diff --git a/articles/fleet-4.62.0.md b/articles/fleet-4.62.0.md
index 24926d2d927f..232f291ca7de 100644
--- a/articles/fleet-4.62.0.md
+++ b/articles/fleet-4.62.0.md
@@ -22,7 +22,7 @@ Fleet now creates policies automatically when you add a custom package. This eli
### Hide secrets in configuration profiles and scripts
-Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secret-variables).
+Fleet ensures that GitHub or GitLab secrets, like API tokens and license keys used in scripts (Shell & PowerShell) and configuration profiles (macOS & Windows), are hidden when viewed or downloaded in Fleet. This protects sensitive information, keeping it secure until it’s deployed to the hosts. Learn more about secrets [here](https://fleetdm.com/guides/secrets-in-scripts-and-configuration-profiles).
## Changes
diff --git a/articles/secret-variables.md b/articles/secret-variables.md
deleted file mode 100644
index 29d298dc2ff0..000000000000
--- a/articles/secret-variables.md
+++ /dev/null
@@ -1,136 +0,0 @@
-# How to use secret variables in Fleet
-
-Fleet [v4.62.0](https://github.com/fleetdm/fleet/releases/tag/fleet-v4.62.0) allows you to use secret variables in Fleet scripts, software install/uninstall scripts, and MDM configuration profiles. Secret variables are encrypted and stored securely in Fleet, enabling you to use sensitive information in your scripts and profiles without exposing it in plain text. Fleet secret variables cannot be retrieved via the Fleet API or UI.
-
-Examples of sensitive information include:
-- API tokens
-- Passwords
-- Certificates
-- Private keys
-- Other sensitive data
-
-## Prerequisites
-
-- Fleet v4.62.0
-
-## How to specify a secret variable
-
-A secret variable can be used in a script or MDM configuration profile by specifying the variable name in the format `$FLEET_SECRET_MYNAME` or `${FLEET_SECRET_MYNAME}`. When the script or profile is sent to the host, Fleet will replace the variable with the actual secret value. The prefix `FLEET_SECRET_` is required to indicate that the variable is a secret, and Fleet reserves this prefix for secret variables.
-
-For macOS and Linux scripts, if a secret doesn't have the `$FLEET_SECRET_` prefix, it will be treated as a local environment variable.
-
-**Example:**
-
-```xml
-
-
-
-
- PayloadDisplayName
- Certificate PKCS12
- PayloadIdentifier
- com.example.certificate
- PayloadType
- Configuration
- PayloadUUID
- 918ee83d-ebd5-4192-bcd4-8b4feb750e4b
- PayloadVersion
- 1
- PayloadContent
-
-
- Password
- $FLEET_SECRET_CERT_PASSWORD
- PayloadContent
- $FLEET_SECRET_CERT_BASE64
- PayloadDisplayName
- Certificate PKCS12
- PayloadIdentifier
- com.example.certificate
- PayloadType
- com.apple.security.pkcs12
- PayloadUUID
- 25cdd076-f1e7-4932-aa30-1d4240534fb0
- PayloadVersion
- 1
-
-
-
-
-```
-
-In the example above, we use `$FLEET_SECRET_CERT_PASSWORD` and `$FLEET_SECRET_CERT_BASE64` secret variables.
-
-## Using secret variables with GitOps
-
-You can configure Fleet using the [best practice GitOps workflow](https://fleetdm.com/docs/configuration/yaml-files).
-
-You must add the secret variables to your repository's secrets to use them in GitOps.
-
-For the GitHub GitOps flow, they must also be added to the `env` section of your workflow file, as shown below:
-
-```yaml
- env:
- FLEET_URL: ${{ secrets.FLEET_URL }}
- FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
- FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
- FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
- FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
- FLEET_SECRET_CERT_PASSWORD: ${{ secrets.FLEET_SECRET_CERT_PASSWORD }}
- FLEET_SECRET_CERT_BASE64: ${{ secrets.FLEET_SECRET_CERT_BASE64 }}
-```
-
-When GitOps syncs the configuration, it looks for secret variables in scripts and profiles, extracts the secret values from the environment, and uploads them to Fleet.
-
-On subsequent GitOps syncs, if a secret variable used by a configuration profile has been updated, the profile will be resent to the host device(s).
-
-_Note:_ Profiles with secret variables are not entirely validated during a GitOps dry run because secret variables may not be present/correct in the database during the dry run. Hence, there is an increased chance of GitOps non-dry run failure when using a profile with a secret variable. Try uploading this profile to a test team first.
-
-## Using secret variables with the Fleet API and UI
-
-Before uploading a script/profile with secret variables via the Fleet API or UI, you must create the secret variables in Fleet. You can do this with the new secret variables API endpoint.
-
-**Example:**
-
-```bash
-curl \
--H "Authorization: Bearer $FLEET_API_TOKEN" \
--H 'Content-Type: application/json' \
-https://fleet.example.com/api/v1/fleet/spec/secret_variables \
--X PUT --data-binary @- << EOF
-{ "secrets":
- [
- {
- "name": "FLEET_SECRET_CERT_PASSWORD",
- "value": "abc123"
- },
- {
- "name": "FLEET_SECRET_CERT_BASE64",
- "value": "SGVsbG8gV29ybGQh"
- }
- ]
-}
-EOF
-```
-
-Afterward, you can upload the script/profile with secret variables via the Fleet API or UI.
-
-_Note:_ The checksum of Apple DDM profiles with secret variables now includes the timestamp of the last secrets update.
