103 44.5652 11.4994 44.4284 11.4994Z" fill="white"/>
-<path opacity="0.9" d="M26.4258 13.6671C28.0906 13.6671 29.44 12.3176 29.44 10.6529C29.44 8.98817 28.0906 7.63867 26.4258 7.63867C24.7611 7.63867 23.4116 8.98817 23.4116 10.6529C23.4116 12.3176 24.7611 13.6671 26.4258 13.6671Z" fill="url(#paint2_linear_1073_1098)"/>
-<path d="M40.5264 19.7575L38.2142 17.4452C38.1956 17.4285 38.1726 17.4177 38.1479 17.4144C38.1231 17.411 38.098 17.4151 38.0756 17.4263C38.0534 17.4374 38.0348 17.4551 38.023 17.4769C38.0108 17.4987 38.0054 17.5236 38.0077 17.5484V18.9523C38.0077 18.9852 37.9946 19.0167 37.9713 19.0399C37.9481 19.0631 37.9166 19.0762 37.8839 19.0762H32.5161V20.7897H37.8839C37.9166 20.7897 37.9481 20.8028 37.9713 20.826C37.9946 20.8492 38.0077 20.8808 38.0077 20.9136V22.3381C38.0191 22.3552 38.0343 22.3691 38.0524 22.3788C38.0704 22.3885 38.0906 22.3935 38.1109 22.3935C38.1313 22.3935 38.1515 22.3885 38.1695 22.3788C38.1876 22.3691 38.2028 22.3552 38.2142 22.3381L40.5264 20.1291C40.5528 20.1058 40.5739 20.0772 40.5884 20.0452C40.6028 20.0132 40.6103 19.9784 40.6103 19.9433C40.6103 19.9081 40.6028 19.8734 40.5884 19.8413C40.5739 19.8093 40.5528 19.7807 40.5264 19.7575Z" fill="#0078D4"/>
+<svg width="54" height="32" viewBox="0 0 54 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M39.9806 0.0206299H10.8709C10.3008 0.0206299 9.83862 0.482788 9.83862 1.05289V19.7574C9.83862 20.3275 10.3008 20.7897 10.8709 20.7897H39.9806C40.5506 20.7897 41.0128 20.3275 41.0128 19.7574V1.05289C41.0128 0.482788 40.5506 0.0206299 39.9806 0.0206299Z" fill="url(#paint0_linear_1073_1098)"/>
+<path d="M38.7007 1.75488H12.1511C11.8318 1.75488 11.573 2.01369 11.573 2.33295V18.4981C11.573 18.8174 11.8318 19.0762 12.1511 19.0762H38.7007C39.02 19.0762 39.2788 18.8174 39.2788 18.4981V2.33295C39.2788 2.01369 39.02 1.75488 38.7007 1.75488Z" fill="white"/>
+<path d="M31.6814 27.0865C28.5846 26.6117 28.4607 24.382 28.4814 20.8929H22.2878C22.2878 24.4852 22.1639 26.7149 19.0878 27.0865C18.6698 27.1495 18.2874 27.358 18.008 27.6751C17.7285 27.9926 17.5699 28.398 17.5601 28.8207H33.1265C33.1165 28.4109 32.9683 28.0168 32.7059 27.702C32.4437 27.3871 32.0824 27.1701 31.6814 27.0865Z" fill="url(#paint1_linear_1073_1098)"/>
+<path d="M44.2541 9.62062H30.0502C29.8149 8.4621 29.1573 7.43231 28.2059 6.73102C27.2541 6.02971 26.0758 5.70692 24.8995 5.82522C23.7232 5.94351 22.6328 6.49448 21.8398 7.37126C21.0468 8.24803 20.6077 9.38811 20.6077 10.5703C20.6077 11.7525 21.0468 12.8926 21.8398 13.7693C22.6328 14.6461 23.7232 15.1971 24.8995 15.3154C26.0758 15.4337 27.2541 15.1109 28.2059 14.4096C29.1573 13.7083 29.8149 12.6785 30.0502 11.52H31.5161V31.298C31.5161 31.4787 31.5878 31.6521 31.7155 31.7799C31.8433 31.9076 32.0167 31.9793 32.1973 31.9793H44.2335C44.4141 31.9793 44.5875 31.9076 44.7153 31.7799C44.843 31.6521 44.9148 31.4787 44.9148 31.298V10.3019C44.9148 10.1248 44.8459 9.95451 44.7225 9.82733C44.5991 9.70013 44.4311 9.62599 44.2541 9.62062Z" fill="#32BEDD"/>
+<path d="M43.4284 11.4994H33.0439C32.9071 11.4994 32.7961 11.6103 32.7961 11.7471V29.2129C32.7961 29.3497 32.9071 29.4607 33.0439 29.4607H43.4284C43.5652 29.4607 43.6761 29.3497 43.6761 29.2129V11.7471C43.6761 11.6103 43.5652 11.4994 43.4284 11.4994Z" fill="white"/>
+<path opacity="0.9" d="M25.4258 13.6671C27.0906 13.6671 28.44 12.3176 28.44 10.6529C28.44 8.98817 27.0906 7.63867 25.4258 7.63867C23.7611 7.63867 22.4116 8.98817 22.4116 10.6529C22.4116 12.3176 23.7611 13.6671 25.4258 13.6671Z" fill="url(#paint2_linear_1073_1098)"/>
+<path d="M39.5264 19.7575L37.2142 17.4452C37.1956 17.4285 37.1726 17.4177 37.1479 17.4144C37.1231 17.411 37.098 17.4151 37.0756 17.4263C37.0534 17.4374 37.0348 17.4551 37.023 17.4769C37.0108 17.4987 37.0054 17.5236 37.0077 17.5484V18.9523C37.0077 18.9852 36.9946 19.0167 36.9713 19.0399C36.9481 19.0631 36.9166 19.0762 36.8839 19.0762H31.5161V20.7897H36.8839C36.9166 20.7897 36.9481 20.8028 36.9713 20.826C36.9946 20.8492 37.0077 20.8808 37.0077 20.9136V22.3381C37.0191 22.3552 37.0343 22.3691 37.0524 22.3788C37.0704 22.3885 37.0906 22.3935 37.1109 22.3935C37.1313 22.3935 37.1515 22.3885 37.1695 22.3788C37.1876 22.3691 37.2028 22.3552 37.2142 22.3381L39.5264 20.1291C39.5528 20.1058 39.5739 20.0772 39.5884 20.0452C39.6028 20.0132 39.6103 19.9784 39.6103 19.9433C39.6103 19.9081 39.6028 19.8734 39.5884 19.8413C39.5739 19.8093 39.5528 19.7807 39.5264 19.7575Z" fill="#0078D4"/>
 <defs>
-<linearGradient id="paint0_linear_1073_1098" x1="26.4258" y1="20.7897" x2="26.4258" y2="0.0206299" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint0_linear_1073_1098" x1="25.4257" y1="20.7897" x2="25.4257" y2="0.0206299" gradientUnits="userSpaceOnUse">
 <stop stop-color="#0078D4"/>
 <stop offset="0.82" stop-color="#5EA0EF"/>
 </linearGradient>
-<linearGradient id="paint1_linear_1073_1098" x1="26.4258" y1="28.8207" x2="26.4258" y2="20.7897" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint1_linear_1073_1098" x1="25.4259" y1="28.8207" x2="25.4259" y2="20.7897" gradientUnits="userSpaceOnUse">
 <stop stop-color="#1490DF"/>
 <stop offset="0.98" stop-color="#1F56A3"/>
 </linearGradient>
-<linearGradient id="paint2_linear_1073_1098" x1="26.4258" y1="13.6671" x2="26.4258" y2="7.61803" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint2_linear_1073_1098" x1="25.4258" y1="13.6671" x2="25.4258" y2="7.61803" gradientUnits="userSpaceOnUse">
 <stop stop-color="#D2EBFF"/>
 <stop offset="1" stop-color="#F0FFFD"/>
 </linearGradient>
--- a/windows/security/book/images/onedrive.svg
