chore: Update section titles for enhanced sign-in security, personal data encryption, assigned access, configuration lock, and DNS security

This commit is contained in:
Paolo Matarazzo 2024-07-29 16:53:03 -04:00
parent 402b8cd940
commit fc6e72485d
6 changed files with 10 additions and 10 deletions

@ -35,15 +35,15 @@ In combination with Microsoft Intune, Microsoft Entra ID offers powerful securit
Every Windows device has a built-in local administrator account that must be secured and protected to mitigate any Pass-the-Hash (PtH) and lateral traversal attacks. Many customers have been using our standalone, on-premises Windows Local Administrator Password Solution (LAPS) to manage their domain-joined Windows machines. We heard from many customers that LAPS support was needed as they modernized their Windows environment to join directly to Microsoft Entra ID.
### Microsoft Entra Private Access ###
### Microsoft Entra Private Access
Microsoft Entra Private Access unlocks the ability to specify the fully qualified domain names (FQDNs) and IP addresses that you consider private or internal, so you can manage how your organization accesses them. With Private Access, you can modernize how your organization's users access private apps and resources. Remote workers don't need to use a VPN to access these resources if they have the Global Secure Access Client installed. The client quietly and seamlessly connects them to the resources they need.
### Microsoft Entra Internet Access ###
### Microsoft Entra Internet Access
Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
> [!Note]
> [!NOTE]
> Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires Microsoft Entra ID and Microsoft Entra Joined devices and for deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide for Microsoft Entra Internet Access Proof of Concept](/entra/architecture/sse-deployment-guide-internet-access).
Both these features use a new [Global Secure Access client for Windows](/entra/global-secure-access/how-to-install-windows-client), deployed on the desktop, that secure and control the feature.
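Review bot: the context lines around the `[!Note]` → `[!NOTE]` fix carry two subject-verb errors that this hunk leaves in place: "Both Microsoft Entra Private Access and Microsoft Entra Internet Access requires" should read "require", and "that secure and control the feature" should read "that secures and controls these features". While touching the note, split its two thoughts: "...require Microsoft Entra ID and Microsoft Entra joined devices. For deployment, refer to [Microsoft's Security Service Edge Solution Deployment Guide...]". The removal of the trailing `###` on both headings is correct and matches the rest of the file.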

@ -77,7 +77,7 @@ System Management Mode (SMM) isolation is an execution mode in x86-based process
- [Dynamic Root of Trust measure and SMM isolation](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
- [Secured-core PC firmware protection](/windows-hardware/design/device-experiences/oem-highly-secure-11)
### Secured-core PC configuration lock
### Configuration lock
In many organizations, IT administrators enforce policies on their corporate devices to protect the OS and keep devices in a compliant state by preventing users from changing configurations and creating configuration drift. Configuration drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a noncompliant state can be vulnerable until the next sync, when configuration is reset with the mobile device management (MDM) solution. Secured-core PC configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With config lock, the OS monitors the registry keys that are supported and reverts to the IT-desired SCPC state in seconds after detecting a drift.
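Review bot: shortening the heading to "Configuration lock" leaves the paragraph using three names for one feature ("Secured-core PC configuration lock", "config lock", and the heading's "Configuration lock"); give the full name once and use a single short form afterwards, e.g. "Configuration lock is a Secured-core PC (SCPC) feature that prevents users from making unwanted changes to security settings. With configuration lock, the OS monitors...". Since the heading no longer signals the SCPC prerequisite, consider moving that sentence ahead of the configuration-drift explanation so the requirement is the first thing a reader sees.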

@ -78,7 +78,7 @@ If a peripheral camera is attached to the device after enrollment, that camera w
- [Windows Hello biometric requirements][LINK-4]
## Windows Hello Enhanced Sign-in Security
## Enhanced Sign-in Security (ESS)
Windows Hello biometrics also supports Enhanced Sign-in Security, which uses specialized hardware and software components to raise the security bar even higher for biometric sign-in.
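Review bot: the new heading introduces the abbreviation "(ESS)" but the paragraph below never uses it; either drop it from the heading or define it in the text on first use ("Windows Hello biometrics also supports Enhanced Sign-in Security (ESS), which uses...") so the abbreviation has a purpose. Dropping "Windows Hello" from the heading is fine because the first sentence still ties ESS to Windows Hello biometrics.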

@ -54,7 +54,7 @@ Encrypted hard drives enable:
- [Encrypted hard drive](../operating-system-security/data-protection/encrypted-hard-drive.md)
## Personal data encryption
## Personal data encryption (PDE)
Personal Data Encryption refers to a new user authenticated encryption mechanism used to protect user content. Windows Hello for Business is the modern user authentication mechanism, which is used with PDE. Windows Hello for Business, either with PIN or biometrics (face or fingerprint), is used to protect the container, which houses the encryption keys used by Personal Data Encryption (PDE). When the user logs in (either after bootup or unlocking after a lock screen), the container gets authenticated to release the keys in the container to decrypt user content.
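Review bot: with "(PDE)" now in the heading, the paragraph still expands the abbreviation only at its third mention ("used by Personal Data Encryption (PDE)") and capitalizes the term differently from the heading ("Personal Data Encryption" versus "Personal data encryption"). Move the "(PDE)" definition to the first sentence, use "PDE" thereafter, and settle on one capitalization across heading and body. Also hyphenate "user authenticated encryption mechanism" as "user-authenticated encryption mechanism".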

@ -21,7 +21,7 @@ In enterprise environments, network protection works best with Microsoft Defende
- [How to protect your network](/defender-endpoint/network-protection)
## Transport layer security (TLS)
## Transport Layer Security (TLS)
Transport Layer Security (TLS) is the internet's most deployed security protocol, encrypting data in transit to provide a secure communication channel between two endpoints. Windows defaults to the latest protocol versions and strong cipher suites unless policies are in effect to limit them. There are many extensions available, such as client authentication for enhanced server security and session resumption for improved application performance.
@ -36,7 +36,7 @@ Legacy protocol versions TLS 1.0 and 1.1 are officially deprecated and will be d
- [TLS/SSL overview (Schannel SSP)](/windows-server/security/tls/tls-ssl-schannel-ssp-overview)
- [TLS 1.0 and TLS 1.1 soon to be disabled in Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/bc-p/3894928/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExMM0hCN0VURDk3OU9OfDM4OTQ5Mjh8U1VCU0NSSVBUSU9OU3xoSw#M6180)
## DNS security
## Domain Name System (DNS) security
In Windows 11, the Windows DNS client supports DNS over HTTPS and DNS over TLS, two encrypted DNS protocols. These allow administrators to ensure their devices protect their
name queries from on-path attackers, whether they are passive observers logging browsing behavior or active attackers trying to redirect clients to malicious sites. In a Zero Trust
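Review bot: the paragraph under the renamed "Domain Name System (DNS) security" heading is hard-wrapped mid-sentence ("protect their" / "name queries from on-path attackers"), unlike every other paragraph touched by this commit, which sits on a single line; join the lines so the paragraph renders as one block and future diffs stay readable. The hunk's trailing context ends mid-sentence at "In a Zero Trust", so the wrapping continues beyond what is shown here and the whole paragraph should be checked.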

@ -107,9 +107,9 @@ All auditing categories are disabled when Windows is first installed. Before ena
- [Security policy settings](/windows/security/threat-protection/security-policy-settings/security-policy-settings)
- [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview)
## Assigned Access
## Assigned Access and Shell Launcher (kiosk mode)
With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device in Kiosk Mode is a straightforward process. You can do this locally on the device or remotely using modern device management.
With Assigned Access, Windows devices restrict functionality to pre-selected applications depending on the user and keep individual identities separate, which is ideal for public-facing or shared devices. Configuring a device as a kiosk is a straightforward process. You can do this locally on the device or remotely using mobile device management.
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:**
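Review bot: the heading now names Shell Launcher, but the paragraph only describes Assigned Access; either add a sentence introducing Shell Launcher and how it differs from Assigned Access, or keep the heading to "Assigned Access (kiosk mode)". The wording changes in the body ("Kiosk Mode" → "kiosk", "modern device management" → "mobile device management") are improvements, but the configuration lock file in this same commit writes "mobile device management (MDM)" on first mention; use the same form here for consistency.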