diff --git a/CHANGELOG.md b/CHANGELOG.md
index e5494a04a1..d68120fcb4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,57 @@
+## Fleet 4.72.0 (Aug 13, 2025)
+
+### Security Engineers
+- Added support for issuing host identity certificates through SCEP (Simple Certificate Enrollment Protocol) that `fleetd` can use with TPM 2.0 hardware to cryptographically sign all HTTP requests.
+- Added flag `--fleet-managed-host-identity-certificate` to generate `fleetd` packages for linux that use TPMs to sign HTTP requests.
+- Added `sso_server_url` configuration option to support SSO setups with separate URLs for admin access vs agent/API access. When set, SSO authentication will only work from the specified URL. This fixes SSO authentication errors for organizations using dual URL configurations.
+
+### IT Admins
+- Added support for Apple Account Driven User Enrollment for iOS/iPadOS when end user authentication is configured.
+- Added support for MS-MDE2 v7.0 Windows MDM Enrollments.
+- Added the following Fleet-maintained apps for macOS: iTerm2, Yubikey Manager, VNC Viewer, Beyond Compare.
+- On the host details > software > library page and Fleet Desktop > Self-service page, show installer status and installer actions based on what software is detected in software inventory.
+- On the host details > software > library page and Fleet Desktop > Self-service page, show user's when a software can be updated, allowing users to easily trigger a software update and see fresh data after an update completes.
+- Updated VPP apps reported by osquery to retain their last install information when viewed in host software library.
+- Switched to more comprehensive `UpgradeCode` based uninstall scripts when an `UpgradeCode` can be extracted from an MSI custom package.
+
+### Other improvements and bug fixes
+- Added support for `fleetd` TUF extensions on Linux arm64 and Windows arm64 devices.
+- Added a fallback to package install path for extracting app names from uploaded PKG packages.
+- Added special handling for version extraction of Fleet-maintained app manifests that reference a download URL that isn't version-pinned.
+- Improved `fleetctl gitops` type error mesages.
+- Improved accuracy of auto-install queries for custom MSI packages by using a better identifier.
+- Label created_at no longer factored in when scoping software packages by "exclude any" manual labels.
+- Refactored `AddHostsToTeam` method to fix race condition introduced by global var.
+- Changed `enable_software_inventory` to default to true if missing from gitops config.
+- Modified backend for `GET /api/v1/fleet/commands` when filtering by `host_identifier` to address performance concerns and exhausting database connections when API is called concurrently for many hosts.
+- Allowed users of Fleet in Primo mode to access Software automations and failing policy ticket & webhook automations.
+- Update UI to support personally enrolled MDM devices.
+- Removed DEB and RPM installers from installable software lists on hosts with incompatible Linux distributions (e.g. Ubuntu for an RPM).
+- Revised MSI uninstall scripts to wait for an uninstall to complete before returning and avoid restarting after an uninstall.
+- Added back software mutation on ingestion to fix non-semver-compliant software versions, starting with DCV Viewer.
+- Increased timeouts on `/fleet/mdm/profiles/batch` to better support customer workflows with large numbers of profiles.
+- Made consistent and update the Install and Uninstall detail modals for VPP and non-VPP apps across the Fleet UI.
+- Updated go to 1.24.6.
+- Fixed issue with package ids ordering causing software installers' scripts to be inconsistently generated.
+- Fixed incorrectly displayed status in controls OS Settings page, if a host was only pending or failing on declaration for removal.
+- Fixed bug with `mdm_bridge` Orbit table that caused panics due to invalid COM initialization.
+- Fixed bug where a certificate Distinguished Name (DN) parser did not allow forward slashes in the value which resulted in parsing error.
+- Fixed an issue where the detected date for software vulnerabilities was not being pulled correctly from the database.
+- Fixed missing empty host lists on manual labels in gitops.
+- Fixed an issue where two banners would sometimes be displayed on the host details page.
+- Fixed missing webhook url in automations tooltip.
+- Fixed an issue where using `ESCAPE` in a `LIKE` clause caused SQL validation to fail.