+++ b/windows/security/book/images/onedrive.svg
@ -1,24 +1,29 @@
-<svg width="60" height="32" viewBox="0 0 60 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M25.1525 9.93401L33.428 14.8853L38.3601 12.8133C39.3326 12.3938 40.4067 12.1586 41.5316 12.1586C41.716 12.1586 41.8939 12.165 42.0721 12.1777C40.7118 6.85775 35.8877 2.92346 30.1418 2.92346C25.839 2.92346 22.0572 5.12894 19.858 8.46581C19.9025 8.46581 19.9407 8.46581 19.9851 8.46581C21.8856 8.46581 23.6589 9.00606 25.1589 9.93401H25.1525Z" fill="url(#paint0_linear_1073_1093)"/>
-<path d="M25.1525 9.93405C23.6461 9.00608 21.8792 8.46582 19.9788 8.46582C19.9343 8.46582 19.8961 8.46582 19.8516 8.46582C14.4681 8.53573 10.1271 12.915 10.1271 18.3175C10.1271 20.415 10.7817 22.3536 11.894 23.9489L19.1906 20.879L22.4322 19.5124L29.6526 16.4743L33.4215 14.8853L25.1461 9.9277L25.1525 9.93405Z" fill="url(#paint1_linear_1073_1093)"/>
-<path d="M42.0722 12.1776C41.894 12.1649 41.7161 12.1586 41.5317 12.1586C40.4068 12.1586 39.3326 12.3937 38.3602 12.8132L33.4281 14.8853L34.8581 15.7433L39.5423 18.5526L41.5889 19.7793L48.5806 23.9679C49.1908 22.8365 49.5404 21.5463 49.5404 20.1671C49.5404 15.9277 46.2417 12.4637 42.0784 12.184L42.0722 12.1776Z" fill="url(#paint2_linear_1073_1093)"/>
-<path d="M41.5889 19.773L39.5422 18.5463L34.858 15.7369L33.428 14.8789L29.6588 16.4679L22.4385 19.506L19.197 20.8725L11.9004 23.9424C13.6801 26.4912 16.6356 28.1627 19.9851 28.1627H41.5381C44.5825 28.1627 47.2331 26.4594 48.5868 23.9552L41.5954 19.7666L41.5889 19.773Z" fill="url(#paint3_linear_1073_1093)"/>
+<svg width="54" height="32" viewBox="0 0 54 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_1073_1093)">
+<path d="M20.2792 8.87548L30.8995 15.2131L37.2289 12.5609C38.477 12.024 39.8555 11.723 41.2991 11.723C41.5357 11.723 41.764 11.7311 41.9927 11.7474C40.247 4.93787 34.056 -0.0980225 26.6821 -0.0980225C21.1602 -0.0980225 16.3068 2.72499 13.4846 6.99618C13.5417 6.99618 13.5907 6.99618 13.6477 6.99618C16.0866 6.99618 18.3624 7.68771 20.2873 8.87548H20.2792Z" fill="url(#paint0_linear_1073_1093)"/>
+<path d="M20.2792 8.87555C18.346 7.68775 16.0785 6.99622 13.6396 6.99622C13.5825 6.99622 13.5335 6.99622 13.4764 6.99622C6.56762 7.0857 0.996582 12.6911 0.996582 19.6064C0.996582 22.2911 1.83671 24.7725 3.26416 26.8145L12.6281 22.8851L16.7881 21.1359L26.0543 17.2471L30.8911 15.2132L20.271 8.86743L20.2792 8.87555Z" fill="url(#paint1_linear_1073_1093)"/>
+<path d="M41.9924 11.7474C41.7637 11.7312 41.5354 11.723 41.2988 11.723C39.8552 11.723 38.4767 12.024 37.2287 12.561L30.8992 15.2132L32.7343 16.3115L38.7457 19.9074L41.3722 21.4776L50.3449 26.839C51.128 25.3908 51.5766 23.7393 51.5766 21.9739C51.5766 16.5474 47.3432 12.1135 42.0004 11.7556L41.9924 11.7474Z" fill="url(#paint2_linear_1073_1093)"/>
+<path d="M41.3724 21.4693L38.7459 19.8992L32.7345 16.3032L30.8994 15.205L26.0622 17.2388L16.7962 21.1277L12.6362 22.8768L3.27222 26.8063C5.55612 30.0687 9.34904 32.2082 13.6476 32.2082H41.3073C45.2142 32.2082 48.6158 30.028 50.3531 26.8226L41.3808 21.4612L41.3724 21.4693Z" fill="url(#paint3_linear_1073_1093)"/>
+</g>
 <defs>
-<linearGradient id="paint0_linear_1073_1093" x1="-61.3072" y1="1.13744" x2="-55.5105" y2="11.1861" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint0_linear_1073_1093" x1="-90.6774" y1="-2.38413" x2="-83.2674" y2="10.4949" gradientUnits="userSpaceOnUse">
 <stop stop-color="#0572C0"/>
 <stop offset="0.88" stop-color="#0364B8"/>
 </linearGradient>
-<linearGradient id="paint1_linear_1073_1093" x1="-68.9915" y1="5.61837" x2="-63.9385" y2="14.3578" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint1_linear_1073_1093" x1="-100.539" y1="3.35148" x2="-94.0795" y2="14.5525" gradientUnits="userSpaceOnUse">
 <stop stop-color="#1885D9"/>
 <stop offset="0.89" stop-color="#107AD5"/>
 </linearGradient>
-<linearGradient id="paint2_linear_1073_1093" x1="-52.5041" y1="7.75391" x2="-46.7775" y2="17.6692" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint2_linear_1073_1093" x1="-79.3805" y1="6.08505" x2="-72.0599" y2="18.7931" gradientUnits="userSpaceOnUse">
 <stop stop-color="#138EDE"/>
 <stop offset="0.94" stop-color="#0D7AD5"/>
 </linearGradient>
-<linearGradient id="paint3_linear_1073_1093" x1="-62.2544" y1="10.881" x2="-55.0021" y2="23.4403" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint3_linear_1073_1093" x1="-91.8931" y1="10.0877" x2="-82.6222" y2="26.1845" gradientUnits="userSpaceOnUse">
 <stop offset="0.1" stop-color="#29A9EA"/>
 <stop offset="0.79" stop-color="#1C94E3"/>
 </linearGradient>
+<clipPath id="clip0_1073_1093">
+<rect width="54" height="32" fill="white"/>
+</clipPath>
 </defs>
 </svg>
--- a/windows/security/book/images/universal-print.svg
+++ b/windows/security/book/images/universal-print.svg
@ -1,22 +1,22 @@
-<svg width="40" height="32" viewBox="0 0 40 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M32.8622 17.5932C32.8622 16.3814 31.0947 15.9828 30.4147 15.0495C29.4785 13.7651 29.3777 12.1206 27.6666 11.8406C27.5815 9.85776 26.718 7.98839 25.2638 6.63782C23.8095 5.28726 21.8815 4.56434 19.8977 4.62582C18.2951 4.59613 16.7225 5.06477 15.3975 5.96704C14.0725 6.8693 13.0603 8.16068 12.5007 9.66285C10.8045 9.86903 9.23838 10.6764 8.08645 11.9383C6.93454 13.2004 6.27312 14.8334 6.22217 16.5414C6.29662 18.4583 7.12789 20.2675 8.53385 21.5726C9.93979 22.8778 11.8058 23.5724 13.7229 23.5043C13.9466 23.5043 14.1674 23.494 14.3836 23.4762H26.5319C26.6401 23.4748 26.7477 23.459 26.8519 23.4288C28.4124 23.4176 29.9086 22.8046 31.0282 21.7173C32.148 20.6302 32.8049 19.1529 32.8622 17.5932Z" fill="url(#paint0_linear_1073_1040)"/>