-
-## Escaping variable and interpolation
-
-The dollar sign ($) can be escaped so it's not considered a variable by using a backslash (e.g. `\$100`). Additionally, `MY${variable}HERE` syntax can be used to put strings around the variable.
-
-## Known limitations and issues
-
-- Windows profiles are currently not re-sent to the device on fleetctl gitops update: [issue #25030](https://github.com/fleetdm/fleet/issues/25030)
-- Fleet does not mask the secret in script results. DO NOT print/echo your secrets to the console output.
-- There is no way to explicitly delete a secret variable. Instead, you can overwrite it with any value.
-- Do not use deprecated API endpoint(s) to upload profiles containing secret variables. Use endpoints documented in [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api).
-
-
-
-
-
-
-
diff --git a/articles/secrets-in-scripts-and-configuration-profiles.md b/articles/secrets-in-scripts-and-configuration-profiles.md
new file mode 100644
index 000000000000..fb59836d569f
--- /dev/null
+++ b/articles/secrets-in-scripts-and-configuration-profiles.md
@@ -0,0 +1,90 @@
+# Hide secrets in scripts in configuration profiles
+
+In Fleet you can hide secrets, like API tokens or software license keys, in Fleet [scripts](https://fleetdm.com/guides/scripts) and [configuration profiles](https://fleetdm.com/guides/custom-os-settings). Secrets are encrypted and stored securely in Fleet, until they're delivered to the host. Secrets are hidden in when the script or configuration profile is viewed in the Fleet UI or API.
+
+Currently, hiding secrets is only available using [Fleet's YAML (GitOps)](https://fleetdm.com/docs/configuration/yaml-files).
+
+## How to specify a secret
+
+A secret can be used in a script or configuration profile by specifying a variable in the format `$FLEET_SECRET_MYNAME` or `${FLEET_SECRET_MYNAME}`. When the script or profile is sent to the host, Fleet will replace the variable with the actual secret value. The prefix `FLEET_SECRET_` is required to indicate that the variable is a secret, and Fleet reserves this prefix for secret variables.
+
+For macOS and Linux scripts, if a secret doesn't have the `$FLEET_SECRET_` prefix, it will be treated as a [local environment variable](https://support.apple.com/en-my/guide/terminal/apd382cc5fa-4f58-4449-b20a-41c53c006f8f/mac).
+
+1. You must add the secret to your repository's secrets to use them in GitOps.
+
+2. For the GitHub GitOps flow, they must also be added to the `env` section of your workflow file, as shown below:
+
+```yaml
+ env:
+ FLEET_URL: ${{ secrets.FLEET_URL }}
+ FLEET_API_TOKEN: ${{ secrets.FLEET_API_TOKEN }}
+ FLEET_GLOBAL_ENROLL_SECRET: ${{ secrets.FLEET_GLOBAL_ENROLL_SECRET }}
+ FLEET_WORKSTATIONS_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_ENROLL_SECRET }}
+ FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET: ${{ secrets.FLEET_WORKSTATIONS_CANARY_ENROLL_SECRET }}
+ FLEET_SECRET_CERT_PASSWORD: ${{ secrets.FLEET_SECRET_CERT_PASSWORD }}
+ FLEET_SECRET_CERT_BASE64: ${{ secrets.FLEET_SECRET_CERT_BASE64 }}
+```
+
+3. Add your script or profile. Here's an example profile with `$FLEET_SECRET_CERT_PASSWORD` and `$FLEET_SECRET_CERT_BASE64` secrets:
+
+```xml
+
+
+
+
+ PayloadDisplayName
+ Certificate PKCS12
+ PayloadIdentifier
+ com.example.certificate
+ PayloadType
+ Configuration
+ PayloadUUID
+ 918ee83d-ebd5-4192-bcd4-8b4feb750e4b
+ PayloadVersion
+ 1
+ PayloadContent
+
+
+ Password
+ $FLEET_SECRET_CERT_PASSWORD
+ PayloadContent
+ $FLEET_SECRET_CERT_BASE64
+ PayloadDisplayName
+ Certificate PKCS12
+ PayloadIdentifier
+ com.example.certificate
+ PayloadType
+ com.apple.security.pkcs12
+ PayloadUUID
+ 25cdd076-f1e7-4932-aa30-1d4240534fb0
+ PayloadVersion
+ 1
+
+
+
+
+```
+
+When GitOps syncs the configuration, it looks for secret variables in scripts and profiles, extracts the secret values from the environment, and uploads them to Fleet.
+
+On subsequent GitOps syncs, if a secret variable used by a configuration profile has been updated, the profile will be resent to the host device(s).
+
+> Profiles with secret variables are not entirely validated during a GitOps dry run because secret variables may not be present/correct in the database during the dry run. Hence, there is an increased chance of GitOps non-dry run failure when using a profile with a secret variable. Try uploading this profile to a test team first.
+
+## Escaping and interpolation
+
+The dollar sign (`$`) can be escaped so it's not considered a variable by using a backslash (e.g. `\$100`). Additionally, `MY${variable}HERE` syntax can be used to put strings around the variable.
+
+## Known limitations and issues
+
+- Windows profiles are currently not re-sent to the device when the GitHub action (or GitLab pipeline) runs: [issue #25030](https://github.com/fleetdm/fleet/issues/25030)
+- Fleet does not hide the secret in script results. DO NOT print/echo your secrets to the console output.
+- There is no way to explicitly delete a secret variable. Instead, you can overwrite it with any value.
+- Do not use deprecated API endpoint(s) to upload profiles containing secret variables. Use endpoints documented in [Fleet's REST API](https://fleetdm.com/docs/rest-api/rest-api).
+
+
+
+
+
+
+