diff --git a/content/actions/how-tos/manage-runners/larger-runners/use-custom-images.md b/content/actions/how-tos/manage-runners/larger-runners/use-custom-images.md index 562cb91fdebb..f16977ed057f 100644 --- a/content/actions/how-tos/manage-runners/larger-runners/use-custom-images.md +++ b/content/actions/how-tos/manage-runners/larger-runners/use-custom-images.md @@ -159,3 +159,11 @@ Once your custom image is ready, you can install it on a new {% data variables.a ``` 1. Run your workflow to verify that it completes successfully. The job logs will show the image name and version in the "Set up job" section. + +## Security best practices for custom images + +To prevent unauthorized changes to your images, follow these best practices. + +* **Use dedicated runner groups for image generation.** Runners that generate production images must remain in a dedicated runner group. Do not share runner groups between production and development or test repositories, as anyone with access to a development or test repository could inject malicious code into a production image. +* **Do not allow public repositories to access image-generation runners.** Limit the repositories that can use image-generation runners to only those that require it, and review access regularly. +* **Apply least privilege to repositories.** Avoid granting organization-wide `write` access for repositories that have access to image-generation runners. Because images can be generated from any branch, anyone with write access could create a branch with arbitrary code and trigger image generation. \ No newline at end of file diff --git a/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md b/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md index 5f6e3072ef71..2c401fe9b32a 100644 --- a/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md 
+++ b/content/admin/data-residency/getting-started-with-data-residency-for-github-enterprise-cloud.md @@ -47,8 +47,9 @@ To get started with {% data variables.enterprise.data_residency_short %}, you wi 1. Select **Get started with managed users**. 1. Under "Data hosting", use the dropdown menu to select your region for {% data variables.enterprise.data_residency_short %}. 1. Complete the signup form. Pay close attention to the following fields: - * **Subdomain**: This will appear in your enterprise's dedicated domain. For example: `{% data variables.enterprise.data_residency_example_domain %}`. + > [!NOTE] + > Please select the subdomain carefully. You cannot change it later. * **Identity Provider**: {% data variables.product.github %} partners with certain identity providers to provide a "paved-path" experience. Check whether your identity provider is a partner and ensure you understand the requirements for other systems. See [AUTOTITLE](/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users#identity-management-systems). * **Admin work email**: This is where you will receive the invitation to sign in and configure the enterprise for the first time.
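Review bot: In the use-custom-images.md hunk, none of the three bullets under "Security best practices for custom images" links to where runner group membership or repository access is configured, so the guidance in "Use dedicated runner groups for image generation" and "Do not allow public repositories to access image-generation runners" cannot be acted on from this page. Consider adding an AUTOTITLE link to the relevant runner group article in the first or second bullet. The third bullet states that images can be generated from any branch; since that is the reason write access matters here, it would help to say so before the instruction rather than after it. The hunk also ends with "\ No newline at end of file", so add a trailing newline after the last bullet.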
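Review bot: In the getting-started-with-data-residency hunk, the added note after the **Subdomain** field reads "Please select the subdomain carefully. You cannot change it later."; drop "Please" and lead with the constraint, for example "You cannot change the subdomain later, so choose it carefully." Also check that the two `> [!NOTE]` lines are indented to the content level of the Subdomain bullet, so the alert renders inside that item and the **Identity Provider** and **Admin work email** bullets stay in the same nested list under the "Complete the signup form" step.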