-<path d="M30.729 12.3118H18.0209C17.7754 12.3118 17.5764 12.5108 17.5764 12.7562V17.3177C17.5764 17.5631 17.7754 17.7621 18.0209 17.7621H30.729C30.9745 17.7621 31.1734 17.5631 31.1734 17.3177V12.7562C31.1734 12.5108 30.9745 12.3118 30.729 12.3118Z" fill="#005BA1"/>
-<path d="M29.388 8.89404H19.3629C19.1174 8.89404 18.9185 9.09303 18.9185 9.33849V16.6718C18.9185 16.9173 19.1174 17.1163 19.3629 17.1163H29.388C29.6335 17.1163 29.8324 16.9173 29.8324 16.6718V9.33849C29.8324 9.09303 29.6335 8.89404 29.388 8.89404Z" fill="url(#paint1_linear_1073_1040)"/>
-<path d="M16.7497 14.7222H32.0001C32.2358 14.7222 32.4619 14.8158 32.6287 14.9825C32.7953 15.1492 32.889 15.3753 32.889 15.6111V24.648H15.8623V15.6111C15.8623 15.3756 15.9557 15.1497 16.1221 14.983C16.2885 14.8164 16.5142 14.7226 16.7497 14.7222Z" fill="#5EA0EF"/>
-<path d="M32.889 23.4822H15.8623V24.9933H32.889V23.4822Z" fill="#0078D4"/>
-<path d="M30.231 20.8333H18.514C18.2685 20.8333 18.0696 21.0322 18.0696 21.2777V22.1547C18.0696 22.4002 18.2685 22.5991 18.514 22.5991H30.231C30.4765 22.5991 30.6754 22.4002 30.6754 22.1547V21.2777C30.6754 21.0322 30.4765 20.8333 30.231 20.8333Z" fill="#83B9F9"/>
-<path d="M29.9925 17.9621C30.2258 17.9621 30.4148 17.7731 30.4148 17.5399C30.4148 17.3067 30.2258 17.1177 29.9925 17.1177C29.7595 17.1177 29.5703 17.3067 29.5703 17.5399C29.5703 17.7731 29.7595 17.9621 29.9925 17.9621Z" fill="#C3F1FF"/>
-<path d="M18.9186 21.1399H29.8325V26.8035C29.8325 26.9214 29.7858 27.0345 29.7024 27.1178C29.619 27.2012 29.506 27.248 29.3881 27.248H19.3614C19.2436 27.248 19.1307 27.2012 19.0473 27.1178C18.9639 27.0345 18.917 26.9214 18.917 26.8035V21.1399H18.9186Z" fill="url(#paint2_linear_1073_1040)"/>
+<svg width="54" height="34" viewBox="0 0 54 34" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M45.0294 19.3174C45.0294 17.5547 42.4462 16.975 41.4523 15.6175C40.0841 13.7492 39.9367 11.3573 37.4359 10.95C37.3114 8.06581 36.0494 5.34673 33.924 3.38225C31.7986 1.4178 28.9808 0.36629 26.0813 0.455709C23.739 0.412525 21.4407 1.09418 19.5041 2.40658C17.5676 3.71896 16.0882 5.59733 15.2703 7.7823C12.7912 8.08221 10.5023 9.2565 8.81872 11.0921C7.13516 12.9278 6.16846 15.3032 6.09399 17.7874C6.20281 20.5757 7.41775 23.2073 9.4726 25.1056C11.5274 27.0041 14.2546 28.0144 17.0566 27.9154C17.3836 27.9154 17.7062 27.9004 18.0223 27.8745H35.7774C35.9356 27.8724 36.0928 27.8494 36.2451 27.8055C38.5259 27.7892 40.7126 26.8976 42.349 25.3161C43.9856 23.7348 44.9457 21.5859 45.0294 19.3174Z" fill="url(#paint0_linear_1073_1040)"/>
+<path d="M41.9117 11.6353H23.3384C22.9795 11.6353 22.6887 11.9247 22.6887 12.2817V18.9166C22.6887 19.2736 22.9795 19.5631 23.3384 19.5631H41.9117C42.2706 19.5631 42.5613 19.2736 42.5613 18.9166V12.2817C42.5613 11.9247 42.2706 11.6353 41.9117 11.6353Z" fill="#005BA1"/>
+<path d="M39.9517 6.66406H25.2997C24.9409 6.66406 24.6501 6.9535 24.6501 7.31053V17.9772C24.6501 18.3342 24.9409 18.6237 25.2997 18.6237H39.9517C40.3106 18.6237 40.6013 18.3342 40.6013 17.9772V7.31053C40.6013 6.9535 40.3106 6.66406 39.9517 6.66406Z" fill="url(#paint1_linear_1073_1040)"/>
+<path d="M21.4803 15.1414H43.7693C44.1138 15.1414 44.4443 15.2776 44.6881 15.5201C44.9315 15.7625 45.0685 16.0914 45.0685 16.4343V29.579H20.1833V16.4343C20.1833 16.0918 20.3199 15.7632 20.5631 15.5208C20.8063 15.2784 21.1361 15.1419 21.4803 15.1414Z" fill="#5EA0EF"/>
+<path d="M45.0685 27.8832H20.1833V30.0812H45.0685V27.8832Z" fill="#0078D4"/>
+<path d="M41.1838 24.0302H24.059C23.7002 24.0302 23.4094 24.3195 23.4094 24.6766V25.9522C23.4094 26.3093 23.7002 26.5987 24.059 26.5987H41.1838C41.5426 26.5987 41.8334 26.3093 41.8334 25.9522V24.6766C41.8334 24.3195 41.5426 24.0302 41.1838 24.0302Z" fill="#83B9F9"/>
+<path d="M40.8354 19.854C41.1763 19.854 41.4524 19.579 41.4524 19.2399C41.4524 18.9007 41.1763 18.6257 40.8354 18.6257C40.4947 18.6257 40.2183 18.9007 40.2183 19.2399C40.2183 19.579 40.4947 19.854 40.8354 19.854Z" fill="#C3F1FF"/>
+<path d="M24.6503 24.4762H40.6015V32.7142C40.6015 32.8857 40.5331 33.0501 40.4113 33.1714C40.2894 33.2927 40.1241 33.3607 39.9519 33.3607H25.2975C25.1253 33.3607 24.9603 33.2927 24.8384 33.1714C24.7165 33.0501 24.6479 32.8857 24.6479 32.7142V24.4762H24.6503Z" fill="url(#paint2_linear_1073_1040)"/>
 <defs>
-<linearGradient id="paint0_linear_1073_1040" x1="19.5422" y1="23.5073" x2="19.5422" y2="4.62582" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint0_linear_1073_1040" x1="25.5617" y1="27.9198" x2="25.5617" y2="0.455711" gradientUnits="userSpaceOnUse">
 <stop stop-color="#773ADC"/>
 <stop offset="0.817" stop-color="#A67AF4"/>
 </linearGradient>
-<linearGradient id="paint1_linear_1073_1040" x1="24.3746" y1="8.89404" x2="24.3746" y2="17.1177" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint1_linear_1073_1040" x1="32.6246" y1="6.66406" x2="32.6246" y2="18.6258" gradientUnits="userSpaceOnUse">
 <stop stop-color="#C3F1FF"/>
 <stop offset="0.999" stop-color="#9CEBFF"/>
 </linearGradient>
-<linearGradient id="paint2_linear_1073_1040" x1="24.3748" y1="27.248" x2="24.3748" y2="21.1399" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint2_linear_1073_1040" x1="32.6247" y1="33.3607" x2="32.6247" y2="24.4762" gradientUnits="userSpaceOnUse">
 <stop stop-color="#C3F1FF"/>
 <stop offset="0.999" stop-color="#9CEBFF"/>
 </linearGradient>
--- a/windows/security/book/images/windows-security.svg
+++ b/windows/security/book/images/windows-security.svg
