Merge pull request #16214 from MicrosoftDocs/main

Publish main to live, Wednesday 3:30PM PDT, 09/25

memdocs/intune/apps/apps-inc-exl-assignments.md

@@ -85,7 +85,7 @@ To assign an app to groups by using the include and exclude assignment:
 > [!NOTE]
 > When you add a group, if any other group has already been included for a specific assignment type, the app is preselected and can't be modified for other include assignment types. The group that has been used can't be used as an included group.
 
-When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the app from the app's assigned list.
+When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the group from the app's assigned list.
 
 To edit assignments, in the app **Assignments** pane, select the row that contains the specific assignment that you want to change. You can also remove an assignment by selecting the ellipse (**…**) at the end of a row, and then selecting **Remove**.
 

memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md

@@ -170,7 +170,7 @@ When you use the schema settings in the **Knox Service Plugin** app, the Intune
     For guidance on configuring the OEM app schema, use the following links:
 
     - [Blog - Frontline workers get a better experience from Microsoft and Samsung](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/frontline-workers-get-a-better-experience-from-microsoft-and/ba-p/4078801)
-    - [Knox Service Plugin - Overview](https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/welcome/) (opens Samsung's web site)
+    - [Knox Service Plugin - Grant special permissions for an app](https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/kbas/kba-1261-grant-special-permissions-for-an-app/) (opens Samsung's web site)
 
     When you create the Intune policy, you enter the following info:
 

memdocs/intune/enrollment/corporate-identifiers-add.md

@@ -247,7 +247,15 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen
 
 ## Known issues and limitations  
 
-- Windows corporate device identifiers are only supported for devices running Windows 10 version 22H2 and later and Windows 11 version 22H2 and later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows.  
+- Windows corporate device identifiers are only supported for devices running:  
+
+  -  Windows 10 version 22H2 (OS build 19045.4598) or later.
+
+  -  Windows 11 version 22H2 (OS build 22621.3374) or later.
+
+  -  Windows 11 version 23H2 (OS build 22631.3374) or later.  
+
+  Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**.  
 
 - You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers.  
 

memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md

@@ -54,6 +54,15 @@ The following table shows the features and scenarios supported with automated de
 | Devices are managed by another MDM provider. | ❌ <br/><br/> If you want to fully manage a device in Intune, users must unenroll from the current MDM provider, and then enroll in Intune. Or, you can use MAM to manage specifics apps on the device. Since these devices are owned by the organization, we recommend enrolling them in Intune. |  
 | You use the device enrollment manager (DEM) account. | ❌ <br/><br/> The DEM account isn't supported. |  
 
+## Certificates  
+This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
+
+Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running: 
+
+- iOS 16.0 or later  
+
+- iPadOS 16.1 or later 
+
 ## Prerequisites 
 Before you create the enrollment profile, you must have:       
 

memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md

@@ -44,8 +44,14 @@ This article describes how to set up an automated device enrollment profile for
 4. [Assign DEP profile to devices](#assign-an-enrollment-profile-to-devices)
 5. [Distribute devices to users](#end-user-experience-with-managed-devices)
 -->  
+## Certificates  
+
+This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
+
+Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running macOS 13.1 and later.  
 
 ## Limitations  
+
 Automated device enrollment via Apple Business Manager and Apple School Manager isn't supported with [device enrollment manager accounts](device-enrollment-manager-enroll.md).    
 
 ## Prerequisites