diff --git a/.DS_Store b/.DS_Store index 098daf36..69dbc326 100644 Binary files a/.DS_Store and b/.DS_Store differ diff --git a/README.md b/README.md index 293460e3..bc2e8139 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,42 @@ -# Home +# Overview Welcome to the SEED documentation! - -## Supported browsers and Operating Systems (OS) -Ensure you are using one of the supported browsers and operating systems before getting started with SEED: +Before you begin the process of onboarding your Internet Device to SEED, you need meet the necessary prerequisites. These prerequisites are vital for a successful onboarding experience. -**Supported browsers**: +![onboarding](/images/onboarding-image.png) -- Google Chrome -- Safari -- Microsoft Edge -- Mozilla Firefox (Configuration needed, [learn more](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox)) +> **Note**: Each user can onboard **only one device** to SEED. -**Supported Operating Systems (OS)**: +## Supported browsers and operating systems + +Supported browsers: + + - Google Chrome + - Microsoft Edge + - Mozilla Firefox. If you are using Mozilla Firefox, you need to [configure Firefox to trust the root certificate store of your system](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox). + - Safari + +Supported operating system: + +!> **Important** +Windows 10 will reach end of life on **14 October 2025**. +Access to SGTS and GCC will be blocked from **15 October 2025**. +Onboarding of Windows 10 devices will stop from **19 September 2025**. + +| **Operating system** | **Version supported** | +|---|---| +| **macOS 26** | 26.0.0 | +| **macOS 15** | 15.6.1
**Note**: If you encounter issues accessing SGTS or GCC services after the update, please ensure that [FDA is enabled](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/post-onboarding-instructions/macos-latest?id=ensure-full-disk-access-fda-is-enabled-for-seed-components) and reboot your device.
Do **not** install unsupported versions of macOS unless explicitly communicated via email by the SEED team.| +| **macOS 14** | 14.7.8 | +| **macOS 13** | 13.7.8 | +| **Windows 10** | 1507 (LTSC only, build 10240, minimally revision 21128)
1607 (LTSC only, build 14393, minimally revision 8442)
1809 (LTSC only, build 17763, minimally revision 7792)
21H2 (LTSC only, build 19044, minimally revision 6332)
22H2 (build 19045, minimally revision 6332) | +| **Windows 11** | 22H2 (build 22621, minimally revision 5909)
23H2 (build 22631, minimally revision 5909)
24H2 (build 26100, minimally revision 6584)
25H2 (build 26200, minimally revision 6584) | + + +> **Note**: +> Admin privilege is required to onboard to SEED. -- macOS 13, 14 and 15 -- Windows 10 and 11 (Pro and Enterprise) ## Popular topics diff --git a/_sidebar.md b/_sidebar.md index c58668a8..dd8cde06 100644 --- a/_sidebar.md +++ b/_sidebar.md @@ -10,8 +10,13 @@ - [Onboard as a public officer](/onboard-device/public-officer) - [Onboard as a vendor](onboard-device/vendor) - Post onboarding steps - - [macOS 14 and 13 post onboarding guide](/post-onboarding-instructions/macos-latest.md) + - [macOS post onboarding guide](/post-onboarding-instructions/macos-latest.md) - [Windows post onboarding guide](/post-onboarding-instructions/windows.md) +- macOS Platform SSO + - [Set up Secure Enclave](set-up-secure-enclave.md) +- SEED+ + - [CyberArk dialogs and permissions (Users)](seed-plus/cyberark-dialog.md) + - [Approval guide (PoC)](seed-plus/poc-approver-guide.md) - Monitor using SEED Dashboard - [SEED Dashboard overview](/seed-dashboard/seed-dashboard-overview.md) - [SEED Dashboard tour](/seed-dashboard/seed-dashboard-tour.md) 
@@ -24,11 +29,16 @@ - [Onboarding FAQ](/faqs/onboarding-faq.md) - [Offboarding FAQ](/faqs/offboarding-faq.md) - [GCC 1.0 connectivity FAQ](/faqs/gcc1-connectivity-faq.md) +- Update schedule + - [Patching schedule (OS updates)](update-schedule/os-patching-schedule.md) - Support - - [Raise a service request](/support/raise-service-request.md) - - [Troubleshooting issues](/support/troubleshooting-issues.md) + - [Cloudflare Certificate Update FAQ](/support/cloudflare-cert-update-guide.md) + - [Configuration of Common Tools FAQ](/support/configuration-of-common-developer-cli-tools-with-cloudflare-warp-guide.md) + - [Security hardening list](/support/hardening-list.md) - [Generate diagnostic files](/support/generate-diagnostic-files) + - [Troubleshooting issues](/support/troubleshooting-issues.md) - [View SEED service status](/support/seed-status.md) + - [Raise a service request](/support/raise-service-request.md) - Additional resources - [Best practices](/additional-resources/best-practices.md) - [Split tunnel allowlisting](additional-resources/split-tunnel-allowlist) diff --git a/announcements.md b/announcements.md index c3c609c2..3805a6be 100644 --- a/announcements.md +++ b/announcements.md @@ -2,11 +2,25 @@ |
Date
| Announcement | | --- | --- | +| 19 September 2025 | **Windows 10 end of life (EOL)**

Windows 10 will reach **end of life on 14 October 2025**.

**Impact:**
- Access to **SGTS** and **GCC** will be blocked from **15 October 2025**.
- Onboarding of Windows 10 devices will stop from **19 September 2025**.

Please plan your device upgrades accordingly.

For assistance, contact **enquiries_seed@tech.gov.sg**. | +| 13 August 2025 | **Cloudflare connection issue**

Users may encounter **Cloudflare connection** or **certificate errors** when using SEED.

**Impact:**
- Some users may be **unable to connect** or may see a security warning.
- The **SEED team is aware** and is currently investigating the issue.

We apologise for the inconvenience and will provide updates as soon as the service is restored.

For assistance, contact **enquiries_seed@tech.gov.sg**.| +| 23 July 2025 | **Scheduled maintenance for Tanium servers**

We will be performing a scheduled upgrade of the **Tanium servers** to ensure continued performance and reliability.

**Maintenance window:**
- **Date:** 31 July 2025 (Thursday)
- **Time:** 6:00 PM to 9:00 PM (SGT)

**Impact:**
- **SEED onboarding will be temporarily unavailable** during this period. Users are advised to plan onboarding activities **outside this window**.
- **Access to SGTS applications** for already onboarded users will **not be affected**.

If you encounter issues after the maintenance, please create an [incident support request](https://go.gov.sg/seed-techpass-support). | +| 22 July 2025 | **Temporary onboarding limitation for public officers**

Public officers under Whole-of-Government (WoG) are currently **unable to onboard new SEED devices**.

**Impact:**
- Existing SEED usersare **not affected**.
- **Vendors** onboarding new SEED devices are **not affected**.

The SEED team is aware of the issue and is investigating. Updates will be provided as they become available.

For assistance, contact **enquiries_seed@tech.gov.sg**. | +| 24 June 2025 | Starting from **July 2025**, OS updates will be automatically pushed on a **fixed schedule — every 3rd Tuesday of the month**. The first two scheduled update dates are **15 July 2025** and **19 August 2025**.

As a one-time exception, the OS update for **June 2025** will commence on **24 June 2025 (Tuesday of the 4th week)** instead of following the standard schedule.

**Update window:**
- Updates will be pushed between **8:00 AM and 5:00 PM (SGT)**.
- Devices may **auto-reboot** to complete the update. Users are advised to **save work** beforehand to prevent data loss.

**Impact:**
- Users with unpatched devices will be notified daily.
- Devices not patched in time may be **blocked from accessing SGTS and GCC services**.

**No user action is required during the update process.**

For details on supported OS versions and the update calendar, refer to the [update schedule documentation](/update-schedule/os-patching-schedule.md).

For queries, please contact us at **enquiries_seed@tech.gov.sg**. | +| 02 June 2025 | **SEED onboarding issue**

Please note that we are aware of the issue where users are encountering errors while onboarding devices to SEED.

The SEED support team is actively investigating and working towards resolving the issue. We will provide timely updates as progress is made.

**Impact:**
- Users may experience failures or errors during the onboarding process.

For assistance or to report issues, please contact **enquiries_seed@tech.gov.sg**. | +| 21 May 2025 | SEED team will be conducting scheduled server maintenance on **21 May 2025, Wednesday, from 6:00 PM SGT onwards**.

This was previously announced via email broadcast on 8 May and published on the documentation portal.

**Impact:**
- Users onboarding to SEED may experience intermittent errors or delays.
- Users are advised not to onboard during this window or within 30 minutes prior.

For more assistance:
Please contact us at enquiries_seed@tech.gov.sg for any issues or concerns. | +| 08 May 2025 | **Scheduled maintenance for Tanium servers**
We will be upgrading the Tanium servers to ensure continued performance and reliability.

**Maintenance schedule**:
The upgrading will be conducted from **6pm to 8pm, Wednesday, 21st May 2025**.

**Impact**:
- Onboarding may experience intermittent errors. Users are strongly advised to refrain from onboarding during this time and preferably avoid starting onboarding **30 minutes before the maintenance begins**.
- Access to SGTS for onboarded users should not be affected.

- If you encounter issues following the maintenance, please create an [incident support request](https://go.gov.sg/seed-techpass-support).| +| 21 March 2025 | **Intermittent access issues with SGTS and GCC services**
We are aware that some users are experiencing access issues with SGTS and GCC services. Our team is actively investigating the cause and working on a resolution.

**Key details:**
- Some users may encounter difficulties accessing SGTS and GCC services.
- Other functionalities remain unaffected.

We apologise for any inconvenience caused. If you need further assistance, please contact us at **enquiries_seed@tech.gov.sg**. | +| 20 March 2025 | Enforcing OS Version Baselines for SEED Devices
To enhance the security of SEED devices, we will be enforcing OS version baselines for minor and patch versions. This ensures devices are patched against vulnerabilities in a timely manner.

Enforcement schedule:
- Windows baseline enforcement begins on 27 March 2025.
- macOS baseline enforcement begins on 9 April 2025.

Impact:
- Devices that do not meet the baseline will be notified and given a 7-day grace period to patch.
- After the grace period, devices that remain non-compliant will be blocked from accessing SGTS and GCC services.

What should I do?
- Check your OS version using the guide [here](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/on[…]equisites?id=how-to-check-your-operating-system-version).
- Perform necessary updates if your device does not meet the baseline. Refer to the links below for update instructions:
- [Windows update guide](https://support.microsoft.com/en-us/windows/install-windows-updates-3c5ae7fc-9fb6-9af1-1984-b5e0412c556a)
- [macOS update guide](https://support.apple.com/en-sg/108382)
- For macOS user updating to version 15.3.2, if you encounter issues accessing SGTS or GCC services after the update, ensure that Full Disk Access (FDA) is enabled and reboot your device refer to [guide](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/post-onboarding-instructions/macos-latest?id=ensure-full-disk-access-fda-is-enabled-for-seed-components)

Future updates:
- Baselines will be adjusted periodically based on security reviews, and SEED users will be notified via email and the Documentation Portal.

For queries, contact us at enquiries_seed@tech.gov.sg. | +| 12 March 2025 | **Scheduled maintenance for Tanium servers**
We will be upgrading the Tanium servers to ensure continued performance and reliability.

**Maintenance schedule**:
The upgrading will be conducted from **6pm to 9pm, Tuesday, 18th March 2025**.

**Impact**:
- Onboarding may experience intermittent errors. Users are strongly advised to refrain from onboarding during this time and preferably avoid starting onboarding **30 minutes before the maintenance begins**.

- Access to SGTS for onboarded users should not be affected.

- If you encounter issues following the maintenance, please create an [incident support request](https://go.gov.sg/seed-techpass-support). | +| 22 January 2025 | **Scheduled maintenance for Tanium servers**
We will be upgrading the Tanium servers to ensure continued performance and reliability.

**Maintenance schedule**:
The upgrade will be conducted from **6pm to 9pm, Thursday, 23rd January 2025**.

**Impact**:
- Onboarding may experience intermittent errors. Users are strongly advised to refrain from onboarding during this time.- If you encounter issues following the maintenance, please create an [incident support request](https://go.gov.sg/seed-techpass-support). | +| 26 December 2024 | **Update of Cloudflare Root Certificate**
In preparation for the Cloudflare rotation exercise, SEED team will be pushing down new certificates to all GMDs on 30th December 2024, Monday, from 12:00 PM to 02:00 PM SGT.

**Impact**:
There should be no impact to users during the period of certification provisioning.

**Action required**:
- If you have configured your developer CLI tools to trust the Cloudflare certificate previously, please update the certificates by referring to the [Configuration of Common Developer CLI tools with Cloudflare WARP Guide](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/support/configuration-of-common-developer-cli-tools-with-cloudflare-warp-guide).
- If you face issues accessing SGTS and GCC from 13th January 2025, Monday, onwards, please refer to the [Cloudflare Certificate Update Guide](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/support/cloudflare-cert-update-guide) for troubleshooting.

**Additional information**:
- If the issue persists after troubleshooting, please create an incident support request with [SEED support](https://go.gov.sg/seed-techpass-support). | +| 24 December 2024 | **Wrapping up an incredible 2024!**
As we wrap up 2024, WOW, what a year! The TechPass and SEED teams absolutely crushed it, and it’s all thanks to your hard work, creativity, and dedication. You’ve made this year’s achievements not just possible, but extraordinary!

To our awesome users and bosses, a big shoutout to you too! Your feedback and support have been the secret sauce to our success.

**Looking ahead to 2025:**
- I’d love to hear your ideas, thoughts, or even wild dreams for what we can do next.
- Book time with me: [Schedule a session](https://outlook.office.com/bookwithme/user/c8467a03effd490b8669ecefa50fccb7@tech.gov.sg?anonymous&ep=pcard&isanonymous=true). Let’s make magic happen together!

Here’s to a well-deserved break, a joyful holiday season, and an even brighter New Year. You’ve earned it! 🎄🍾🎉

**Eunice Teo**
Product Manager of TechPass and SEED![TechPass](/images/impact.png)
| | 18 December 2024 | **Intermittent issue accessing Microsoft Sentinel on Azure portal**
TechPass has detected an issue where some users are experiencing intermittent difficulties accessing Microsoft Sentinel on the Azure portal. Our team is actively investigating the matter to resolve it as soon as possible.

**Key details:**
- The issue affects access to Microsoft Sentinel on the Azure portal.
- Sign-ins to downstream applications remain unaffected.

We apologise for any inconvenience caused. If you need further assistance, please contact us at **enquiries_seed@tech.gov.sg**. | | 06 December 2024 | **Resolve *CF_DNS_Lookup_Failure* on macOS**
We have observed instances of users encountering the `CF_DNS_Lookup_Failure` error while using Cloudflare WARP on macOS. To address this issue, please follow the updated resolution steps.

**Key Recommendations:**
- **Upgrade macOS**: Update to macOS 15.1 or later to resolve several underlying issues.
- **Firewall Settings**: Ensure your firewall is turned on and configured to allow incoming connections for Cloudflare WARP.
- **Additional Steps**: Disable "block all incoming connections" in your firewall settings and explicitly allow connections for the Cloudflare WARP application.

[Read the full guide here](https://community.cloudflare.com/t/cf-dns-lookup-failure-cloudflare-zero-trust-gateway-with-wrap-on-macos-15/712557/2).

If you need further assistance, contact us at **enquiries_seed@tech.gov.sg**. | | 26 November 2024 | **macOS Policy enforcement starting 27 November**
To maintain the security of our systems and protect against vulnerabilities, updates for Apple macOS versions 13, 14, and 15 will be enforced starting **27 November 2024**.

**Specific update requirement for macOS 15 and 15.1:**
Devices running macOS 15 or macOS 15.1 must immediately update to macOS 15.1.1. This update addresses significant vulnerabilities that could compromise system security (JavaScriptCore and WebKit).

**Key Details:**
- Devices on macOS 15 or 15.1 will be **blocked from accessing SGTS services starting 10 December 2024** until they are updated to macOS 15.1.1.
- Please prioritise this update to ensure uninterrupted access to services.

[Read about security notes here](https://support.apple.com/en-us/121753).

If you have any questions, please reach out to us at **enquiries_seed@tech.gov.sg**. | | 01 November 2024 | SEED is now officially supported on macOS 15 Sequoia. If you encounter any issues, please reach out to us at enquiries_seed@tech.gov.sg. | -| 20 September 2024 | A new banner feature has been introduced on the [SEED Dashboard](https://dashboard.seed.tech.gov.sg/) to push critical messages to SEED users.

.

**For more assistance**:
Email us at enquiries_seed@tech.gov.sg. | +| 20 September 2024 | A new banner feature has been introduced on the [SEED Dashboard](https://dashboard.seed.tech.gov.sg/) to push critical messages to SEED users.

**For more assistance**:
Email us at enquiries_seed@tech.gov.sg. | | 16 September 2024 | SEED has not been officially tested on macOS 15 Sequoia, and we cannot provide support if users encounter issues.

For more assistance:
Email us at enquiries_seed@tech.gov.sg. | | 30 August 2024 | The previously announced support for macOS 15 Sequoia, originally scheduled to begin on August 31, 2024, has been delayed until further notice.

**For more assistance**:
Email us at enquiries_seed@tech.gov.sg. | | 5 August 2024 | SEED team has implemented the following changes:

- Enhanced notifications to help users troubleshoot access issues with SGTS services.
- Improved integrations between SEED components for a smoother user experience when accessing SGTS services.
- Expanded browser support, now including Safari for macOS users.
- Strengthened security measures for accessing GCC 2.0 AWS.

**For more assistance**:
Create an [incident support request](https://go.gov.sg/seed-techpass-support).| diff --git a/assets/Cloudflare_CA.crt b/assets/Cloudflare_CA.crt new file mode 100644 index 00000000..cb12b5dd --- /dev/null +++ b/assets/Cloudflare_CA.crt @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAsOgAwIBAgIUXUAq4excUIfVtFwcHVRyjmQsTSQwCgYIKoZIzj0EAwIw +gcAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMuMRswGQYDVQQL +ExJ3d3cuY2xvdWRmbGFyZS5jb20xTDBKBgNVBAMTQ0dhdGV3YXkgQ0EgLSBDbG91 +ZGZsYXJlIE1hbmFnZWQgRzEgZDRjYWIxYzBlMDA2MTM4NDQxZTFmMWI1N2JmZGU2 +MTQwHhcNMjQxMjI2MDMzNTAwWhcNMjkxMjI2MDMzNTAwWjCBwDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x +GTAXBgNVBAoTEENsb3VkZmxhcmUsIEluYy4xGzAZBgNVBAsTEnd3dy5jbG91ZGZs +YXJlLmNvbTFMMEoGA1UEAxNDR2F0ZXdheSBDQSAtIENsb3VkZmxhcmUgTWFuYWdl +ZCBHMSBkNGNhYjFjMGUwMDYxMzg0NDFlMWYxYjU3YmZkZTYxNDBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABNPxnTcczvjnFDe5AaqTEe16EfxN1MApC2C62sqkLJu1 +R4NNDJEMdz0ICeVdPAYEcLW6eSozcoo829LAk0Ics66jgZgwgZUwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM4dLTqhGMsGyBlfnTe0 +W7yapsV0MFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY2xvdWRmbGFyZS5j +b20vYjExNGY4N2QtYTA2YS00YWQ3LTg4YzgtNzNjYmRiMjkyZjgxLmNybDAKBggq +hkjOPQQDAgNJADBGAiEA8fzQzpEoSDmna5FVh9840dG1Zw4SXonPbmp0YI+TuN8C +IQCSzEGpQ9epfKk0SIbVcj26L6Z7mBqjOaxHIsbUog7n3A== +-----END CERTIFICATE----- diff --git a/assets/Cloudflare_CA.pem b/assets/Cloudflare_CA.pem new file mode 100644 index 00000000..cb12b5dd --- /dev/null +++ b/assets/Cloudflare_CA.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHjCCAsOgAwIBAgIUXUAq4excUIfVtFwcHVRyjmQsTSQwCgYIKoZIzj0EAwIw +gcAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMuMRswGQYDVQQL +ExJ3d3cuY2xvdWRmbGFyZS5jb20xTDBKBgNVBAMTQ0dhdGV3YXkgQ0EgLSBDbG91 +ZGZsYXJlIE1hbmFnZWQgRzEgZDRjYWIxYzBlMDA2MTM4NDQxZTFmMWI1N2JmZGU2 +MTQwHhcNMjQxMjI2MDMzNTAwWhcNMjkxMjI2MDMzNTAwWjCBwDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x +GTAXBgNVBAoTEENsb3VkZmxhcmUsIEluYy4xGzAZBgNVBAsTEnd3dy5jbG91ZGZs +YXJlLmNvbTFMMEoGA1UEAxNDR2F0ZXdheSBDQSAtIENsb3VkZmxhcmUgTWFuYWdl +ZCBHMSBkNGNhYjFjMGUwMDYxMzg0NDFlMWYxYjU3YmZkZTYxNDBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABNPxnTcczvjnFDe5AaqTEe16EfxN1MApC2C62sqkLJu1 +R4NNDJEMdz0ICeVdPAYEcLW6eSozcoo829LAk0Ics66jgZgwgZUwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM4dLTqhGMsGyBlfnTe0 +W7yapsV0MFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY2xvdWRmbGFyZS5j +b20vYjExNGY4N2QtYTA2YS00YWQ3LTg4YzgtNzNjYmRiMjkyZjgxLmNybDAKBggq +hkjOPQQDAgNJADBGAiEA8fzQzpEoSDmna5FVh9840dG1Zw4SXonPbmp0YI+TuN8C +IQCSzEGpQ9epfKk0SIbVcj26L6Z7mBqjOaxHIsbUog7n3A== +-----END CERTIFICATE----- diff --git a/assets/Cloudflare_CA_dev.crt b/assets/Cloudflare_CA_dev.crt new file mode 100644 index 00000000..4feed2bd --- /dev/null +++ b/assets/Cloudflare_CA_dev.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAsOgAwIBAgIUAiiTsMofOFQ4b9dTU0L46COAcKUwCgYIKoZIzj0EAwIw +gcAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMuMRswGQYDVQQL +ExJ3d3cuY2xvdWRmbGFyZS5jb20xTDBKBgNVBAMTQ0dhdGV3YXkgQ0EgLSBDbG91 +ZGZsYXJlIE1hbmFnZWQgRzEgN2I5MWMwNjlmZDEyYWJjMDRlMThkMDMwNWM0NTg0 +MjIwHhcNMjQxMjE4MDIzNDAwWhcNMjkxMjE4MDIzNDAwWjCBwDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x +GTAXBgNVBAoTEENsb3VkZmxhcmUsIEluYy4xGzAZBgNVBAsTEnd3dy5jbG91ZGZs +YXJlLmNvbTFMMEoGA1UEAxNDR2F0ZXdheSBDQSAtIENsb3VkZmxhcmUgTWFuYWdl +ZCBHMSA3YjkxYzA2OWZkMTJhYmMwNGUxOGQwMzA1YzQ1ODQyMjBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABIMeJdtXsNibXDEUgBd00440CRtLsrMgEsyStSjv/rOR +SUR5FkJzHvPOUC5G2S67pTHR4WUSvFsjRfpVSWNeH4OjgZgwgZUwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMpdk7/Ahx28szkL92u4 ++oUdKqQ7MFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY2xvdWRmbGFyZS5j +b20vZTM3ZmQ2OGYtYjMxZC00NjE5LTlmODMtMmVhNTEwZmNkMWEzLmNybDAKBggq +hkjOPQQDAgNIADBFAiEAghE9vyk9X8cTwyfitUk7uiOqSp1MxkEN6oOD1wWX640C +IBOiKkK+AZLeF1CKRsODB3ui9PSFnrnTI5c2CHt04s5A +-----END CERTIFICATE----- diff --git a/assets/Cloudflare_CA_dev.pem b/assets/Cloudflare_CA_dev.pem new file mode 100644 index 00000000..4feed2bd --- /dev/null +++ b/assets/Cloudflare_CA_dev.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAsOgAwIBAgIUAiiTsMofOFQ4b9dTU0L46COAcKUwCgYIKoZIzj0EAwIw +gcAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMuMRswGQYDVQQL +ExJ3d3cuY2xvdWRmbGFyZS5jb20xTDBKBgNVBAMTQ0dhdGV3YXkgQ0EgLSBDbG91 +ZGZsYXJlIE1hbmFnZWQgRzEgN2I5MWMwNjlmZDEyYWJjMDRlMThkMDMwNWM0NTg0 +MjIwHhcNMjQxMjE4MDIzNDAwWhcNMjkxMjE4MDIzNDAwWjCBwDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x +GTAXBgNVBAoTEENsb3VkZmxhcmUsIEluYy4xGzAZBgNVBAsTEnd3dy5jbG91ZGZs +YXJlLmNvbTFMMEoGA1UEAxNDR2F0ZXdheSBDQSAtIENsb3VkZmxhcmUgTWFuYWdl +ZCBHMSA3YjkxYzA2OWZkMTJhYmMwNGUxOGQwMzA1YzQ1ODQyMjBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABIMeJdtXsNibXDEUgBd00440CRtLsrMgEsyStSjv/rOR +SUR5FkJzHvPOUC5G2S67pTHR4WUSvFsjRfpVSWNeH4OjgZgwgZUwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMpdk7/Ahx28szkL92u4 ++oUdKqQ7MFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY2xvdWRmbGFyZS5j +b20vZTM3ZmQ2OGYtYjMxZC00NjE5LTlmODMtMmVhNTEwZmNkMWEzLmNybDAKBggq +hkjOPQQDAgNIADBFAiEAghE9vyk9X8cTwyfitUk7uiOqSp1MxkEN6oOD1wWX640C +IBOiKkK+AZLeF1CKRsODB3ui9PSFnrnTI5c2CHt04s5A +-----END CERTIFICATE----- diff --git a/assets/Cloudflare_CA_old.crt b/assets/Cloudflare_CA_old.crt new file mode 100644 index 00000000..f02f49a9 Binary files /dev/null and b/assets/Cloudflare_CA_old.crt differ diff --git a/assets/Cloudflare_CA_old.pem b/assets/Cloudflare_CA_old.pem new file mode 100644 index 00000000..fbf96a84 --- /dev/null +++ b/assets/Cloudflare_CA_old.pem 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC6zCCAkygAwIBAgIUI7b68p0pPrCBoW4ptlyvVcPItscwCgYIKoZIzj0EAwQw +gY0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRgwFgYDVQQKEw9DbG91ZGZsYXJlLCBJbmMxNzA1BgNVBAMT +LkNsb3VkZmxhcmUgZm9yIFRlYW1zIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw +HhcNMjAwMjA0MTYwNTAwWhcNMjUwMjAyMTYwNTAwWjCBjTELMAkGA1UEBhMCVVMx +EzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xGDAW +BgNVBAoTD0Nsb3VkZmxhcmUsIEluYzE3MDUGA1UEAxMuQ2xvdWRmbGFyZSBmb3Ig +VGVhbXMgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0eTCBmzAQBgcqhkjOPQIBBgUr +gQQAIwOBhgAEAVdXsX8tpA9NAQeEQalvUIcVaFNDvGsR69ysZxOraRWNGHLfq1mi +P6o3wtmtx/C2OXG01Cw7UFJbKl5MEDxnT2KoAdFSynSJOF2NDoe5LoZHbUW+yR3X +FDl+MF6JzZ590VLGo6dPBf06UsXbH7PvHH2XKtFt8bBXVNMa5a21RdmpD0Pho0Uw +QzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQU +YBcQng1AEMMNteuRDAMG0/vgFe0wCgYIKoZIzj0EAwQDgYwAMIGIAkIBQU5OTA2h +YqmFk8paan5ezHVLcmcucsfYw4L/wmeEjCkczRmCVNm6L86LjhWU0v0wER0e+lHO +3efvjbsu8gIGSagCQgEBnyYMP9gwg8l96QnQ1khFA1ljFlnqc2XgJHDSaAJC0gdz ++NV3JMeWaD2Rb32jc9r6/a7xY0u0ByqxBQ1OQ0dt7A== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/assets/Cloudflare_CA_stg.crt b/assets/Cloudflare_CA_stg.crt new file mode 100644 index 00000000..a148a997 --- /dev/null +++ b/assets/Cloudflare_CA_stg.crt 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAsOgAwIBAgIUK3iFTL+C81BZCZELsWKqjB0RHZUwCgYIKoZIzj0EAwIw +gcAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMuMRswGQYDVQQL +ExJ3d3cuY2xvdWRmbGFyZS5jb20xTDBKBgNVBAMTQ0dhdGV3YXkgQ0EgLSBDbG91 +ZGZsYXJlIE1hbmFnZWQgRzEgNTdiNzY3N2ExYzViNGE5MzBkYWVkYTYyNmU3MTRk +OTUwHhcNMjQxMjIzMDkzMDAwWhcNMjkxMjIzMDkzMDAwWjCBwDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x +GTAXBgNVBAoTEENsb3VkZmxhcmUsIEluYy4xGzAZBgNVBAsTEnd3dy5jbG91ZGZs +YXJlLmNvbTFMMEoGA1UEAxNDR2F0ZXdheSBDQSAtIENsb3VkZmxhcmUgTWFuYWdl +ZCBHMSA1N2I3Njc3YTFjNWI0YTkzMGRhZWRhNjI2ZTcxNGQ5NTBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABIE/zGXtw4bkGBTK5oEaSKy4pCoAMWFSO03u3LyYlRN0 +w2Zj5WGU/SfSu3LdLPnTjCUMiDHJEmmPC9GjK6DuCo+jgZgwgZUwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAnjpcLxVeTblHI90ezD +AN7uSbqYMFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY2xvdWRmbGFyZS5j +b20vNjhkYWZlMTAtZmFlNi00Y2NhLWFiZjAtOTQ4MTRmYjFjZTQ0LmNybDAKBggq +hkjOPQQDAgNIADBFAiAHjudYmd/URxZKUuQDEsXm8LudsFfF1mvU1E3x7LJazAIh +AN9m/S9970N3VFkttB/UToyNx1HinnG+20GogCbVhYVV +-----END CERTIFICATE----- diff --git a/assets/Cloudflare_CA_stg.pem b/assets/Cloudflare_CA_stg.pem new file mode 100644 index 00000000..a148a997 --- /dev/null +++ b/assets/Cloudflare_CA_stg.pem 
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDHTCCAsOgAwIBAgIUK3iFTL+C81BZCZELsWKqjB0RHZUwCgYIKoZIzj0EAwIw +gcAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T +YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMuMRswGQYDVQQL +ExJ3d3cuY2xvdWRmbGFyZS5jb20xTDBKBgNVBAMTQ0dhdGV3YXkgQ0EgLSBDbG91 +ZGZsYXJlIE1hbmFnZWQgRzEgNTdiNzY3N2ExYzViNGE5MzBkYWVkYTYyNmU3MTRk +OTUwHhcNMjQxMjIzMDkzMDAwWhcNMjkxMjIzMDkzMDAwWjCBwDELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x +GTAXBgNVBAoTEENsb3VkZmxhcmUsIEluYy4xGzAZBgNVBAsTEnd3dy5jbG91ZGZs +YXJlLmNvbTFMMEoGA1UEAxNDR2F0ZXdheSBDQSAtIENsb3VkZmxhcmUgTWFuYWdl +ZCBHMSA1N2I3Njc3YTFjNWI0YTkzMGRhZWRhNjI2ZTcxNGQ5NTBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABIE/zGXtw4bkGBTK5oEaSKy4pCoAMWFSO03u3LyYlRN0 +w2Zj5WGU/SfSu3LdLPnTjCUMiDHJEmmPC9GjK6DuCo+jgZgwgZUwDgYDVR0PAQH/ +BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAnjpcLxVeTblHI90ezD +AN7uSbqYMFMGA1UdHwRMMEowSKBGoESGQmh0dHA6Ly9jcmwuY2xvdWRmbGFyZS5j +b20vNjhkYWZlMTAtZmFlNi00Y2NhLWFiZjAtOTQ4MTRmYjFjZTQ0LmNybDAKBggq +hkjOPQQDAgNIADBFAiAHjudYmd/URxZKUuQDEsXm8LudsFfF1mvU1E3x7LJazAIh +AN9m/S9970N3VFkttB/UToyNx1HinnG+20GogCbVhYVV +-----END CERTIFICATE----- diff --git a/assets/falcon-on-demand-mac.pdf b/assets/falcon-on-demand-mac.pdf new file mode 100644 index 00000000..8a486eeb Binary files /dev/null and b/assets/falcon-on-demand-mac.pdf differ diff --git a/cloudflare-troubleshooting.md b/cloudflare-troubleshooting.md deleted file mode 100644 index e5513407..00000000 --- a/cloudflare-troubleshooting.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation is obsolete. Refer to [Cloudflare troubleshooting](https://support.cloudflare.com/hc/en-us/categories/200276217-Troubleshooting) for more details. \ No newline at end of file diff --git a/device-clean-up-policy.md b/device-clean-up-policy.md deleted file mode 100644 index 259282bd..00000000 --- a/device-clean-up-policy.md +++ /dev/null 
@@ -1 +0,0 @@ -!> This documentation is obsolute. Refer to [macOS offboarding guide](/offboard-device/macos-offboarding-guide.md) and [Windows offboarding guide](/offboard-device/windows-offboarding-guide.md). \ No newline at end of file diff --git a/enclave-10.png b/enclave-10.png new file mode 100644 index 00000000..5bb47812 Binary files /dev/null and b/enclave-10.png differ diff --git a/enclave-7.png b/enclave-7.png new file mode 100644 index 00000000..39ac155e Binary files /dev/null and b/enclave-7.png differ diff --git a/enclave-8.png b/enclave-8.png new file mode 100644 index 00000000..5cf1ed55 Binary files /dev/null and b/enclave-8.png differ diff --git a/enclave-9.png b/enclave-9.png new file mode 100644 index 00000000..0207a0e3 Binary files /dev/null and b/enclave-9.png differ diff --git a/enrol-in-intune-mdm.md b/enrol-in-intune-mdm.md new file mode 100644 index 00000000..e0352f86 --- /dev/null +++ b/enrol-in-intune-mdm.md 
@@ -0,0 +1,19 @@ +# Enrol in Intune MDM (macOS) + +Before registering a Mac device with Platform SSO (PSSO), you must enrol it in Microsoft Intune using the Company Portal app. Once enrolled, you can use Secure Enclave, smart card, or password to register your device with PSSO. + +If you have already onboarded to SEED, you can skip this step. + +## Steps to enrol + +1. **Open the Company Portal app** and select **Sign in**. +2. **Enter your Microsoft Entra ID credentials** and select **Next**. +3. When prompted to **Set up {Company} access**, select **Begin**. On the next screen, select **Continue**. +4. Follow the instructions to install the management profile. This profile should have been set up by your administrator in Microsoft Intune. Select **Download profile**. +5. If the profile window does not open automatically, navigate to **Settings** > **Privacy & Security** > **Profiles** and select **Management Profile**. +6. Select **Install** to grant access to company resources. +7. Enter your local device password in the **Profiles** window and select **Enrol**. +8. Once installation is complete, you will see a notification in Company Portal. Select **Done**. + + +After completing these steps, your device will be enrolled in Intune MDM and ready for Platform SSO registration. diff --git a/faqs/.DS_Store b/faqs/.DS_Store index 6545f155..b028f68d 100644 Binary files a/faqs/.DS_Store and b/faqs/.DS_Store differ diff --git a/faqs/cloudflare-warp-known-issues.md b/faqs/cloudflare-warp-known-issues.md deleted file mode 100644 index e5513407..00000000 --- a/faqs/cloudflare-warp-known-issues.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation is obsolete. Refer to [Cloudflare troubleshooting](https://support.cloudflare.com/hc/en-us/categories/200276217-Troubleshooting) for more details. \ No newline at end of file diff --git a/faqs/common-onboarding-issues.md b/faqs/common-onboarding-issues.md deleted file mode 100644 index a327ac7a..00000000 
--- a/faqs/common-onboarding-issues.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Onboarding FAQ](/post-onboarding-instructions/onboarding-faq). \ No newline at end of file diff --git a/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp.md b/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp.md deleted file mode 100644 index ce34403c..00000000 --- a/faqs/configuration-of-common-developer-cli-tools-with-cloudflare-warp.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation is obsolete. Refer to [SHIP-HATS documentation](https://docs.developer.tech.gov.sg/docs/ship-hats-docs/) for more details. \ No newline at end of file diff --git a/faqs/device-clean-up-policy-faqs.md b/faqs/device-clean-up-policy-faqs.md deleted file mode 100644 index fefaa48d..00000000 --- a/faqs/device-clean-up-policy-faqs.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation is obsolete. Refer to [Offboarding FAQ](/post-onboarding-instructions/offboarding-faq). \ No newline at end of file diff --git a/faqs/general-faq.md b/faqs/general-faq.md index 782bd857..8a2e53aa 100644 --- a/faqs/general-faq.md +++ b/faqs/general-faq.md @@ -1,145 +1,199 @@ # General FAQ -
What data can I store on a Government Managed Device (GMD)? - -GMDs are intended to facilitate development work for accessing GCC 2.0 and SGTS securely. Do not store production or live data on GMDs. +## 🖥 Device usage and compliance +
+ What type of data can I store on a Government Managed Device (GMD)? + GMDs are intended to facilitate development work for accessing GCC 2.0 and SGTS securely. + Do not store production or live data on GMDs.
-
Can I install unlicensed software or tools on my Government Managed Device (GMD)? - -Installing unlicensed software on your GMD is strictly prohibited. GMDs are government-managed, and this policy ensures security and compliance. Unauthorised software compromises security and violates regulations. - -If you need a particular software for your development work, please follow your organisation's processes to obtain the legitimate version. Refer to [Terms of policies](/additional-resources/terms-and-policies.md)for details. - +
+ Can I install unlicensed software or tools on my Government Managed Device (GMD)? + Installing unlicensed software is strictly prohibited. + Use your organisation’s process to request legitimate software. + Refer to Terms and policies for details.
-
Why am I unable to access certain websites? - -If you are experiencing issues accessing websites, [Cloudflare Radar](https://radar.cloudflare.com/security-and-attacks) can identify the cause. Visit [Cloudflare Radar scan](https://radar.cloudflare.com/security-and-attacks), enter the domain you are having trouble with, and view the report. This tool provides insights into network issues or security settings that may be affecting website access. - +
+ Why am I unable to access certain websites? + If you are experiencing access issues, use Cloudflare Radar to investigate. + Enter the domain you are trying to access and view the network/security report.
-
Can I bring and use my Government Managed Device (GMD) overseas? - -Users should assess the risk and seek approval from their Reporting Officer (RO) before doing so. - +
+ Can I bring and use my Government Managed Device (GMD) overseas? + You should assess the risk and seek approval from your Reporting Officer (RO) before bringing your device overseas.
-
I have lost my Government Managed Device (GMD). What should I do? - -1. Notify your manager and operations manager to approve data deletion on the lost device. -2. [Raise a service request](https://go.gov.sg/seed-techpass-support) to notify the SEED team about the lost device. -3. Mention any sensitive data in the request to prioritise remote wiping. -4. Attach manager approvals for necessary actions to prevent data breaches. - +
+ What should I do if I lose my Government Managed Device (GMD)? + 1. Notify your manager and operations manager to approve data deletion. + 2. Raise a support request to notify the SEED team. + 3. Mention any sensitive data to prioritise remote wiping. + 4. Attach manager approvals to the request.
-
What happens when the security of a Government Managed Device (GMD) is compromised? - - When SEED detects a compromised device, it contacts the owner for disconnection. After obtaining owner and manager approvals, SEED performs a remote wipe. - -> **Note**: -> The device must be powered on and connected to the internet for remote wiping. - +
+ What happens when the security of a Government Managed Device (GMD) is compromised? + SEED will contact the user to disconnect the device. + Once the owner and manager approve, SEED will initiate a remote wipe. + > **Note**: The device must be powered on and connected to the internet for the wipe to succeed.
-
What happens when a remote wipe is performed on a Government Managed Device (GMD)? - - Remote wipe erases all data on the device, performed only for theft, loss, or security compromise. For more information, refer to the [Terms and policies](/additional-resources/terms-and-policies). +
+ What happens when a remote wipe is performed on a Government Managed Device (GMD)? + Remote wipe erases all data on the device. + It is only performed in cases of theft, loss, or a confirmed security compromise.
-
Is remote wipe done only on devices that belong to public sector agencies? - - No, remote wipe applies to any lost or compromised GMD to prevent data breaches. For more information, refer to the [Terms and policies](/additional-resources/terms-and-policies). +
+ Is remote wipe applicable only to public sector agency devices? + No. Remote wipe can be performed on any lost or compromised GMD to prevent data breaches.
-
What should I do if my device has been inactive for 180 days? - -If your device is no longer required to access SEED, please offboard your device. For detailed steps on offboarding your Mac, click [here](/offboard-device/macos-offboarding-guide.md), and for Windows, click [here](/offboard-device/windows-offboarding-guide.md). If you still require access after being inactive for 180 days, please email enquiries_seed@tech.gov.sg for assistance. - +
+ Why am I prompted to turn on System Integrity Protection (SIP) on my macOS device? + This is a SEED policy requirement. + SIP enhances macOS security by preventing unauthorised modifications to protected system files and folders.
-
What should I do if I want to check if my device record has been deleted? - -Log in to [SEED Dashboard](https://dashboard.seed.tech.gov.sg/) after 26 October 2023 to see whether your device record still exists. If your device record does not exist, or you are unable to log into SEED Dashboard, your device records have been cleaned up. - +
+ Why do I need to turn on FileVault encryption? + FileVault encryption protects your device and ensures compliance with SEED policies.
-
What should I do if my device record has been deleted even though it is still active? - -Please email enquiries_seed@tech.gov.sg for assistance. - +
+ Why does my device slow down after onboarding to Microsoft Intune? + SEED uses Microsoft Defender for Endpoint. + Other antivirus software may cause performance issues. + Disable or uninstall any non-Microsoft antivirus software.
-
Why am I prompted to turn on my system integrity protection on my macOS device? - - This is a SEED policy requirement. System Integrity Protection enhances macOS security and is designed to help prevent potentially malicious software from modifying protected files and folders on your macOS. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the macOS. - - -
- - -
Why do I need to turn on File Vault encryption? - - FileVault encryption is essential to ensure device security and compliance. - -
- -
Why does my device slow down after onboarding to Microsoft Intune? +
+ Why am I prompted to select the device certificate when accessing some websites? + Due to the device compliance check policy, during the Entra ID authentication, you will be prompted the select the device certificate which will be checked for the valid MDM certificate on your machine. + Afterwards, you will be given access to your application if your device is compliant. +
- SEED uses **Microsoft Defender for Endpoint** for security. Other antivirus software may impact performance. Disable or uninstall non-**Microsoft Defender for Endpoint** antivirus software. +
+ What password should you key in if you are prompted to select the certificate? + Select the device certificate when prompted and click OK. + + ![device cert](../images/device-cert1.png) + + Type in your local mac password and click on “Always Allow”. + + ![device cert](../images/device-cert2.png) + + You might be prompted to enter the password multiple times (1-3 times), make sure to click on “Always Allow”. + Note: Selecting of certificate is not required if the MacOS is joined to Entra (Registered with Platform SSO) +
-
+## 🔁 Device records and inactivity -
Previously, I have successfully onboarded my Internet Device to SEED, but now I received an email indicating limited access to SEED-protected resources. Why, and what should I do? +
+ What should I do if my device has been inactive for 180 days? + If you no longer require the device for SEED access, please offboard it. + If you still require access, email enquiries_seed@tech.gov.sg for assistance. +
-This suggests SEED detected device configuration issues. For example, an unhealthy Microsoft Defender. For resolution: +
+ How do I check if my device record has been deleted? + Log in to the SEED Dashboard to check your device records. +
-- Offboard your device if access is no longer needed. +
+ What should I do if my device record has been deleted even though it is still active? + Email enquiries_seed@tech.gov.sg for assistance. +
-- [Raise a service request](https://go.gov.sg/seed-techpass-support) to restore access to SEED-protected resources. Specify that your SEED access was revoked due to device misconfiguration, allowing us to process the request accordingly. +
+ Why is my device not showing on the SEED Dashboard? + Your TechPass account may not be linked to your SEED device due to an onboarding or account termination issue. + Offboard and re-onboard your device, or raise a support request . +
+
+ Why did I receive an email indicating limited access to SEED-protected resources after previously onboarding successfully? + SEED may have detected device configuration issues (e.g. unhealthy Microsoft Defender). + Offboard the device if no longer needed, or raise a support request .
-
Why did I receive the successfully onboarded email again? +
+ Why did I receive the successfully onboarded email again? + This may happen if configuration services were temporarily misconfigured and restored. +
-Receiving this email again indicates that services ensuring SEED compliance may have had configuration issues, temporarily affecting SEED access. +
+ Do I need to re-onboard my device after returning from a long leave? + If your GMD has not been logged into for 90 consecutive days, it may be marked inactive and removed from Intune. + This does not wipe your device, but SEED will no longer be able to monitor or manage it. +
+
+ Will I receive any notification if the MDM certificate is about to expire? + No, you will not receive any notification when your MDM certificate is expiring.
-
Do I need to re-onboard my device to SEED after returning from a long leave? +## 🔑 Passwords and reset -If you belong to the TechPass Entra ID and your GMD has not been logged into for 90 consecutive days, the GMD becomes inactive, and its' records are softly removed from the Intune portal. +
+ Do I need to change my SEED onboarding password after one year? + Yes. The password requirements are: + - At least 12 characters + - Cannot reuse the previous 3 passwords + - Cannot contain the same character consecutively + - Cannot have three sequential characters + - Must contain at least one number and one alphabetic character +
-It is important to understand that when your device records are softly removed, it does not perform a device wipe or retirement. Instead, the device record is temporarily taken out of Intune. +
+ How do I reset my password using the macOS Utilities menu? + Refer to the following image: + + ![reset_password](../images/reset-password-utiliy.png) +
-Consequently, SEED administrators will no longer have access to details such as the device's health status, and they will not be able to manage it from the SEED Dashboard. +## 🛡️ CrowdStrike +
+ Why was my device blocked due to a malware alert in CrowdStrike? + Your device will be blocked if you have malware alerts on CrowdStrike. + No action is required from you. The SEED team will review your ticke, and your device will be unblocked after the assessment is completed. + Please raise a support request if you are not unblocked automatically.
-
Will I receive any notification of MDM certificate expiration? - -No, you will not receive any notification for this. +
+ [Windows only] How do I perform a malware scan using CrowdStrike? + Right-click the drive → Click **Show more options** → Click **CrowdStrike Falcon malware scan** → Click **Scan**. + A pop-up window will appear at the lower-right corner. + + ![image](../images/cs1.png) + You will see a pop up window on the right hand corner. + + ![image](../images/cs2.png) +
- Do I need to change my SEED onboarding password after a year, and what are the password requirements for it? + [Windows only] How do I check the results of a CrowdStrike malware scan? + Go to your Desktop → Right-click and select **Show more options** → Click **CrowdStrike Falcon malware scan** → Click **See results of last scan**. - Yes, you are required to change your SEED onboarding password after a year. The password requirements for SEED onboarding are as follows: + ![image](../images/cs3.png) + + You should see the status as **Completed**. -- It should contain at least 12 characters. -- It should not be the same as the previous three passwords. -- The same character cannot be used consecutively. -- It cannot have three sequential characters. -- It should contain at least one number and one alphabetic character. + ![image](../images/cs4.png) +
- How do I reset my password via the macOS Utilities menu? - -Refer to the following image below: -![reset_password](/images/reset-password-utiliy.png) + [Mac only] Can I perform an on-demand CrowdStrike Falcon malware scan? + No. Falcon On-Demand Scan is not applicable for macOS. + Download the Falcon On-Demand Scan guide for Mac (PDF) +for more information.
+ diff --git a/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access.md b/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access.md deleted file mode 100644 index ce34403c..00000000 --- a/faqs/how-to-clone-a-bitbucket-repository-over-ssh-with-cloudflare-access.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation is obsolete. Refer to [SHIP-HATS documentation](https://docs.developer.tech.gov.sg/docs/ship-hats-docs/) for more details. \ No newline at end of file diff --git a/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access.md b/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access.md deleted file mode 100644 index ce34403c..00000000 --- a/faqs/how-to-clone-a-gitlab-repository-over-ssh-with-cloudflare-access.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation is obsolete. Refer to [SHIP-HATS documentation](https://docs.developer.tech.gov.sg/docs/ship-hats-docs/) for more details. \ No newline at end of file diff --git a/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md b/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md deleted file mode 100644 index da5d6f6c..00000000 --- a/faqs/how-to-generate-and-upload-diagnostic-files-to-incident-support-request.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Generate diagnostic files](/support/generate-diagnostic-files.md) for more details. \ No newline at end of file diff --git a/faqs/known-issues.md b/faqs/known-issues.md deleted file mode 100644 index ffdface1..00000000 --- a/faqs/known-issues.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Troubleshooting issues](/support/troubleshooting-issues). \ No newline at end of file diff --git a/faqs/onboarding-faq.md b/faqs/onboarding-faq.md index 52e4fc09..cec23de4 100644 --- a/faqs/onboarding-faq.md +++ b/faqs/onboarding-faq.md @@ -1,207 +1,126 @@ # Onboarding FAQ +## ✅ Onboarding confirmation and errors +
How can I confirm the successful onboarding of my Internet Device to SEED? - -After completing the onboarding process for your device to SEED, you should expect to receive a confirmation email indicating successful onboarding within two hours. This email will be sent to your organizational email address. - -If you have not received the confirmation email after this two-hour period, [raise a service request](https://go.gov.sg/seed-techpass-support) for assistance. + After completing the onboarding process, you should receive a confirmation email within two hours. If not, [raise a service request](https://go.gov.sg/seed-techpass-support).
- What should I do if profile installation fails during management profile installation? + I did not receive the successfully onboarded email after onboarding to SEED. What should I do? + Possible reasons: -1. Ensure you have received an email confirming that the required SEED onboarding license has been assigned to you. If you have received this confirmation, proceed to step 2. -2. Navigate to the **Apple** menu > **System Preferences** > **Profiles**. -3. If you already have an existing **Management Profile**, select it and remove it by clicking the minus icon at the lower-left corner. -4. If you encounter difficulties removing the **Management Profile**, uninstall **Company Portal**. -5. Reinstall [Company Portal](https://go.microsoft.com/fwlink/?linkid=853070). -6. [Onboard your device to SEED](onboard-device/identify-onboarding-persona). + - Microsoft Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. + - Tanium and Cloudflare were not installed while onboarding to SEED. + Before raising a service request, confirm the following: + - Verify if Microsoft Defender is configured correctly on your device. + - Check if Tanium and Cloudflare are installed. These applications should be automatically installed during device enrolment with SEED. If they are not installed, [raise a service request](https://go.gov.sg/seed-techpass-support).
-
- How does enrolling my device with Microsoft Intune or other MDM solutions impact my SEED onboarding? - Enrolling your device with Microsoft Intune or other MDM solutions can have an impact on your SEED onboarding process. It's important to remove any existing enrollments with Microsoft Intune or other MDM solutions from your device before proceeding with SEED onboarding. - -
- What data is collected by Microsoft Intune? - - To learn about the data collected by Microsoft Intune, please refer to [Data collection in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/privacy-data-collect). - + What should I do if my device is not automatically renamed after SEED onboarding? + This can happen if Defender or any other antivirus already installed on the device was not completely removed before onboarding to SEED. To confirm this, verify if Microsoft Defender is configured correctly on your device.
-
- Why is Microsoft Defender not automatically installed after enrolling in Company Portal? - - This can happen if Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. Please verify that Microsoft Defender is correctly configured on your device. - - For detailed steps on verifying Microsoft Defender on your device, please refer to the appropriate guide: - - [macOS 14 and 13](/post-onboarding-instructions/macos-latest.md) - - [macOS 12](/post-onboarding-instructions/macos.md) - - [Windows](/post-onboarding-instructions/windows.md) -
-
- While onboarding to Microsoft Intune, I receive an error message: "Could not download the identity profile from the Encrypted Profile Service. The credentials within the Device Enrolment profile may have expired." What should I do? + What should I do if my onboarding status to SEED shows as 'Failed' due to Tanium issues? + Possible reasons for a failed onboarding status include: - One possible reason for this error is that your device may have been previously onboarded to Microsoft Intune by a different user and was not properly offboarded during the pre-onboarding steps. + - **Failed (Tanium not installed or configured incorrectly)**: Tanium was either not installed or set up properly. + - **Failed (Error occurred while tagging device as onboarded)**: An issue occurred while tagging the device as onboarded in Tanium. + - **Failed (Error occurred while installing endpoint identity tools)**: An error occurred during the installation of the endpoint identity tools. - To confirm this, please [raise a service request](https://go.gov.sg/seed-techpass-support) and provide your device's serial number. The SEED team will investigate whether your device was previously enrolled in Microsoft Intune under a different user. + To resolve the issue, follow these steps: - If this is confirmed, you can choose one of the following options to offboard your device from Microsoft Intune and then retry the SEED onboarding process: + (Troubleshooting steps for mac (Intel), mac (Apple chip), and Windows...) - - For Windows users, refer to the [SEED offboarding steps for Windows](/offboard-device/windows-offboarding-guide.md). - - For macOS users, go to **System Preferences** and locate the old Management Profile. Follow the [SEED offboarding steps for macOS](/offboard-device/macos-offboarding-guide.md). + If the issue persists after following these steps, please raise an [incident support request](https://go.gov.sg/seed-techpass-support).
- -
- What should I do if my device is not automatically renamed after SEED onboarding? - This can happen if Defender or any other antivirus already installed on the device was not completely removed before onboarding to SEED. To confirm this, verify if Microsoft Defender is configured correctly on your device. +## 🔧 Troubleshooting setup issues +
+ What should I do if profile installation fails during management profile installation? + 1. Ensure you have received an email confirming that the required SEED onboarding license has been assigned to you. If you have received this confirmation, proceed to step 2. + 2. Navigate to the **Apple** menu > **System Preferences** > **Profiles**. + 3. If you already have an existing **Management Profile**, select it and remove it by clicking the minus icon. + 4. If you encounter difficulties removing the **Management Profile**, uninstall **Company Portal**. + 5. Reinstall [Company Portal](https://go.microsoft.com/fwlink/?linkid=853070). + 6. [Onboard your device to SEED](onboard-device/identify-onboarding-persona).
-
- While enabling Full Disk Access (FDA), I could not find TaniumClient. What should I do? - - If **TaniumClient** is not visible while enabling Full Disk Access (FDA), follow these steps: - - - 1. Open the **Terminal** application and run the command: ``sudo chmod 755 /Library/Tanium/TaniumClient``. - 2. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. - 3. Click the **Privacy** tab. - 4. From the left pane, choose **Full Disk Access**. - 5. Click the lock icon at the lower left and use your Touch ID or enter your password to unlock. - 6. Click the plus icon on the **Full Disk Access** pane. - 7. Go to **Macintosh HD** > **Library** > **TaniumClient** and select the application file **TaniumClient**. - 8. Ensure the checkbox beside **TaniumClient** is selected. - + While onboarding to Microsoft Intune, I receive an error message: "Could not download the identity profile from the Encrypted Profile Service." + One possible reason is your device may have been previously onboarded by another user and was not properly offboarded. + Raise a [service request](https://go.gov.sg/seed-techpass-support) with your serial number and follow relevant offboarding steps.
- While enabling Full Disk Access (FDA), I cannot find Microsoft Intune Agent and Microsoft Defender for Endpoint. What should I do? - - If **Microsoft Intune Agent** and **Microsoft Defender for Endpoint** are not visible while enabling Full Disk Access (FDA), follow these steps: - -1. Go to the **Apple** menu > **System Preferences** > **Security & Privacy**. -2. Click the **Privacy** tab. -3. In the left pane, select **Full Disk Access**. -4. Click the lock icon at the lower left and use your Touch ID or enter your password to unlock. -5. Click the plus icon on the **Full Disk Access** pane and follow these steps as needed: - - To add "Microsoft Intune Agent," navigate to **Macintosh HD** > **Library** > **Intune** and open **Microsoft Intune Agent.app**. - - To add "Microsoft Defender for Endpoint," go to **Applications**, select **Microsoft Defender for Endpoint**, and click **Open**. + What should I do if my onboarding fails while registering my Intune Device ID on the TechPass portal? + | Reason for failed onboarding | Action required | + | ---|---| + | Unexpected Error | [Raise a service request](https://go.gov.sg/seed-techpass-support). | + | Software Misconfiguration Error | [Raise a service request](https://go.gov.sg/seed-techpass-support). | + | Endpoint Error | Ensure stable internet > Go to [TechPass Portal](https://portal.techpass.gov.sg) > My Account > SEED Devices > Retry. | + | Software Installation Error | Restart your device > Retry steps above. | + | Internal Error | Restart your device > Retry steps above. | + | DWP device used | You cannot onboard DWP devices. Only Internet Devices are supported. |
- While enabling Full Disk Access (FDA), I cannot find Microsoft Defender Endpoint Security Extension. Can I proceed with onboarding? - - Yes, you can proceed with your SEED onboarding, and **Microsoft Defender Endpoint Security Extension** should become available within four hours. If it does not become available after four hours, please [raise a service request](https://go.gov.sg/seed-techpass-support) as it is necessary to ensure the completeness of your onboarding. + While approving the management profiles, I get a message "Profiles cannot be approved while using remote or automated input method". What should I do? + To resolve this issue, upgrade to the [latest macOS version][upgrade-macos] and ensure your Mac has sufficient available disk space before attempting to approve the profiles. +
-
+## 🔐 Full Disk Access and FileVault
- When enabling FileVault or FDA, I am unable to unlock Security & Privacy preferences using my current password. What should I do? - - This issue may arise due to a new password policy that requires you to reset your password. - - Follow these steps: - -1. Go to the **Apple** menu and choose **Lock Screen** or press **Command+Control+Q**. -2. Enter your current password and press **Return**. -3. You will be prompted to reset your password. + While enabling Full Disk Access (FDA), I could not find TaniumClient. What should I do? + Run this command in Terminal: `sudo chmod 755 /Library/Tanium/TaniumClient` + Then manually add **TaniumClient** to **Full Disk Access** under **Security & Privacy**.
-I did not receive the successfully onboarded email after onboarding to SEED. What should I do? - -Possible reasons: - -- Microsoft Defender or any other antivirus solution previously installed on the device was not completely removed before onboarding to SEED. -- Tanium and Cloudflare were not installed while onboarding to SEED. - -Before raising a service request, confirm the following: - -- Verify if Microsoft Defender is configured correctly on your device. - -- Check if Tanium and Cloudflare are installed. These applications should be automatically installed during device enrolment with SEED. If they are not installed, [raise a service request](https://go.gov.sg/seed-techpass-support). - + While enabling Full Disk Access (FDA), I cannot find Microsoft Intune Agent and Microsoft Defender for Endpoint. What should I do? + Add them manually: + - **Microsoft Intune Agent**: `/Library/Intune/Microsoft Intune Agent.app` + - **Defender**: `/Applications/Microsoft Defender for Endpoint`
-What should I do if my onboarding status to SEED shows as 'Failed' due to Tanium issues? - -Possible reasons for a failed onboarding status include: - -- **Failed (Tanium not installed or configured incorrectly)**: Tanium was either not installed or set up properly. -- **Failed (Error occurred while tagging device as onboarded)**: An issue occurred while tagging the device as onboarded in Tanium. -- **Failed (Error occurred while installing endpoint identity tools)**: An error occurred during the installation of the endpoint identity tools. - -To resolve the issue, follow these steps: - -1. **Access the TechPass portal on your non-SE GSIB device**: - - At the top right, select your username and click **My Account** to view your profile details. - - Reboot your device. - -2. **For mac (Intel)**: - - Connect to your personal hotspot. - - Open Terminal and run the following command: - `launchctl kickstart -k -p system/com.tanium.taniumclient` - - Go to the Company Portal, click on the three dots, and select **Check status** to sync the device. - - Wait for 5–10 minutes for the status in the TechPass portal to change to 'Onboarded'. If the status does not update, restart the Tanium service and wait again. - -3. **For mac (Apple silicone chip)**: - - Connect to your personal hotspot. - - Reboot your device. - - Go to the Company Portal, click on the three dots, and select **Check status** to sync the device. - - Wait for 5–10 minutes for the status in the TechPass portal to change to 'Onboarded'. If it does not update, restart the Tanium service and wait again. - -4. **For Windows devices**: - - Click on **Run**, type `services.msc`, and find **Tanium Client**. Right-click and select **Restart**. - - Connect to your mobile personal hotspot. - - Go to **Access work or school**, click on the **Info** button next to your TechPass account, and then click **Sync**. - - Wait for 5–10 minutes for the status in the TechPass portal to change to 'Onboarded'. 
If it does not update, restart the Tanium service and wait again. - -If the issue persists after following these steps, please raise an [incident support request](https://go.gov.sg/seed-techpass-support). - + While enabling Full Disk Access (FDA), I cannot find Microsoft Defender Endpoint Security Extension. Can I proceed with onboarding? + Yes, continue with onboarding. It should appear within four hours. If not, [raise a service request](https://go.gov.sg/seed-techpass-support).
-
- While approving the management profiles, I get a message Profiles cannot be approved while using remote or automated input method. What should I do? - - To resolve this issue, upgrade to the [latest macOS version][upgrade-macos] and ensure your Mac device has sufficient available disk space before attempting to approve the management profiles. - + When enabling FileVault or FDA, I am unable to unlock Security & Privacy preferences using my current password. What should I do? + 1. Go to the **Apple** menu > **Lock Screen** or press **Command+Control+Q**. + 2. Enter your password. + 3. Follow the prompt to reset your password. +
-
+## 🛡️ CrowdStrike
- What should I do if my onboarding fails while registering my Intune Device ID on the TechPass portal? + Why is the Falcon sensor not registered, not operational, or not cloud connected? -As a prerequisite, ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal. - -![intune-device-id-errors-tp-portal](../images/intune-device-id-error-faq.png) - -| Reason for failed onboarding | Action required | -| ---|---| -| Unexpected Error| [Raise a service request](https://go.gov.sg/seed-techpass-support). | -| Software Misconfiguration Error | [Raise a service request](https://go.gov.sg/seed-techpass-support).| -| Endpoint Error |
1. Ensure the device you are onboarding to SEED has a stable internet connectivity until you see the **Onboarded** Status on the TechPass portal.
2. Go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support). | -| Software Installation Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support).| -| Internal Error | 1. Restart the device you are onboarding to SEED.
2. After 10-15 minutes, go to the [TechPass portal](https://portal.techpass.gov.sg/).
3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.
4. Go to the **SEED Devices** section and click **Retry**.
5. If the error persists, [Raise a service request](https://go.gov.sg/seed-techpass-support).| -| Device that is trying to onboard is a DWP device. Please onboard with a non-DWP device.| You cannot onboard a DWP device to SEED. You can onboard only an Internet Device to SEED. | + **macOS**: Ensure Falcon is turned on for Full Disk Access. + - Go to the Apple menu > System Settings. + - On the left pane, select Privacy & Security. + - If prompted, unlock the setting using your Touch ID or enter your device password. + - Check that Falcon is turned on for Full Disk Access.
+
+ Why is the Falcon sensor not pushed down to my device? - - - - - -[verify-defender-configuration]: post-onboarding-instructions/verify-microsoft-defender-is-configured-correctly-for-your-os -[raise-support-request]: https://go.gov.sg/seed-techpass-support -[upgrade-macos]: https://support.apple.com/downloads/macos + - Make sure you have the SEED License assigned to you in the [TechPass Portal](https://portal.techpass.gov.sg). + - **macOS**: Go to the Company Portal, click the three dots, and select **Check status** to sync the device. + - **Windows**: Go to **Access work or school**, click the **Info** button next to your TechPass account, and then click **Sync**. + - Restart your computer. + +
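Review bot: The three link reference definitions removed at the end of this file (`[verify-defender-configuration]`, `[raise-support-request]`, `[upgrade-macos]`) may still be used by questions outside this hunk; the only visible user, `[upgrade-macos]` in the "Profiles cannot be approved" answer, is removed in the same hunk, but any remaining `[text][upgrade-macos]` elsewhere in the file will now render as literal brackets, so grep the file before merging. Two smaller points: the new "Why is the Falcon sensor not registered, not operational, or not cloud connected?" answer only gives macOS steps, while its sibling "not pushed down" answer covers both macOS and Windows, so either add the Windows check or label the answer macOS-only; and since the whole Tanium failure FAQ ("Failed (Tanium not installed or configured incorrectly)" and the two other statuses) is dropped, confirm those statuses can no longer appear on the TechPass portal, otherwise readers lose the only restart instructions for them.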
diff --git a/faqs/password-faq.md b/faqs/password-faq.md index 5a355978..9a8ce36d 100644 --- a/faqs/password-faq.md +++ b/faqs/password-faq.md @@ -1,3 +1,5 @@ +# Password FAQ +
Do I need to change my SEED onboarding password after a year, and what are the password requirements for it? diff --git a/faqs/seed-faq-general.md b/faqs/seed-faq-general.md deleted file mode 100644 index 977c28ef..00000000 --- a/faqs/seed-faq-general.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [General FAQ](faqs/general-faq). diff --git a/faqs/seed-offboarding-faqs.md b/faqs/seed-offboarding-faqs.md deleted file mode 100644 index 47bad638..00000000 --- a/faqs/seed-offboarding-faqs.md +++ /dev/null @@ -1,2 +0,0 @@ -!> This documentation has moved to [Offboarding FAQ](offboarding-faq). - diff --git a/git-error-1750732178469 b/git-error-1750732178469 new file mode 100644 index 00000000..c355c8b1 --- /dev/null +++ b/git-error-1750732178469 @@ -0,0 +1,16 @@ +> git pull --tags origin new-ltsc +From https://github.com/GovTechSG/seed-documentation + * branch new-ltsc -> FETCH_HEAD +hint: You have divergent branches and need to specify how to reconcile them. +hint: You can do so by running one of the following commands sometime before +hint: your next pull: +hint: +hint: git config pull.rebase false # merge +hint: git config pull.rebase true # rebase +hint: git config pull.ff only # fast-forward only +hint: +hint: You can replace "git config" with "git config --global" to set a default +hint: preference for all repositories. You can also pass --rebase, --no-rebase, +hint: or --ff-only on the command line to override the configured default per +hint: invocation. +fatal: Need to specify how to reconcile divergent branches. diff --git a/identify-seed-onboarding-persona.md b/identify-seed-onboarding-persona.md deleted file mode 100644 index 16991975..00000000 --- a/identify-seed-onboarding-persona.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](/onboard-device/identify-onboarding-persona). 
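Review bot: `git-error-1750732178469` is a captured `git pull --tags origin new-ltsc` failure (the divergent-branches hint text) that was committed as a new 16-line file; it is not documentation and should be dropped from this commit, ideally with a `git-error-*` entry in `.gitignore` so the editor's error dumps are not picked up again. Separately, deleting the redirect stubs `faqs/seed-faq-general.md`, `faqs/seed-offboarding-faqs.md` and `identify-seed-onboarding-persona.md` removes the only thing keeping those old paths resolvable; confirm that no inbound links or bookmarks still point at them, or that the site now redirects them, before removing the stubs.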
diff --git a/images/checkos-mb.png b/images/checkos-mb.png new file mode 100644 index 00000000..8264419b Binary files /dev/null and b/images/checkos-mb.png differ diff --git a/images/checkos-win.png b/images/checkos-win.png new file mode 100644 index 00000000..b3f78b2b Binary files /dev/null and b/images/checkos-win.png differ diff --git a/images/checkos-win2.png b/images/checkos-win2.png new file mode 100644 index 00000000..b36efc94 Binary files /dev/null and b/images/checkos-win2.png differ diff --git a/images/checkos-win3.png b/images/checkos-win3.png new file mode 100644 index 00000000..a1ad9c50 Binary files /dev/null and b/images/checkos-win3.png differ diff --git a/images/checkos-win4.png b/images/checkos-win4.png new file mode 100644 index 00000000..005edad9 Binary files /dev/null and b/images/checkos-win4.png differ diff --git a/images/cs1.png b/images/cs1.png new file mode 100644 index 00000000..2a790c3e Binary files /dev/null and b/images/cs1.png differ diff --git a/images/cs2.png b/images/cs2.png new file mode 100644 index 00000000..7c74e68c Binary files /dev/null and b/images/cs2.png differ diff --git a/images/cs3.png b/images/cs3.png new file mode 100644 index 00000000..fc61ced0 Binary files /dev/null and b/images/cs3.png differ diff --git a/images/cs4.png b/images/cs4.png new file mode 100644 index 00000000..32f2db41 Binary files /dev/null and b/images/cs4.png differ diff --git a/images/defender-fix.png b/images/defender-fix.png new file mode 100644 index 00000000..6b32ab08 Binary files /dev/null and b/images/defender-fix.png differ diff --git a/images/device-cert1.png b/images/device-cert1.png new file mode 100644 index 00000000..725f0252 Binary files /dev/null and b/images/device-cert1.png differ diff --git a/images/device-cert2.png b/images/device-cert2.png new file mode 100644 index 00000000..fb43c024 Binary files /dev/null and b/images/device-cert2.png differ 
diff --git a/images/enclave-1.png b/images/enclave-1.png new file mode 100644 index 00000000..ac9bd55f Binary files /dev/null and b/images/enclave-1.png differ diff --git a/images/enclave-10.png b/images/enclave-10.png new file mode 100644 index 00000000..5bb47812 Binary files /dev/null and b/images/enclave-10.png differ diff --git a/images/enclave-11.png b/images/enclave-11.png new file mode 100644 index 00000000..519433af Binary files /dev/null and b/images/enclave-11.png differ diff --git a/images/enclave-12.png b/images/enclave-12.png new file mode 100644 index 00000000..24fc0c0e Binary files /dev/null and b/images/enclave-12.png differ diff --git a/images/enclave-13.png b/images/enclave-13.png new file mode 100644 index 00000000..2eb37f31 Binary files /dev/null and b/images/enclave-13.png differ diff --git a/images/enclave-2.png b/images/enclave-2.png new file mode 100644 index 00000000..499980bd Binary files /dev/null and b/images/enclave-2.png differ diff --git a/images/enclave-3.png b/images/enclave-3.png new file mode 100644 index 00000000..44c8f190 Binary files /dev/null and b/images/enclave-3.png differ diff --git a/images/enclave-4.png b/images/enclave-4.png new file mode 100644 index 00000000..0da16115 Binary files /dev/null and b/images/enclave-4.png differ diff --git a/images/enclave-5.png b/images/enclave-5.png new file mode 100644 index 00000000..34705993 Binary files /dev/null and b/images/enclave-5.png differ diff --git a/images/enclave-6.png b/images/enclave-6.png new file mode 100644 index 00000000..d16244bd Binary files /dev/null and b/images/enclave-6.png differ diff --git a/images/enclave-7.png b/images/enclave-7.png new file mode 100644 index 00000000..39ac155e Binary files /dev/null and b/images/enclave-7.png differ diff --git a/images/enclave-8.png b/images/enclave-8.png new file mode 100644 index 00000000..5cf1ed55 Binary files /dev/null and b/images/enclave-8.png differ 
diff --git a/images/enclave-9.png b/images/enclave-9.png new file mode 100644 index 00000000..0207a0e3 Binary files /dev/null and b/images/enclave-9.png differ diff --git a/images/epm/222.png b/images/epm/222.png new file mode 100644 index 00000000..2fdaed5d Binary files /dev/null and b/images/epm/222.png differ diff --git a/images/epm/mac-launch-elevated.png b/images/epm/mac-launch-elevated.png new file mode 100644 index 00000000..a4a3d5f4 Binary files /dev/null and b/images/epm/mac-launch-elevated.png differ diff --git a/images/epm/mac-request-admin.png b/images/epm/mac-request-admin.png new file mode 100644 index 00000000..49f5ff23 Binary files /dev/null and b/images/epm/mac-request-admin.png differ diff --git a/images/epm/macos-admin-privileges.png b/images/epm/macos-admin-privileges.png new file mode 100644 index 00000000..64cd2d05 Binary files /dev/null and b/images/epm/macos-admin-privileges.png differ diff --git a/images/epm/macos-application-blocked.png b/images/epm/macos-application-blocked.png new file mode 100644 index 00000000..fc44272b Binary files /dev/null and b/images/epm/macos-application-blocked.png differ diff --git a/images/epm/macos-elevate-trusted.png b/images/epm/macos-elevate-trusted.png new file mode 100644 index 00000000..1e9c1c55 Binary files /dev/null and b/images/epm/macos-elevate-trusted.png differ diff --git a/images/epm/macos-launch-elevated.png b/images/epm/macos-launch-elevated.png new file mode 100644 index 00000000..a4a3d5f4 Binary files /dev/null and b/images/epm/macos-launch-elevated.png differ diff --git a/images/epm/macos-request-admin.png b/images/epm/macos-request-admin.png new file mode 100644 index 00000000..49f5ff23 Binary files /dev/null and b/images/epm/macos-request-admin.png differ diff --git a/images/epm/macos-request-auth.png b/images/epm/macos-request-auth.png new file mode 100644 index 00000000..d6e5988a Binary files /dev/null and b/images/epm/macos-request-auth.png differ 
diff --git a/images/epm/macos-restricted-access.png b/images/epm/macos-restricted-access.png new file mode 100644 index 00000000..c5af732c Binary files /dev/null and b/images/epm/macos-restricted-access.png differ diff --git a/images/epm/macos-runs-admin.png b/images/epm/macos-runs-admin.png new file mode 100644 index 00000000..77a2a748 Binary files /dev/null and b/images/epm/macos-runs-admin.png differ diff --git a/images/epm/macos-temp-expiring.png b/images/epm/macos-temp-expiring.png new file mode 100644 index 00000000..9f7f069c Binary files /dev/null and b/images/epm/macos-temp-expiring.png differ diff --git a/images/epm/macos-temp-granted.png b/images/epm/macos-temp-granted.png new file mode 100644 index 00000000..73ac1cda Binary files /dev/null and b/images/epm/macos-temp-granted.png differ diff --git a/images/epm/windows-admin-privileges.png b/images/epm/windows-admin-privileges.png new file mode 100644 index 00000000..d25e8f46 Binary files /dev/null and b/images/epm/windows-admin-privileges.png differ diff --git a/images/epm/windows-application-blocked.png b/images/epm/windows-application-blocked.png new file mode 100644 index 00000000..6822bbd2 Binary files /dev/null and b/images/epm/windows-application-blocked.png differ diff --git a/images/epm/windows-audit-video-error.png b/images/epm/windows-audit-video-error.png new file mode 100644 index 00000000..be6bd355 Binary files /dev/null and b/images/epm/windows-audit-video-error.png differ diff --git a/images/epm/windows-audit-video.png b/images/epm/windows-audit-video.png new file mode 100644 index 00000000..c3d68e2e Binary files /dev/null and b/images/epm/windows-audit-video.png differ diff --git a/images/epm/windows-auth-code.png b/images/epm/windows-auth-code.png new file mode 100644 index 00000000..927a81ad Binary files /dev/null and b/images/epm/windows-auth-code.png differ 
diff --git a/images/epm/windows-elevate-trusted.png b/images/epm/windows-elevate-trusted.png new file mode 100644 index 00000000..9eae67a0 Binary files /dev/null and b/images/epm/windows-elevate-trusted.png differ diff --git a/images/epm/windows-kill-blocked.png b/images/epm/windows-kill-blocked.png new file mode 100644 index 00000000..1d427005 Binary files /dev/null and b/images/epm/windows-kill-blocked.png differ diff --git a/images/epm/windows-launch-alert.png b/images/epm/windows-launch-alert.png new file mode 100644 index 00000000..ad7f1c07 Binary files /dev/null and b/images/epm/windows-launch-alert.png differ diff --git a/images/epm/windows-launch-elevated.png b/images/epm/windows-launch-elevated.png new file mode 100644 index 00000000..05dd7eed Binary files /dev/null and b/images/epm/windows-launch-elevated.png differ diff --git a/images/epm/windows-request-admin.png b/images/epm/windows-request-admin.png new file mode 100644 index 00000000..4aba2c9d Binary files /dev/null and b/images/epm/windows-request-admin.png differ diff --git a/images/epm/windows-request-auth.png b/images/epm/windows-request-auth.png new file mode 100644 index 00000000..52c28e6b Binary files /dev/null and b/images/epm/windows-request-auth.png differ diff --git a/images/epm/windows-restricted-access.png b/images/epm/windows-restricted-access.png new file mode 100644 index 00000000..61fe63ff Binary files /dev/null and b/images/epm/windows-restricted-access.png differ diff --git a/images/epm/windows-runs-admin.png b/images/epm/windows-runs-admin.png new file mode 100644 index 00000000..cf3a0c3c Binary files /dev/null and b/images/epm/windows-runs-admin.png differ diff --git a/images/epm/windows-temp-expiring.png b/images/epm/windows-temp-expiring.png new file mode 100644 index 00000000..13ad9574 Binary files /dev/null and b/images/epm/windows-temp-expiring.png differ 
diff --git a/images/epm/windows-temp-granted.png b/images/epm/windows-temp-granted.png new file mode 100644 index 00000000..ee14fa83 Binary files /dev/null and b/images/epm/windows-temp-granted.png differ diff --git a/images/epm/winsows-audit-video-initialization.png b/images/epm/winsows-audit-video-initialization.png new file mode 100644 index 00000000..0b1fa57e Binary files /dev/null and b/images/epm/winsows-audit-video-initialization.png differ diff --git a/images/impact.png b/images/impact.png new file mode 100644 index 00000000..0cbf8a02 Binary files /dev/null and b/images/impact.png differ diff --git a/images/limited-connectivity.png b/images/limited-connectivity.png new file mode 100644 index 00000000..d2772927 Binary files /dev/null and b/images/limited-connectivity.png differ diff --git a/images/macosimage-1.png b/images/macosimage-1.png new file mode 100644 index 00000000..665fe349 Binary files /dev/null and b/images/macosimage-1.png differ diff --git a/images/macosimage-2.png b/images/macosimage-2.png new file mode 100644 index 00000000..414b85c7 Binary files /dev/null and b/images/macosimage-2.png differ diff --git a/images/macosimage-3.png b/images/macosimage-3.png new file mode 100644 index 00000000..48e4a5e8 Binary files /dev/null and b/images/macosimage-3.png differ diff --git a/images/onboarding-image.png b/images/onboarding-image.png new file mode 100644 index 00000000..89bdb4b4 Binary files /dev/null and b/images/onboarding-image.png differ diff --git a/images/orange-wrap.png b/images/orange-wrap.png new file mode 100644 index 00000000..ac92c6aa Binary files /dev/null and b/images/orange-wrap.png differ diff --git a/images/r0.png b/images/r0.png new file mode 100644 index 00000000..a8ab0d20 Binary files /dev/null and b/images/r0.png differ diff --git a/images/r1.png b/images/r1.png new file mode 100644 index 00000000..0ddd9e87 Binary files /dev/null and b/images/r1.png differ 
diff --git a/images/r10.png b/images/r10.png new file mode 100644 index 00000000..fcb492d7 Binary files /dev/null and b/images/r10.png differ diff --git a/images/r11.png b/images/r11.png new file mode 100644 index 00000000..70588ce6 Binary files /dev/null and b/images/r11.png differ diff --git a/images/r12.png b/images/r12.png new file mode 100644 index 00000000..55688d48 Binary files /dev/null and b/images/r12.png differ diff --git a/images/r2.png b/images/r2.png new file mode 100644 index 00000000..974831a2 Binary files /dev/null and b/images/r2.png differ diff --git a/images/r3.png b/images/r3.png new file mode 100644 index 00000000..46290290 Binary files /dev/null and b/images/r3.png differ diff --git a/images/r4.png b/images/r4.png new file mode 100644 index 00000000..f79740a6 Binary files /dev/null and b/images/r4.png differ diff --git a/images/r5.png b/images/r5.png new file mode 100644 index 00000000..7f4f148e Binary files /dev/null and b/images/r5.png differ diff --git a/images/r6.png b/images/r6.png new file mode 100644 index 00000000..b00ff6ba Binary files /dev/null and b/images/r6.png differ diff --git a/images/r7.png b/images/r7.png new file mode 100644 index 00000000..89e6510a Binary files /dev/null and b/images/r7.png differ diff --git a/images/r8.png b/images/r8.png new file mode 100644 index 00000000..c9e94b9e Binary files /dev/null and b/images/r8.png differ diff --git a/images/r9.png b/images/r9.png new file mode 100644 index 00000000..dd15dd83 Binary files /dev/null and b/images/r9.png differ diff --git a/images/seed-dashboard/blocked1.png b/images/seed-dashboard/blocked1.png new file mode 100644 index 00000000..acbf8ec8 Binary files /dev/null and b/images/seed-dashboard/blocked1.png differ diff --git a/images/seed-dashboard/blocked2.png b/images/seed-dashboard/blocked2.png new file mode 100644 index 00000000..f85c8dd3 Binary files /dev/null and b/images/seed-dashboard/blocked2.png differ 
diff --git a/images/seed-dashboard/warning-os1.png b/images/seed-dashboard/warning-os1.png new file mode 100644 index 00000000..25e763a9 Binary files /dev/null and b/images/seed-dashboard/warning-os1.png differ diff --git a/images/seed-dashboard/warning-os2.png b/images/seed-dashboard/warning-os2.png new file mode 100644 index 00000000..4e00b2e9 Binary files /dev/null and b/images/seed-dashboard/warning-os2.png differ diff --git a/images/seed-plus/poc-approval/access-request-list.png b/images/seed-plus/poc-approval/access-request-list.png new file mode 100644 index 00000000..4f121347 Binary files /dev/null and b/images/seed-plus/poc-approval/access-request-list.png differ diff --git a/images/seed-plus/poc-approval/cyberark-login.png b/images/seed-plus/poc-approval/cyberark-login.png new file mode 100644 index 00000000..8fa36182 Binary files /dev/null and b/images/seed-plus/poc-approval/cyberark-login.png differ diff --git a/images/seed-plus/poc-approval/email-notification.png b/images/seed-plus/poc-approval/email-notification.png new file mode 100644 index 00000000..16fa7cdc Binary files /dev/null and b/images/seed-plus/poc-approval/email-notification.png differ diff --git a/images/seed-plus/poc-approval/jit-email.png b/images/seed-plus/poc-approval/jit-email.png new file mode 100644 index 00000000..9441af8f Binary files /dev/null and b/images/seed-plus/poc-approval/jit-email.png differ diff --git a/images/seed-plus/poc-approval/jit-filters.png b/images/seed-plus/poc-approval/jit-filters.png new file mode 100644 index 00000000..4f121347 Binary files /dev/null and b/images/seed-plus/poc-approval/jit-filters.png differ diff --git a/images/seed-plus/poc-approval/jit-justification.png b/images/seed-plus/poc-approval/jit-justification.png new file mode 100644 index 00000000..48ff3768 Binary files /dev/null and b/images/seed-plus/poc-approval/jit-justification.png differ 
diff --git a/images/seed-plus/poc-approval/jit-notification.png b/images/seed-plus/poc-approval/jit-notification.png new file mode 100644 index 00000000..4739e39c Binary files /dev/null and b/images/seed-plus/poc-approval/jit-notification.png differ diff --git a/images/seed-plus/poc-approval/jit-policy-confirm.png b/images/seed-plus/poc-approval/jit-policy-confirm.png new file mode 100644 index 00000000..c5f7412f Binary files /dev/null and b/images/seed-plus/poc-approval/jit-policy-confirm.png differ diff --git a/images/seed-plus/poc-approval/jit-policy.png b/images/seed-plus/poc-approval/jit-policy.png new file mode 100644 index 00000000..f240c9f8 Binary files /dev/null and b/images/seed-plus/poc-approval/jit-policy.png differ diff --git a/images/seed-plus/poc-approval/jit8.png b/images/seed-plus/poc-approval/jit8.png new file mode 100644 index 00000000..dd05a3e8 Binary files /dev/null and b/images/seed-plus/poc-approval/jit8.png differ diff --git a/images/seed-plus/poc-approval/request-sheet.png b/images/seed-plus/poc-approval/request-sheet.png new file mode 100644 index 00000000..81150001 Binary files /dev/null and b/images/seed-plus/poc-approval/request-sheet.png differ diff --git a/images/seed-plus/poc-approval/software-install-step1.png b/images/seed-plus/poc-approval/software-install-step1.png new file mode 100644 index 00000000..ec1416af Binary files /dev/null and b/images/seed-plus/poc-approval/software-install-step1.png differ diff --git a/images/seed-plus/poc-approval/software-install-step2.png b/images/seed-plus/poc-approval/software-install-step2.png new file mode 100644 index 00000000..64200b15 Binary files /dev/null and b/images/seed-plus/poc-approval/software-install-step2.png differ diff --git a/images/seed-plus/poc-approval/sudo-htop-step1.png b/images/seed-plus/poc-approval/sudo-htop-step1.png new file mode 100644 index 00000000..e89bdc6e Binary files /dev/null and b/images/seed-plus/poc-approval/sudo-htop-step1.png differ 
diff --git a/images/seed-plus/poc-approval/sudo-htop-step2.png b/images/seed-plus/poc-approval/sudo-htop-step2.png new file mode 100644 index 00000000..91346af0 Binary files /dev/null and b/images/seed-plus/poc-approval/sudo-htop-step2.png differ diff --git a/images/seed-plus/poc-approval/temp-elevation.png b/images/seed-plus/poc-approval/temp-elevation.png new file mode 100644 index 00000000..0e5b9d01 Binary files /dev/null and b/images/seed-plus/poc-approval/temp-elevation.png differ diff --git a/images/seed-plus/poc-approval/temp-user-granted.png b/images/seed-plus/poc-approval/temp-user-granted.png new file mode 100644 index 00000000..837afa4f Binary files /dev/null and b/images/seed-plus/poc-approval/temp-user-granted.png differ diff --git a/images/why-do-we-need-seed.png b/images/why-do-we-need-seed.png index a3f90c4a..dbc13c6b 100644 Binary files a/images/why-do-we-need-seed.png and b/images/why-do-we-need-seed.png differ diff --git a/images/winimage-4.png b/images/winimage-4.png new file mode 100644 index 00000000..308450ab Binary files /dev/null and b/images/winimage-4.png differ diff --git a/images/winimage-5.png b/images/winimage-5.png new file mode 100644 index 00000000..5b3cf004 Binary files /dev/null and b/images/winimage-5.png differ diff --git a/known-issues.md b/known-issues.md deleted file mode 100644 index 55f9acf1..00000000 --- a/known-issues.md +++ /dev/null @@ -1,11 +0,0 @@ -!> This documentation is obsolute. Refer to [Troubleshooting issues](/support/troubleshooting-issues.md). - - - - - - - - - - diff --git a/offboard-device/mac-os-using-script.md b/offboard-device/mac-os-using-script.md deleted file mode 100644 index 8b5fb715..00000000 --- a/offboard-device/mac-os-using-script.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [macOS offboarding guide](mac-os-offboarding-guide). \ No newline at end of file diff --git a/onboard-device/mac-os.md b/onboard-device/mac-os.md deleted file mode 100644 index c258af1d..00000000 
--- a/onboard-device/mac-os.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](/onboard-device/identify-onboarding-persona). \ No newline at end of file diff --git a/onboard-device/macos-vendor-onboarding.md b/onboard-device/macos-vendor-onboarding.md deleted file mode 100644 index 3871f27b..00000000 --- a/onboard-device/macos-vendor-onboarding.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona). \ No newline at end of file diff --git a/onboard-device/onboard-device-to-seed.md b/onboard-device/onboard-device-to-seed.md deleted file mode 100644 index c258af1d..00000000 --- a/onboard-device/onboard-device-to-seed.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](/onboard-device/identify-onboarding-persona). \ No newline at end of file diff --git a/onboard-device/public-officer.md b/onboard-device/public-officer.md index 4c538b6d..9d035480 100644 --- a/onboard-device/public-officer.md +++ b/onboard-device/public-officer.md @@ -74,7 +74,7 @@ echo "$actual_id" ``` 2. Record the Intune Device ID displayed in the Terminal window. -3. For **non-SE GSIB devices**: Log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). +3. For **non-SE GSIB?/COMET devices**: Log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). For **SE GSIB** devices: [raise a service request](https://go.gov.sg/seed-techpass-support) to register your Intune Device ID and skip the remaining steps. An email confirming successful onboarding will be sent to you within two hours. 
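Review bot: The `+` line in the `@@ -74,7 +74,7 @@` hunk of `onboard-device/public-officer.md` reads `non-SE GSIB?/COMET devices`, with a stray `?`; it should match the `non-SE GSIB/COMET` wording used in the other renamed occurrences in this file.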
@@ -115,10 +115,10 @@ echo "$actual_id" | Status | Description | Action required | |---| ---| ---| -| **Triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

2. At the top right, select your user name and click **My Account**. Your profile details are displayed.

3. Navigate to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **Software installed, waiting for backend onboarding (step 2 of 2)**.| -| **Software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device,access the [TechPass portal](https://portal.techpass.gov.sg/).

2. At the top right, select your user name and click **My Account**. Your profile details are displayed.

3. Navigate to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status will change to **Onboarded**. | +| **Triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB/COMET device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

2. At the top right, select your user name and click **My Account**. Your profile details are displayed.

3. Navigate to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **Software installed, waiting for backend onboarding (step 2 of 2)**.| +| **Software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB/COMET device,access the [TechPass portal](https://portal.techpass.gov.sg/).

2. At the top right, select your user name and click **My Account**. Your profile details are displayed.

3. Navigate to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status will change to **Onboarded**. | | **Onboarded** | Your SEED onboarding is successful. | Proceed to step 10 in this section. | -| **Failed** **(*Reason for failure*)** | Your SEED onboarding has failed due to the error displayed. | 1. On your non-SE GSIB device, access the [TechPass portal](https://portal.techpass.gov.sg/).

2. At the top right, select your user name and click **My Account**. Your profile details are displayed.

3. Navigate to the **SEED Devices** section. The action required to resolve this failure is mentioned in the parentheses.

4. Complete the suggested action. | +| **Failed** **(*Reason for failure*)** | Your SEED onboarding has failed due to the error displayed. | 1. On your non-SE GSIB/COMET device, access the [TechPass portal](https://portal.techpass.gov.sg/).

2. At the top right, select your user name and click **My Account**. Your profile details are displayed.

3. Navigate to the **SEED Devices** section. The action required to resolve this failure is mentioned in the parentheses.

4. Complete the suggested action. | 10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. @@ -166,7 +166,24 @@ Based on your Windows settings, you may be prompted to restart or reset your pas -### Step 1: Set up Microsoft Intune +### Step 1: Create your personal local administrator account + +
+ Create your personal local administrator account.
+ + > **Note**: Do not use the default administrator account for onboarding. + + +1. Search for **Computer Management**. +2. Navigate to **Local Users and Groups**, and click on **Users**. +3. Click **New User**. +4. Fill in **User Name**, **Password**, and **Confirm Password**. Ensure that **User must change password at next logon** is unchecked. Once done, click **Create**. +5. Double-click on the user you created and add the user as a member of the **Administrators** group. + +
+ + +### Step 2: Set up Microsoft Intune
Set up Microsoft Intune to get the required applications and device configurations.
@@ -192,7 +209,7 @@ Based on your Windows settings, you may be prompted to restart or reset your pas
-### Step 2: Register Microsoft Intune Device ID +### Step 3: Register Microsoft Intune Device ID
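Review bot: The new "Step 1: Create your personal local administrator account" section adds the account to the **Administrators** group but never tells the reader to sign out and sign in with that account before "Step 2: Set up Microsoft Intune", and the Note ("Do not use the default administrator account for onboarding") gives neither the reason nor what to do with the default account afterwards; add the sign-in step and one sentence on why the built-in account must not be used. Since this renumbers the former Step 1 and Step 2 to Step 2 and Step 3, check that no other page links to the old "Step 1: Set up Microsoft Intune" or "Step 2: Register Microsoft Intune Device ID" anchors. Minor: in the `@@ -115,10 +115,10 @@` table, the rewritten "Software installed, waiting for backend onboarding" row carries over `device,access` from the old line; add the missing space while the line is being touched.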
@@ -221,7 +238,7 @@ Write-Output $intune_id a. If you only have a **SE GSIB** device, [raise a service request](https://go.gov.sg/seed-techpass-support) to register your Intune Device ID and skip rest of the steps. Within two hours, you should receive the successfully onboarded email. - b. If you have a **non-SE GSIB** device, log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). + b. If you have a **non-SE GSIB/COMET** device, log in to the [TechPass portal](https://portal.techpass.gov.sg/secure/account/profile). 4. On the TechPass portal, at the top right, go to your user name and click **My Account**. Your **Profile** details are displayed. 5. Click **Onboard device to SEED** and follow the on-screen instructions to submit this Intune Device ID. @@ -257,10 +274,10 @@ Write-Output $intune_id | Status | Description | Action required | |---| ---| ---| -| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.

4. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| -| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.

4. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | +| **triggered, waiting for software installation (step 1 of 2)**| Your SEED onboarding has been triggered on the device and is waiting for the software installation to be completed. | 1. On your non-SE GSIB/COMET device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.

4. Go to the **SEED Devices** section and click the refresh icon. If the software installation is successful, the status changes to **software installed, waiting for backend onboarding (step 2 of 2)**.| +| **software installed, waiting for backend onboarding (step 2 of 2)**| Required software has been installed on the device and waiting for backend onboarding. | 1. On your non-SE GSIB/COMT device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.

4. Go to the **SEED Devices** section and click the refresh icon. If the backend onboarding is successful, the status changes to **onboarded**. | | **onboarded** | Your SEED onboarding is successful. | Go to step 10 in this section. | -| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE GSIB device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.

4. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.

5. Complete the suggested action. | +| **failed(*Reason for failure*)** | Your SEED onboarding failed due to the error mentioned within the parentheses. | 1. On your non-SE /COMET device, go to the [TechPass portal](https://portal.techpass.gov.sg/).

3. At the top right, go to your user name and click **My Account**. Your profile details are displayed.

4. Go to the **SEED Devices** section. Action required to resolve this failure is generally mentioned in the parentheses.

5. Complete the suggested action. | 10. Check your inbox (organisational email address) to see if you have received the successfully onboarded email. @@ -271,7 +288,7 @@ Write-Output $intune_id
-### Step 3: Verify installation +### Step 4: Verify installation
Verify the installation.
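Review bot: the rewritten `+` rows of the status table in the `@@ -257,10 +274,10 @@` hunk spell the device type three different ways: **non-SE GSIB/COMET** in the step-1-of-2 row, **non-SE GSIB/COMT** in the step-2-of-2 row, and **non-SE /COMET** (GSIB dropped) in the **failed** row; all three should match the **non-SE GSIB/COMET** wording used in step 3b in the preceding hunk. The action column of every row also jumps from `1. On your ... device, go to the TechPass portal` straight to `3. At the top right ...`, so either a step 2 was lost or the lists need renumbering; since these rows are being touched anyway, fix that here too.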
diff --git a/onboard-device/seed-prerequisites.md b/onboard-device/seed-prerequisites.md index 924fb9c0..ecc72890 100644 --- a/onboard-device/seed-prerequisites.md +++ b/onboard-device/seed-prerequisites.md @@ -2,7 +2,12 @@ Before you begin the process of onboarding your Internet Device to SEED, you need meet the necessary prerequisites. These prerequisites are vital for a successful onboarding experience. -## Supported browsers and OS +![onboarding](../images/onboarding-image.png) + +> **Note**: Each user can onboard **only one device** to SEED. + + +## Supported browsers and operating systems Supported browsers: @@ -11,14 +16,70 @@ Supported browsers: - Mozilla Firefox. If you are using Mozilla Firefox, you need to [configure Firefox to trust the root certificate store of your system](https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox). - Safari -Supported OS: +Supported operating system: + +!> **Important** +Windows 10 will reach end of life on **14 October 2025**. +Access to SGTS and GCC will be blocked from **15 October 2025**. +Onboarding of Windows 10 devices will stop from **19 September 2025**. + +| **Operating system** | **Version supported** | +|---|---| +| **macOS 26** | 26.0.0 | +| **macOS 15** | 15.6.1
**Note**: If you encounter issues accessing SGTS or GCC services after the update, please ensure that [FDA is enabled](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/post-onboarding-instructions/macos-latest?id=ensure-full-disk-access-fda-is-enabled-for-seed-components) and reboot your device.
Do **not** install unsupported versions of macOS unless explicitly communicated via email by the SEED team.| +| **macOS 14** | 14.7.8 | +| **macOS 13** | 13.7.8 | +| **Windows 10** | 1507 (LTSC only, build 10240, minimally revision 21128)
1607 (LTSC only, build 14393, minimally revision 8442)
1809 (LTSC only, build 17763, minimally revision 7792)
21H2 (LTSC only, build 19044, minimally revision 6332)
22H2 (build 19045, minimally revision 6332) | +| **Windows 11** | 22H2 (build 22621, minimally revision 5909)
23H2 (build 22631, minimally revision 5909)
24H2 (build 26100, minimally revision 6584)
25H2 (build 26200, minimally revision 6584) | + -- macOS 13, 14 and 15 -- Windows 10 and 11 (Pro and Enterprise) > **Note**: > Admin privilege is required to onboard to SEED. +## How to check your operating system version + +
+ macOS + +1. Open Spotlight using **Cmd + Space** +2. Search for **About this mac.app** +3. Look for the line that says **macOS** (as highlighted below). This will show your macOS version. + + ![macOS](/images/checkos-mb.png) +
+ +
+ Windows + +1. Click on the **Start** icon and select **Settings** + ![Windows Start](/images/checkos-win.png) +2. Open **System Settings** + ![Windows System Settings](/images/checkos-win2.png) +3. Select **System** + ![Windows System Page](/images/checkos-win3.png) +4. Under **Windows Specifications**, look at: + - **Edition** – Ensure it is **Windows 10/11** and either **Enterprise** or **Pro** edition + - **OS Build** – Check the **build number** and **revision number**. The build number must be valid, and the revision number should be **greater than or equal** to the required version. + + **Example:** + If the build number is **19045**, your revision number should be at least **5487**. If your build number is not listed in the table of valid builds, update your device or change to a supported version. + + ![Windows OS Build](/images/checkos-win4.png) +
+ +## SEED hardware minimum specifications + +Hardware must meet the minimum requirements for the supported SEED operating systems and software. + +For detailed OS hardware requirements, refer to: +- [macOS Sequoia (macOS 15)](https://support.apple.com/en-us/HT213939) +- [macOS Sonoma (macOS 14)](https://support.apple.com/en-us/HT213264) +- [macOS Ventura (macOS 13)](https://support.apple.com/en-us/HT213268) +- [Windows 10 minimum requirements](https://learn.microsoft.com/en-us/windows-hardware/design/minimum/minimum-hardware-requirements-overview) +- [Windows 11 minimum requirements](https://learn.microsoft.com/en-us/windows-hardware/design/minimum/minimum-hardware-requirements-overview) + + ## Request SEED provisioning You can request SEED provisioning through one of the following methods: diff --git a/onboard-device/vendor.md b/onboard-device/vendor.md index 6ff4cf9e..3b048be4 100644 --- a/onboard-device/vendor.md +++ b/onboard-device/vendor.md @@ -73,51 +73,63 @@ Based on your Windows settings, you may be prompted to restart or reset your pas -### Step 1: Set up Microsoft Intune +### Step 1: Create your personal local administrator account +
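Review bot: the worked example in the new "How to check your operating system version" section contradicts the table it tells the reader to check: it says "If the build number is **19045**, your revision number should be at least **5487**", while the supported-version table added in the same hunk lists 22H2 (build 19045) as "minimally revision 6332". Use the table's value (6332) or make the example refer to the table rather than hard-coding a number. Two smaller points in the same hunk: the "SEED hardware minimum specifications" list links only macOS 15, 14 and 13 although the table now lists macOS 26 as supported, and the Windows 10 and Windows 11 bullets point at the same URL, so one of them is redundant or wrong. The heading "Supported operating system:" is also singular above a table of several systems, and the unchanged context line "you need meet the necessary prerequisites" could be fixed to "you need to meet" while the file is being edited.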
- Set up Microsoft Intune to get the required applications and device configurations.
+ Create your personal local administrator account.
+ + > **Note**: Do not use the default administrator account for onboarding. + + +1. Search for **Computer Management**. +2. Navigate to **Local Users and Groups**, and click on **Users**. +3. Click **New User**. +4. Fill in **User Name**, **Password**, and **Confirm Password**. Ensure that **User must change password at next logon** is unchecked. Once done, click **Create**. +5. Double-click on the user you created and add the user as a member of the **Administrators** group. + +
+ -1. Click **Start** icon on the taskbar. +### Step 2: Set up Microsoft Intune -2. Go to **Settings** > **Accounts** > **Access work or school** and click **Connect** to add your TechPass account. +
+ Set up Microsoft Intune to get the required applications and device configurations.
+ +1. Click the **Start** icon on the taskbar. +2. Go to **Settings** > **Accounts** > **Access work or school**, and click **Connect** to add your TechPass account. - ![access-work-or-school](../images/onboarding-instructions-for-windows/access-work-or-school.png) + ![access-work-or-school](../images/onboarding-instructions-for-windows/access-work-or-school.png) -3. Approve your TechPass login using the authenticator app that was used to set up TechPass MFA. +3. Approve your TechPass login using the authenticator app used to set up TechPass MFA. - ![techpass-sign-in](../images/onboarding-instructions-for-windows/techpass-sign-in.png) + ![techpass-sign-in](../images/onboarding-instructions-for-windows/techpass-sign-in.png) - Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. + Your account is added and listed as a connection. This account has **Info** and **Disconnect** options as shown below. - ![info-disconnect](../images/onboarding-instructions-for-windows/info-disconnect.png) + ![info-disconnect](../images/onboarding-instructions-for-windows/info-disconnect.png) 4. Select the **Info** option and verify that a similar result to the following is displayed. You will see **TechPass** instead of **SG Govt M365**. - ![managed-by-tp](../images/onboarding-instructions-for-windows/managed-by-tp.png) + ![managed-by-tp](../images/onboarding-instructions-for-windows/managed-by-tp.png)
-### Step 2: Verify installation +### Step 3: Verify installation
Verify the installation.
-1. Go to the Internet Device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. -2. Ensure that Cloudflare WARP and Tanium are listed. +1. Go to the Internet device onboarded to SEED, open **Settings** > **Apps** > **Apps & features**. +2. Ensure that **Cloudflare WARP** and **Tanium** are listed. - ![cloudflare](../images/onboarding-instructions-for-windows/cloudflare.png) + ![cloudflare](../images/onboarding-instructions-for-windows/cloudflare.png) - ![tanium](../images/onboarding-instructions-for-windows/tanium.png) + ![tanium](../images/onboarding-instructions-for-windows/tanium.png) - You will receive a desktop notification that your device will be renamed according to our standard convention, followed by an automatic restart in 5 minutes. Please save your work to avoid data loss. You can also manually restart your device after the notification for a quicker update. Keep in mind that this naming convention is necessary for administrative purposes, so avoid renaming your device afterward. + You will receive a desktop notification that your device will be renamed according to our standard convention, followed by an automatic restart in 5 minutes. Please save your work to avoid data loss. You can also manually restart your device after the notification for a quicker update. Keep in mind that this naming convention is necessary for administrative purposes, so avoid renaming your device afterward.
- - - - - diff --git a/onboard-device/windows-vendor-onboarding.md b/onboard-device/windows-vendor-onboarding.md deleted file mode 100644 index 3871f27b..00000000 --- a/onboard-device/windows-vendor-onboarding.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona). \ No newline at end of file diff --git a/onboard-device/windows.md b/onboard-device/windows.md deleted file mode 100644 index 3871f27b..00000000 --- a/onboard-device/windows.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](identify-onboarding-persona). \ No newline at end of file diff --git a/organisation-ids-and-mapping.md b/organisation-ids-and-mapping.md deleted file mode 100644 index 470d5b17..00000000 --- a/organisation-ids-and-mapping.md +++ /dev/null @@ -1,40 +0,0 @@ - - diff --git a/overview.md b/overview.md index dd9824b4..f4a2a603 100644 --- a/overview.md +++ b/overview.md @@ -1,11 +1,35 @@ # SEED overview -## What is SEED? +SEED and SEED+ are security solutions for managing and protecting engineering endpoint devices used in government projects. This page explains what SEED and SEED+ are, how they work, and what users can expect during and after onboarding. -**Security Suite for Engineering Endpoint Devices (SEED)** is the Singapore Government's implementation of Identity and Access Management (IAM) and Zero Trust framework. It aims to protect the Government's engineering resources, such as Government on Commercial Cloud (GCC) and the Singapore Government Tech Stack (SGTS), against unauthorised access. +--- + +## SEED vs SEED+: At a glance + +| Feature | **SEED** | **SEED+** | +|---|---|---| +| Who it is for | Users working in Singapore on government engineering systems | Users working outside Singapore for government projects.
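Review bot: Step 1 ("Create your personal local administrator account") tells the reader not to use the default administrator account but never says why, nor what happens to the new account after onboarding. The overview change in this same commit says the vendor flow is SEED+, where "Admin rights" are "Removed (CyberArk used for elevation)" and "All `sudo` or install-level actions must be approved via elevation requests"; the step should state whether this account keeps local admin only until Intune enrolment completes and is then demoted by CyberArk EPM, or the reader will assume they keep a standing admin account. Step 4's instruction to uncheck "User must change password at next logon" should also point at the password policy the FAQ references elsewhere, otherwise nothing in this page constrains the password chosen for an Administrators-group member. Finally, Step 3 ("Verify installation") still checks only **Cloudflare WARP** and **Tanium**, while the post-onboarding pages in this commit add a "Verify CrowdStrike is configured" section and the release notes record CrowdStrike being deployed to all SEED users; consider adding the Falcon sensor to the list here as well.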

**Note**: SEED+ applies to users from fully qualified offshore development centres (ODCs) or those approved by their POC. New users will receive an email invitation to onboard to SEED. Both new SEED+ users and existing users can refer to the [SEED+ section of this documentation](#what-is-seed-1) for more details. | +| Device types | macOS and Windows | macOS and Windows | +| Admin rights | Retained by user | Removed (CyberArk used for elevation) | +| USB storage blocking | No | Yes (storage only) | +| Network access | No Always-On Cloudflare WARP | Always-on Cloudflare WARP | +| DNS configuration | No Preset DNS | Preset Cloudflare DNS (1.1.1.1, 1.0.0.1) | +| Onboarding flow | [Standard SEED onboarding](/onboard-device/identify-onboarding-persona.md) | [Standard SEED onboarding](/onboard-device/identify-onboarding-persona.md)| + +> **Know which one applies to you?** +> - [Go to SEED → What is SEED](#what-is-seed) +> - [Go to SEED+ → What is SEED+](#what-is-seed-1) + +--- + +## What is SEED + +**Security Suite for Engineering Endpoint Devices (SEED)** is the Singapore Government's implementation of Identity and Access Management (IAM) and Zero Trust framework. It aims to protect the Government's engineering resources, such as Government on Commercial Cloud (GCC) and the Singapore Government Tech Stack (SGTS), against unauthorised access. Zero Trust replaces traditional Virtual Private Network (VPN) connections and network-based security policies with a standardised central identity provider. This enforces access policies, ensuring that only authorised users with devices compliant with device postures gain access. +--- + ## Why do we need SEED? ![why-do-we-need-seed](images/why-do-we-need-seed.png) 
@@ -15,6 +39,8 @@ Zero Trust replaces traditional Virtual Private Network (VPN) connections and ne - Detects if the endpoint’s operating system version and security patches are up to date. - Prevents access to the resources of GCC and the SGTS services if the above requirements are not satisfied. +--- + ## How does SEED work? ![how-does-seed-work](images/how-does-seed-work.png) 
@@ -25,21 +51,76 @@ SEED comprises three key components: - Cloudflare - SEED Dashboard +--- + ## What can SEED do on my device? | SEED capabilities | Supported | -| ----------------------------------------------------------- | :-------: | -| View device information such as model number and OS version | ✔️ | -| View the names of installed applications | ✔️ | -| Identify your device by name | ✔️ | -| Reset a lost or stolen device to factory settings | ✔️ | -| View browsing history | ❌ | -| Access emails, contacts, and calendar | ❌ | -| Access documents | ❌ | +|----------------------------------------------|:---------:| +| View device information such as model number and OS version | ✔️ | +| View the names of installed applications | ✔️ | +| Identify your device by name | ✔️ | +| Reset a lost or stolen device to factory settings | ✔️ | +| View browsing history | ❌ | +| Access emails, contacts, and calendar | ❌ | +| Access documents | ❌ | + + +### Next steps for SEED users + +If SEED applies to you, you can proceed directly with onboarding. +Go to the **Onboard to SEED** section in the sidebar. + + +## What is SEED+ + +**SEED+** extends SEED to provide additional security for offshore development centres (ODCs) — users working outside Singapore on government projects. + +### Who is SEED+ for + +SEED+ is intended for: + +- Users working outside Singapore on projects sponsored by Singapore Government agencies +- macOS or Windows devices +- Users with an active TechPass account +- Users onboarded with POC approval + +> A POC (point-of-contact) is a designated officer from the sponsoring agency who is responsible for approving your onboarding and access requests. + + + +### What SEED+ includes + +SEED+ uses the same baseline protection as SEED, with additional controls for offshore use: + +- **CyberArk Endpoint Privilege Manager (EPM)** + Removes administrative rights and requires POC approval for elevated access. 
+ +- **USB storage blocking** + Blocks storage devices only. Peripherals like mouse and keyboard are allowed. + +- **Cloudflare WARP** + Always stays on and connected. + +- **DNS IP address preset** + Cloudflare DNS: `1.1.1.1` and `1.0.0.1` + + +### What to expect + +- You will not have superuser access. All `sudo` or install-level actions must be approved via elevation requests. +- Elevation requests will be routed to your POC for approval. +- Devices that are idle for more than 30 days may be offboarded automatically. + +### Next steps for SEED+ users +If SEED+ applies to you, follow the [Onboard as a vendor guide](/onboard-device/vendor) to begin. +After onboarding, go to the **SEED+ section** in the sidebar to learn more about: +- [CyberArk dialogs and permissions (Users)](/seed-plus/cyberark-dialog.md) +- [Approval guide (POC)](/seed-plus/poc-approver-guide.md) diff --git a/post-onboarding-instructions/mac-os-13.md b/post-onboarding-instructions/mac-os-13.md deleted file mode 100644 index 199d5e90..00000000 --- a/post-onboarding-instructions/mac-os-13.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [macOS 14 and 13 post onboarding guide](post-onboarding-instructions/macos-latest). \ No newline at end of file diff --git a/post-onboarding-instructions/mac-os.md b/post-onboarding-instructions/mac-os.md deleted file mode 100644 index 314d2050..00000000 --- a/post-onboarding-instructions/mac-os.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved. Refer to [macOS 14 and 13 post onboarding guide](post-onboarding-instructions/macos-latest). diff --git a/post-onboarding-instructions/macos-latest.md b/post-onboarding-instructions/macos-latest.md index 7d6a62e2..d7ccc540 100644 --- a/post-onboarding-instructions/macos-latest.md +++ b/post-onboarding-instructions/macos-latest.md 
@@ -14,6 +14,7 @@ After onboarding, ensure FDA is enabled for the following SEED components: - Microsoft Intune Agent - Microsoft Defender - Microsoft Defender ATP Security Extension +- Falcon agent (Users who signed up after 22 August 2025) **Verification steps**: @@ -24,7 +25,7 @@ After onboarding, ensure FDA is enabled for the following SEED components: > **Note**: If you were not prompted to reset device password during onboarding, you will be prompted now. Refer to the FAQ for password policy. 4. On the **Privacy & Security** pane, choose **Full Disk Access**. - ![fda-enabled](../images/macos-13-fda.png) + ![fda-enabled](../images/macosimage-1.png) 5. Ensure the following applications are listed and enabled: @@ -32,12 +33,23 @@ After onboarding, ensure FDA is enabled for the following SEED components: - Microsoft Intune Agent - Microsoft Defender - Microsoft Defender Endpoint Security Extension + - Falcon agent (Users who signed up after 22 August 2025) - ![fda-enabled](../images/applications-on-macos13.png) + ![fda-enabled](../images/macosimage-2.png) - >**Note**: If a SEED component is missing, refer to [Onboarding FAQ](/faqs/onboarding-faq). + >**Note**: If a SEED component is missing, refer to [Onboarding FAQ](/faqs/onboarding-faq). +## Verify CrowdStrike is configured +1. Open **Finder** → **Applications** → **Falcon.app**. +2. Ensure the **CrowdStrike Falcon Sensor** is **registered**, **operational**, and **cloud connected**. + + ![CrowdStrike Falcon Sensor status](../images/macosimage-3.png) + +3. If any of the above statuses indicate an error: + - Click **Configure Settings** and follow the steps as prompted. + + ## Turn on Cloudflare WARP After onboarding your macOS Internet Device to SEED, you need to activate Cloudflare WARP. 
@@ -46,7 +58,8 @@ After onboarding your macOS Internet Device to SEED, you need to activate Cloudf 1. Open **Cloudflare WARP** client from the menu bar. - ![cloudflare-warp-icon](../images/onboarding-for-macos/cloudflare-icon.png) + ![cloudflare-warp-icon](../images/onboarding-for-macos/cloudflare-icon.png) + You will see the information page, followed by the privacy policy. 2. Click **Next**, **Accept** to agree to Cloudflare’s privacy policy. diff --git a/post-onboarding-instructions/macos.md b/post-onboarding-instructions/macos.md deleted file mode 100644 index 670e7fa2..00000000 --- a/post-onboarding-instructions/macos.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [macOS post onboarding guide](post-onboarding-instructions/macos-latest). diff --git a/post-onboarding-instructions/post-onboarding-steps-and-verification.md b/post-onboarding-instructions/post-onboarding-steps-and-verification.md deleted file mode 100644 index cc54bb08..00000000 --- a/post-onboarding-instructions/post-onboarding-steps-and-verification.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved. Refer to [macOS 14 and 13 post onboarding guide](post-onboarding-instructions/macos-latest) and [Windows post onboarding guide](post-onboarding-instructions/windows). diff --git a/post-onboarding-instructions/windows.md b/post-onboarding-instructions/windows.md index 9df2d30d..3cc5b704 100644 --- a/post-onboarding-instructions/windows.md +++ b/post-onboarding-instructions/windows.md 
@@ -80,6 +80,22 @@ Within the next few hours, **Intune** pushes the **Microsoft Defender** client t At any time, users can manually sync by going to **Start** > **Settings** > **Accounts** > **Access work or school** > **Work or School Account** > **Info** > **Sync**. Alternatively, Open the Company Portal app on your device, go to **Settings** > **Sync**. Wait while Company Portal syncs your device. When complete, the screen will show the timestamp of the last successful sync. +## Verify CrowdStrike is configured + +1. In the **Taskbar**, click the **CrowdStrike** icon. +2. Confirm that the **CrowdStrike Falcon Sensor** is: + - **Running** + - **Service is active** + - **Cloud connected** + + ![CrowdStrike Falcon Sensor status](../images/winimage-4.png) + ![CrowdStrike Falcon Sensor details](../images/winimage-5.png) + +3. If any of the above statuses indicate an error: + - Go to **Start** → **Settings** → **Accounts** → **Access work or school**. + - Click the **Info** button next to your **TechPass** account. + - Select **Sync**. + - Restart your computer. diff --git a/prerequisites-for-onboarding.md b/prerequisites-for-onboarding.md deleted file mode 100644 index 16991975..00000000 --- a/prerequisites-for-onboarding.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved to [Identify onboarding persona](/onboard-device/identify-onboarding-persona). diff --git a/raise-an-incident-support-request.md b/raise-an-incident-support-request.md deleted file mode 100644 index 086188be..00000000 --- a/raise-an-incident-support-request.md +++ /dev/null @@ -1,5 +0,0 @@ -!> This documentation has moved to [Raise a service request](/support/raise-service-request.md). - - - - diff --git a/release-notes.md b/release-notes.md index 7f6a4b27..dcd64907 100644 --- a/release-notes.md +++ b/release-notes.md 
@@ -11,8 +11,337 @@ This section lists the most recent enhancements, new features and fixes that are | **Gamma Release** | **Device Based Blocking** | To enforce better protection to our development resources e.g., GCC and SGTS services and tools. On 19 July 2023, we have rolled out beta testing for more effective blocking of access when a GMD's health is at risk. We have passed the beta test and we have rolled out the gamma release. If you have queries on this feature, please get in touch with us through our SEED mailbox at: [enquiries_seed@tech.gov.sg](mailto:enquiries_seed@tech.gov.sg).| --> +## October 2025 + +### 3 October 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **New feature** | **CrowdStrike deployment** | Deployed CrowdStrike to all **SEED users**. No user impact during installation.

Users will be evaluated based on the CrowdStrike risk score instead of Microsoft Defender. Microsoft Defender will remain installed during this trial period. | + +## September 2025 + +### 30 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **macOS 26 deployment** | Deployed macOS 26 to all users. | + + + +### 25 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **Tanium server maintenance** | Upgraded Tanium Server Platform to 7.6.4.2160 and TanOS to 1.8.4.0199.

SEED onboarding was affected from 18:00 hrs to 21:00 hrs. More information can be found here: [Maintenance release updates for 2024H2](https://help.tanium.com/bundle/2024H2_releasenotes/page/maintenance.html#2024h2_update_11_august_19_2025). | + +### 23 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **macOS 26 deployment** | macOS 26 rollout to **CEP users**. | + +### 19 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **New feature** | **CrowdStrike deployment** | Deployed CrowdStrike to **SEED users (Contractors)**.

No user impact during installation.

Microsoft Defender will still be installed during this trial period. | + + +### 11 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **New feature** | **CrowdStrike deployment** | Deployed CrowdStrike to **SEED users (Remaining NDI Helpdesk Agents)**. No user impact during installation.

Users will be evaluated based on CrowdStrike risk score instead of Microsoft Defender. Microsoft Defender will still be installed during this trial period. | +| **New feature** | **Pushing of standard apps from Intune** | Deployment of standard applications to **SEED devices (WOG)**:
- Chrome
- Edge
- Telegram
- Slack | + +### 10 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **New feature** | **macOS Platform SSO rollout** | macOS Platform SSO is now available for **SEED users (GovTech users)** on macOS. This feature allows you to sign in to your Mac using your enterprise credentials and automatically gain access to supported apps and services without repeatedly entering your username and password, improving convenience and security. | +| **Update** | **Azure Portal Conditional Access Policy (CAP)** | Added device compliance checks (**Report Only**) for **macOS (Contractors)** before allowing access to Microsoft Admin Portals. | + + +### 5 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **New feature** | **CrowdStrike deployment** | Deployed CrowdStrike to **GovTech users**, plus 2 **NDI Helpdesk Agents** and **NDI users**. No user impact during installation.

Users will be evaluated based on CrowdStrike risk score instead of Microsoft Defender. Microsoft Defender will remain installed during this trial period. | + +### 3 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **Azure Portal Conditional Access Policy (CAP)** | Added device compliance checks (Report Only) for **non-macOS (all users)** before allowing access to Microsoft Admin Portals. | +| **New feature** | **Intune standard apps deployment (TechPass)** | Deployment of standard applications to SEED devices (**TechPass users**):
- Chrome
- Edge
- Telegram
- Slack | + +### 2 September 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **CrowdStrike API** | Removed **Automated Leads** from CrowdStrike device blocking criteria. | + +## August 2025 + +### 28 August 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Tanium server maintenance** | Upgraded Tanium Server Platform to 7.6.4.2144.

SEED onboarding was affected from 18:00 hrs to 21:00 hrs. | + +### 27 August 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **Azure Portal Conditional Access Policy (CAP)** | Added device compliance checks (Report Only) for all operating systems (**CEP users**) before allowing access to Microsoft Admin Portals. | +| **New feature** | **macOS Platform SSO rollout (Vendors)** | macOS Platform SSO is now available for **Vendor SEED users** on macOS. This feature allows you to sign in to your Mac using enterprise credentials and automatically gain access to supported apps and services without repeatedly entering your username and password. | + +### 22 August 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **New feature** | **CrowdStrike deployment** | Deployed CrowdStrike to **CEP SEED users**. No user impact during installation.

Users will be evaluated based on CrowdStrike risk score instead of Microsoft Defender. Microsoft Defender will remain installed during this trial period. | + + +### 11 August 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **macOS Platform SSO rollout** | macOS Platform SSO is now available for **CEP SEED users** on macOS. This feature allows you to sign in to your Mac using your enterprise credentials and automatically gain access to supported apps and services without repeatedly entering your username and password, improving convenience and security.

**Rollout dates:**
- **CEP SEED users**: 11 August 2025
- **PO SEED users**: 18 August 2025
- **Vendor SEED users**: 25 August 2025 | + +### 4 August 2025 + +| Type | Change | Description | +| --- | --- | --- | +| **Update** | **Azure Portal Conditional Access Policy (CAP)** | Added device compliance checks (Report Only) for **macOS (SEED Team)** before allowing access to Microsoft Admin Portals. | + + +## July 2025 + +### 31 July 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Tanium server maintenance** | Upgraded Tanium TanOS to 1.8.4.0190.

SEED onboarding was affected from 18:00 hrs to 21:00 hrs. More information can be found [here](https://help.tanium.com/bundle/2024H2_releasenotes/page/maintenance.html#2024h2_update_8_june_18_2025). | + +### 17 July 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **New feature** | **CrowdStrike deployment** | Deployed CrowdStrike to CEP SEED users (public officers and vendors). No user impact during installation.

Users will be evaluated based on CrowdStrike risk score instead of Microsoft Defender. Microsoft Defender will still be installed during this trial period. | + +### 11 July 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Cloudflare WARP client update** | Updated Cloudflare WARP client in WoG.
- macOS WARP Client version: 2025.4.943.0
Brief disconnection from SGTS may occur during installation. | + +--- + +## June 2025 + +### 26 June 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Tanium server maintenance** | Upgraded Tanium Server Platform to 7.6.4.2132 and TanOS to 1.8.4.0188.

SEED onboarding was affected from 18:00 hrs to 21:00 hrs. More information can be found [here](https://help.tanium.com/bundle/2024H2_releasenotes/page/maintenance.html#2024h2_update_6_may_22_2025). | + +### 24 June 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **OS version enforcement** | Monthly updates will be pushed on a fixed schedule found [here](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/update-schedule/os-patching-schedule). Users who do not meet the minimum OS version [baseline](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/onboard-device/seed-prerequisites?id=how-to-check-your-operating-system-version) will start receiving update reminders before access is removed. | + +### 23 June 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Cloudflare WARP client update** | Updated Cloudflare WARP client.

**TechPass:**
- WinOS WARP Client version: 2025.4.943.0
- macOS WARP Client version: 2025.4.943.0

**WoG:**
- WinOS WARP Client version: 2025.4.943.0
Brief disconnection from SGTS may occur during installation. | + + +## May 2025 + +### 23 May 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Fix** | **SEED configuration notification delay** | SEED configuration alerts will now only appear if the issue persists for more than 4 hours. This reduces unnecessary pop-ups for users. | + +### 14 May 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Fix** | **macOS baseline update** | Adjusted baseline configuration for macOS. No action is required unless otherwise notified. | + +### 5 May 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Login service update** | TechPass rotated Cloudflare Access credentials. If you encounter login issues accessing SGTS or GCC 2.0, contact support. | + + +## April 2025 + +### 1 April 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Cloudflare access policy update** | Brief downtime (5 minutes) may affect Windows users while applying access policy for non-production SEED applications. | + + +## March 2025 + +### 27 March 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **OS version enforcement for Windows** | Windows users who did not meet the minimum OS version baseline started receiving update reminders. Affected users were previously informed via advisory. | + +### 6 March 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Microsoft Defender update** | The Microsoft Defender client was updated. Installation takes around 5 minutes. Users with the latest version were not affected. | + +## February 2025 + +### 13 February 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Cloudflare WARP client update** | Updated Cloudflare WARP client in TechPass and WOG. Brief disconnection from SGTS may occur during installation. | + +## January 2025 + +### 16 January 2025 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Apple certificate renewal** | Rotated Apple MDM push certificate for TechPass. Enables enrolment of new vendor MacBooks. No user action required unless issues arise. | + + +## December 2024 + +### 30 December 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Cloudflare certificate update** | New Cloudflare certificate pushed to SEED devices. If using developer CLI tools, refer to the guide to update trusted certificates. Certificate will activate on 13 January 2025. | + +### 20 December 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Firewall settings for macOS 15** | Updated firewall rules for macOS 15 to allow Cloudflare WARP. No impact to other firewall configurations. | + +### 18 December 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Fix** | **Warning resolution fix** | Fixed issue where addressed warnings were not reflected on the SEED dashboard. | + +### 12 December 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Cloudflare WARP client update** | Cloudflare WARP client was updated. During installation, SGTS access may briefly disconnect. No action needed for devices already on the new version. | + +### 6 December 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Minimum OS version enforcement** | Devices not updated to the required OS version will receive warnings and be blocked after 7 days. Users should update to continue access. | + + +## November 2024 + +### 29 November 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **M365 RBI access expansion** | CEP public officers and vendor users were granted access to M365 RBI. No downtime occurred. | + + +### 26 November 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **macOS policy enforcement** | Security updates for Apple macOS versions 13, 14, and 15 are enforced starting 27 November 2024.

**Action required:**
- Devices on macOS 15 or 15.1 must update to macOS 15.1.1 to avoid being blocked from accessing SGTS services starting 10 December 2024.

[Read security notes](https://support.apple.com/en-us/121753). For questions, contact **enquiries_seed@tech.gov.sg**. | + +### 1 November 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **SEED support for macOS 15 Sequoia** | SEED is now officially supported on macOS 15 Sequoia. For issues, contact **enquiries_seed@tech.gov.sg**. | + +--- + +## September 2024 + +### 20 September 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **New feature** | **Banner feature on SEED dashboard** | Introduced a new banner feature on the [SEED dashboard](https://dashboard.seed.tech.gov.sg/) to push critical messages to SEED users. For assistance, contact **enquiries_seed@tech.gov.sg**. | + +### 16 September 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **SEED support status for macOS 15 Sequoia** | SEED has not been officially tested on macOS 15 Sequoia, and support cannot be provided for issues encountered. For assistance, contact **enquiries_seed@tech.gov.sg**. | + +--- + ## August 2024 +### 30 August 2024 + +|
Type
|
Change
| **Description** | +| --- | --- | --- | +| **Update** | **Delay in macOS 15 Sequoia support** | The previously announced support for macOS 15 Sequoia, originally scheduled to begin on 31 August 2024, has been delayed until further notice. For assistance, contact **enquiries_seed@tech.gov.sg**. | + +# August 2024 + +## 30 August 2024 + +| **Type** | **Change** | **Description** | +|---|---|---| +| **Update** | **Windows security updates** | Security updates were pushed through Windows Update Rings in Intune for vendors using Windows devices.

**Action required:** Save your work before restarting your device if prompted.

For questions, contact **enquiries_seed@tech.gov.sg**. | + +--- + +## 29 August 2024 + +|
Type
|
Change
| **Description** | +|---|---|---| +| **Update** | **Cloudflare WARP client update** | Updated Cloudflare WARP client versions:
- Windows: 2024.6.473.0
- macOS: 2024.6.474.0

**Impact:** Users may experience a brief disconnection from SGTS resources during the installation process, lasting up to five minutes. No action is required if your device already has the updated version.

For assistance, contact **enquiries_seed@tech.gov.sg**. | + +--- + +## 22 August 2024 + +|
Type
|
Change
| **Description** | +|---|---|---| +| **Update** | **macOS 12 onboarding blocked** | Devices running macOS 12 are now blocked from onboarding to SEED.

For assistance, contact **enquiries_seed@tech.gov.sg**. | + +--- + +## 14 August 2024 + +|
Type
|
Change
| **Description** | +|---|---|---| +| **Bug fix** | **Email and desktop notifications** | Device naming will be standardised for notifications

For assistance, contact **enquiries_seed@tech.gov.sg**. | + +--- + +## 7 August 2024 + +|
Type
|
Change
| **Description** | +|---|---|---| +| **Update** | **SEED dashboard UI changes** | The SEED Dashboard has been updated with information on SEED Configuration issues. Explore the changes on [SEED Dashboard tour](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/seed-dashboard/seed-dashboard-tour)

For assistance, contact **enquiries_seed@tech.gov.sg**. | + + ### 5 August 2024 |
Type
|
Change
| **Description** | diff --git a/seed-dashboard/seed-dashboard-tour.md b/seed-dashboard/seed-dashboard-tour.md index 69061989..9a054bb1 100644 --- a/seed-dashboard/seed-dashboard-tour.md +++ b/seed-dashboard/seed-dashboard-tour.md @@ -42,5 +42,16 @@ To review your compliance status and view the necessary compliance checks, follo ## OS upgrade issues - **Warning**: Devices running unsupported OS versions receive a warning based on requirements outlined [here](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/). Notifications are sent to users for necessary OS upgrades. + + ![comp-page](../images/seed-dashboard/warning-os1.png) + + ![comp-page](../images/seed-dashboard/warning-os2.png) + + - **Blocked**: After a 7-day notification period, unsupported OS devices will be blocked. Email and in-app notifications are provided, and steps for upgrading are accessible on the details page. + ![comp-page](../images/seed-dashboard/blocked1.png) + + ![comp-page](../images/seed-dashboard/blocked2.png) + + diff --git a/seed-plus/cyberark-dialog.md b/seed-plus/cyberark-dialog.md new file mode 100644 index 00000000..7b8cbaab --- /dev/null +++ b/seed-plus/cyberark-dialog.md 
@@ -0,0 +1,111 @@ +# CyberArk dialogs and permissions (Users) + +After your device is onboarded to SEED+, CyberArk Endpoint Privilege Manager (EPM) manages actions that require elevated permissions. + +You may encounter dialogs when installing software, running certain commands, or using tools that need admin access. These dialogs vary slightly between Windows and macOS. Use the tabs to view the appropriate version for your device. + +--- + +## 1. Application requires administrative privileges + +You tried to launch an application that requires administrative privileges. +For example: installing or uninstalling software. + + + +#### **Windows** + +![Windows](../images/epm/windows-admin-privileges.png) + +#### **macOS** + +![macOS](../images/epm/macos-admin-privileges.png) + + + +--- + +## 2. Application runs with administrative privileges + +The application requires administrative privileges in order to run. +For example: running PowerShell as administrator. + + + +#### **Windows** + +![Windows](../images/epm/windows-runs-admin.png) + + + +--- + +## 3. Launch with elevated privileges + +The application you launched will be running with elevated privileges automatically. + + + +#### **Windows** + +![Windows](../images/epm/windows-launch-elevated.png) + +#### **macOS** + +![macOS](../images/epm/macos-launch-elevated.png) + + + +--- + +## 4. Request administrative privileges + +You are requesting for Just-In-Time (JIT) elevation to gain administrative privileges temporarily. + + + +#### **Windows** + +![Windows](../images/epm/windows-request-admin.png) + +#### **macOS** + +![macOS](../images/epm/macos-request-admin.png) + + + +--- + +## 5. Temporary permissions granted + +Your elevation request has been approved. Temporary permissions have been granted. + + + +#### **Windows** + +![Windows](../images/epm/windows-temp-granted.png) + +#### **macOS** + +![macOS](../images/epm/macos-temp-granted.png) + + + +--- + +## 6. 
Temporary permissions expiration + +Your elevated access is expiring or has expired. You will need to submit a new request if admin rights are required again. + + + +#### **Windows** + +![Windows](../images/epm/windows-temp-expiring.png) + +#### **macOS** + +![macOS](../images/epm/macos-temp-expiring.png) + + diff --git a/seed-plus/poc-approver-guide.md b/seed-plus/poc-approver-guide.md new file mode 100644 index 00000000..10e36681 --- /dev/null +++ b/seed-plus/poc-approver-guide.md 
@@ -0,0 +1,85 @@ +# SEED+ POC approver guide + +This guide is for point-of-contact (POC) approvers who manage and approve elevation requests from offshore developers via CyberArk Endpoint Privilege Manager (EPM). + +--- + +## Typical elevation requests + +Examples of elevation requests that may require your approval: + +- `sudo htop` from macOS Terminal + ![sudo htop step 1](../images/seed-plus/poc-approval/sudo-htop-step1.png) + ![sudo htop step 2](../images/seed-plus/poc-approval/sudo-htop-step2.png) + +- Software installation on Windows + ![software install step 1](../images/seed-plus/poc-approval/software-install-step1.png) + ![software install step 2](../images/seed-plus/poc-approval/software-install-step2.png) + +--- + +## How to approve elevation requests + +1. You will receive a periodic email report containing elevation requests. + ![JIT email notification](../images/seed-plus/poc-approval/jit-email.png) + +2. Download or preview the attached Excel sheet. + ![Request sheet](../images/seed-plus/poc-approval/request-sheet.png) + +3. Go to [CyberArk EPM Portal](http://sg.epm.cyberark.com/SAML/GovTech) and log in using your TechPass credentials. + ![CyberArk login](../images/seed-plus/poc-approval/cyberark-login.png) + +4. Navigate to **Events Management**. + +5. Click **All filters**, check **With justification**, then click **Apply**. + ![JIT filters](../images/seed-plus/poc-approval/jit-filters.png) + +6. You will be able to see the justification in the first result. + ![JIT justification](../images/seed-plus/poc-approval/jit-justification.png) + +7. Click the 3 dots (`...`) and select **Approve temporary elevation**. + A temporary policy will be automatically created and shown under **Policies**. + +--- + +## Just-in-time (JIT) access elevation + +### What is JIT access elevation? + +Just-in-time (JIT) access elevation allows temporary administrative rights to be granted to users on a per-request basis. + +--- + +### JIT policy creation + +1. 
Go to **Events Management** > Click **All filters** > Check **With justification** > Click **Apply** + ![Access request list](../images/seed-plus/poc-approval/access-request-list.png) + +2. Click **Create JIT access and elevation policy** + ![JIT policy creation](../images/seed-plus/poc-approval/jit-policy.png) + + +3. Under **OS users**, add: + - .\\\ (For example: .\hin) + ![JIT policy creation](../images/seed-plus/poc-approval/jit8.png) + +4. Under **Permissions (Local Groups)**, add: + - `admin` (for macOS) + - `Administrators` (for Windows) + +6. Click **Create**, then **Confirm** + ![JIT policy confirmation](../images/seed-plus/poc-approval/jit-policy-confirm.png) + +7. Once approved, the user will receive a confirmation on their endpoint + ![Temporary access granted (user view)](../images/seed-plus/poc-approval/temp-user-granted.png) + +--- + +## Reminders for POC approvers + +- Always **review the justification** before approving any request +- Access must be granted solely for the period necessary to complete the task, and no longer. +- **Notify the user** once the request is approved +- Use the correct group name (`admin` for macOS, `Administrators` for Windows) + + diff --git a/seed-post-onboarding-verification-for-gcc-1.0.md b/seed-post-onboarding-verification-for-gcc-1.0.md deleted file mode 100644 index 8673ba49..00000000 --- a/seed-post-onboarding-verification-for-gcc-1.0.md +++ /dev/null @@ -1,4 +0,0 @@ -# Post onboarding verification for GCC 1.0 - -!> This documentation is obsolete. Refer to [GCC 1.0 connectivity FAQ](/faqs/gcc1-connectivity-faq.md). - diff --git a/seed-status.md b/seed-status.md deleted file mode 100644 index a5239dbf..00000000 --- a/seed-status.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved. Refer to [macOS 12 post onboarding guide](/post-onboarding-instructions/macos). \ No newline at end of file diff --git a/set-up-secure-enclave.md b/set-up-secure-enclave.md new file mode 100644 index 00000000..55f1a69e 
--- /dev/null +++ b/set-up-secure-enclave.md 
@@ -0,0 +1,71 @@ +# Set up Secure Enclave + +Secure Enclave allows passwordless, phish-resistant sign-in on macOS using hardware-bound cryptographic keys. This setup enables seamless access to Microsoft Entra ID applications after the initial device unlock. + +**Prerequisite:** Your device must already be onboarded to SEED before you set up Secure Enclave. + + +## Platform SSO registration + +1. Navigate to the **Registration required** pop-up at the top right of the screen. Hover over the pop-up and select **Register**. + ![Registration required pop-up](/images/enclave-1.png) + + For macOS 13 Ventura users, a prompt appears to register your device with Microsoft Entra ID. Enter your sign-in credentials and select **Next**. + +2. You are prompted to register your device with Microsoft Entra ID. Enter your sign-in credentials and select **Next**. + ![Device registration prompt](/images/enclave-2.png) + + If your administrator has configured multi-factor authentication (MFA) for device registration, open the Authenticator app on your mobile device and complete the MFA flow. + +3. When the **Single sign-on** window appears, enter your local account password and select **OK**. + ![Single sign-on window](/images/enclave-3.png) + + If you are on macOS 14, you will be prompted to unlock your local account beforehand. + +4. When the Microsoft Entra sign-in window appears, enter your Microsoft Entra ID password and select **Sign in**. + ![Microsoft Entra sign-in](/images/enclave-4.png) + +5. Enable Company Portal as a passkey provider: + - Navigate to **Settings** > **General** > **Autofill & Passwords** > **Autofill form**. + - Enable **Company Portal**. + ![Enable Company Portal as passkey provider](/images/enclave-5.png) + +6. You can now use Platform SSO to access Microsoft app resources. From this point on, you will be automatically signed in to Microsoft applications and other apps configured with Entra ID (such as SGTS, GCC 2.0 AWS). 
Password entry will no longer be required, although MFA challenges will still apply. + ![Automatic sign-in to Microsoft apps](/images/enclave-6.png) + +7. Your local Mac password is not affected and will still be required to log on to the Mac. + +8. For selected users (excluding CEP), your local Mac profile will become a **Standard User** after registering with Platform SSO. + ![Standard user profile](/images/enclave-7.png) + + If you do not see the registration prompt, check that the SSO profile is present in your Mac settings. + + ![Profile Settings](/images/enclave-8.png ':size=50%') + + ![Profile Settings](/images/enclave-9.png ':size=50%') + + Alternatively, open **Company Portal**, select your profile icon, and register for SSO by clicking **Add account to this device**. + + ![Register for SSO](/images/enclave-11.png ':size=50%') + +--- + +## Check device registration status + +1. If you encounter problem registering the device, make sure that device registration status is correct. + +![Company Portal error](/images/enclave-13.png ':size=50%') + +2. Navigate to **Settings** and select **Users & Groups**. + +3. Select **Edit** next to **Network Account Server** and confirm that **Platform SSO** is listed as **Registered**. + +![Registered](/images/enclave-12.png ':size=50%') + +4. To verify the authentication method, select your username in the **Users & Groups** window, then select the **Information** icon. Confirm that the method listed is **Secure Enclave**, **Smart Card**, or **Password**. + +5. You can also verify registration using the **Terminal** app. Run the provided command to check the registration status. The output should indicate that SSO tokens have been retrieved. For macOS 13 Ventura users, this command is required to verify registration. +`app-sso platform -s` + +6. Once issued, an SSO token is valid for 14 days and will be continuously renewed as long as the device is actively used. + ![Verify registration](/images/enclave-10.png) 
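Review bot: In set-up-secure-enclave.md, verification step 4 tells the reader to "Confirm that the method listed is **Secure Enclave**, **Smart Card**, or **Password**", but the page opens by promising passwordless sign-in with hardware-bound keys; a Password result means the Platform SSO authentication method is not Secure Enclave-backed, so the check should say that Secure Enclave is the expected value and that Password (or Smart Card) indicates the device did not receive the intended configuration and should be raised with support. Smaller points in the same hunk: step 1 carries a macOS 13 Ventura sentence about registering with Microsoft Entra ID that step 2 then states for everyone, so keep it once; the `app-sso platform -s` command in step 5 sits on its own line after the step text and should be in a fenced code block; and step 6 (an SSO token is valid for 14 days and renewed while the device is used) is a fact rather than an action, so it reads better as a note under "Check device registration status" than as a numbered step.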
diff --git a/support/cloudflare-cert-update-guide.md b/support/cloudflare-cert-update-guide.md new file mode 100644 index 00000000..798648fa --- /dev/null +++ b/support/cloudflare-cert-update-guide.md @@ -0,0 +1,65 @@ + + +# Cloudflare Certificate Update Guide + +This article guides you to update the Cloudflare Cert on your GMD + +## Download Cloudflare Root Certificates + +Click on the links to download the certifcate to your GMD. + +| Environment | Certificate | Validity | +| --- | --- |--- | +| Cloudflare PROD | [Cloudflare_CA.crt](https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.crt)
[Cloudflare_CA.pem](https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.pem) | Currently active until 26 Dec 2029 | +| Cloudflare DEV | [Cloudflare_CA _dev.crt](https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA_dev.crt)
[Cloudflare_CA_dev.pem](https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA_dev.pem) | Currently active 18 Dec 2029 | +| Cloudflare STG |[Cloudflare_CA _stg.crt](https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA_stg.crt)
[Cloudflare_CA_stg.pem](https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA_stg.pem) | Currently active 23 Dec 2029 | + +## Certificate update for macOS + +To install a Cloudflare certificate in macOS, you need to download a certificate in .crt format. +1. Download a Cloudflare certificate. +2. Open the .crt file in Keychain Access. If prompted, enter your local password. +3. In **Keychain**, choose the access option that suits your needs and select **Add**. +4. In the list of certificates, locate the newly installed certificate. Keychain Access will mark this certificate as not trusted. Right-click the certificate and select **Get Info**. +5. Select **Trust**. Under **When using this certificate**, select _Always Trust_. +The root certificate is now installed and ready to be used. + +## Certificate update for Windows + +1. Download a Cloudflare certificate. +2. Right-click the certificate file. +3. Select **Open**. If a security warning appears, choose **Open** to proceed. +4. The **Certificate** window will appear. Select **Install Certificate**. +5. Now choose a Store Location. If a security warning appears, choose **Yes** to proceed. +6. On the next screen, select **Browse**. +7. In the list, choose the _Trusted Root Certification Authorities_ store. +8. Select **OK**, then select **Finish**. +The root certificate is now installed and ready to be used. + +## Verify Cloudflare root certification + +### For macOS users + +Follow these steps to verify if the Cloudflare root certificate is successfully installed using Keychain Access: + +1. Open the **Keychain Access** app on your Mac: + - Press **Command + Space bar**, type **Keychain Access**, and press **Return**. +2. Enter your MacBook's password if prompted. +3. In Keychain Access, click **System** on the left sidebar. +4. Look for the Cloudflare certificate titled **Gateway CA - Cloudflare Managed G1 d4cab1c0e006138441e1f1b57bfde614**. +5. 
Ensure the expiry date of the certificate is **26 December 2029**. + +### For Windows users + +To verify SSL certificates on Windows, use the Certificate Manager tool: + +1. Open the command prompt. +2. Type `certlm.msc` and press **Enter**. +3. Expand the folder **Trusted Root Certification Authorities > Certificates**. +4. Locate the Cloudflare certificate titled **Gateway CA - Cloudflare Managed G1 d4cab1c0e006138441e1f1b57bfde614**. +5. Verify that the expiry date of the certificate is **26 December 2029**. + + +> **Note**: +>- Link to: [Configuration of Common Developer CLI tools with Cloudflare WARP](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/support/configuration-of-common-developer-cli-tools-with-cloudflare-warp-guide) +

Once you have downloaded the respective certificate, you can configure your Developer CLI tools to trust the Cloudflare Certificate. diff --git a/support/configuration-of-common-developer-cli-tools-with-cloudflare-warp-guide.md b/support/configuration-of-common-developer-cli-tools-with-cloudflare-warp-guide.md new file mode 100644 index 00000000..ba8e7ff2 --- /dev/null +++ b/support/configuration-of-common-developer-cli-tools-with-cloudflare-warp-guide.md 
@@ -0,0 +1,146 @@ + + +# Configuration of Common Developer CLI tools with Cloudflare WARP Guide + +This article tells you how to configure the following common applications. + +> **Note**: +>- Tools listed here are the common applications/tools used by software developers in the Singapore Government agencies. +>- To configure other applications or tools, refer to the [Cloudflare documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/install-cloudflare-cert). + +- [Node.js and NPM](#nodejs-and-npm) +- [Docker](#docker) +- [AWS CLI](#aws-cli) +- [Golang](#golang) + +> **Note**: +>- If you are experiencing issues while using any CLI tools and applications to access SGTS services, create a support request. For more information, refer to [create support request](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/support/raise-service-request). +>- All other issues that are not related to SGTS services, contact [Cloudflare Community Support Forums](https://support.cloudflare.com/hc/en-us) + +## Node.js and NPM + + +Node.js and NPM use a hardcoded certificate store and requires additional configuration to trust the Cloudflare Certificate. + +**macOS users** + +If you are using macOS, Zsh is likely to be your default terminal. If you are using zsh, please run the following commands: + +```bash +mkdir -p "${HOME}/.config/.cloudflare" +curl -sSLj -o "${HOME}/.config/.cloudflare/Cloudflare_CA.pem" "https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.pem" +echo 'export NODE_EXTRA_CA_CERTS="${HOME}/.config/.cloudflare/Cloudflare_CA.pem"' | tee -a "${HOME}/.zshrc" +source "${HOME}/.zshrc" +``` +**Linux users** + +If you are using Linux, Bash is likely to be your default terminal. 
If you are using bash, please run the following commands: + +```bash +mkdir -p "${HOME}/.config/.cloudflare" +curl -sSLj -o "${HOME}/.config/.cloudflare/Cloudflare_CA.pem" "https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.pem" +echo 'export NODE_EXTRA_CA_CERTS="${HOME}/.config/.cloudflare/Cloudflare_CA.pem"' | tee -a "${HOME}/.bashrc" +source "${HOME}/.bashrc" +``` + + +## Docker + + + +Docker for Desktop on macOS and Windows uses virtual machines to host the Docker engine. The Docker engine must be configured to trust the Cloudflare Certificate. + +Following are the instructions for the smooth operation of the Docker engine behind the Cloudflare WARP, but note this is **not recommended** for building a production-ready Docker images. + +> **Tip**: +> You may consider building your Docker images using [SHIP-HATS CI/CD]( https://www.ship.gov.sg/). + +- [Pull Docker images from a Docker image repository with Cloudflare Warp](#pull-docker-images-from-a-docker-image-repository-with-cloudflare-warp) +- [Connect operating system in your Docker container to Internet with Cloudflare Warp](#connect-operating-system-in-your-docker-container-to-internet-with-cloudflare-warp) + +### Pull Docker images from a Docker image repository with Cloudflare Warp + +To pull Docker images from a Docker image repository with Cloudflare Warp turned on, you must configure the Docker engine on your host machine to trust the Cloudflare Certificate Authority (CA) certificate. + +**To configure Docker engine on your host machine to trust Cloudflare Certificate Authority (CA) certificate** + +1. Locate the Docker engine configuration directory on your host machine. This is usually the `.docker` directory in your user home directory. Create the `.docker` directory if it does not exist. +2. Locate the certificate directory for your Docker image repository. This is located in the `certs.d` directory in the `.docker` directory. 
Create the directory for your Docker Image repository if it does not exist in the `certs.d` directory. + +For example, `mkdir -p ~/.docker/certs.d/registry-in.ship.gov.sg`. + +3. Copy the Cloudflare CA certificate from https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/support/cloudflare-cert-update-guide and save it in the Docker Image repository certificate directory as ca-certificates.crt. +For example: + +``` +curl -sSLj -o ~/.docker/certs.d/registry-in.ship.gov.sg/ca-certificates.crt https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.pem +``` + +### Connect operating system in your Docker container to Internet with Cloudflare Warp + +To connect the operating system in your Docker container to the Internet with Cloudflare Warp turned on, you need to configure the operating system on the Docker container to trust the Cloudflare CA certificate. + +**To configure operating system to trust Cloudflare certificate** + +The following Dockerfile snippet shows how to configure the operating system to trust the Cloudflare Certificate. + +**Prerequisite** + +- Turn off Cloudflare WARP and run the apt-get commands. This is needed to run the above Dockerfile correctly. + +> **Note**: +> Source of the following snippet is ubuntu. + +``` +RUN \ + apt-get update && \ + apt-get install -y ca-certificates && \ + curl -sSLj -o "/etc/ssl/certs/Cloudflare_CA.pem" "https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.pem" && \ + update-ca-certificates +``` + +## AWS CLI + +AWS CLI uses its own certificate store. It must be configured to trust the Cloudflare Certificate. 
+ +For Linux & macOS users: +```bash +mkdir -p "${HOME}/.config/.cloudflare" +curl -sSLj -o "${HOME}/.config/.cloudflare/Cloudflare_CA.pem" "https://seed-general-public-files.s3.ap-southeast-1.amazonaws.com/seed-cloudflare-root-certs/Cloudflare_CA.pem" + +# If you are using macOS, Zsh is likely to be your default terminal. If you are using Zsh, please run the following commands: +echo 'export AWS_CA_BUNDLE="${HOME}/.config/.cloudflare/Cloudflare_CA.pem"' | "tee -a ${HOME}/.zshrc" +source "${HOME}/.zshrc" + +# If you are using Linux, Bash is likely to be your default terminal. If you are using Bash, please run the following commands: +echo 'export AWS_CA_BUNDLE="${HOME}/.config/.cloudflare/Cloudflare_CA.pem"' | "tee -a ${HOME}/.bashrc" +source "${HOME}/.bashrc" +``` + + + +## AWS SDK + + +### Javascript +```js +import { readFileSync } from “fs”; +import { Agent } from “https”; +import { config } from “aws-sdk”: + +const certs = [ readFileSync(“path-to-cert”) ]; + +config.update({ + httpOptions: { + agent: new Agent({ + ca: certs, + }), + }, + }); +``` + + +## Golang +Golang on macOS does not use the Big Sur DNS resolver by default, resulting in DNS resolution by golang binaries not being able to work with VPN clients such as OpenVPN or Cloudflare WARP. Please ensure that you build your golang binaries with cgo enabled. diff --git a/support/hardening-list.md b/support/hardening-list.md new file mode 100644 index 00000000..032081ba --- /dev/null +++ b/support/hardening-list.md 
@@ -0,0 +1,438 @@ +# Security hardening list + +This list outlines recommended **Level 1 (L1) security configurations** for Windows and macOS systems. These settings help secure devices by enforcing best practices around authentication, remote access, auditing, and system behaviour. + + + +#### **Windows** + +| Title | Description | Impact | +| --- | --- | --- | +| (L1) Ensure **Enforce password history** is set to **24 or more password(s)** (Automated) | Set password history to 3 or more passwords(s) to prevent users from reusing old passwords which could lead to account compromise | No impact | +| (L1) Ensure **Maximum password age** is set to **365 or fewer days, but not 0** (Automated) | Password will expire after 365 days | No impact | +| (L1) Ensure **Minimum password age** is set to **1 or more day(s)** (Automated) | Setting to ensure that users cannot reuse any of their last 3 passwords | No impact | +| (L1) Ensure **Minimum password length** is set to **14 or more character(s)** (Automated) | Users login password require to have mininum of 12 characters in accordance with IM8 | No impact | +| (L1) Ensure **Password must meet complexity requirements** is set to **Enabled** (Automated) |
  • Users are obligated to set complexity password such as password must consist of numeric
  • upper
  • lower and special characters
| No impact | +| (L1) Ensure **Relax minimum password length limits** is set to **Enabled** (Automated) | Enable the enforcement of longer and generally stronger passwords or
passphrases where MFA is not in use. | No impact | +| (L1) Ensure **Store passwords using reversible encryption** is set to **Disabled** (Automated) |
  • Setting this to "Disabled" ensures that passwords are not stored in a format that could be easily recovered
  • significantly improving security.
| No impact | +| (L1) Ensure **Account lockout duration** is set to **15 or more minute(s)** (Automated) | Account remains locked for 15 minutes after reaching the defined threshold of failed login attempts | No impact | +| (L1) Ensure **Account lockout threshold** is set to **5 or fewer invalid logon attempt(s), but not 0** (Automated) | Account is temporarily locked out after 10 failed attempts as per IM8 | No impact | +| (L1) Ensure **Reset account lockout counter after** is set to **15 or more minute(s)** (Automated) | 15 minutes must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0 | No impact | +| (L1) Ensure **Access Credential Manager as a trusted caller** is set to **No One** (Automated) | Ensure no one can access to Credential Manager | No impact | +| (L1) Ensure **Access this computer from the network** is set to **Administrators, Remote Desktop Users** (Automated) | Setting this to only "Administrators" and "Remote Desktop Users" ensures that only this group of users can remotely access the system | No impact | +| (L1) Ensure **Act as part of the operating system** is set to **No One** (Automated) | Setting this to "No One" ensures that no user or service can act with LocalSystem privileges | No impact | +| (L1) Ensure **Adjust memory quotas for a process** is set to **Administrators, LOCAL SERVICE, NETWORK SERVICE** (Automated) |
  • Setting this policy to Administrators
  • LOCAL SERVICE
  • and NETWORK SERVICE ensures that only essential system accounts and privileged users can manage memory quotas
| No impact | +| (L1) Ensure **Allow log on locally** is set to **Administrators, Users** (Automated) | Restricting local logon rights ensures that only approved users and administrator can access the system directly | No impact | +| (L1) Ensure **Allow log on through Remote Desktop Services** is set to **Administrators, Remote Desktop Users** (Automated) | Restricting this setting to Administrators and Remote Desktop Users ensures that these groups of users can access the system remotely | No impact | +| (L1) Ensure **Back up files and directories** is set to **Administrators** (Automated) |
  • Restricting this privilege to Administrators only
  • the system ensures that users from administrator group can perform backups
| No impact | +| (L1) Ensure **Change the system time** is set to **Administrators, LOCAL SERVICE** (Automated) |
  • Setting this privilege to only Administrators and LOCAL SERVICE ensures that only trusted accounts can alter the system time
  • maintaining system integrity and security.
| No impact | +| (L1) Ensure **Change the time zone** is set to **Administrators, LOCAL SERVICE, Users** (Automated) | Setting this privilege to only these group of users to be able to change time zone of their device | No impact | +| (L1) Ensure **Create a pagefile** is set to **Administrators** (Automated) |
  • Only administrator have the right to create
  • modify
  • or delete the paging file (pagefile.sys) used for virtual memory management
| No impact | +| (L1) Ensure **Create a token object** is set to **No One** (Automated) |
  • Setting this policy to 'No One'
  • so that no user or service can create a security token
| No impact | +| (L1) Ensure **Create global objects** is set to **Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE** (Automated) | Only these groups of users can create global objects | No impact | +| (L1) Ensure **Create permanent shared objects** is set to **No One** (Automated) | No one is allow to create permanent shared objects in the system | No impact | +| (L1) Configure **Create symbolic links** (Automated) | Restrict to only administrator can create symbolic links | No impact | +| (L1) Ensure **Debug programs** is set to **Administrators** (Automated) | Restrict to only administrator can debug programs | No impact | +| (L1) Ensure **Deny access to this computer from the network** to include **Guests** (Automated) | Deny Guests from accessing the computer via network | No impact | +| (L1) Ensure **Deny log on as a batch job** to include **Guests** (Automated) | Restricting members of the Guests group from running batch jobs | No impact | +| (L1) Ensure **Deny log on as a service** to include **Guests** (Automated) | Preventing any members of the Guests group from running services | No impact | +| (L1) Ensure **Deny log on locally** to include **Guests** (Automated) | Preventing any Guest accounts from logging into the system locally | No impact | +| (L1) Ensure **Deny log on through Remote Desktop Services** to include **Guests** (Automated) | Preventing any Guest accounts from using remote desktop service | No impact | +| (L1) Ensure **Enable computer and user accounts to be trusted for delegation** is set to **No One** (Automated) | No computer or user account can act as a trusted delegate for other accounts | No impact | +| (L1) Ensure **Force shutdown from a remote system** is set to **Administrators** (Automated) | Restrict to only administrator can perform force shutdown from a remote system | No impact | +| (L1) Ensure **Generate security audits** is set to **LOCAL SERVICE, NETWORK SERVICE** (Automated) | Restrict to only Local service and 
Network service can generate security audits | No impact | +| (L1) Ensure **Impersonate a client after authentication** is set to **Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE** (Automated) |
  • Only these groups of users can assume the identity of the authenticated user to perform actions on their behalf
  • usually in a service or application context
| No impact | +| (L1) Ensure **Increase scheduling priority** is set to **Administrators, Window Manager\Window Manager Group** (Automated) | Restrict to only the listed groups or accounts have the ability to increase the scheduling priority of processes running on Windows | No impact | +| (L1) Ensure **Load and unload device drivers** is set to **Administrators** (Automated) | Restrict to only administrator can load and unload device drivers | No impact | +| (L1) Ensure **Lock pages in memory** is set to **No One** (Automated) | Setting to no one ensure only operating system have full control on memory management | No impact | +| (L1) Ensure **Manage auditing and security log** is set to **Administrators** (Automated) | Restrict to only administrator have the rights to manage auditing and security log | No impact | +| (L1) Ensure **Modify an object label** is set to **No One** (Automated) |
  • No user or group can change the integrity level (label) of system objects such as files
  • registry keys
  • or processes.
| No impact | +| (L1) Ensure **Modify firmware environment values** is set to **Administrators** (Automated) | Restrict to only administrator can modify firmware environment values stored in the UEFI/BIOS or Boot Configuration Data (BCD) | No impact | +| (L1) Ensure **Perform volume maintenance tasks** is set to **Administrators** (Automated) |
  • Restricting this privilege to Administrators
  • to ensure that only authorized users can perform critical disk-related operations
  • protecting system integrity and data security.
| No impact | +| (L1) Ensure **Profile single process** is set to **Administrators** (Automated) |
  • Restricting this privilege to Administrators
  • to ensure that only authorized users can monitor or debug processes
  • reducing the risk of information disclosure or misuse.
| No impact | +| (L1) Ensure **Profile system performance** is set to **Administrators, NT SERVICE\WdiServiceHost** (Automated) |
  • Restricting this privilege to the listed user
  • to ensure that only authorized users can collect and analyze system-wide performance data such as collecting diagnostic data on CPU
  • memory
  • and disk usage
| No impact | +| (L1) Ensure **Replace a process level token** is set to **LOCAL SERVICE, NETWORK SERVICE** (Automated) | Restrict to only the listed user/group to allows a process to assign a different security token to a running process. This is essential for services that need to change user contexts during execution such as: Scheduled tasks and Windows services that run under LOCAL SERVICE or NETWORK SERVICE | No impact | +| (L1) Ensure **Restore files and directories** is set to **Administrators** (Automated) | Restrict to only administrator can restore older version of system files or replace files | No impact | +| (L1) Ensure **Shut down the system** is set to **Administrators, Users** (Automated) | Restrict to only allows administrator to shut down or restart the computer system | No impact | +| (L1) Ensure **Take ownership of files or other objects** is set to **Administrators** (Automated) |
  • Restrict to only allows administrator to take ownership of a file
  • folder
  • or other system objects
| No impact | +| (L1) Ensure **Accounts: Administrator account status** is set to **Disabled** (Automated) | Built-in Administrator account is set to disabled | No impact | +| (L1) Ensure **Accounts: Guest account status** is set to **Disabled** (Automated) | Built-in Guest account is set to disabled | No impact | +| (L1) Ensure **Accounts: Limit local account use of blank passwords to console logon only** is set to **Enabled** (Automated) |
  • This is to ensure that a blank password cannot be used for remote access (like RDP or SMB)
  • preventing unauthorized access over the network.
| No impact | +| (L1) Configure **Accounts: Rename administrator account** (Automated) | Built-in Administrator account is renamed for example from administrator to deepadmin | No impact | +| (L1) Configure **Accounts: Rename guest account** (Automated) | Built-in Guest account is renamed for example from guest to deepguest | No impact | +| (L1) Ensure **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** is set to **Enabled** (Automated) |
  • This is to ensures that if audit subcategory settings are configured (for specific events)
  • they take precedence over the more general category settings. This allows more precise control over auditing at a granular level.
| No impact | +| (L1) Ensure **Audit: Shut down system immediately if unable to log security audits** is set to **Disabled** (Automated) |
  • Setting it to disabled
  • so that system will continue to operate even if it cannot log security audit events
  • and the inability to log security events will not trigger an immediate shutdown.
| No impact | +| (L1) Ensure **Interactive logon: Do not require CTRL+ALT+DEL** is set to **Disabled** (Automated) | Users are required to press CTRL+ALT+DEL before they can log in | No impact | +| (BL) Ensure **Interactive logon: Machine account lockout threshold** is set to **10 or fewer invalid logon attempts, but not 0 ** (Automated) | User account will lockout after 10 failed login attempts | No impact | +| (L1) Ensure **Interactive logon: Machine inactivity limit** is set to **900 or fewer second(s), but not ** (Automated) | User's device will lock after 900 seconds of idle time | No impact | +| (L1) Configure **Interactive logon: Message text for users attempting to log on** (Automated) | Login message appear when user login to their device | No impact | +| (L1) Configure **Interactive logon: Message title for users attempting to log on** (Automated) | Custom title appears before users enter their credentials on the Windows login screen. | No impact | +| (L1) Ensure **Interactive logon: Prompt user to change password before expiration** is set to **between 5 and 14 days** (Automated) | Prompt user to change password 14 days upon password expire | No impact | +| (L1) Ensure **Interactive logon: Smart card removal behavior** is set to **Lock Workstation** or higher (Automated) | Computer will automatically lock itself when smart card is removed | No impact | +| (L1) Ensure **Microsoft network client: Digitally sign communications (always)** is set to **Enabled** (Automated) | Ensures that all SMB (Server Message Block) communication between Windows clients and servers is digitally signed | No impact | +| (L1) Ensure **Microsoft network client: Digitally sign communications (if server agrees)** is set to **Enabled** (Automated) | To ensure that server agree to digital signing is enabled | No impact | +| (L1) Ensure **Microsoft network client: Send unencrypted password to third-party SMB servers** is set to **Disabled** (Automated) | Preventing window SMB client 
from sending plain-text (unencrypted) passwords when authenticating to third-party SMB servers | No impact | +| (L1) Ensure **Microsoft network server: Amount of idle time required before suspending session** is set to **15 or fewer minute(s)** (Automated) | Set 15 minutes Idle session timeout for SMB (Server Message Block) connections on Windows servers before automatically disconnected by the server | User will need to re-establish the connection when the session is disconnected after 15minutes if idle time | +| (L1) Ensure **Microsoft network server: Digitally sign communications (always)** is set to **Enabled** (Automated) |
  • Digital signing is enabled to ensure all SMB traffic must be digitally signed
  • ensuring the integrity and authenticity of data exchanged between clients and servers.
| Custom applications or scripts that use unsigned smb communication will fail unless they are updated to support signing | +| (L1) Ensure **Microsoft network server: Digitally sign communications (if client agrees)** is set to **Enabled** (Automated) | The server will digitally sign SMB communication only if the client supports SMB signing | No impact | +| (L1) Ensure **Microsoft network server: Disconnect clients when logon hours expire** is set to **Enabled** (Automated) | The server forces disconnection of users whose logon hours have expired | User need to finish their work within their permitted hours | +| (L1) Ensure **Microsoft network server: Server SPN target name validation level** is set to **Accept if provided by client** or higher (Automated) | To ensure that a client is connecting to the correct server and not a malicious impersonator. | Applications using anonymous smb authentication may experience failures. | +| (L1) Ensure **Network access: Allow anonymous SID/Name translation** is set to **Disabled** (Automated) | Prevent anonymous users requesting SID-to-name translations | Services that require anonymous access to resolve sids (e.g., certain file-sharing or remote admin tools) may stop working. | +| (L1) Ensure **Network access: Do not allow anonymous enumeration of SAM accounts** is set to **Enabled** (Automated) | Prevent unauthorised user query the system and obtain a list of local user accounts. | Some older applications or scripts that rely on anonymous sam enumeration may fail. | +| (L1) Ensure **Network access: Do not allow anonymous enumeration of SAM accounts and shares** is set to **Enabled** (Automated) | Users who are not logged in cannot retrieve a list of local user accounts from the Security Account Manager (SAM) database. | Older applications or scripts that rely on anonymous sam enumeration may fail when trying to list local users. 
| +| (L1) Ensure **Network access: Let Everyone permissions apply to anonymous users** is set to **Disabled** (Automated) |
  • Disabled to ensures that anonymous users do not receive the same permissions as authenticated users
  • thereby restricting unauthorized access.
| No impact | +| (L1) Ensure **Network access: Named Pipes that can be accessed anonymously** is set to **None** (Automated) | Prevent unauthenticated users from connecting to system services or applications that expose named pipes | Older applications or services that require anonymous named pipe access might fail to work. | +| (L1) Ensure **Network access: Remotely accessible registry paths** is configured (Automated) | Determines which registry paths on a machine can be accessed remotely over the network by authenticated users | Some third-party applications or legacy systems may need access to specific registry paths for proper operation. restricting access might cause them to malfunction. | +| (L1) Ensure **Network access: Remotely accessible registry paths and sub-paths** is configured (Automated) |
  • When this setting is configured automatically
  • administrators can restrict or allow remote access to particular parts of the registry
| No impact | +| (L1) Ensure **Network access: Restrict anonymous access to Named Pipes and Shares** is set to **Enabled** (Automated) | Restricts anonymous (unauthenticated) users from accessing named pipes and shares | Some older applications or legacy systems may depend on anonymous access to named pipes or shares. enabling this restriction might break functionality or cause compatibility issues with older software that does not use authenticated access | +| (L1) Ensure **Network access: Restrict clients allowed to make remote calls to SAM** is set to **Administrators: Remote Access: Allow** (Automated) | Restricts remote calls to the SAM database to only those clients that have been granted Administrator privileges | Some older remote administration tools or custom scripts that previously relied on non-administrative access to sam may fail or experience issues after this policy is enabled | +| (L1) Ensure **Network access: Shares that can be accessed anonymously** is set to **None** (Automated) |
  • Setting configured to 'None'
  • to ensures that no shared folders on the system can be accessed by anonymous users
| After enforcing this setting, users will need to authenticate (i.e., provide credentials) whenever accessing shared resources | +| (L1) Ensure **Network access: Sharing and security model for local accounts** is set to **Classic - local users authenticate as themselves** (Automated) | Local user accounts will authenticate using their own credentials (username and password) when accessing shared resources over the network | No impact | +| (L1) Ensure **Network security: Allow Local System to use computer identity for NTLM** is set to **Enabled** (Automated) | The Local System account can authenticate using the computer’s machine account credentials when communicating with other systems using NTLM authentication. | No impact | +| (L1) Ensure **Network security: Allow LocalSystem NULL session fallback** is set to **Disabled** (Automated) |
  • When set to "Disabled
  • " the system blocks Local System NULL session fallback
  • preventing unauthenticated connections.
| Older applications or services that rely on null sessions for authentication may fail to connect or function improperly. | +| (L1) Ensure **Network Security: Allow PKU2U authentication requests to this computer to use online identities** is set to **Disabled** (Automated) |
  • When set to "Disabled
  • " the system prevents authentication using online identities
  • restricting authentication to local accounts.
| No impact | +| (L1) Ensure **Network security: Configure encryption types allowed for Kerberos** is set to **AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types** (Automated) |
  • Windows ensures strong encryption for Kerberos authentication and eliminates the use of weaker or outdated encryption types like DES
  • RC4
  • or MD5.
| Some applications may require rc4-hmac and fail authentication. | +| (L1) Ensure **Network security: Do not store LAN Manager hash value on next password change** is set to **Enabled** (Automated) |
  • By setting 'Enabled'
  • Windows will only store NTLM hashes
  • which are significantly stronger than LM hashes
  • thus improving overall security.
| Some legacy applications or services that require lm hashes may stop authenticating correctly. | +| (L1) Ensure **Network security: Force logoff when logon hours expire** is set to **Enabled** (Manual) | | | +| (L1) Ensure **Network security: LAN Manager authentication level** is set to **Send NTLMv2 response only. Refuse LM & NTLM** (Automated) |
  • The system enforces a stronger
  • more secure authentication method by using NTLMv2 and refuses weaker
  • outdated authentication protocols like LM (LAN Manager) and NTLM.
| Some legacy applications that rely on ntlm or lm may not function, requiring updates or replacements. | +| (L1) Ensure **Network security: LDAP client signing requirements** is set to **Negotiate signing** or higher (Automated) | This setting instructs the client to use the most secure method available for signing the communication. | No impact | +| (L1) Ensure **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** is set to **Require NTLMv2 session security, Require 128-bit encryption** (Automated) | | | +| (L1) Ensure **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** is set to **Require NTLMv2 session security, Require 128-bit encryption** (Automated) | | | +| (L1) Ensure **System objects: Require case insensitivity for non-Windows subsystems** is set to **Enabled** (Automated) | It enforces case insensitivity for system objects in non-Windows subsystems. | No impact | +| (L1) Ensure **User Account Control: Virtualize file and registry write failures to per-user locations** is set to **Enabled** (Automated) | Windows virtualizes (or redirects) file and registry write operations from applications that try to modify system locations (which typically require administrator privileges) to user-specific locations. | No impact | +| (L1) Ensure **Internet Connection Sharing (ICS) (SharedAccess)** is set to **Disabled** (Automated) | The computer will not offer its internet connection to other devices. | No impact | +| (L1) Ensure **Remote Procedure Call (RPC) Locator (RpcLocator)** is set to **Disabled** (Automated) |
  • The system prevents the RPC Locator service from running
  • which means it will not attempt to find RPC services or allow other systems to query it for RPC services.
| Applications or systems that rely on rpc locator for discovering services across a network may no longer function as expected | +| (L1) Ensure **Routing and Remote Access (RemoteAccess)** is set to **Disabled** (Automated) | Prevent remotely access to system through VPNs or dial-up connections using RRAS | Disabling rras prevents remote users or systems from connecting to the network through vpn | +| (L1) Ensure **Simple TCP/IP Services (simptcp)** is set to **Disabled** or **Not Installed** (Automated) | Disabling legacy service in windows operating systems that provides basic network functionality and services based on the TCP/IP protocol | If the system needs to communicate with older devices or software that rely on these legacy services, disabling simptcp might break compatibility with such systems. | +| (L1) Ensure **Special Administration Console Helper (sacsvr)** is set to **Disabled** or **Not Installed** (Automated) | Disabling sacsvr services on services.msc | No impact | +| (L1) Ensure **SSDP Discovery (SSDPSRV)** is set to **Disabled** (Automated) | Prevent devices from discover each other and establish communication based on the SSDP protocol. | Could cause impact on upnp devices as upnp, often associated with ssdp | +| (L1) Ensure **UPnP Device Host (upnphost)** is set to **Disabled** (Automated) |
  • Prevent devices such as printers
  • computers
  • and other networked devices from discover each other and establish communication automatically on a local network
| Users may face inconvenience in networks that rely on upnp for easy device setup and communication. | +| (L1) Ensure **Windows Media Player Network Sharing Service (WMPNetworkSvc)** is set to **Disabled** or **Not Installed** (Automated) | Prevent Windows Media Player from sharing media files with other devices over the network. | No impact | +| (L1) Ensure **Windows Mobile Hotspot Service (icssvc)** is set to **Disabled** (Automated) | Preventing the device from sharing its internet connection with other devices | No impact | +| (L1) Ensure **World Wide Web Publishing Service (W3SVC)** is set to **Disabled** or **Not Installed** (Automated) | The machine will not be able to act as a web server and will not respond to HTTP requests. | If the device is intended to serve websites or web applications, disabling w3svc will prevent it from performing this role. | +| (L1) Ensure **Xbox Accessory Management Service (XboxGipSvc)** is set to **Disabled** (Automated) |
  • Prevent the system to recognize and manage Xbox accessories like controllers
  • headsets
  • and other peripherals.
| No impact | +| (L1) Ensure **Xbox Live Auth Manager (XblAuthManager)** is set to **Disabled** (Automated) | Prevent windows service from managing authentication processes related to Xbox Live accounts | No impact | +| (L1) Ensure **Xbox Live Game Save (XblGameSave)** is set to **Disabled** (Automated) | Disallow users from storing their game data in the cloud through Xbox Live | No impact | +| (L1) Ensure **Xbox Live Networking Service (XboxNetApiSvc)** is set to **Disabled** (Automated) |
  • Prevent device from connecting to Xbox Live for multiplayer games
  • matchmaking
  • and interacting with other players online.
| No impact | +| (L1) Ensure **Windows Firewall: Private: Firewall state** is set to **On (recommended)** (Automated) | Firewall is enabled for private networks | No impact | +| (L1) Ensure **Windows Firewall: Private: Logging: Size limit (KB)** is set to **16,384 KB or greater** (Automated) |
  • Setting logging size limit to 16
  • 384 KB (16 MB) before starts overwriting old data
| No impact | +| (L1) Ensure **Windows Firewall: Private: Logging: Log dropped packets** is set to **Yes** (Automated) |
  • Windows records these events in the firewall log (pfirewall.log)
  • allowing administrators to analyze and troubleshoot blocked connections.
| No impact | +| (L1) Ensure **Windows Firewall: Private: Logging: Log successful connections** is set to **Yes** (Automated) | Windows records log successful connections in the firewall log file (pfirewall.log). | No impact | +| (L1) Ensure **Windows Firewall: Public: Firewall state** is set to **On (recommended)** (Automated) | This setting enables the Windows Firewall when the system is connected to a public network | Applications requiring inbound connections (e.g., remote desktop, file sharing) may be blocked unless allowed manually | +| (L1) Ensure **Audit Credential Validation** is set to **Success and Failure** (Automated) | Windows logs events when authentication requests are processed for both user fails and successful authentication | No impact | +| (L1) Ensure **Audit Application Group Management** is set to **Success and Failure** (Automated) | Windows logs events when changes are made to application groups in local systems | No impact | +| (L1) Ensure **Audit Security Group Management** is set to include **Success** (Automated) | The system logs all successful modifications to security groups such as creating and deleting | No impact | +| (L1) Ensure **Audit User Account Management** is set to **Success and Failure** (Automated) |
  • Tracks changes made to user accounts on local machines such as user accounts are created
  • deleted and disabled
| No impact | +| (L1) Ensure **Audit PNP Activity** is set to include **Success** (Automated) | Windows logs an event whenever a device is successfully installed or configured using Plug and Play (PnP) | No impact | +| (L1) Ensure **Audit Process Creation** is set to include **Success** (Automated) | Windows records details about every successfully launched process such as Process Name and Process ID | No impact | +| (L1) Ensure **Audit Account Lockout** is set to include **Failure** (Automated) |
  • System will generate an event whenever an account lockout occurs due to repeated invalid login attempts
| No impact | +| (L1) Ensure **Audit Group Membership** is set to include **Success** (Automated) | Logs successful changes to the group memberships of user accounts | No impact | +| (L1) Ensure **Audit Logoff** is set to include **Success** (Automated) | Successful logoff events will be recorded and logged into the security event log | No impact | +| (L1) Ensure **Audit Logon** is set to **Success and Failure** (Automated) |
  • Any logon attempt
  • whether successful or unsuccessful
  • will be recorded in the system’s security logs
| No impact | +| (L1) Ensure **Audit Other Logon/Logoff Events** is set to **Success and Failure** (Automated) |
  • Tracks and records events that do not fall under the typical Logon or Logoff categories but still involve user authentication
  • authorization
  • and system access activities such as Remote Desktop logins and Network logins (when accessing shared resources over the network)
| No impact | +| (L1) Ensure **Audit Special Logon** is set to include **Success** (Automated) | Log events whenever a user successfully logs on with special privileges. These special logons typically involve actions such as: Administrator account logins and Logins that trigger elevated access levels | No impact | +| (L1) Ensure **Audit Detailed File Share** is set to include **Failure** (Automated) | Log an event whenever an access attempt to a file share fails | No impact | +| (L1) Ensure **Audit File Share** is set to **Success and Failure** (Automated) | Logs both successful and failed attempts to access files or directories shared on the network such as Reading files from shared folders and Writing to files | No impact | +| (L1) Ensure **Audit Other Object Access Events** is set to **Success and Failure** (Automated) |
  • Tracks access to objects other than typical files and directories such as Service objects: Access to services
  • such as starting or stopping services and Registry keys
| No impact | +| (L1) Ensure **Audit Removable Storage** is set to **Success and Failure** (Automated) | Logging both successful and failed attempts to access removable storage devices such as plugging in a USB drive and Copying files to or from removable storage | No impact | +| (L1) Ensure **Audit Audit Policy Change** is set to include **Success** (Automated) | Logging successful modifications to auditing settings such as modifying advanced audit policy settings and Enabling or disabling audit policies | No impact | +| (L1) Ensure **Audit Authentication Policy Change** is set to include **Success** (Automated) | Logging successful changes to authentication policies on a system such as kerberos policy changes and changes to user password policies | No impact | +| (L1) Ensure **Audit Authorization Policy Change** is set to include **Success** (Automated) | System records events where policies that determine user access permissions are changed such as changes to object access control lists (ACLs) and adjustments to role-based access control (RBAC) policies | No impact | +| (L1) Ensure **Audit MPSSVC Rule-Level Policy Change** is set to **Success and Failure** (Automated) | System records events when there are successful changes to firewall rules and failed attempts to modify firewall rules | No impact | +| (L1) Ensure **Audit Other Policy Change Events** is set to include **Failure** (Automated) |
  • Tracks fail change attempt to security policies that are not covered by other specific audit categories. This includes modifications to trust policies
  • authentication settings
  • and other system-wide security configurations.
| No impact | +| (L1) Ensure **Audit Sensitive Privilege Use** is set to **Success and Failure** (Automated) | Logging both successful and failed privileged operations such as debugging programs and Backing up/restoring files and directories | No impact | +| (L1) Ensure **Audit IPsec Driver** is set to **Success and Failure** (Automated) |
  • Logging both successful and failed IPsec-related events such as establishing secure connections
  • encryption failures and authentication failures
| No impact | +| (L1) Ensure **Audit Security State Change** is set to include **Success** (Automated) |
  • Logging successful events related to major security-related changes in the system such as system startup and shutdown
  • changes in audit policies and enforcement of security settings.
| No impact | +| (L1) Ensure **Audit Security System Extension** is set to include **Success** (Automated) | Logging successful events related to the installation and loading of system extensions that could impact security such as loading of authentication packages and changes to system security components | No impact | +| (L1) Ensure **Audit System Integrity** is set to **Success and Failure** (Automated) | Logging both successful and failed attempts to alter the system’s core structure or integrity such as modification of protected system files and changes to system security settings. | No impact | +| (L1) Ensure **Prevent enabling lock screen camera** is set to **Enabled** (Automated) |
  • This setting disables the ability to use the camera while the device is locked
  • meaning that users cannot access the camera through the lock screen interface.
| Legitimate users may want to use the camera on the lock screen for activities such as quick video calls. this setting prevents that functionality. | +| (L1) Ensure **Prevent enabling lock screen slide show** is set to **Enabled** (Automated) | It disables the ability to use a slideshow on the lock screen. | No impact | +| (L1) Ensure **Allow users to enable online speech recognition services** is set to **Disabled** (Automated) |
  • Users are prevented from enabling these online speech recognition services
  • which might be used for features like voice commands
  • dictation
  • or speech-to-text functionality in various applications.
| Inconvenience for users who rely on online speech recognition for tasks like voice-to-text or using voice commands in applications | +| (L1) Ensure **Configure SMB v1 client driver** is set to **Enabled: Disable driver (recommended)** (Automated) | It disables the SMB v1 client driver on the system. This means that the system will not use SMB v1 for file sharing or network communication. | If a network relies heavily on smb v1 (perhaps due to legacy hardware or software), disabling smb v1 could disrupt operations | +| (L1) Ensure **Configure SMB v1 server** is set to **Disabled** (Automated) | Preventing SMB v1 from being used on the system as a server | Devices and clients will not be able to connect to this system using the insecure smb v1 protocol. | +| (L1) Ensure **NetBT NodeType configuration** is set to **Enabled: P-node (recommended)** (Automated) | Resolves names through a WINS (Windows Internet Name Service) server. | Some older applications or systems may still rely on broadcast name resolution (b-node) or may not be compatible with wins | +| (L1) Ensure **WDigest Authentication** is set to **Disabled** (Automated) | Disabled so that WDigest won't be able to storesuser credentials (passwords) in a way that is generally considered insecure compared to modern methods | Disabling wdigest might cause disruption if any third-party software or scripts depend on this authentication method for logging into systems or services. | +| (L1) Ensure **MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)** is set to **Disabled** (Automated) | Prevent user's password is stored in the system registry in plain text and to prevent auto logon into the system | No impact | +| (L1) Ensure **MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)** is set to **Enabled: Highest protection, source routing is completely disabled** (Automated) |
  • Source routing is disabled all traffic have to follows the standard
  • trusted routes defined by network devices
| No impact | +| (L1) Ensure **MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes** is set to **Disabled** (Automated) | Prevents ICMP redirects from overriding OSPF-generated routes | No impact | +| (L1) Ensure **MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers** is set to **Enabled** (Automated) |
  • Only trusted WINS servers can request name releases
  • blocking all other sources.
| Older systems and applications that rely on netbios name resolution may experience issues if name releases are blocked. | +| (L1) Ensure **MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)** is set to **Enabled** (Automated) | This setting ensures that Windows prioritizes safer locations when searching for Dynamic Link Libraries (DLLs) that applications request | Some legacy applications (especially custom or poorly coded ones) might expect dlls to load from the current working directory first | +| (L1) Ensure **MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)** is set to **Enabled: 5 or fewer seconds** (Automated) | Setting grace period to 5 seconds or less after the screen saver activated during which a user can move the mouse or press a key to return to the session without re-entering their credentials. | No impact | +| (L1) Ensure **Turn off multicast name resolution** is set to **Enabled** (Automated) |
  • Link-Local Multicast Name Resolution (LLMNR) is turned off
  • preventing Windows from using multicast to resolve hostnames.
| No impact | +| (L1) Ensure **Enable insecure guest logons** is set to **Disabled** (Automated) | Windows will not allow users to access shared resources using a guest account. | No impact | +| (L1) Ensure **Prohibit installation and configuration of Network Bridge on your DNS domain network** is set to **Enabled** (Automated) | Prevents users from creating or configuring a Network Bridge on computers that are part of a DNS domain network | No impact | +| (L1) Ensure **Prohibit use of Internet Connection Sharing on your DNS domain network** is set to **Enabled** (Automated) |
  • Windows blocks users from enabling ICS
  • ensuring that domain-joined computers cannot share their internet connection with other devices.
| No impact | +| (L1) Ensure **Hardened UNC Paths** is set to **Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares** (Automated) | Secure authentication (Kerberos or NTLMv2) is required before accessing NETLOGON/SYSVOL and data integrity checks are enforced | No impact | +| (L1) Ensure **Minimize the number of simultaneous connections to the Internet or a Windows Domain** is set to **Enabled: 3 = Prevent Wi-Fi when on Ethernet** (Automated) |
  • If an Ethernet connection is active
  • the system automatically disables Wi-Fi.
| No impact | +| (L1) Ensure **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services** is set to **Disabled** (Automated) |
  • Prevents Windows from automatically connecting to the following types of networks:Suggested Open Hotspots
  • Hotspots Offering Paid Services and Networks Shared by Contacts
| No impact | +| (L1) Ensure **Point and Print Restrictions: When installing drivers for a new connection** is set to **Enabled: Show warning and elevation prompt** (Automated) |
  • "When installing drivers for a new connection"
  • Windows will: +Display a warning message whenever a user attempts to install a new printer driver via a Point and Print connection. +Prompt for elevation (i.e.
  • request administrative privileges) before the driver installation can proceed.
| No impact | +| (L1) Ensure **Point and Print Restrictions: When updating drivers for an existing connection** is set to **Enabled: Show warning and elevation prompt** (Automated) |
  • When updating drivers for an existing connection"
  • Windows will: +Display a warning message whenever a user attempts to update a printer driver for a printer that is already connected. +Prompt for elevation (i.e.
  • require administrative privileges) to confirm the update process before proceeding.
| No impact | +| (L1) Ensure **Include command line in process creation events** is set to **Enabled** (Automated) | Windows ensures that command-line arguments used during the creation of a process are logged in event logs | No impact | +| (L1) Ensure **Encryption Oracle Remediation** is set to **Enabled: Force Updated Clients** (Automated) |
  • This setting ensures that only clients with updated encryption capabilities (e.g.
  • using stronger encryption standards) are allowed to connect.
| Older devices, browsers, or software that only support weak or outdated encryption may no longer be able to establish connections | +| (L1) Ensure **Remote host allows delegation of non-exportable credentials** is set to **Enabled** (Automated) |
  • this setting allows the delegation of non-exportable credentials to remote servers or services. In other words
  • it permits the remote host (the destination system) to use the credentials from a local user session to authenticate the user or perform operations on the user's behalf
  • even if the credentials are non-exportable
| No impact | +| (L1) Ensure **Boot-Start Driver Initialization Policy** is set to **Enabled: Good, unknown and bad but critical** (Automated) | It allows the system to initialize:
Good drivers (trusted and verified).
Unknown drivers (drivers that are unsigned or have unknown origins).
Bad but critical drivers (drivers that may be problematic but are required for booting or for critical system functions). | No impact | +| (L1) Ensure **Continue experiences on this device** is set to **Disabled** (Automated) | It prevents the device from syncing or continuing experiences across multiple devices | No impact | +| (L1) Ensure **Turn off Internet download for Web publishing and online ordering wizards** is set to **Enabled** (Automated) | It disables the ability of Windows Internet Explorer and Microsoft Office tools to automatically download content from the internet during the use of their wizards such as web publishing and online ordering feature. | No impact | +| (L1) Ensure **Do not display network selection UI** is set to **Enabled** (Automated) |
  • It prevents the user from being able to manually select a network from the available list of networks (for example
  • Wi-Fi networks or VPNs).
| No impact | +| (L1) Ensure **Turn off app notifications on the lock screen** is set to **Enabled** (Automated) |
  • It prevents any app notifications (such as emails
  • messages
  • calendar events
  • and system alerts) from appearing on the lock screen
| No impact | +| (L1) Ensure **Turn on convenience PIN sign-in** is set to **Disabled** (Automated) | Windows blocks users from setting up and using a convenience PIN for authentication | No impact | +| (L1) Ensure **Allow network connectivity during connected-standby (on battery)** is set to **Disabled** (Automated) | device automatically disconnects from all networks when entering Modern Standby mode while on battery power. | No impact | +| (L1) Ensure **Allow network connectivity during connected-standby (plugged in)** is set to **Disabled** (Automated) |
  • Device disconnects from all networks (Wi-Fi
  • Ethernet
  • cellular) when entering Modern Standby mode
  • even when it is plugged in.
| No impact | +| (L1) Ensure **Require a password when a computer wakes (on battery)** is set to **Enabled** (Automated) |
  • When device wakes from sleep
  • hibernation
  • or Modern Standby while running on battery power
  • a password is required to regain access.
| No impact | +| (L1) Ensure **Require a password when a computer wakes (plugged in)** is set to **Enabled** (Automated) |
  • When device wakes from sleep
  • hibernation
  • or Modern Standby while plugged into a power source
  • a password is required to regain access.
| No impact | +| (L1) Ensure **Configure Offer Remote Assistance** is set to **Disabled** (Automated) |
  • Remote assistance cannot be offered or initiated by IT/admins without user action. However
  • users can still request help through Remote Assistance manually.
| No impact | +| (L1) Ensure **Configure Solicited Remote Assistance** is set to **Disabled** (Automated) | IT administrators or support personnel cannot connect to assist users remotely using this built-in tool. | No impact | +| (L1) Ensure **Enable RPC Endpoint Mapper Client Authentication** is set to **Enabled** (Automated) | The RPC Endpoint Mapper requires authentication before allowing clients to connect. | Legacy applications that require unauthenticated rpc connections | +| (L1) Ensure **Restrict Unauthenticated RPC clients** is set to **Enabled: Authenticated** (Automated) | Only authenticated RPC clients can establish connections. | Older applications or legacy systems that rely on anonymous rpc connections may fail. | +| (L1) Ensure **Prevent non-admin users from installing packaged Windows apps** is set to **Enabled** (Automated) | Only allow admin users installing packaged windows apps from sources like microsoft store and downloaded app packages | No impact | +| (L1) Ensure **Let Windows apps activate with voice while the system is locked** is set to **Enabled: Force Deny** (Automated) | Completely blocks voice activation when the system is locked. | Users who rely on voice control for accessibility may experience difficulty. | +| (L1) Ensure **Allow Microsoft accounts to be optional** is set to **Enabled** (Automated) | Users can use a local account instead of being forced to use a Microsoft account. | No impact | +| (L1) Ensure **Disallow Autoplay for non-volume devices** is set to **Enabled** (Automated) | Prevents Autoplay from activating for non-volume devices. | Users may need to manually access media devices instead of having them launch automatically. | +| (L1) Ensure **Set the default behavior for AutoRun** is set to **Enabled: Do not execute any autorun commands** (Automated) |
  • Prevents Windows from automatically executing any AutoRun commands
  • even if an "autorun.inf" file is present.
| Software or installers that rely on autorun (e.g., cd/dvd-based installers, external software launchers) will not start automatically. | +| (L1) Ensure **Turn off Autoplay** is set to **Enabled: All drives** (Automated) |
  • This setting disables AutoPlay for all types of drives
  • including USB drives
  • CD/DVD drives
  • and network drives.
| No impact | +| (L1) Ensure **Configure enhanced anti-spoofing** is set to **Enabled** (Automated) | Windows enhances the anti-spoofing capabilities for biometric systems (like face recognition or fingerprints) by verifying that the biometric data is genuine and not spoofed or manipulated. | No impact | +| (L1) Ensure **Turn off Microsoft consumer experiences** is set to **Enabled** (Automated) |
  • Enabled → This setting disables specific features and experiences that are typically associated with consumer-focused apps and services
  • such as: App suggestions and recommendations and Microsoft Store promotions
| No impact | +| (L1) Ensure **Require pin for pairing** is set to **Enabled: First Time** OR **Enabled: Always** (Automated) |
  • When this setting is enabled with the "First Time" option
  • a PIN will only be required during the initial pairing process for a device. Once the device is paired for the first time
  • no PIN will be required for future pairings with the same device.
| No impact | +| (L1) Ensure **Do not display the password reveal button** is set to **Enabled** (Automated) | This setting disables the visibility of the password reveal button (the eye icon) in password input fields across Windows | No impact | +| (L1) Ensure **Enumerate administrator accounts on elevation** is set to **Disabled** (Automated) |
  • Windows will not display any administrator account names in the UAC prompt
  • and the user will be required to manually enter the credentials (username and password) for an administrator account in order to proceed with the elevated action.
| No impact | +| (L1) Ensure **Prevent the use of security questions for local accounts** is set to **Enabled** (Automated) | It prevents users from setting or using security questions to recover or reset the passwords for their local accounts in Windows. | User will not have an additional fallback option for password recovery through security questions. | +| (L1) Ensure **Do not show feedback notifications** is set to **Enabled** (Automated) | It disables the feedback notifications that Windows typically displays to users such as prompts users to send feedback or take part in the windows insider program or surveys about the operating system | No impact | +| (L1) Ensure **Download Mode** is NOT set to **Enabled: Internet** (Automated) | Updates are not downloaded directly from Microsoft’s servers over the internet. | No impact | +| (L1) Ensure **Application: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior or restrictions regarding the size limit of event log files | No impact | +| (L1) Ensure **Application: Specify the maximum log file size (KB)** is set to **Enabled: 32,768 or greater** (Automated) |
  • Max log size for Application event is set to 32
  • 768 KB
| No impact | + + +#### **macOS** + +| Title | Description | Impact | +| --- | --- | --- | +| (L1) Ensure **Security: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior regarding the size limits of security event log files | No impact | +| (L1) Ensure **Security: Specify the maximum log file size (KB)** is set to **Enabled: 196,608 or greater** (Automated) |
  • Max log size for Security event is set to 196
  • 608 KB
| No impact | +| (L1) Ensure **Setup: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior regarding the maximum size of the setup event log file | No impact | +| (L1) Ensure **Setup: Specify the maximum log file size (KB)** is set to **Enabled: 32,768 or greater** (Automated) | Max log size for Setup event is set to 32,768 KB | No impact | +| (L1) Ensure **System: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior regarding the maximum size of the control event log file | No impact | +| (L1) Ensure **System: Specify the maximum log file size (KB)** is set to **Enabled: 32,768 or greater** (Automated) | Max log size for System event is set to 32,768 KB | No impact | +| (L1) Ensure **Turn off Data Execution Prevention for Explorer** is set to **Disabled** (Automated) |
  • Data Execution Prevention (DEP) is enabled for Windows Explorer (explorer.exe)
  • which is the system process that provides the graphical interface for file management
  • taskbar
  • Start menu
  • and more.
| No impact | +| (L1) Ensure **Turn off heap termination on corruption** is set to **Disabled** (Automated) |
  • If Windows detects heap corruption in a process
  • the process will be immediately terminated rather than allowing it to continue running in an unstable state.
| Some older or poorly written applications may have minor heap corruption issues | +| (L1) Ensure **Turn off shell protocol protected mode** is set to **Disabled** (Automated) |
  • Windows keeps shell protocol protected mode enabled. This setting affects how Windows handles certain URL and shell commands launched via the Windows Shell (e.g.
  • File Explorer
  • Start Menu
  • Run dialog
| Older or custom enterprise applications that rely on unrestricted shell protocol execution may stop working or experience issues. | +| (L1) Ensure **Prevent the computer from joining a homegroup** is set to **Enabled** (Automated) |
  • Windows prevents the computer from joining or creating a HomeGroup. This restricts the ability to share files
  • printers
  • and other resources using the HomeGroup feature.
| No impact | +| (L1) Ensure **Configure local setting override for reporting to Microsoft MAPS** is set to **Disabled** (Automated) | Users cannot enable or disable MAPS reporting manually from Windows Security settings. | No impact | +| (L1) Ensure **Prevent users and apps from accessing dangerous websites** is set to **Enabled: Block** (Automated) |
  • Blocks access to phishing sites
  • malware-hosting pages
  • and other potentially harmful content and Helps protect against malware downloads
  • command-and-control (C2) attacks
  • and phishing attempts.
| Some users may find that harmless websites get flagged due to false positives. | +| (L1) Ensure **Scan all downloaded files and attachments** is set to **Enabled** (Automated) | All downloaded files and email attachments are automatically scanned for malware and security threats before they can be accessed | No impact | +| (L1) Ensure **Turn off real-time protection** is set to **Disabled** (Automated) | Real-time protection is enabled and cannot be turned off by users | No impact | +| (L1) Ensure **Turn on behavior monitoring** is set to **Enabled** (Automated) |
  • Windows Defender actively monitors and analyzes the behavior of applications and processes to detect suspicious activities that may indicate malware or threats
  • even if the files themselves are not yet recognized as malicious.
| No impact | +| (L1) Ensure **Scan removable drives** is set to **Enabled** (Automated) |
  • Microsoft Defender Antivirus automatically scans USB drives
  • external hard disks
  • SD cards
  • and other removable media for malware during manual or scheduled scans.
| No impact | +| (L1) Ensure **Turn on e-mail scanning** is set to **Enabled** (Automated) |
  • Microsoft Defender Antivirus will scan incoming and outgoing emails for malware
  • phishing attempts
  • and other security threats.
| No impact | +| (L1) Ensure **Configure detection for potentially unwanted applications** is set to **Enabled: Block** (Automated) | Microsoft Defender Antivirus actively detects and blocks PUAs before they can be installed or executed on the system. | No impact | +| (L1) Ensure **Turn off Microsoft Defender AntiVirus** is set to **Disabled** (Automated) | Microsoft Defender not allow to be turn off | No impact | +| (L1) Ensure **Do not allow passwords to be saved** is set to **Enabled** (Automated) |
  • Users are blocked from storing passwords in certain applications
  • browsers
  • and Windows components. This enforces manual password entry for authentication
  • enhancing security but reducing convenience.
| No impact | +| (L1) Ensure **Do not allow drive redirection** is set to **Enabled** (Automated) | Users are prevented from redirecting their local drives while using Remote Desktop Protocol (RDP) to connect to another system. | Admins may need alternative ways to upload/download files when managing remote systems. | +| (L1) Ensure **Always prompt for password upon connection** is set to **Enabled** (Automated) |
  • Users are required to enter their password every time they establish a Remote Desktop Protocol (RDP) session
  • even if they previously saved their credentials.
| Requires manual password entry for every rdp session, which can slow down workflows. | +| (L1) Ensure **Require secure RPC communication** is set to **Enabled** (Automated) | All Remote Procedure Call (RPC) communications must use secure authentication and encryption to prevent unauthorized access and data tampering. | No impact | +| (L1) Ensure **Require user authentication for remote connections by using Network Level Authentication** is set to **Enabled** (Automated) | All Remote Desktop Protocol (RDP) connections must authenticate the user before establishing a full session with the remote computer. | No impact | +| (L1) Ensure **Set client connection encryption level** is set to **Enabled: High Level** (Automated) | All Remote Desktop Protocol (RDP) connections must use strong encryption (128-bit) to secure data transmitted between the client and server. | No impact | +| (L1) Ensure **Do not delete temp folders upon exit** is set to **Disabled** (Automated) | Temporary folders created during a Remote Desktop Services (RDS) session are automatically deleted when the session ends. | No impact | +| (L1) Ensure **Prevent downloading of enclosures** is set to **Enabled** (Automated) | Users are blocked from downloading enclosures (attachments) in RSS feeds in supported applications like Microsoft Outlook or Internet Explorer (legacy). | Users cannot download podcast episodes, newsletters, or media files linked in feeds. | +| (L1) Ensure **Allow Cortana** is set to **Disabled** (Automated) |
  • Microsoft's virtual assistant
  • is completely disabled on the system
  • meaning users can no longer access or use Cortana for voice commands
  • search queries
  • reminders
  • or any other Cortana-related functionality.
| Users lose the ability to use voice commands or cortana to set reminders, check the weather, or quickly access search results. | +| (L1) Ensure **Allow Cortana above lock screen** is set to **Disabled** (Automated) | Cortana is prevented from being accessed or used on the lock screen of the Windows device | Users can no longer use cortana for quick access to information like weather updates or reminders while the device is locked, | +| (L1) Ensure **Allow indexing of encrypted files** is set to **Disabled** (Automated) |
  • Windows Search will not index the contents of encrypted files
  • meaning these files will not be included in search results and will not be easily searchable by their contents.
| Users will not be able to search the contents of encrypted files via windows search, reducing convenience for those who regularly access encrypted documents. | +| (L1) Ensure **Allow search and Cortana to use location** is set to **Disabled** (Automated) | Both Windows Search and Cortana are prevented from accessing and using the device's location to provide location-based results or services. | No impact | +| (L1) Ensure **Turn off Automatic Download and Install of updates** is set to **Disabled** (Automated) | Windows Update is allowed to automatically download and install updates without any user intervention | No impact | +| (L1) Ensure **Configure Windows Defender SmartScreen** is set to **Enabled: Warn and prevent bypass** (Automated) |
  • Provide an additional layer of protection by warning users about potentially unsafe apps
  • websites
  • or downloads
| No impact | +| (L1) Ensure **Configure Windows Defender SmartScreen** is set to **Enabled** (Automated) |
  • To protect users by preventing the execution of untrusted or potentially dangerous apps
  • files
  • and websites
| No impact | +| (L1) Ensure **Prevent bypassing Windows Defender SmartScreen prompts for sites** is set to **Enabled** (Automated) | Windows Defender SmartScreen will block users from bypassing the security prompts that appear when they visit potentially unsafe websites. | Some legitimate websites may be flagged as unsafe by mistake, causing inconvenience for users who need to access those sites | +| (L1) Ensure **Enables or disables Windows Game Recording and Broadcasting** is set to **Disabled** (Automated) |
  • The Game Bar
  • Game DVR
  • and Game Broadcasting features in Windows are completely turned off. This prevents users from recording gameplay
  • taking screenshots
  • or live-streaming their gameplay using built-in Windows tools.
| No impact | +| (L1) Ensure **Allow Windows Ink Workspace** is set to **Enabled: On, but disallow access above lock** OR **Disabled** but not **Enabled: On** (Automated) |
  • Windows Ink Workspace remains available
  • but users cannot access it from the lock screen.
| No impact | +| (L1) Ensure **Allow user control over installs** is set to **Disabled** (Automated) | Users are prevented from changing installation settings and cannot manually install or modify software on the system but users with admin privilege will not be affected | No impact | +| (L1) Ensure **Always install with elevated privileges** is set to **Disabled** (Automated) | Windows does not grant elevated (admin-level) privileges to Windows Installer-based installations for non-administrator users | No impact | +| (L1) Ensure **Sign-in and lock last interactive user automatically after a restart** is set to **Disabled** (Automated) |
  • Windows will not automatically sign in the last logged-in user after a system restart. Instead
  • the user must manually enter their credentials at the sign-in screen to access their session.
| No impact | +| (L1) Ensure **Turn on PowerShell Script Block Logging** is set to **Enabled** (Automated) |
  • Windows logs all PowerShell script execution activity
  • including the full content of scripts
  • commands
  • and code blocks that are executed.
| No impact | +| (L1) Ensure **Turn on PowerShell Transcription** is set to **Enabled**' (Automated) |
  • Windows records and saves a transcript of every PowerShell session in a text log. This includes all commands executed
  • input and output
  • and any errors encountered.
| No impact | +| (L1) Ensure **Allow Basic authentication** is set to **Disabled** - WinRM Client (Automated) | System prevents the use of Basic authentication when connecting to remote systems using WinRM. | Basic authentication is often used when connecting to non-domain-joined machines or third-party services. if disabled, these connections may fail. | +| (L1) Ensure **Allow unencrypted traffic** is set to **Disabled** - WinRM Client (Automated) | Prevents the use of unencrypted HTTP connections for remote management or PowerShell remoting | Some legacy or third-party applications may need to be updated to use encrypted winrm connections. | +| (L1) Ensure **Disallow Digest authentication** is set to **Enabled** (Automated) | Digest Authentication is explicitly disabled for all WinRM communications. This setting ensures that WinRM will not use the Digest authentication method | If older systems or services rely on digest authentication, those systems may fail to connect or function correctly when this setting is enabled. | +| (L1) Ensure **Allow Basic authentication** is set to **Disabled** - WinRM Service (Automated) | WinRM service will block any attempts to use Basic authentication for remote connections. | Some systems or applications that rely on basic authentication (such as certain third-party tools or legacy systems) may experience connection failures if they cannot use kerberos or ntlm. | +| (L1) Ensure **Allow unencrypted traffic** is set to **Disabled** WinRM Service (Automated) | The service rejects all incoming WinRM connections that are not encrypted | If legacy systems or scripts rely on http (unencrypted) winrm connections, they will stop working. | +| (L1) Ensure **Disallow WinRM from storing RunAs credentials** is set to **Enabled** (Automated) | Prevents Windows Remote Management (WinRM) from caching or storing credentials when using "RunAs" authentication | Users must re-enter credentials for each new remote session. 
| +| (L1) Ensure **Prevent users from modifying settings** is set to **Enabled** (Automated | Local users can not make changes in the Exploit protection settings area. | No impact | +| (L1) Ensure **No auto-restart with logged on users for scheduled automatic updates installations** is set to **Disabled** (Automated) |
  • Windows will automatically restart the system after installing updates
  • even if users are logged in.
| If a user is logged in and working, they may lose unsaved work when the system restarts unexpectedly. | +| (L1) Ensure **Configure Automatic Updates** is set to **Enabled** (Automated) | Windows will automatically download and install updates based on the specific configuration set by the administrator | Users may experience unexpected restarts after updates. | +| (L1) Ensure **Configure Automatic Updates: Scheduled install day** is set to ** - Every day** (Automated) | Windows will attempt to install updates daily at 9:00am. | No impact | +| (L1) Ensure **Remove access to “Pause updates” feature** is set to **Enabled** (Automated) | Users will not be able to pause Windows updates through the Windows Update settings. | Users cannot temporarily pause updates when they are working on important work | +| (L1) Ensure **Manage preview builds** is set to **Disabled** (Automated) |
  • Windows will prevent the installation and management of preview (or Insider) builds. This setting ensures that only stable
  • officially released versions of Windows are installed on the device
| Users and testers will not have early access to upcoming features and improvements available in preview builds. | +| (L1) Ensure **Select when Preview Builds and Feature Updates are received** is set to **Enabled: 180 or more days** (Automated) |
  • Windows postpones the installation of feature updates and preview builds for 180 days after their official release. This configuration allows organizations to delay the deployment of new features
  • providing ample time to address potential compatibility issues or other concerns before the update is applied to systems.
| Users will not have immediate access to the latest features and improvements, as updates are postponed for six months. | +| (L1) Ensure **Select when Quality Updates are received** is set to **Enabled: 0 days** (Automated) |
  • Windows will install quality updates immediately upon their release. This configuration ensures that devices receive critical security patches and bug fixes without delay
  • maintaining optimal system security and performance.
| Rapid deployment of updates may lead to compatibility issues with existing software or hardware. | +| (L1) Ensure **Do not preserve zone information in file attachments** is set to **Disabled** (Automated) |
  • Windows marks file attachments with their zone of origin information (such as Internet
  • intranet
  • local). This enables Windows to assess potential risks associated with opening these files and can prompt appropriate security warnings to users.
| No impact | +| (L1) Ensure **Notify antivirus programs when opening attachments** is set to **Enabled** (Automated) |
  • Windows will notify all registered antivirus programs to scan a file when a user attempts to open an attachment. If the antivirus scan fails or encounters an issue
  • Windows will block the attachment from being opened.
| No impact | +| (L1) Ensure **Configure Windows spotlight on lock screen** is set to Disabled' (Automated) |
  • Windows Spotlight is turned off for the lock screen. This means that users will no longer see daily changing images or receive suggestions
  • fun facts
  • tips
  • or other content provided by Windows Spotlight on their lock screens
| No impact | +| (L1) Ensure **Do not suggest third-party content in Windows spotlight** is set to **Enabled** (Automated) |
  • Windows Spotlight features—such as the lock screen spotlight
  • suggested apps in the Start menu
  • and Windows tips—will no longer display content or suggestions from third-party software publishers. However
  • users may still receive recommendations and tips related to Microsoft features and applications.
| No impact | +| (L1) Ensure **Turn off Spotlight collection on Desktop** is set to **Enabled** (Automated) | Windows Spotlight's dynamic desktop background feature is disabled. This means that the desktop will no longer display daily changing images provided by Microsoft | No impact | +| (L1) Ensure **Prevent users from sharing files within their profile.** is set to **Enabled** (Automated) |
  • Users are restricted from sharing files located within their user profile directories (e.g.
  • C:\Users\Username) with other users on the network.
| No impact | +| (L1) Ensure **Always install with elevated privileges** is set to **Disabled** (Automated) | Windows Installer operates with the current user's privilege level during application installations. This means that users can only install applications that their account permissions allow and installations requiring elevated privileges will prompt for administrative credentials or fail if the user lacks the necessary rights. | No impact | +| (L1) Ensure **Remove access to “Pause updates” feature** is set to **Enabled** (Automated) | Users will not be able to pause Windows updates through the Windows Update settings. | Users cannot temporarily pause updates when they are working on important work | +| (L1) Ensure **Manage preview builds** is set to **Disabled** (Automated) |
  • Windows will prevent the installation and management of preview (or Insider) builds. This setting ensures that only stable
  • officially released versions of Windows are installed on the device
| Users and testers will not have early access to upcoming features and improvements available in preview builds. | +| (L1) Ensure **Select when Preview Builds and Feature Updates are received** is set to **Enabled: 180 or more days** (Automated) |
  • Windows postpones the installation of feature updates and preview builds for 180 days after their official release. This configuration allows organizations to delay the deployment of new features
  • providing ample time to address potential compatibility issues or other concerns before the update is applied to systems.
| Users will not have immediate access to the latest features and improvements, as updates are postponed for six months. | +| (L1) Ensure **Select when Quality Updates are received** is set to **Enabled: 0 days** (Automated) |
  • Windows will install quality updates immediately upon their release. This configuration ensures that devices receive critical security patches and bug fixes without delay
  • maintaining optimal system security and performance.
| Rapid deployment of updates may lead to compatibility issues with existing software or hardware. | +| (L1) Ensure **Do not preserve zone information in file attachments** is set to **Disabled** (Automated) |
  • Windows marks file attachments with their zone of origin information (such as Internet
  • intranet
  • local). This enables Windows to assess potential risks associated with opening these files and can prompt appropriate security warnings to users.
| No impact | +| (L1) Ensure **Notify antivirus programs when opening attachments** is set to **Enabled** (Automated) |
  • Windows will notify all registered antivirus programs to scan a file when a user attempts to open an attachment. If the antivirus scan fails or encounters an issue
  • Windows will block the attachment from being opened.
| No impact | +| (L1) Ensure **Configure Windows spotlight on lock screen** is set to Disabled' (Automated) |
  • Windows Spotlight is turned off for the lock screen. This means that users will no longer see daily changing images or receive suggestions
  • fun facts
  • tips
  • or other content provided by Windows Spotlight on their lock screens
| No impact | +| (L1) Ensure **Do not suggest third-party content in Windows spotlight** is set to **Enabled** (Automated) |
  • Windows Spotlight features—such as the lock screen spotlight
  • suggested apps in the Start menu
  • and Windows tips—will no longer display content or suggestions from third-party software publishers. However
  • users may still receive recommendations and tips related to Microsoft features and applications.
| No impact | +| (L1) Ensure **Turn off Spotlight collection on Desktop** is set to **Enabled** (Automated) | Windows Spotlight's dynamic desktop background feature is disabled. This means that the desktop will no longer display daily changing images provided by Microsoft | No impact | +| (L1) Ensure **Prevent users from sharing files within their profile.** is set to **Enabled** (Automated) |
  • Users are restricted from sharing files located within their user profile directories (e.g.
  • C:\Users\Username) with other users on the network.
| No impact | +| (L1) Ensure **Always install with elevated privileges** is set to **Disabled** (Automated) | Windows Installer operates with the current user's privilege level during application installations. This means that users can only install applications that their account permissions allow and installations requiring elevated privileges will prompt for administrative credentials or fail if the user lacks the necessary rights. | No impact | +| Description | Remediation (for control cannot be automatically harden) | Impact | +| Records detailed logs of system events for security monitoring and forensic analysis | | No impact | +| Involves specifying which system events are recorded for security auditing purposes +Audit Flag: +pc -Audit All Failed Program Execution on the System +fa- System to Audit All Deletions of Object Attributes +fm- System to Audit All Deletions of Object Attributes and System to Audit All Failed Change of Object Attributes +fr- System to Audit All Failed Read Actions on the System +fw- System to Audit All Failed Write Actions on the System +fa- System to Audit All Changes of Object Attributes +ex- System to Audit All Failed Program Execution on the System | | No impact | +| Helps in filtering out routine or non-critical entries, allowing analysts to focus on significant events that may indicate security incidents or policy violations. 
​ | | No impact | +| Audit retention to maintain at least sixty days of records or up to five gigabytes | | No impact | +| Involves assigning each executing process its own distinct address space, preventing one process from accessing or modifying the memory and code of another | | No impact | +| Prevent system from broadcasting its presence and available services over network interfaces | | It may disrupt several features and applications that rely on it for service discovery, such as shared disks, screen sharing, printing, and airdrop | +| Only allow administrators can change various system settings, including those related to security and privacy. | | No impact | +| Audit logs are protected against tampering | | No impact | +| Ensuring that only authorized users and applications can access specific resources | | No impact | +| Ensuring that error messages on macOS applications do not expose exploitable information | | No impact | +| Disable facetime.app to prevent unwanted calls and maintain privacy | | No impact | +| Ensuring that your macOS system transitions to a known safe state during initialization, shutdown, or in the event of an abort is crucial for maintaining system integrity and protecting data | | No impact | +| FileVault ensures that unauthorized users cannot access your information without proper credentials | | No impact | +| Enabling firewall logging on macOS to monitor and analyze incoming connection attempts | Open Terminal
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt detail | No impact | +| Enabling gatekeeper security feature in macOS to ensure that only trusted software can runs on the device | Navigate to System Setting > Privacy & Security > Security > Allow applications from
Select "App Store & Known Developers | It may limit the installation of certain legitimate applications from unidentified developers | +| Gatekeeper automatically re-enables after 30 days if it has been disabled | | No impact | +| Only Administrator accounts possess elevated privileges that allow users to manage system-wide settings, install applications, and oversee other user accounts | | No impact | +| Disable the transfer of data between devices | | No impact | +| Disable built-in web server (Apache HTTP Server) on macOS | | No impact | +| Enforce the use of validated cryptographic modules and algorithms | | Some applications or services that rely on non-fips-approved cryptographic methods may experience compatibility issues | +| Protecting system memory from unauthorized code execution | | No impact | +| Prevent unintended interactions with nearby IR devices, such as remote controls from other Macs or Apple TVs. | | No impact | +| Ensuring that user activities do not interfere with critical system operations, and vice versa to prevent compromise of system integrity | | No impact | +| Only authorized users can select auditable events on macOS to prevent unauthorized modifications | | No impact | +| Only authenticated and authorized users can access specific system resources and information | | No impact | +| Providing a clear logoff capability and displaying messages upon logoff help prevent unauthorized access and exploitation. 
| | No impact | +| Ensuring that macOS systems implement effective malicious code protection mechanisms to safeguard against malware and other security threats | | No impact | +| Disable systems from sharing files over a network | | No impact | +| Masking password input during authentication, preventing unauthorized individuals from viewing sensitive information | | No impact | +| Ensuring that macOS uniquely identifies peripherals before establishing a connection such as before allowing access to USB drives, external hard disks, or other storage media, the system should verify the device's identity | | No impact | +| Users will be seeing the following message before they login to the system: +"This computer system is managed by the Government of Singapore and/or Government Technology Agency of Singapore (GovTech), and computer and network usage may be monitored. Any unauthorised access or use of this computer system is prohibited and may be subject to disciplinary action and/or criminal prosecution. By proceeding to use this computer system, you acknowledge the above and agree to abide by the applicable security policies." | | No impact | +| When macOS encounters invalid inputs, it will respond in a consistent and documented way, such as displaying an appropriate error message or rejecting the input without causing system instability. | | No impact | +| Ensuring that software on macOS does not execute with higher privileges than those of the invoking user is crucial for maintaining system security and integrity | | No impact | +| Ensure that only authorized personnel have administrative privileges. Standard users should not have the ability to execute commands or perform actions that can alter system configurations or security settings. 
| | No impact | +| Only authorized individuals have access to shared resources | | No impact | +| To ensure that collaborative computing devices such as cameras and microphones cannot be activated remotely without user consent, thereby protecting against eavesdropping or unauthorized recordings. | | No impact | +| Ensuring that macOS provides the ability to disconnect or disable remote access | | No impact | +| Requiring users to reauthenticate for privilege escalation on macOS enhances security by ensuring that elevated permissions are granted only after explicit user verification | | No impact | +| Whenever a user attempts to modify their authentication method—such as setting up or altering Touch ID, changing passwords, or configuring other security settings—a reauthentication prompt should be enforced. | | No impact | +| Controlling remote access methods on macOS is essential for maintaining system security and ensuring that only authorized users can connect to your Mac such as disabling of screen sharing , bluetooth sharing, internal sharing and remote management | | No impact | +| All software components are fully removed after installing updated versions on macOS | | No impact | +| Ensuring compliance with federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to cryptographic modules on macOS involves adhering to established security frameworks and leveraging Apple's validated cryptographic modules. | | No impact | +| Mac's Secure Boot level is set to "Full Security" | | No impact | +| Ensuring the protected storage of cryptographic keys is a fundamental aspect of securing macOS systems such as disable iCloud Keychain | | No impact | +| Separating user and system functionality on macOS enhances security by ensuring that user activities do not interfere with critical system operations. 
| | No impact | +| Enable of filename extension for example mac.exe and mac.txt | | No impact | +| Prevent the use of logging to the terminal using root credential | | No impact | +| On macOS, passwords and other sensitive data are securely stored and encrypted using the Keychain system | | No impact | +| By default the system volume is mounted as read-only, meaning that critical system files are protected from accidental or malicious modifications | | No impact | +| Terminating all sessions and network connections upon completing maintenance on macOS is a crucial security measure to prevent unauthorized access and ensure system integrity | | No impact | +| Disable Trivial File Transfer Protocol Service on macOS as it transmits data in clear text without authentication, making it susceptible to interception and unauthorized access | | No impact | +| Enabling the Time Synchronization Daemon (timed) on macOS ensures that the system maintains accurate time by synchronizing with authorized time servers. | | No impact | +| Default setting on macOS to employs specific identifiers and tools to distinguish between different users and the processes they initiate | | No impact | +| By default, macOS disables the UUCP service at startup by preventing unauthorized connections and data transfers | | No impact | +| By default, macOS disables verify that all remote connections have been effectively terminated | | No impact | +| By default, macOS automatically remove or disable emergency accounts within 72 hours | | No impact | +| Requires user to change their password the next time they log in | | No impact | +| Prevents users from recycling any of their last 5 used passwords. 
| | No impact | +| Enforces the inclusion of at least one lowercase letter (a–z) in every user password | | No impact | +| Password policy that mandates all user passwords on macOS must be at least 15 characters long | | No impact | +| Prevents users from creating weak and easily guessable passwords by disallowing patterns such as: +*Repeating characters: aaaaaa, 111111, zzzzzz +*Ascending sequences: 123456, abcdef, abcd1234 +*Descending sequences: 654321, zyxwvu, 4321dcba | | No impact | +| Password policy that enforces inclusion of at least one non-alphanumeric character (such as !, @, #, $, %, ^, etc.) in every user password. | | No impact | +| Password policy that ensures all user passwords include at least one capital letter (A–Z) | | No impact | +| Prevents the system from automatically sending analytics, crash reports, and usage patterns to Apple | | No impact | +| Activates the built-in firewall on macOS to control incoming network traffic based on specific application rules | Open Terminal
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on | No impact | +| Prevents applications and system services from accessing the geographical location of the device | | No impact | +| Disabling the ability to share your screen or remotely control your Mac using macOS's built-in services. | | No impact | +| Turning off the built-in voice assistant, Siri | | Users will no longer be able to use siri for tasks like setting reminders, searching for files, dictating text, or controlling system functions using voice commands. | +| Ensure that macOS automatically downloads and installs updates as they become available. | | Some updates, especially major macos updates, may require the system to reboot. this could result in temporary downtime for users. | +| Disabling the SSH (Secure Shell) server on macOS to prevent remote access to the system via the command line. | | No impact | +| Only users with administrator privileges can make changes to system-wide settings and configurations | | No impact | +| Ensuring that data is regularly backed up and can be recovered in the event of system failure, data corruption, or accidental deletion |
  • Go to: +Apple Menu → System Settings (or System Preferences) → General → Time Machine +Click Add Backup Disk… +Select a disk (external drive
  • network location
  • or Time Capsule) and click Set Up Disk +Ensure the “Back Up Automatically” toggle is enabled
| No impact | +| Enable encryption when setting up the Time Machine backup destination on your Mac |
  • Connect the external drive (or select a network volume). +Go to: +System Settings → General → Time Machine → click Add Backup Disk… +Select the disk
  • then check the option: +"Encrypt backups" +Set a strong password and remember it — this is required to access the backup. +Click Use Disk.
| No impact | +| Ensuring that system has accurate and synchronized time settings | | No impact | +| Ensures your macOS system’s clock is accurate and synchronized with a trusted time source via the Network Time Protocol (NTP) | | No impact | +| SSH (Secure Shell) clients will not be able to authenticate to the server using just a username and password. Instead, SSH clients will need to use another authentication method, typically public key authentication, to establish a secure connection. | | There’s a risk of user lockout if ssh keys are not set up correctly before disabling password authentication. | +| Ensures that only the system, authorized administrators, or specific applications can access the audit logs, without granting granular permissions to individual users or groups through ACLs. | | Must ensure that the appropriate access control measures (e.g., file system permissions) are in place to secure the audit logs. | +| Prevent unauthorized modifications, access, or tampering with audit log files by removing the ability to set specific, user-based access controls for the folder that stores these logs. | | Users or processes that do not have explicit read/write permissions for the log folder may not be able to access the logs | +| Configure the audit capacity warning to 90% threshold +minsfree:10, warning is logged when disk fall below 10% free space | | No impact | +| System log event base on the following: +Authorization events refer to actions where the system grants or denies access based on user permissions and roles. For instance, a user trying to access a restricted file or a network resource may trigger an authorization event. +Authentication events refer to actions where the system verifies the identity of a user, typically by checking a password, fingerprint, or other credentials. Examples include login attempts, successful logins, failed login attempts, and account lockouts. 
| | No impact | +| Record activities related to privileged or administrative actions — such as sudo usage, system configuration changes, and user privilege escalation attempts | | No impact | +| System will log any attempts to run programs that fail to execute — for example, due to permissions issues, missing files, or invalid binaries | | No impact | +| Audit all deletions of object attributes, which refers to any instance where metadata or properties (such as permissions, labels, or extended attributes) associated with files or directories are removed. | | No impact | +| Audit all changes to object attributes, meaning any updates or modifications to metadata associated with files and directories (e.g., permissions, labels, ownership, timestamps). | | No impact | +| Any failed attempts to change file or directory attributes—such as ownership, permissions, or timestamps—are audited and recorded by the system. | | No impact | +| Every failed attempt to read a file or data object on the system is logged. | | No impact | +| Any attempt to write, modify, or delete a file or object that fails is recorded in macOS audit logs. | | No impact | +| All login and logout activity on whether successful or failed is captured in macOS's audit log system | | No impact | +| Notify administrators when a security event fails to be recorded +Policy:cnt +minsfree:10, warning is logged when disk fall below 10% free space | | No impact | +| macOS enforces restrictions on critical system files and directories, ensuring that only authenticated users (with root or appropriate privileges) can modify the system’s most sensitive components | | No impact | +| System will automatically remove guest folder if is present in the device | | No impact | +| No unauthorized user or application can access, modify, or delete the files contained within the Home Folder. 
| | No impact | +| System will retain log files for 365 days | | No impact | +| macOS will no longer prompt or accept password-sharing requests from nearby devices, regardless of trust or proximity. | | No impact | +| Prevents the system from allowing users to share saved passwords (such as Wi-Fi credentials, keychain items, or autofill data) with other Apple devices, either through AirDrop, iCloud Keychain and bluetooth | | No impact | +| when users attempt to log in remotely, typically through services like SSH (Secure Shell) or remote desktop tools. This banner provides a warning about unauthorized access, security policies, or other legal disclaimers, ensuring that users acknowledge the terms before gaining access to the system. | | No impact | +| System to show a legal notice or policy message whenever a user logs in via SSH. | | No impact | +| The server will not send keep-alive messages to the client. In other words, the server will not try to keep the connection alive by periodically sending requests to check if the client is still responsive. | | No impact | +| Set server idle time to 900 seconds | | No impact | +| Set client idle time to 900 seconds | | No impact | +| Only allow secure algorithms for encrypting and authenticating SSH traffic. +FIPS_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr" +FIPS_KEX_ALGORITHMS="diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256" +FIPS_MACS="hmac-sha1,hmac-sha2-256,hmac-sha2-512" | | Older ssh clients may not support the stricter cipher list and fail to connect. | +| Server waits for user to authenticate after the SSH connection is established. If the user does not successfully log in within the 30 seconds window, the server automatically drops the connection. | | Users must complete login within 30 seconds | +| Prevents one authenticated session from granting access to another. | | Users may need to re-authenticate more often across sessions or commands. 
| +| Time difference (offset) between the local system clock and NTP server does not exceed 5 minutes. | | No impact | +| Users cannot log into another active or locked user session on the macOS system | | No impact | +| Password policy that enforces inclusion of at least one numeric character (0-9) in every user password | | No impact | +| To block applications from unidentified developers (i.e., developers who have not registered with Apple and have not signed their apps), | | Third-party developers (especially smaller or independent developers) may not sign their applications or get them notarized by apple. this means their apps will be blocked by gatekeeper | +| Preventing users from bypassing Gatekeeper’s restrictions | | Cannot run apps from unidentified developers | +| Prevent guest from accessing to the shared files over the network. | | No impact | +| Prevent guest account from login into the device | | No impact | +| Preventing Apple from collecting and analyzing your voice interactions for quality improvement purposes. | | No impact | +| Disallow Mac from sharing its active internet connection with other devices via a different network interface. | | No impact | +| Disable automatically login, user will need to login into their device using their username and password | | No impact | +| Disallows files and folders to be shared with other devices on the same network. | | Users no longer can share or access files via smb | +| System regularly checks for and installs updates to built-in Apple apps and system components without user intervention | | No impact | +| macOS automatically downloads software updates — including macOS updates, security patches, and system files — in the background without requiring user action | | No impact | +| macOS to automatically check, download, and install system and security updates — without needing user action. 
| | No impact | +| Disallow Mac from wake up from sleep when another device on the same network sends a request | | No impact | + + + \ No newline at end of file diff --git a/support/seed-status.md b/support/seed-status.md index 89dca598..b9c264c4 100644 --- a/support/seed-status.md +++ b/support/seed-status.md @@ -7,24 +7,40 @@ This page provides the following Information: ## Scheduled maintenance -No ongoing maintenance! - - +No scheduled maintenance ## Ongoing incidents -| Date | 11 December 2024 | -|---|---| -| **Issue summary** | We are aware that some users have received unexpected notifications on their SEED devices. The team has investigated and fixed the issue.

**Impact**: Access to SGTS and GCC services is not affected.

**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | - - +No ongoing incident! ## Previous incidents +| Date | 13 August 2025 | +| ------------- |:-------------| +| **Issue summary** | Users may encounter **Cloudflare connection** or **certificate errors** when using SEED.

**Impact**: Some users may be unable to connect or may see a security warning.

The issue has been fixed, and is now working as expected.

**For more assistance**: Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + +| Date | 22 July 2025 | +|------|--------------| +| **Issue summary** | Public officers (WoG) are currently unable to onboard new SEED devices.

**Impact**: Existing SEED users and vendor device onboarding are **not affected**.

The issue has been fixed, and is now working as expected.

**For more assistance**: Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + +| Date | 4 June 2025 | +|------|--------------| +| **Issue summary** | The Intune issue affecting new user onboarding to SEED was **resolved at 6:57 PM SGT**.

**Impact**: Some new users may have experienced difficulties during the onboarding process earlier today.

The issue has been fixed, and onboarding is now working as expected.

**For more assistance**: Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + + + +| Date | 21 March 2025 | +|------|--------------| +| **Issue summary** | We have identified access issues to SGTS and GCC services for some users at **9:06 AM SGT**. Our team is actively investigating the matter.

**Impact**: Users may experience difficulties accessing SGTS and GCC services.

We will provide updates as soon as we have more information. Thank you for your patience.

**For more assistance**: Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + +| Date | 11 December 2024 | +|---|---| +| **Issue summary** | We are aware that some users have received unexpected notifications on their SEED devices. The team has investigated and fixed the issue.

**Impact**: Access to SGTS and GCC services is not affected.

**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | + | Date | 26 September 2024 | | ------------- |:-------------| | **Issue summary** | **Resolved**
The Cloudflare connectivity issue affecting SEED users has been resolved as of 26 September 2024, 11:30 SGT.

*Updated on: 26 September 2024, 09:33 SGT*

**Impact**: Users may have experienced issues accessing SGTS or GCC services during the outage.

**Workaround**: If you are still facing issues, please turn Cloudflare WARP off and on again, and reboot your device.

**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | diff --git a/support/troubleshooting-issues.md b/support/troubleshooting-issues.md index 928772ca..881c146c 100644 --- a/support/troubleshooting-issues.md +++ b/support/troubleshooting-issues.md 
@@ -2,12 +2,168 @@ This guide provides solutions to common problems for SEED. Follow the steps below to troubleshoot and resolve the problems you are experiencing. -## Unable to log in to MacBook – login loop -This issue commonly occurs on devices with outdated macOS versions. To resolve it, please upgrade your macOS to version 15.1.1 or later. +## macOS device blocked in SEED dashboard (no remediation steps) + + +If your device is blocked in the SEED dashboard and no remediation steps are shown, follow the instructions below to restore access. + +![Launchpad showing Falcon app](/images/r0.png) + + +## Step 1 – Launch CrowdStrike app +Open **Falcon** from the Launchpad. +![Launchpad showing Falcon app](/images/r1.png) + + +## Step 2 – Check Falcon sensor +If the Falcon window shows red indicators, click **Configure settings**. +![CrowdStrike Falcon status – configure settings](/images/r2.png) + + +## Step 3 – Set up Falcon sensor system extension +Click **Setup** under *Network filter not loaded*. +![Setup network filter](/images/r3.png) + + +## Step 4 – Allow network filter +When prompted, click **Allow**. +![Allow network filter](/images/r4.png) + + +## Step 5 – Confirm network filter loaded +Once the filter is loaded, click **Continue**. +![Network filter loaded](/images/r5.png) + + +## Step 6 – Set up system extension +Click **Setup** under *Extension not loaded*. +![Setup extension](/images/r6.png) + + +## Step 7 – Approve extension in system settings +Click **Open system settings** when prompted. +![Open system settings](/images/r7.png) + + +## Step 8 – Enable Falcon in endpoint security extensions +In **System settings → Extensions**, enable the toggle for *Falcon sensor*. Enter your admin credentials if required. +![Enable Falcon endpoint security extension](/images/r8.png) + + +## Step 9 – Confirm extension loaded +Once enabled, the status will show **Extension loaded**. Click **Continue**. 
+![Extension loaded](/images/r9.png) + + +## Step 10 – Grant full disk access +Go to **System settings → Privacy & security → Full disk access**. +Enable the toggle for **Falcon sensor**. +![Grant full disk access](/images/r10.png) + + +## Step 11 – Confirm full disk access +Once enabled, the status will show **Full disk access granted**. Click **Continue**. +![Full disk access granted](/images/r11.png) + + + +## Step 12 – Verify Falcon sensor +Ensure that all indicators are green: +- Sensor is registered +- Sensor is operational +- Sensor is cloud connected + +![Falcon all green](/images/r12.png) + +## Step 13 – Sync to Tanium +Open **Terminal** and run: + +```bash +sudo launchctl kickstart -k -p system/com.tanium.taniumclient + +``` + + + +## Device access to GCC/SGTS is blocked + +![defender](/images/defender-fix.png) + +When accessing GCC or SGTS, users may see a dashboard message stating that **Microsoft Defender requires attention**. This issue prevents access to GCC and SGTS services. + +### Suggested steps + +1. **Check SEED components full disk access (FDA) is enabled** + - Refer to the [FDA guide](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/post-onboarding-instructions/macos-latest?id=ensure-full-disk-access-fda-is-enabled-for-seed-components). + +2. **Verify Microsoft Defender configuration** + - Ensure Defender is configured with the correct Organisation ID. + - Refer to the [Defender configuration guide](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/post-onboarding-instructions/macos-latest?id=verify-microsoft-defender-is-configured). + +3. **Confirm required extensions are turned on** + - **Endpoint security extensions** + - `Falcon.app` → Toggle On (http://falcon.app/) + - `Microsoft Defender Endpoint Security Extension` → Toggle On + - **Network extensions** + - `Microsoft Defender Network Extensions` → Toggle On + +4. 
**Check Defender health status** + - Open Terminal and run: + ```bash + mdatp health + ``` + +5. **Sync device posture** + - Connect to a mobile hotspot. + - Open **Company Portal** → Select **Device** → Click **… (three dots)** → Select **Check status**. + - Open Terminal and run: + ```bash + sudo launchctl kickstart -k -p system/com.tanium.taniumclient + ``` + +6. **Retry access** + - Wait at least 15 minutes before trying again. + - If access still fails, try using an **incognito window**. + - If incognito works, clear the browser cache and retry. + + +## Cloudflare connectivity issue: turns orange + +![cf](/images/orange-wrap.png) + + +When having difficulty accessing SGTS or GCC services, Cloudflare WARP may display an **Orange** status. ### Suggested steps +1. Launch **Cloudflare WARP**. +2. Click the **Gear** icon. +3. Navigate to **Preferences > Account**. +4. Log in to **GovTech Zero Trust** using the account name `gccgovsg`. + + +## Cloudflare connectivity issue – Limited connectivity: A certificate is missing + +![lc](/images/limited-connectivity.png) + +When having difficulty accessing SGTS or GCC services, Cloudflare WARP may show a **Missing certificate** error. + +### Suggested steps + +1. Download the required certificate from the [Cloudflare certificate update guide](https://docs.developer.tech.gov.sg/docs/security-suite-for-engineering-endpoint-devices/support/cloudflare-cert-update-guide). +2. Trust the certificate on your device. + + +## Unable to log in to MacBook – login loop + +This is a known issue affecting older versions of macOS, where users are unable to log in despite entering the correct password. +The problem typically occurs because some key presses are not registered properly at the login screen, resulting in an incorrect password input — even if the user typed it correctly. +This issue is fixed from macOS **15.4 or later**. 
+To resolve the issue, and aligning to our OS baselining, we recommend you to upgrade your macOS to version **15.4.1 or later**, to avoid encountering the login loop issue. + +### Suggested steps to log in and update + 1. **Log in and upgrade macOS** - Attempt to log in to the MacBook a few times using the correct password. Once logged in, upgrade your macOS. - Alternatively, log in with a different user account (if available). Once logged in, upgrade your macOS. @@ -48,6 +204,12 @@ Follow the steps below depending on your Mac model. If you are unsure whether yo If you are still unable to log in, reinstall macOS through recovery mode. Refer to [Apple’s guide on reinstalling macOS](https://support.apple.com/en-sg/102655). +### Additional reference + +Apple has acknowledged this issue in their enterprise support article: +[https://support.apple.com/en-gb/121011](https://support.apple.com/en-gb/121011) + + ## Resolving *Cloudflare CF_DNS_Lookup_Failure* error on macOS 15 @@ -376,12 +538,12 @@ If your Cloudflare WARP is stuck in the connecting status, please follow these s 3. Search for **Cloudflare WARP** and select **Uninstall**. -After uninstalling, proceed to [download Cloudflare WARP](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/) +After uninstalling, proceed to download Cloudflare WARP. For a smooth experience, download the following versions: -- **Windows**: Version 2024.3.409.0 -- **macOS**: Version 2024.3.444.0 +- **Windows**: Version [2025.4.943.0](https://downloads.cloudflareclient.com/v1/download/windows/version/2025.4.943.0) +- **macOS**: Version [2025.4.943.0](https://downloads.cloudflareclient.com/v1/download/macos/version/2025.4.943.0) Once downloaded, follow these steps: 
@@ -461,7 +623,7 @@ Cloudflare has reported connectivity problems for users with macOS and Windows W 3. Enter `Y`. When WARP is successfully uninstalled, the message ```Finished uninstallation!``` is displayed. 4. Proceed to [download Cloudflare WARP](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/). - - **macOS**: Version 2024.3.444.0 + - **macOS**: Version 2025.4.943.0 #### **Windows** @@ -469,7 +631,7 @@ Cloudflare has reported connectivity problems for users with macOS and Windows W 2. Go to **Settings** > **Apps** and search for **Cloudflare WARP**. 3. Choose Cloudflare WARP and click **Uninstall**. 4. Proceed to [download Cloudflare WARP](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/download-warp/). - - **Windows**: Version 2024.3.409.0 + - **Windows**: Version 2025.4.943.0 @@ -499,3 +661,5 @@ Ensure to re-authenticate your Cloudflare WARP client with the following steps: 3. Reboot your machine. + + diff --git a/update-schedule/SEED-OS-Patch-Release-Schedule-Annual[Public-Edition].pdf b/update-schedule/SEED-OS-Patch-Release-Schedule-Annual[Public-Edition].pdf new file mode 100644 index 00000000..b7bb4b3c Binary files /dev/null and b/update-schedule/SEED-OS-Patch-Release-Schedule-Annual[Public-Edition].pdf differ diff --git a/update-schedule/os-patching-schedule.md b/update-schedule/os-patching-schedule.md new file mode 100644 index 00000000..fd5044d9 --- /dev/null +++ b/update-schedule/os-patching-schedule.md @@ -0,0 +1,6 @@ +# Patching schedule for OS updates + +The following PDF contains the current OS patching schedule for SEED-managed devices. + +[📄 Download the patching schedule (PDF)](/update-schedule/SEED-OS-Patch-Release-Schedule-Annual[Public-Edition].pdf) + diff --git a/verify-microsoft-defender-is-configured-correctly-for-your-os.md b/verify-microsoft-defender-is-configured-correctly-for-your-os.md deleted file mode 100644 index aa1841b9..00000000 
--- a/verify-microsoft-defender-is-configured-correctly-for-your-os.md +++ /dev/null @@ -1 +0,0 @@ -!> This documentation has moved. Refer to [macOS 14 and 13 post onboarding guide](/post-onboarding-instructions/macos-latest), [macOS 12 post onboarding guide](/post-onboarding-instructions/macos) and [Windows post onboarding guide](/post-onboarding-instructions/windows). \ No newline at end of file
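Review bot: the `.DS_Store` change at the top of the patch is macOS Finder metadata, not documentation; drop it from the commit and add `.DS_Store` to `.gitignore` so it stops showing up as a binary diff in future changes.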
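Review bot: in the known-issues table, the 21 March 2025 entry is still in its investigating state ("Our team is actively investigating the matter. … We will provide updates as soon as we have more information.") while every later entry ends with "The issue has been fixed"; since this is an archived log, add the resolution (or at least mark it closed), otherwise a reader cannot tell whether SGTS/GCC access is still degraded. Minor: the separator rows differ between entries (`|------|--------------|`, `|---|---|`, `| ------------- |:-------------|`) and only the 26 September 2024 entry carries a **Resolved** marker; pick one layout and apply it to all entries.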
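Review bot: in the `@@ -2,12 +2,168 @@` hunk of `support/troubleshooting-issues.md`, step 3 of "Device access to GCC/SGTS is blocked" reads `` `Falcon.app` → Toggle On (http://falcon.app/) ``; the parenthesised URL points at an external domain unrelated to CrowdStrike or GovTech and looks like an editor auto-link of the `.app` suffix. The user is being told to enable a system extension, not to visit a site, so remove the URL rather than send readers to an unverified domain. Other points in the same hunk: the thirteen `## Step N` headings under "macOS device blocked in SEED dashboard" sit at the same level as the section heading itself, so they render as sibling sections instead of sub-steps; the rest of the file uses `### Suggested steps` with a numbered list, so either demote them to `###` or fold them into a list. The `r0.png` image placed before Step 1 reuses the alt text of `r1.png` ("Launchpad showing Falcon app") and appears to be a duplicate. In the login-loop section, "This issue is fixed from macOS **15.4 or later**" is immediately followed by "upgrade your macOS to version **15.4.1 or later**", and the removed line said 15.1.1; state a single threshold. Same section: "we recommend you to upgrade" should be "we recommend upgrading". In "Sync device posture", "Connect to a mobile hotspot" is given with no reason; add one sentence on why the posture check needs a non-corporate network, or users will skip it.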
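Review bot: in `@@ -376,12 +538,12 @@`, the line `+After uninstalling, proceed to download Cloudflare WARP.` drops the link to Cloudflare's download page that the removed line carried, while the `@@ -461,7 +623,7 @@` and `@@ -469,7 +631,7 @@` hunks keep that generic link and only bump the version; either keep the link here too or point all three places at the same pinned `downloads.cloudflareclient.com` URLs so the sections do not drift. Pinning `2025.4.943.0` in three separate places is also a maintenance trap, as the previous pins show (2024.3.409.0 for Windows versus 2024.3.444.0 for macOS); consider a single "recommended WARP version" line that the other sections reference.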
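Review bot: `@@ -499,3 +661,5 @@` adds only two trailing blank lines at the end of `support/troubleshooting-issues.md`; drop the whitespace-only hunk so the diff stays limited to substantive changes.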
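Review bot: in the new `update-schedule/os-patching-schedule.md`, the link destination `/update-schedule/SEED-OS-Patch-Release-Schedule-Annual[Public-Edition].pdf` contains unescaped square brackets inside a Markdown link, which many renderers parse incorrectly (the `!>` callout syntax used elsewhere on this site suggests docsify, whose Markdown parser is one of them); rename the PDF to avoid `[` and `]` (for example `...-Annual-Public-Edition.pdf`) or percent-encode them as `%5B` and `%5D` in the link. The filename also appears in the binary `diff --git` header, so both need the rename.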
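Review bot: `verify-microsoft-defender-is-configured-correctly-for-your-os.md` was a redirect stub ("This documentation has moved. Refer to ...") and deleting it turns any bookmark or external link to that path into a 404; unless the site has been checked for inbound references to it, keep the stub or confirm that the site router provides a redirect for the old path.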