@ -1,22 +1,22 @@
-<svg width="49" height="32" viewBox="0 0 49 32" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path d="M24.2765 31.8354L21.9288 22.8553L24.2765 15.5891L31.1894 12.573L38.2976 15.5891C37.1237 22.2385 32.1675 27.2426 24.7331 31.7667C24.6027 31.7667 24.4722 31.8354 24.2765 31.8354Z" fill="url(#paint0_linear_1073_1125)"/>
-<path d="M24.2765 15.5232V31.838C24.081 31.838 23.9506 31.7693 23.7548 31.7007C16.3205 27.1765 11.4294 22.1724 10.1903 15.5232L16.9726 13.1925L24.2765 15.5232Z" fill="url(#paint1_linear_1073_1125)"/>
-<path d="M24.2765 0.441528C26.2982 0.441528 28.0589 1.05849 29.4285 2.08673C31.6458 3.66336 33.2109 4.48593 37.7107 4.55448C38.2325 4.55448 38.6888 5.03432 38.6888 5.58272V12.3691C38.6888 13.4659 38.5584 14.4941 38.428 15.5224H24.2765L21.9288 7.84483L24.2765 0.441528Z" fill="url(#paint2_linear_1073_1125)"/>
-<path d="M10.1919 15.5222C9.99624 14.494 9.93103 13.3972 9.93103 12.369V5.58259C9.93103 5.0342 10.3223 4.55436 10.9092 4.55436C15.409 4.48581 16.9742 3.66323 19.1915 2.0866C20.4958 1.05837 22.3219 0.441406 24.3434 0.441406V15.5222H10.1919Z" fill="url(#paint3_linear_1073_1125)"/>
+<svg width="54" height="32" viewBox="0 0 54 32" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M27.2766 31.8354L24.929 22.8553L27.2766 15.5891L34.1895 12.573L41.2977 15.5891C40.1238 22.2385 35.1676 27.2426 27.7332 31.7667C27.6028 31.7667 27.4724 31.8354 27.2766 31.8354Z" fill="url(#paint0_linear_1073_1125)"/>
+<path d="M27.2764 15.5232V31.838C27.0809 31.838 26.9505 31.7693 26.7547 31.7007C19.3203 27.1765 14.4293 22.1724 13.1902 15.5232L19.9725 13.1925L27.2764 15.5232Z" fill="url(#paint1_linear_1073_1125)"/>
+<path d="M27.2766 0.441528C29.2983 0.441528 31.059 1.05849 32.4286 2.08673C34.6459 3.66336 36.211 4.48593 40.7109 4.55448C41.2326 4.55448 41.689 5.03432 41.689 5.58272V12.3691C41.689 13.4659 41.5585 14.4941 41.4281 15.5224H27.2766L24.929 7.84483L27.2766 0.441528Z" fill="url(#paint2_linear_1073_1125)"/>
+<path d="M13.192 15.5222C12.9964 14.494 12.9312 13.3972 12.9312 12.369V5.58259C12.9312 5.0342 13.3224 4.55436 13.9094 4.55436C18.4092 4.48581 19.9743 3.66323 22.1916 2.0866C23.4959 1.05837 25.322 0.441406 27.3435 0.441406V15.5222H13.192Z" fill="url(#paint3_linear_1073_1125)"/>
 <defs>
-<linearGradient id="paint0_linear_1073_1125" x1="32.9701" y1="26.7136" x2="25.6719" y2="14.6876" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint0_linear_1073_1125" x1="35.9702" y1="26.7136" x2="28.672" y2="14.6876" gradientUnits="userSpaceOnUse">
 <stop stop-color="#114A8B"/>
 <stop offset="1" stop-color="#0C59A4"/>
 </linearGradient>
-<linearGradient id="paint1_linear_1073_1125" x1="25.3418" y1="31.1801" x2="14.3342" y2="13.0417" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint1_linear_1073_1125" x1="28.3417" y1="31.1801" x2="17.3341" y2="13.0417" gradientUnits="userSpaceOnUse">
 <stop stop-color="#0669BC"/>
 <stop offset="1" stop-color="#0078D4"/>
 </linearGradient>
-<linearGradient id="paint2_linear_1073_1125" x1="35.2768" y1="17.3893" x2="24.8053" y2="0.134459" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint2_linear_1073_1125" x1="38.2769" y1="17.3893" x2="27.8054" y2="0.134459" gradientUnits="userSpaceOnUse">
 <stop stop-color="#0078D4"/>
 <stop offset="1" stop-color="#1493DF"/>
 </linearGradient>
-<linearGradient id="paint3_linear_1073_1125" x1="22.1142" y1="16.8492" x2="13.5749" y2="2.77815" gradientUnits="userSpaceOnUse">
+<linearGradient id="paint3_linear_1073_1125" x1="25.1143" y1="16.8492" x2="16.575" y2="2.77815" gradientUnits="userSpaceOnUse">
 <stop stop-color="#28AFEA"/>
 <stop offset="1" stop-color="#3CCBF4"/>
 </linearGradient>
--- a/windows/security/book/index.md
+++ b/windows/security/book/index.md
@ -1,6 +1,6 @@
 ---
-title: Windows security book introduction
-description: Windows security book introduction
+title: Windows 11 security book - Windows security book introduction
+description: Windows 11 security book introduction.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@ -1,6 +1,6 @@
 ---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Encryption and data protection
+description: Operating System security chapter - Encryption and data protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/operating-system-security-network-security.md
+++ b/windows/security/book/operating-system-security-network-security.md
@ -1,6 +1,6 @@
 ---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Network security
+description: Operating System security chapter - Network security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/operating-system-security-system-security.md
+++ b/windows/security/book/operating-system-security-system-security.md
@ -1,6 +1,6 @@
 ---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - System security
+description: Operating System security chapter - System security.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
@ -139,7 +139,7 @@ Config Refresh can also be paused for a configurable period of time, after which
        Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune<sup>[\[7\]](conclusion.md#footnote7)</sup>. Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
    :::column-end:::
    :::column span="2":::
-:::image type="content" source="images/kiosk.png" alt-text="Screenshot of the Windows Security app." border="false" lightbox="images/kiosk.png" :::
+:::image type="content" source="images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="images/kiosk.png" :::
    :::column-end:::
 :::row-end:::