+- Fixed error when trying to escrow a linux disk key multiple times.
+- Fixed silent failure when passing flags after arguments in `fleetctl`.
+- Fixed wrongly formatted URL for EULA when accessing from Fleet UI and when shown in the iFrame for SSO callback.
+- Fixed stale pending remove apple declarations, if the host was offline while adding and removing the same declaration.
+- Fixed a case where a vulnerability would show up twice for a given operating system.
+- Fixed specification of policy software automations via GitOps when referring to software by hash from a software YAML file.
+- Fixed cases where the vulnerabilities list endpoint would count the same CVE multiple times for the `count` field returned with a result set.
+- Fixed an issue where SSO URLs with trailing slashes would cause authentication failures due to double slashes in the ACS URL. Both regular SSO and MDM SSO URLs now properly handle trailing slashes.
+- Fixed an issue during the DEP sync where errors such as 404 from the DEP API could result in devices never being assigned a cloud configuration profile.
+- Fixed server panic when listing software titles for "All teams" with page that contains a software title with a policy automation in "No team".
+
 ## Fleet 4.71.1 (Aug 04, 2025)
 
 ### Bug fixes
diff --git a/changes/21973-better-unmarshal-type-errors b/changes/21973-better-unmarshal-type-errors
deleted file mode 100644
index f4d4ad9691..0000000000
--- a/changes/21973-better-unmarshal-type-errors
+++ /dev/null
@@ -1 +0,0 @@
-- Improved fleetctl gitops type error mesages
diff --git a/changes/25587-pkg-name-extraction b/changes/25587-pkg-name-extraction
deleted file mode 100644
index 4247b5b084..0000000000
--- a/changes/25587-pkg-name-extraction
+++ /dev/null
@@ -1 +0,0 @@
-* Added a fallback to package install path for extracting app names from uploaded PKG packages
diff --git a/changes/26618-software-vuln-detected-dates b/changes/26618-software-vuln-detected-dates
deleted file mode 100644
index 4bfadecd87..0000000000
--- a/changes/26618-software-vuln-detected-dates
+++ /dev/null
@@ -1 +0,0 @@
-- Fixed an issue where the detected date for software vulnerabilities was not being pulled correctly from the database.
diff --git a/changes/27061-dedupe-cve b/changes/27061-dedupe-cve
deleted file mode 100644
index 0906b2f43b..0000000000
--- a/changes/27061-dedupe-cve
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed a case where a vulnerability would show up twice for a given operating system
diff --git a/changes/27447-auto-install-queries-for-custom-msi-2 b/changes/27447-auto-install-queries-for-custom-msi-2
deleted file mode 100644
index 15cc76661c..0000000000
--- a/changes/27447-auto-install-queries-for-custom-msi-2
+++ /dev/null
@@ -1 +0,0 @@
-- Improved accuracy of auto-install queries for custom MSI packages by using a better identifier.
diff --git a/changes/27580-vuln-counts b/changes/27580-vuln-counts
deleted file mode 100644
index 92907e78bf..0000000000
--- a/changes/27580-vuln-counts
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed cases where the vulnerabilities list endpoint would count the same CVE multiple times for the `count` field returned with a result set
diff --git a/changes/27758-msi-unnstall b/changes/27758-msi-unnstall
deleted file mode 100644
index d4546e4b80..0000000000
--- a/changes/27758-msi-unnstall
+++ /dev/null
@@ -1 +0,0 @@
-* Switched to more comprehensive UpgradeCode based uninstall scripts when an UpgradeCode can be extracted from an MSI custom package.
diff --git a/changes/27919-fma-versions b/changes/27919-fma-versions
deleted file mode 100644
index 5acc461b0a..0000000000
--- a/changes/27919-fma-versions
+++ /dev/null
@@ -1 +0,0 @@
-* Added special handling for version extraction of Fleet-maintained app manifests that reference a download URL that isn't version-pinned
diff --git a/changes/27983-update-software b/changes/27983-update-software
deleted file mode 100644
index 6940715153..0000000000
--- a/changes/27983-update-software
+++ /dev/null
@@ -1 +0,0 @@
-- Fleet UI: On the host details > software > library page and Fleet Desktop > Self-service page, show user's when a software can be updated, allowing users to easily trigger a software update and see fresh data after an update completes
diff --git a/changes/28342-linux-escrow-error-report b/changes/28342-linux-escrow-error-report
deleted file mode 100644
index 6082c93aff..0000000000
--- a/changes/28342-linux-escrow-error-report
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed error when trying to escrow a linux disk key multiple times.