--- a/windows/security/book/operating-system-security-virus-and-threat-protection.md
+++ b/windows/security/book/operating-system-security-virus-and-threat-protection.md
@ -1,11 +1,11 @@
 ---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Virus and threat protection
+description: Operating System security chapter - Virus and threat protection.
 ms.topic: overview
 ms.date: 11/18/2024
 ---

-# Virus and threat protection
+# Virus and threat protection in Windows 11

 :::image type="content" source="images/operating-system.png" alt-text="Diagram containing a list of security features." lightbox="images/operating-system.png" border="false":::

--- a/windows/security/book/operating-system-security.md
+++ b/windows/security/book/operating-system-security.md
@ -1,6 +1,6 @@
 ---
-title: Operating System security
-description: Windows 11 security book - Operating System security chapter.
+title: Windows 11 security book - Operating System security
+description: Operating System security chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/privacy-controls.md
+++ b/windows/security/book/privacy-controls.md
@ -1,6 +1,6 @@
 ---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy controls
+description: Privacy chapter - Privacy controls.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/privacy.md
+++ b/windows/security/book/privacy.md
@ -1,6 +1,6 @@
 ---
-title: Privacy
-description: Windows 11 security book - Privacy chapter.
+title: Windows 11 security book - Privacy
+description: Privacy chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/security-foundation-certification.md
+++ b/windows/security/book/security-foundation-certification.md
@ -1,6 +1,6 @@
 ---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Certification
+description: Security foundation chapter - Certification.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/security-foundation-offensive-research.md
+++ b/windows/security/book/security-foundation-offensive-research.md
@ -1,6 +1,6 @@
 ---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Secure Future Initiative and offensive research
+description: Security foundation chapter - Secure Future Initiative and offensive research.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/security-foundation-secure-supply-chain.md
+++ b/windows/security/book/security-foundation-secure-supply-chain.md
@ -1,6 +1,6 @@
 ---
-title: Secure supply chain
-description: Windows 11 security book - Security foundation chapter - Secure supply chain.
+title: Windows 11 security book - Secure supply chain
+description: Security foundation chapter - Secure supply chain.
 ms.topic: overview
 ms.date: 11/18/2024
 ---
--- a/windows/security/book/security-foundation.md
+++ b/windows/security/book/security-foundation.md
@ -1,14 +1,14 @@
 ---
-title: Security foundation
-description: Windows 11 security book - Security foundation chapter.
+title: Windows 11 security book - Security foundation
+description: Security foundation chapter.
 ms.topic: overview
 ms.date: 11/18/2024
 ---

-# Security foundation
+# Security foundation in Windows 11

 :::image type="content" source="images/security-foundation-cover.png" alt-text="Cover of the security foundation chapter." border="false":::

-Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft’s security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.
+Microsoft is committed to continuously investing in improving the development process, building highly secure-by-design software, and addressing security compliance requirements. Security and privacy considerations informed by offensive research are built into each phase of our product design and software development process. Microsoft's security foundation includes not only our development and certification processes, but also our end-to-end supply chain. The comprehensive Windows 11 security foundation also reflects our deep commitment to principles of security by design and security by default.

 :::image type="content" source="images/security-foundation-on.png" alt-text="Diagram containing a list of security features." lightbox="images/security-foundation.png" border="false":::
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@ -150,7 +150,7 @@
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
        ],
        "book/**/*.md": [
-          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
+          "<a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
        ],
        "hardware-security/**/*.md": [
          "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
@ -251,7 +251,7 @@
        "security-foundations/certification/**/*.md": "paoloma"
      },
      "ms.collection": {
-        "book/*.md": "tier3",
+        "book/*.md": "tier1",
        "identity-protection/hello-for-business/*.md": "tier1",
        "information-protection/pluton/*.md": "tier1",
        "information-protection/tpm/*.md": "tier1",
@ -259,9 +259,6 @@
        "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
        "security-foundations/certification/**/*.md": "tier3",
        "threat-protection/auditing/*.md": "tier3"
-      },
-      "ROBOTS": {
-        "book/*.md": "NOINDEX"
      }
    },
    "template": [],
--- a/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/cloud-only.md
@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business cloud-only deployment guide
 description: Learn how to deploy Windows Hello for Business in a cloud-only deployment scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---

--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust.md
@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business cloud Kerberos trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---

@ -169,8 +169,8 @@ If you deployed Windows Hello for Business using the key trust model, and want t
 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
 1. For Microsoft Entra joined devices, sign out and sign in to the device using Windows Hello for Business

-> [!NOTE]
-> For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.
+  > [!NOTE]
+  > For Microsoft Entra hybrid joined devices, users must perform the first sign in with new credentials while having line of sight to a DC.

 ## Migrate from certificate trust deployment model to cloud Kerberos trust

@ -179,11 +179,11 @@ If you deployed Windows Hello for Business using the key trust model, and want t

 If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps:

-1. Disable the certificate trust policy
-1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings)
-1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context
-1. Sign out and sign back in
-1. Provision Windows Hello for Business using a method of your choice
+1. Disable the certificate trust policy.
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy-settings).
+1. Remove the certificate trust credential using the command `certutil.exe -deletehellocontainer` from the user context.
+1. Sign out and sign back in.
+1. Provision Windows Hello for Business using a method of your choice.

 > [!NOTE]
 > For Microsoft Entra hybrid joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC.
--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust-enroll.md
@ -1,7 +1,7 @@
 ---
 title: Configure and enroll in Windows Hello for Business in a hybrid key trust model
 description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---

--- a/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/hybrid-key-trust.md
@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business hybrid key trust deployment guide
 description: Learn how to deploy Windows Hello for Business in a hybrid key trust scenario.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---

--- a/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
@ -1,5 +1,5 @@
 ---
-ms.date: 06/23/2024
+ms.date: 11/22/2024
 ms.topic: include
 ---

@ -19,3 +19,6 @@ Windows Hello for Business requires users perform multifactor authentication (MF
 For information on available non-Microsoft authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method)

 Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies).
+
+> [!TIP]
+> When you validate the AD FS configuration, verify if you need to update the configuration of user agent strings to support Windows Integrated Authentication (WIA). For more information, see [Change WIASupportedUserAgent settings](/windows-server/identity/ad-fs/operations/configure-ad-fs-browser-wia#change-wiasupporteduseragent-settings).
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
@ -33,14 +33,14 @@ Windows Hello for Business works exclusively with the Active Directory Federatio

 Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.

-1. Open the **Certification Authority** management console
-1. Expand the parent node from the navigation pane
-1. Select **Certificate Templates** in the navigation pane
-1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
-1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
-1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
-   - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
-1. Close the console
+1. Open the **Certification Authority** management console.
+1. Expand the parent node from the navigation pane.
+1. Select **Certificate Templates** in the navigation pane.
+1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue.
+1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority.
+1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list.
+   - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation.
+1. Close the console.

 ## Configure the certificate registration authority

@ -55,7 +55,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
   ```

 >[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
+> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (_certtmpl.msc_). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.

 ### Enrollment agent certificate lifecycle management

@ -89,18 +89,18 @@ For detailed information about the certificate, use `Certutil -q -v <certificate
 > [!div class="checklist"]
 > Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 >
-> - Configure an enrollment agent certificate template
-> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
-> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
-> - Confirm you properly configured the Windows Hello for Business authentication certificate template
-> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities
-> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template
-> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet
-> Confirm you restarted the AD FS service
-> - Confirm you properly configured load-balancing (hardware or software)
-> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address
-> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server
-> - Confirm you have deployed a MFA solution for AD FS
+> - Configure an enrollment agent certificate template.
+> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template.
+> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
+> - Confirm you properly configured the Windows Hello for Business authentication certificate template.
+> - Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
+> - Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
+> - Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
+> - Confirm you restarted the AD FS service.
+> - Confirm you properly configured load-balancing (hardware or software).
+> - Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address.
+> - Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server.
+> - Confirm you have deployed a MFA solution for AD FS.

 > [!div class="nextstepaction"]
 > [Next: configure and enroll in Windows Hello for Business >](on-premises-cert-trust-enroll.md)
--- a/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-adfs.md
@ -1,7 +1,7 @@
 ---
 title: Configure Active Directory Federation Services in an on-premises key trust model
 description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business key trust model.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: tutorial
 ---

--- a/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
+++ b/windows/security/identity-protection/hello-for-business/deploy/prepare-users.md
@ -1,7 +1,7 @@
 ---
 title: Prepare users to provision and use Windows Hello for Business
 description: Learn how to prepare users to enroll and to use Windows Hello for Business.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: end-user-help
 ---

--- a/windows/security/identity-protection/hello-for-business/dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@ -1,7 +1,7 @@
 ---
 title: Dual enrollment
 description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 05/06/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---

@ -40,7 +40,7 @@ Active Directory Domain Services uses `AdminSDHolder` to secure privileged users

 Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.

-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object.

    ```cmd
    dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
@ -52,21 +52,21 @@ Sign in to a domain controller or management workstation with access equivalent
    dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
    ```

-1. To trigger security descriptor propagation, open `ldp.exe`
-1. Select **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
-1. Select **Connection** and select **Bind...**  Select **OK** to bind as the currently signed-in user
-1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
-1. Select **Run** to start the task
-1. Close LDP
+1. To trigger security descriptor propagation, open `ldp.exe`.
+1. Select **Connection** and select **Connect...**  Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**.
+1. Select **Connection** and select **Bind...**  Select **OK** to bind as the currently signed-in user.
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**.
+1. Select **Run** to start the task.
+1. Close LDP.

 ### Configure dual enrollment with group policy

 You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:

-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
-1. Edit the Group Policy object from step 1
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
+1. Edit the Group Policy object from step 1.
 1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
-1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
-1. Restart computers targeted by this Group Policy object
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
+1. Restart computers targeted by this Group Policy object.

-The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
+   The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@ -1,7 +1,7 @@
 ---
 title: Windows Hello for Business known deployment issues
 description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues.
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ms.topic: troubleshooting
 ---

--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@ -2,7 +2,7 @@
 title: Windows Hello errors during PIN creation
 description: Learn about the Windows Hello error codes that might happen during PIN creation.
 ms.topic: troubleshooting
-ms.date: 03/12/2024
+ms.date: 11/22/2024
 ---

 # Windows Hello errors during PIN creation
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@ -1,7 +1,7 @@
 ---
 title: Dynamic lock
 description: Learn how to configure dynamic lock on Windows devices via group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---

@ -19,33 +19,33 @@ You can configure Windows devices to use the **dynamic lock** using a Group Poli
 1. Enable the **Configure dynamic lock factors** policy setting located under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
 1. Close the Group Policy Management Editor to save the Group Policy object.

-The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:
+   The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value:

-```xml
-<rule schemaVersion="1.0">
+    ```xml
+     <rule schemaVersion="1.0">
     <signal type="bluetooth" scenario="Dynamic Lock" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
-</rule>
-```
+     </rule>
+    ```

->[!IMPORTANT]
->Microsoft recommends using the default values for this policy settings.  Measurements are relative based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.
+  >[!IMPORTANT]
+  >Microsoft recommends using the default values for this policy settings. Measurements are relative based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.

-For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:
+  For this policy setting, the `type` and `scenario` attribute values are static and can't change. The `classofDevice` is configurable but Phone is the only currently supported configuration. The attribute defaults to Phone and uses the values from the following table:

-|Description|Value|
-|:-------------|:-------:|
-|Miscellaneous|0|
-|Computer|256|
-|Phone|512|
-|LAN/Network Access Point|768|
-|Audio/Video|1024|
-|Peripheral|1280|
-|Imaging|1536|
-|Wearable|1792|
-|Toy|2048|
-|Health|2304|
-|Uncategorized|7936|
+  |Description|Value|
+  |:-------------|:-------:|
+  |Miscellaneous|0|
+  |Computer|256|
+  |Phone|512|
+  |LAN/Network Access Point|768|
+  |Audio/Video|1024|
+  |Peripheral|1280|
+  |Imaging|1536|
+  |Wearable|1792|
+  |Toy|2048|
+  |Health|2304|
+  |Uncategorized|7936|

-The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*.  The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
+  The `rssiMin` attribute value signal indicates the strength needed for the device to be considered *in-range*. The default value of `-10` enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The `rssiMaxDelta` has a default value of `-10`, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.

-RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
+  RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@ -1,7 +1,7 @@
 ---
 title: Use Certificates to enable SSO for Microsoft Entra join devices
 description: If you want to use certificates for on-premises single-sign on for Microsoft Entra joined devices, then follow these additional steps.
-ms.date: 04/24/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---

@ -62,21 +62,21 @@ To include the on-premises distinguished name in the certificate's subject, Micr

 Sign-in to computer running Microsoft Entra Connect with access equivalent to *local administrator*.

-1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder
-1. In the **Synchronization Service Manager**, select **Help** and then select **About**
-1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version
+1. Open **Synchronization Services** from the **Microsoft Entra Connect** folder.
+1. In the **Synchronization Service Manager**, select **Help** and then select **About**.
+1. If the version number isn't **1.1.819** or later, then upgrade Microsoft Entra Connect to the latest version.

 ### Verify the onPremisesDistinguishedName attribute is synchronized

 The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph.

-1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer)
-1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials
+1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. Select **Sign in to Graph Explorer** and provide Microsoft Entra ID credentials.

   > [!NOTE]
   > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?) must be granted
 1. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You'll now be prompted for delegated permissions consent
-1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**
+1. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Microsoft Entra ID. Select **Run query**.

   > [!NOTE]
   > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
   GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName
   ```

-1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**
+1. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute isn't synchronized the value will be **null**.

   #### Response
   <!-- {
@ -119,23 +119,23 @@ The deployment uses the **NDES Servers** security group to assign the NDES servi

 Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.

-1. Open **Active Directory Users and Computers**
-1. Expand the domain node from the navigation pane
-1. Right-click the **Users** container. Hover over **New** and select **Group**
-1. Type **NDES Servers** in the **Group Name** text box
-1. Select **OK**
+1. Open **Active Directory Users and Computers**.
+1. Expand the domain node from the navigation pane.
+1. Right-click the **Users** container. Hover over **New** and select **Group**.
+1. Type **NDES Servers** in the **Group Name** text box.
+1. Select **OK**.

 ### Add the NDES server to the NDES Servers global security group

 Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.