\ No newline at end of file
diff --git a/changes/28818-tpm-backed-http-signatures b/changes/28818-tpm-backed-http-signatures
deleted file mode 100644
index d51d86cd1b..0000000000
--- a/changes/28818-tpm-backed-http-signatures
+++ /dev/null
@@ -1 +0,0 @@
-Fleet server now supports issuing host identity certificates through SCEP (Simple Certificate Enrollment Protocol) that fleetd can use with TPM 2.0 hardware to cryptographically sign all HTTP requests. This hardware-backed authentication provides enterprise-grade security similar to mTLS by ensuring private keys never leave the TPM's secure boundary, establishing cryptographic proof that requests originate from the same physical device that initially enrolled.
diff --git a/changes/28996-parse-cert-dn-with-slashes b/changes/28996-parse-cert-dn-with-slashes
deleted file mode 100644
index eb0b77843e..0000000000
--- a/changes/28996-parse-cert-dn-with-slashes
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed bug where a certificate Distinguished Name (DN) parser did not allow forward slashes in the value which resulted in parsing error.
diff --git a/changes/29286-sort-package-ids b/changes/29286-sort-package-ids
deleted file mode 100644
index b10874680b..0000000000
--- a/changes/29286-sort-package-ids
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed issue with package ids ordering causing software installers' scripts to be inconsistently generated
\ No newline at end of file
diff --git a/changes/29315-manual-label-scoping b/changes/29315-manual-label-scoping
deleted file mode 100644
index 454e72b5e6..0000000000
--- a/changes/29315-manual-label-scoping
+++ /dev/null
@@ -1 +0,0 @@
-* Label created_at no longer factored in when scoping software packages by "exclude any" manual labels
\ No newline at end of file
diff --git a/changes/29451-fix-doubled-banners b/changes/29451-fix-doubled-banners
deleted file mode 100644
index 6549d963c5..0000000000
--- a/changes/29451-fix-doubled-banners
+++ /dev/null
@@ -1 +0,0 @@
-- Fixed an issue where two banners would sometimes be displayed on the host details page
diff --git a/changes/29824-declarations-status-not-respected-with-remove-operations b/changes/29824-declarations-status-not-respected-with-remove-operations
deleted file mode 100644
index ffc4844896..0000000000
--- a/changes/29824-declarations-status-not-respected-with-remove-operations
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed incorrectly displayed status in controls OS Settings page, if a host was only pending or failing on declaration for removal
\ No newline at end of file
diff --git a/changes/29824-delete-installs-that-has-not-reached-hosts b/changes/29824-delete-installs-that-has-not-reached-hosts
deleted file mode 100644
index a88ae5c93c..0000000000
--- a/changes/29824-delete-installs-that-has-not-reached-hosts
+++ /dev/null
@@ -1 +0,0 @@
-* Fix stale pending remove apple declarations, if the host was offline while adding and removing the same declaration.
\ No newline at end of file
diff --git a/changes/29848-tooltip-missing-webhook-url b/changes/29848-tooltip-missing-webhook-url
deleted file mode 100644
index cd83cac729..0000000000
--- a/changes/29848-tooltip-missing-webhook-url
+++ /dev/null
@@ -1 +0,0 @@
-- Fixed missing webhook url in automations tooltip
diff --git a/changes/29849-filter-linux-installers b/changes/29849-filter-linux-installers
deleted file mode 100644
index ce1a34287d..0000000000
--- a/changes/29849-filter-linux-installers
+++ /dev/null
@@ -1 +0,0 @@
-* Removed DEB and RPM installers from installable software lists on hosts with incompatible Linux distributions (e.g. Ubuntu for an RPM)
diff --git a/changes/29994-use-comshim b/changes/29994-use-comshim
deleted file mode 100644
index 1916131f76..0000000000
--- a/changes/29994-use-comshim
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed bug with `mdm_bridge` Orbit table that caused panics due to invalid COM initialization.