-1. Open **Active Directory Users and Computers**
-1. Expand the domain node from the navigation pane
-1. Select **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Select **Add to a group**
-1. Type **NDES Servers** in **Enter the object names to select**. Select **OK**. Select **OK** on the **Active Directory Domain Services** success dialog
+1. Open **Active Directory Users and Computers**.
+1. Expand the domain node from the navigation pane.
+1. Select **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Select **Add to a group**.
+1. Type **NDES Servers** in **Enter the object names to select**. Select **OK**. Select **OK** on the **Active Directory Domain Services** success dialog.

-> [!NOTE]
-> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+   > [!NOTE]
+   > For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.

 ### Create the NDES Service Account

@ -143,10 +143,10 @@ The Network Device Enrollment Services (NDES) role runs under a service account.

 Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.

-1. In the navigation pane, expand the node that has your domain name. Select **Users**
-1. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in  **Full Name** and **User logon name**. Select **Next**
-1. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Select **Next**
-1. Select **Finish**
+1. In the navigation pane, expand the node that has your domain name. Select **Users**.
+1. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in  **Full Name** and **User logon name**. Select **Next**.
+1. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Select **Next**.
+1. Select **Finish**.

 > [!IMPORTANT]
 > Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
@ -159,16 +159,16 @@ Sign-in a domain controller or management workstations with *Domain Admin* equiv

 1. Start the **Group Policy Management Console** (gpmc.msc)

-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Right-click **Group Policy object** and select **New**
-1. Type **NDES Service Rights** in the name box and select **OK**
-1. In the content pane, right-click the **NDES Service Rights** Group Policy object and select **Edit**
-1. In the navigation pane, expand **Policies** under **Computer Configuration**
-1. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**
-1. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** twice
-1. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** twice
-1. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** three times
-1. Close the **Group Policy Management Editor**
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+1. Right-click **Group Policy object** and select **New**.
+1. Type **NDES Service Rights** in the name box and select **OK**.
+1. In the content pane, right-click the **NDES Service Rights** Group Policy object and select **Edit**.
+1. In the navigation pane, expand **Policies** under **Computer Configuration**.
+1. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
+1. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** twice.
+1. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** twice.
+1. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and select **OK**. Select **Add User or Group...**. In the **Add User or Group** dialog box, select **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Select **OK** three times.
+1. Close the **Group Policy Management Editor**.

 ### Configure security for the NDES Service User Rights Group Policy object

@ -176,11 +176,11 @@ The best way to deploy the **NDES Service User Rights** Group Policy object is t

 Sign-in to a domain controller or management workstation with access equivalent to *domain administrator*.

-1. Start the **Group Policy Management Console** (gpmc.msc)
-1. Expand the domain and select the **Group Policy Object** node in the navigation pane
-1. Double-click the **NDES Service User Rights** Group Policy object
-1. In the **Security Filtering** section of the content pane, select **Add**. Type **NDES Servers** or the name of the security group you previously created and select **OK**
-1. Select the **Delegation** tab. Select **Authenticated Users** and select **Advanced**
+1. Start the **Group Policy Management Console** (gpmc.msc).
+1. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+1. Double-click the **NDES Service User Rights** Group Policy object.
+1. In the **Security Filtering** section of the content pane, select **Add**. Type **NDES Servers** or the name of the security group you previously created and select **OK**.
+1. Select the **Delegation** tab. Select **Authenticated Users** and select **Advanced**.
 1. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Select **OK**

 ### Deploy the NDES Service User Rights Group Policy object
@ -228,20 +228,20 @@ NDES uses a server authentication certificate to authenticate the server endpoin

 Sign-in to the issuing certificate authority or management workstations with *Domain Admin* equivalent credentials.

-1. Open the **Certificate Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and select **Duplicate Template**
-1. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs
+1. Open the **Certificate Authority** management console.
+1. Right-click **Certificate Templates** and select **Manage**.
+1. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and select **Duplicate Template**.
+1. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.

   > [!NOTE]
-   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab
-1. On the **Subject** tab, select **Supply in the request**
-1. On the **Cryptography** tab, validate the **Minimum key size** is **2048**
-1. On the **Security** tab, select **Add**
-1. Select **Object Types**, then in the window that appears, choose **Computers** and select **OK**
-1. Type **NDES server** in the **Enter the object names to select** text box and select **OK**
-1. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes aren't already cleared. Select **OK**
-1. Select on the **Apply** to save changes and close the console
+   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+1. On the **Subject** tab, select **Supply in the request**.
+1. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
+1. On the **Security** tab, select **Add**.
+1. Select **Object Types**, then in the window that appears, choose **Computers** and select **OK**.
+1. Type **NDES server** in the **Enter the object names to select** text box and select **OK**.
+1. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes aren't already cleared. Select **OK**.
+1. Select on the **Apply** to save changes and close the console.

 ### Create a Microsoft Entra joined Windows Hello for Business authentication certificate template

@ -249,21 +249,21 @@ During Windows Hello for Business provisioning,  Windows requests an authenticat

 Sign in a certificate authority or management workstations with *Domain Admin equivalent* credentials.

-1. Open the **Certificate Authority** management console
-1. Right-click **Certificate Templates** and select **Manage**
-1. Right-click the **Smartcard Logon** template and choose **Duplicate Template**
-1. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list
-1. On the **General** tab, type **ENTRA JOINED WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs
+1. Open the **Certificate Authority** management console.
+1. Right-click **Certificate Templates** and select **Manage**.
+1. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+1. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certificate Recipient** list.
+1. On the **General** tab, type **ENTRA JOINED WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.

   > [!NOTE]
   > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment
-1. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list
-1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**
-1. On the **Subject** tab, select **Supply in the request**
-1. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**
-1. On the **Security** tab, select **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and select **OK**
-1. Select  **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared. Select **OK**
-1. Close the console
+1. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+1. On the **Subject** tab, select **Supply in the request**.
+1. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
+1. On the **Security** tab, select **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and select **OK**.
+1. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes aren't already cleared. Select **OK**.
+1. Close the console.

 ### Publish certificate templates

--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@ -1,7 +1,7 @@
 ---
 title: Configure single sign-on (SSO) for Microsoft Entra joined devices
 description: Learn how to configure single sign-on to on-premises resources for Microsoft Entra joined devices, using Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---

@ -150,14 +150,16 @@ The web server is ready to host the CRL distribution point. Now, configure the i
 1. In the navigation pane, right-click the name of the certificate authority and select **Properties**
 1. Select **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list
 1. On the **Extensions** tab, select **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**. For example, `<http://crl.corp.contoso.com/cdp/>` or `<http://crl.contoso.com/cdp/>` (don't forget the trailing forward slash)
+
   ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png)
-1. Select **\<CaName>** from the **Variable** list and select **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and select **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and select **Insert**
-1. Type **.crl** at the end of the text in **Location**. Select **OK**
-1. Select the CDP you just created
+1. Select **\<CaName>** from the **Variable** list and select **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and select **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and select **Insert**.
+1. Type **.crl** at the end of the text in **Location**. Select **OK**.
+1. Select the CDP you just created.
+
    ![CDP complete http.](images/aadj/cdp-extension-complete-http.png)
-1. Select **Include in CRLs. Clients use this to find Delta CRL locations**
-1. Select **Include in the CDP extension of issued certificates**
-1. Select **Apply** save your selections. Select **No** when ask to restart the service
+1. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
+1. Select **Include in the CDP extension of issued certificates**.
+1. Select **Apply** save your selections. Select **No** when ask to restart the service.