\ No newline at end of file
diff --git a/changes/30109-fix-sql-like-clause b/changes/30109-fix-sql-like-clause
deleted file mode 100644
index 4e7e178c02..0000000000
--- a/changes/30109-fix-sql-like-clause
+++ /dev/null
@@ -1 +0,0 @@
-- Fixed an issue where using ESCAPE in a LIKE clause caused SQL validation to fail
diff --git a/changes/30157-enable_software_inventory-default-true b/changes/30157-enable_software_inventory-default-true
deleted file mode 100644
index b875821ae2..0000000000
--- a/changes/30157-enable_software_inventory-default-true
+++ /dev/null
@@ -1 +0,0 @@
-- Changed enable_software_inventory to default to true if missing from gitops config
diff --git a/changes/30240-show-appropriate-status-actions b/changes/30240-show-appropriate-status-actions
deleted file mode 100644
index 70763d49f1..0000000000
--- a/changes/30240-show-appropriate-status-actions
+++ /dev/null
@@ -1 +0,0 @@
-- Fleet UI: On the host details > software > library page and Fleet Desktop > Self-service page, show installer status and installer actions based on what software is detected in software inventory
diff --git a/changes/30311-fix-race-cond-test b/changes/30311-fix-race-cond-test
deleted file mode 100644
index c2f02f34b2..0000000000
--- a/changes/30311-fix-race-cond-test
+++ /dev/null
@@ -1 +0,0 @@
-* Refactored `AddHostsToTeam` method to fix race condition introduced by global var.
\ No newline at end of file
diff --git a/changes/30359-mdm-eula-url-extra-slash b/changes/30359-mdm-eula-url-extra-slash
deleted file mode 100644
index 16fc8cf0b2..0000000000
--- a/changes/30359-mdm-eula-url-extra-slash
+++ /dev/null
@@ -1 +0,0 @@
-* Fix wrongly formatted URL for EULA when accessing from Fleet UI and when shown in the iFrame for SSO callback.
\ No newline at end of file
diff --git a/changes/30409-list-mdm-commands-sql b/changes/30409-list-mdm-commands-sql
deleted file mode 100644
index f1c8f4eb87..0000000000
--- a/changes/30409-list-mdm-commands-sql
+++ /dev/null
@@ -1,2 +0,0 @@
-- Modified backend for GET /api/v1/fleet/commands when filtering by `host_identifier` to address performance
- concerns and exhausting database connections when API is called concurrently for many hosts.
diff --git a/changes/30435-hash-for-policy-in-software-path b/changes/30435-hash-for-policy-in-software-path
deleted file mode 100644
index 61a455c5fa..0000000000
--- a/changes/30435-hash-for-policy-in-software-path
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed specification of policy software automations via GitOps when referring to software by hash from a software YAML file
diff --git a/changes/30461-fleetd-generate-tpm-key b/changes/30461-fleetd-generate-tpm-key
deleted file mode 100644
index 3378480c02..0000000000
--- a/changes/30461-fleetd-generate-tpm-key
+++ /dev/null
@@ -1 +0,0 @@
-- Added flag `--fleet-managed-host-identity-certificate` to generate fleetd packages for linux that use TPMs to sign HTTP requests.