 > [!NOTE]
 > Optionally, you can remove unused CRL distribution points and publishing locations.
@ -170,7 +172,8 @@ The web server is ready to host the CRL distribution point. Now, configure the i
 1. On the **Extensions** tab, select **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (don't forget the trailing backwards slash)
 1. Select **\<CaName>** from the **Variable** list and select **Insert**. Select **\<CRLNameSuffix>** from the **Variable** list and select **Insert**. Select **\<DeltaCRLAllowed>** from the **Variable** list and select **Insert**
 1. Type **.crl** at the end of the text in **Location**. Select **OK**
-1. Select the CDP you just created
+1. Select the CDP you just created.
+
    ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
 1. Select **Publish CRLs to this location**
 1. Select **Publish Delta CRLs to this location**
@ -178,10 +181,10 @@ The web server is ready to host the CRL distribution point. Now, configure the i

 #### Publish a new CRL

-1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
 1. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and select **Publish**
-    ![Publish a New CRL.](images/aadj/publish-new-crl.png)
-1. In the **Publish CRL** dialog box, select **New CRL** and select **OK**
+    ![Publish a New CRL.](images/aadj/publish-new-crl.png).
+1. In the **Publish CRL** dialog box, select **New CRL** and select **OK**.

 #### Validate CDP Publishing

--- a/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-authentication.md
@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business authentication works
 description: Learn about the Windows Hello for Business authentication flows.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: reference
 ---
 # Windows Hello for Business authentication
@ -19,11 +19,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
 |B | The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID.|
 |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. Microsoft Entra ID then validates the returned signed nonce, and creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
 |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
-|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Cloud AP provider returns a successful authentication response to LSASS. LSASS caches the PRT, and informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|

 ## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust

@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in LSASS, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller.
 |B | After locating a domain controller, the Kerberos provider sends a partial TGT that it received from Microsoft Entra ID from a previous Microsoft Entra authentication to the domain controller. The partial TGT contains only the user SID, and it's signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client.|

 ## Microsoft Entra join authentication to Active Directory using a key
@ -40,9 +40,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in LSASS, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates a domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.|

 > [!NOTE]
 > You might have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Microsoft Entra joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
@ -53,9 +53,9 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
+|A | Authentication to Active Directory from a Microsoft Entra joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in LSASS, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos preauthentication data.|
 |B | The Kerberos provider sends the signed preauthentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.|

 > [!NOTE]
 > You may have an on-premises domain federated with Microsoft Entra ID. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Microsoft Entra ID to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
@ -66,11 +66,11 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, LSASS passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.
 |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Microsoft Entra ID.
 |C | Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Microsoft Entra Kerberos and returns them to Cloud AP.
-|D | Cloud AP  receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
-|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests. Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|D | Cloud AP  receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to LSASS. LSASS caches the PRT and the Partial TGT.
+|E | The Kerberos security support provider, hosted in LSASS, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a domain controller. After locating an active domain controller, the Kerberos provider sends the partial TGT that it received from Microsoft Entra ID to the domain controller. The partial TGT contains only the user SID and is signed by Microsoft Entra Kerberos. The domain controller verifies that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests. LSASS informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|

 ## Microsoft Entra hybrid join authentication using a key

@ -78,13 +78,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
 |B | The Kerberos provider sends the signed preauthentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed preauthentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
-|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
-|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
-|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+|D | After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.|
+|E | LSASS informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|F | While Windows loads the user's desktop, LSASS passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
+|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to LSASS. LSASS caches the PRT.|

 > [!IMPORTANT]
 > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Microsoft Entra Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
@ -95,13 +95,13 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in

 | Phase  | Description  |
 | :----: | :----------- |
-|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
+|A | Authentication begins when the user dismisses the lock screen, which triggers Winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to Winlogon. Winlogon passes the collected credentials to LSASS. LSASS passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
 |B | The Kerberos provider sends the signed preauthentication data and  user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate isn't self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and hasn't been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed preauthentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
 |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it hasn't been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
-|D | After passing this criteria, Kerberos returns the TGT to lsass, where it's cached and used for subsequent service ticket requests.|
-|E | Lsass informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
-|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
-|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+|D | After passing this criteria, Kerberos returns the TGT to LSASS, where it's cached and used for subsequent service ticket requests.|
+|E | LSASS informs Winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|F | While Windows loads the user's desktop, LSASS passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Microsoft Entra ID. Microsoft Entra ID returns a nonce.|
+|G |  The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Microsoft Entra ID. Microsoft Entra ID validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Microsoft Entra ID then validates the returned signed nonce. After validating the nonce, Microsoft Entra ID creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to LSASS. LSASS caches the PRT.|

 > [!IMPORTANT]
-> In the above deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
+> In this deployment model, a **newly provisioned** user will not be able to sign in using Windows Hello for Business unless the device has line of sight to the domain controller.
--- a/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works-provisioning.md
@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business provisioning works
 description: Learn about the provisioning flows for Windows Hello for Business.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: reference
 appliesto:
 ---
--- a/windows/security/identity-protection/hello-for-business/how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/how-it-works.md
@ -1,7 +1,7 @@
 ---
 title: How Windows Hello for Business works
 description: Learn how Windows Hello for Business works, and how it can help you protect your organization.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: concept-article
 ---

--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@ -2,7 +2,7 @@
 title: Windows Hello for Business overview
 description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
 ms.topic: overview
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ---

 # Windows Hello for Business
--- a/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/multifactor-unlock.md
@ -1,7 +1,7 @@
 ---
 title: Multi-factor unlock
 description: Learn how to configure Windows Hello for Business multi-factor unlock by extending Windows Hello with trusted signals.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---

--- a/windows/security/identity-protection/hello-for-business/pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/pin-reset.md
@ -1,7 +1,7 @@
 ---
 title: PIN reset
 description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN, and how to configure it.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---

@ -13,8 +13,8 @@ This article describes how *Microsoft PIN reset service* enables your users to r

 Windows Hello for Business provides the capability for users to reset forgotten PINs. There are two forms of PIN reset:

- *Destructive PIN reset*: the user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration
- *Non-destructive PIN reset*: the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For nondestructive PIN reset, you must deploy the *Microsoft PIN reset service* and configure your clients' policy to enable the *PIN recovery* feature
+- *Destructive PIN reset*: The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, are deleted from the client and a new sign in key and PIN are provisioned. Destructive PIN reset is the default option, and doesn't require configuration.
+- *Non-destructive PIN reset*: The user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed. For nondestructive PIN reset, you must deploy the *Microsoft PIN reset service* and configure your clients' policy to enable the *PIN recovery* feature.

 ## How nondestructive PIN reset works

--- a/windows/security/identity-protection/hello-for-business/policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/policy-settings.md
@ -2,7 +2,7 @@
 title: Windows Hello for Business policy settings
 description: Learn about the policy settings to configure Configure Windows Hello for Business.
 ms.topic: reference
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ---

 # Windows Hello for Business policy settings
--- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md
+++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md
@ -1,7 +1,7 @@
 ---
 title: WebAuthn APIs
 description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps.
-ms.date: 04/23/2024
+ms.date: 11/22/2024
 ms.topic: how-to
 ---
 # WebAuthn APIs for passwordless authentication on Windows
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@ -2,7 +2,7 @@
 title: Remote Credential Guard
 description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
 ms.topic: how-to
-ms.date: 03/12/2024
+ms.date: 11/11/2024
 appliesto:
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
 - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>