diff --git a/changes/30481-gitops-manual-label-no-hosts b/changes/30481-gitops-manual-label-no-hosts
deleted file mode 100644
index fae8e40bb4..0000000000
--- a/changes/30481-gitops-manual-label-no-hosts
+++ /dev/null
@@ -1 +0,0 @@
-- Fixed missing empty host lists on manual labels in gitops
diff --git a/changes/30636-apple-account-driven-user-enrollment b/changes/30636-apple-account-driven-user-enrollment
deleted file mode 100644
index c062dd1a44..0000000000
--- a/changes/30636-apple-account-driven-user-enrollment
+++ /dev/null
@@ -1 +0,0 @@
-* Added support for Apple Account Driven User enrollment when end user authentication is configured
diff --git a/changes/30749-primo-mode-expansion b/changes/30749-primo-mode-expansion
deleted file mode 100644
index f4d2f6cc62..0000000000
--- a/changes/30749-primo-mode-expansion
+++ /dev/null
@@ -1,2 +0,0 @@
-* Allow users of Fleet in Primo mode to access Software automations and Failing policy ticket &
-webhook automations.
diff --git a/changes/30797-argparse b/changes/30797-argparse
deleted file mode 100644
index cd0513de98..0000000000
--- a/changes/30797-argparse
+++ /dev/null
@@ -1 +0,0 @@
-* Fixed silent failure when passing flags after arguments in fleetctl
diff --git a/changes/30860-software-modal-updates b/changes/30860-software-modal-updates
deleted file mode 100644
index 07d1411181..0000000000
--- a/changes/30860-software-modal-updates
+++ /dev/null
@@ -1,2 +0,0 @@
-- Make consistent and update the Install and Uninstall detail modals for VPP and non-VPP apps across
- the Fleet UI
diff --git a/changes/31077-msi-uninstall b/changes/31077-msi-uninstall
deleted file mode 100644
index 82adbcf1d1..0000000000
--- a/changes/31077-msi-uninstall
+++ /dev/null
@@ -1 +0,0 @@
-* Revised MSI uninstall scripts to wait for an uninstall to complete before returning and avoid restarting after an uninstall.
diff --git a/changes/31123-dcv-viewer-fix b/changes/31123-dcv-viewer-fix
deleted file mode 100644
index d63ebf1cc2..0000000000
--- a/changes/31123-dcv-viewer-fix
+++ /dev/null
@@ -1 +0,0 @@
-* Added back software mutation on ingestion to fix non-semver-compliant software versions, starting with DCV Viewer.
diff --git a/changes/31385-dep-sync-url-incorrect b/changes/31385-dep-sync-url-incorrect
deleted file mode 100644
index 4524516542..0000000000
--- a/changes/31385-dep-sync-url-incorrect
+++ /dev/null
@@ -1 +0,0 @@
-Fixed an issue during the DEP sync where errors such as 404 from the DEP API could result in devices never being assigned a cloud configuration profile
diff --git a/changes/31459-null-last-install b/changes/31459-null-last-install
deleted file mode 100644
index 270f56f7d8..0000000000
--- a/changes/31459-null-last-install
+++ /dev/null
@@ -1 +0,0 @@
-* VPP apps reported by osquery retain their last install information when viewed in host software library
\ No newline at end of file
diff --git a/changes/31591-mdm-batch-timeouts b/changes/31591-mdm-batch-timeouts
deleted file mode 100644
index cb23cc493e..0000000000
--- a/changes/31591-mdm-batch-timeouts
+++ /dev/null
@@ -1 +0,0 @@
-Increased timeouts on /fleet/mdm/profiles/batch to better support customer workflows with large numbers of profiles
diff --git a/changes/add-fmas b/changes/add-fmas
deleted file mode 100644
index 359be70ab8..0000000000
--- a/changes/add-fmas
+++ /dev/null
@@ -1,5 +0,0 @@
-- added the following Fleet-maintained apps for macOS:
- - iTerm2
- - Yubikey Manager
- - VNC Viewer
- - Beyond Compare
\ No newline at end of file
diff --git a/changes/fleetd-extensions-support-arm64 b/changes/fleetd-extensions-support-arm64
deleted file mode 100644
index e3ae70341a..0000000000
--- a/changes/fleetd-extensions-support-arm64
+++ /dev/null
@@ -1 +0,0 @@
-* Added support for fleetd TUF extensions on Linux arm64 and Windows arm64 devices.
diff --git a/changes/issue-30782-updates-to-UI-for-personally-enrolled-devices b/changes/issue-30782-updates-to-UI-for-personally-enrolled-devices
deleted file mode 100644
index b669ab62bf..0000000000
--- a/changes/issue-30782-updates-to-UI-for-personally-enrolled-devices
+++ /dev/null
@@ -1 +0,0 @@
-- update UI to support personally enrolled MDM devices
diff --git a/changes/issue-31057-service-discovery-endpoint b/changes/issue-31057-service-discovery-endpoint
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/changes/update-go-1.24.5 b/changes/update-go-1.24.5
deleted file mode 100644
index d742711f33..0000000000
--- a/changes/update-go-1.24.5
+++ /dev/null
@@ -1 +0,0 @@
-* Updated go to 1.24.5
diff --git a/charts/fleet/Chart.yaml b/charts/fleet/Chart.yaml
index 7b4ae9d069..303fee0a55 100644
--- a/charts/fleet/Chart.yaml
+++ b/charts/fleet/Chart.yaml
@@ -4,11 +4,11 @@ name: fleet
 keywords:
 - fleet
 - osquery
-version: v6.6.11
+version: v6.6.12
 home: https://github.com/fleetdm/fleet
 sources:
 - https://github.com/fleetdm/fleet.git
-appVersion: v4.71.1
+appVersion: v4.72.0
 dependencies:
 - name: mysql
 condition: mysql.enabled
diff --git a/charts/fleet/values.yaml b/charts/fleet/values.yaml
index a6bd248558..14da4e9335 100644
--- a/charts/fleet/values.yaml
+++ b/charts/fleet/values.yaml
@@ -3,7 +3,7 @@
 hostName: fleet.localhost
 replicas: 3 # The number of Fleet instances to deploy
 imageRepository: fleetdm/fleet
-imageTag: v4.71.1 # Version of Fleet to deploy
+imageTag: v4.72.0 # Version of Fleet to deploy
 # imagePullSecrets is optional.
 # imagePullSecrets:
 # - name: docker
diff --git a/infrastructure/dogfood/terraform/aws/variables.tf b/infrastructure/dogfood/terraform/aws/variables.tf
index acff0e74cb..7645c8647c 100644
--- a/infrastructure/dogfood/terraform/aws/variables.tf
+++ b/infrastructure/dogfood/terraform/aws/variables.tf
@@ -56,7 +56,7 @@ variable "database_name" { variable "fleet_image" { description = "the name of the container image to run" - default = "fleetdm/fleet:v4.71.1" + default = "fleetdm/fleet:v4.72.0" variable "software_inventory" { description = "enable/disable software inventory (default is enabled)"
diff --git a/infrastructure/dogfood/terraform/gcp/variables.tf b/infrastructure/dogfood/terraform/gcp/variables.tf
index 1313c32f40..9194588c49 100644
--- a/infrastructure/dogfood/terraform/gcp/variables.tf
+++ b/infrastructure/dogfood/terraform/gcp/variables.tf
@@ -68,7 +68,7 @@ variable "redis_mem" { } variable "image" { - default = "fleetdm/fleet:v4.71.1" + default = "fleetdm/fleet:v4.72.0" variable "software_installers_bucket_name" { default = "fleet-software-installers"
diff --git a/tools/fleetctl-npm/package.json b/tools/fleetctl-npm/package.json
index d5d933a2d7..916163d33f 100644
--- a/tools/fleetctl-npm/package.json
+++ b/tools/fleetctl-npm/package.json
@@ -1,6 +1,6 @@
 {
 "name": "fleetctl",
- "version": "v4.71.1",
+ "version": "v4.72.0",
 "description": "Installer for the fleetctl CLI tool",
 "bin": {
 "fleetctl": "./run.js"
@@ -24,4 +24,4 @@
 "osquery",
 "security"
 ]
-}
\ No newline at end of file
+}