diff --git a/memdocs/intune/configuration/apple-settings-catalog-configurations.md b/memdocs/intune/configuration/apple-settings-catalog-configurations.md
index 86f770c4502..b45122d526b 100644
--- a/memdocs/intune/configuration/apple-settings-catalog-configurations.md
+++ b/memdocs/intune/configuration/apple-settings-catalog-configurations.md
@@ -78,15 +78,52 @@ Some settings are available in device configuration templates and in the setting
## Apple declarative configurations
This section is specific to the configurations that are under the Declarative Device Management (DDM) category in the settings catalog. You can learn more about DDM at [Intro to declarative device management and Apple devices](https://support.apple.com/guide/deployment/depb1bab77f8/1/web/1.0) on Apple's website.
-
+
+### Disk Management
+
+Use Disk Management setting to install disk management settings on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Disk Management using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Storage management declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep2b9f009ed/web)|[Disk Management Settings](https://developer.apple.com/documentation/devicemanagement/diskmanagementsettings)|[Disk Management Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/diskmanagement.settings.yaml)||
+
+**Known issues**
+
+- None
+
+### Math Settings
+
+Use Math Settings to configure the Math and Calculator apps on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Math Settings using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Math and Calculator app declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep7881be3bb/web)|[Math Settings](https://developer.apple.com/documentation/devicemanagement/mathsettings)|[Math Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/math.settings.yaml)||
+
+**Known issues**
+
+- None
+
### Passcode
Use the passcode configuration to require that devices have a password or passcode that meet your organization's requirements. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Passcode using the following documentation:
-| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation
+| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation|
| ------- | ------- | ------- | ------- |
-|
- [Passcodes and passwords](https://support.apple.com/guide/security/sec20230a10d/web)
- [Passcode declarative configuration](https://support.apple.com/guide/deployment/depf72b010a8/1/web/1.0)
| [Passcode](https://developer.apple.com/documentation/devicemanagement/passcode)| [Passcode](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/passcode.settings.yaml)
+| - [Passcodes and passwords](https://support.apple.com/guide/security/sec20230a10d/web)
- [Passcode declarative configuration](https://support.apple.com/guide/deployment/depf72b010a8/1/web/1.0)
| [Passcode](https://developer.apple.com/documentation/devicemanagement/passcode)| [Passcode](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/passcode.settings.yaml)||
+
+**Known issues**
+
+- None
+
+### Safari Extension Settings
+
+Use the Safari extensions settings to manage extensions in the Safari browser. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Safari Extension Settings using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Safari extensions management declarative configuration](https://support.apple.com/en-tm/guide/deployment/depff7fad9d8/web)|[Safari Extension Settings](https://developer.apple.com/documentation/devicemanagement/safariextensionsettings)|[Safari Extension Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/safari.extensions.settings.yaml)||
+
+**Known issues**
-#### Known issues
- None
### Software Update
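Review bot: The new Apple support links in the Disk Management, Math Settings and Safari Extension Settings tables use a locale-specific path (`https://support.apple.com/en-tm/guide/deployment/...`) while every other support.apple.com link in this file is locale-neutral (`https://support.apple.com/guide/...`); drop the `/en-tm` segment so readers land in their own locale. The Disk Management description, "Use Disk Management setting to install disk management settings on devices", is missing an article and is circular; suggest "Use the Disk Management setting to configure disk management settings on devices." Also, the Safari Extension Settings section has no blank line between `**Known issues**` and `- None`, unlike the other sections added in this hunk.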
@@ -96,7 +133,20 @@ Use the Software Update configuration to enforce an update to install at a speci
| ------- | ------- | ------- | ------- |
| - [Software Update declarative configuration](https://support.apple.com/guide/deployment/depca14ecd4d/1/web/1.0)
- [Installing and enforcing software updates](https://support.apple.com/guide/deployment/depd30715cbb/web)
| [Software Update Enforcement Specific](https://developer.apple.com/documentation/devicemanagement/softwareupdateenforcementspecific)| [Software Update Enforcement Specific](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml)| [Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md) |
-#### Known issues
+**Known issues**
+
+- None
+
+### Software Update Settings
+
+Use the Software Update Settings configuration to defer OS updates and control how users can manually interact with software updates in System Settings. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Passcode using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Software Update Settings declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep0578d8b8a/web)|[Software Update Settings](https://developer.apple.com/documentation/devicemanagement/softwareupdatesettings)|[Software Update Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.settings.yaml)|[Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md)|
+
+**Known issues**
+
- None
## Apple MDM payload settings
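Review bot: The Software Update Settings description ends with "You can learn more about Passcode using the following documentation:", a copy-paste leftover from the Passcode section; it should read "You can learn more about Software Update Settings using the following documentation:". The new support.apple.com link in this table also uses the `en-tm` locale path, unlike the locale-neutral links in the Software Update table just above it.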
@@ -111,7 +161,8 @@ Use FileVault configurations to manage disk encryption on macOS devices. These c
| ------- | ------- | ------- | ------- |
| - [Introduction to FileVault](https://support.apple.com/guide/deployment/dep82064ec40/web)
- [FileVault payload for Apple devices](https://support.apple.com/guide/deployment/dep32bf53500/web)|
- [FDEFileVault](https://developer.apple.com/documentation/devicemanagement/fdefilevault)
- [FDEFileVaultOptions](https://developer.apple.com/documentation/devicemanagement/fdefilevaultoptions)
- [FDERecoveryKeyEscrow](https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow)
|- [FileVault](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.MCX.FileVault2.yaml)
- [FileVault Options](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.MCX(FileVault2).yaml)
- [FileVault Recovery Key Escrow](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml)
| [Encrypt macOS devices (Microsoft Learn)](../protect/encrypt-devices-filevault.md)|
-#### Known issues
+**Known issues**
+
- [FileVault failing to enable on macOS devices during Setup Assistant](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-filevault-failing-to-enable-on-macos-devices-during/ba-p/4180523)
#### Intune device configuration template to settings catalog mapping
@@ -133,7 +184,8 @@ Use the Firewall configuration to manage the native macOS application firewall.
| -------- | ------- | ------- |
| - [Firewall security in macOS](https://support.apple.com/guide/security/seca0e83763f/web)
- [Firewall payload](https://support.apple.com/guide/deployment/dep8d306275f/web)
| [Firewall](https://developer.apple.com/documentation/devicemanagement/firewall) | [Firewall (YAML)](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.security.firewall.yaml) |
-#### Known issues
+**Known issues**
+
- [macOS devices using stealth mode turn noncompliant after upgrading to macOS 15](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-macos-devices-using-stealth-mode-turn-non-compliant/ba-p/4250583)
#### Intune device configuration template to settings catalog mapping
@@ -145,7 +197,22 @@ Use the Firewall configuration to manage the native macOS application firewall.
| Apps allowed | Networking > Firewall | Applications (Allowed = True) |
| Apps blocked | Networking > Firewall | Applications (Allowed = False) |
| Enable stealth mode | Networking > Firewall | Enable Stealth Mode |
-
+
+### Font
+
+> [!NOTE]
+> Font files being uploaded to Intune must be less than 2MB in size.
+
+Use the Font payload to configure fonts on devices. This configuration is located in the **System Configuration** category of the settings catalog. You can learn more about Font using the following documentation:
+
+|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation|
+| -------- | -------- | -------- | -------- |
+|[Fonts MDM payload settings](https://support.apple.com/en-tm/guide/deployment/depeba084b8/web)|[Font](https://developer.apple.com/documentation/devicemanagement/font)|[Font](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.font.yaml)||
+
+**Known issues**
+
+- None
+
### System Policy Control (Gatekeeper)
Use the System Policy Control payload to configure Gatekeeper settings. This configuration is located in the **System Policy Control** category of the settings catalog. You can learn more about System Policy Control using the following documentation:
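Review bot: The Font section places the `> [!NOTE]` callout about the upload limit before the section's descriptive paragraph, whereas every other section in this file opens with its "Use the ... payload" sentence; moving the note after that paragraph keeps the sections parallel. Minor: "2MB" should be "2 MB", and the support.apple.com link again uses the `en-tm` locale path rather than the locale-neutral form used elsewhere in the file.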
@@ -153,7 +220,8 @@ Use the System Policy Control payload to configure Gatekeeper settings. This con
| -------- | ------- | ------- |
| - [Gatekeeper and runtime protection](https://support.apple.com/guide/security/sec5599b66df/web)
- [Security MDM payload](https://support.apple.com/guide/deployment/dep61dc030/web)
| [SystemPolicyControl](https://developer.apple.com/documentation/devicemanagement/systempolicycontrol) | [System Policy Control](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.systempolicy.control.yaml) |
-#### Known issues
+**Known issues**
+
- None
#### Intune device configuration template to settings catalog mapping
@@ -162,7 +230,6 @@ Use the System Policy Control payload to configure Gatekeeper settings. This con
| -------- | ------- | ------- |
| Do not allow user to override Gatekeeper | System Policy Control > System Policy Control | Enable Assessment |
| Allow apps downloaded from these locations | System Policy Control > System Policy Control | Allow Identified Developers |
-
### System Extensions
Use the System Extensions payload to configure system extensions to be automatically loaded or prevent users from approving specific extensions. This configuration is located in the **System Configuration** category of the settings catalog. You can learn more about System Extensions using the following documentation:
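Review bot: Deleting the blank line between the Gatekeeper mapping table and the `### System Extensions` heading is inconsistent with the rest of the file (the Font section added in this same change keeps a blank line before `### System Policy Control (Gatekeeper)`), and a heading directly after a table row is harder to read in source; restore the blank line.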
@@ -170,7 +237,8 @@ Use the System Extensions payload to configure system extensions to be automatic
| -------- | ------- | ------- |
| - [System and kernel extensions](https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web)
- [System Extensions](https://support.apple.com/guide/deployment/dep5d1584ca4/web)
| [System Extensions](https://developer.apple.com/documentation/devicemanagement/systemextensions) | [System Extensions](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.system-extension-policy.yaml)|
-#### Known issues
+**Known issues**
+
- None
#### Intune device configuration template to settings catalog mapping
diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md
index 2db78c2b781..b2a888bacf0 100644
--- a/memdocs/intune/protect/advanced-threat-protection-configure.md
+++ b/memdocs/intune/protect/advanced-threat-protection-configure.md
@@ -1,13 +1,13 @@
---
# required metadata
-title: Configure Microsoft Defender for Endpoint in Microsoft Intune
-description: Configure Microsoft Defender for Endpoint in Intune, including connecting to Defender for Endpoint, onboarding devices, assigning compliance for risk levels, and Conditional Access policies.
+title: Onboard and Configure Devices with Microsoft Defender for Endpoint via Microsoft Intune
+description: Integrate Microsoft Defender for Endpoint with Microsoft Intune, including connecting the products, onboarding devices, and assigning policies for compliance and risk level assessment.
keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls, microsoft defender for endpoint, mde
author: brenduns
ms.author: brenduns
manager: dougeby
-ms.date: 04/17/2024
+ms.date: 12/13/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
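Review bot: The new `title` is in title case ("Onboard and Configure Devices with Microsoft Defender for Endpoint via Microsoft Intune"), whereas the title it replaces capitalized only product names; suggest "Onboard and configure devices with Microsoft Defender for Endpoint via Microsoft Intune", and apply the same casing to the H1 later in this patch so the two stay consistent.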
@@ -31,80 +31,89 @@ ms.collection:
- sub-secure-endpoints
---
-# Configure Microsoft Defender for Endpoint in Intune
+# Integrate Microsoft Defender for Endpoint with Intune and Onboard Devices
-Use the information and procedures in this article to configure integration of Microsoft Defender for Endpoint with Intune. Configuration includes the following general steps:
+Use the information and procedures in this article to connect Microsoft Defender for Endpoint with Intune and to then onboard and configure devices for Defender for Endpoint. Information in this article includes the following general steps:
-- **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune. See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune.
-- **Use Intune policy to onboard devices with Microsoft Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level.
-- **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports a devices risk level. Devices that exceed the allowed risk level are identified as noncompliant.
-- **Use a Conditional Access policy** to block users from accessing corporate resources from devices that are noncompliant.
+- **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection enables Intune to interact with Microsoft Defender on devices, including installation (onboarding) and configuration of the Defender for Endpoint client, and integration of machine risk scores from supported devices you manage with Intune. See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune.
+- **Onboard devices to Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. Each platform has separate requirements to onboard to Defender.
+- **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports on the risk level of devices. Devices that exceed the allowed risk level are identified as noncompliant.
+- **Use Conditional Access policy** to block users from accessing corporate resources while using a device that is identified as noncompliant.
- **Use** [**app protection policies**](../protect/mtd-app-protection-policy.md) for Android and iOS/iPadOS, to set device risk levels. App protection policies work with both enrolled and unenrolled devices.
-In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [MDE Security Configuration Management](../protect/mde-security-integration.md).
+In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [Microsoft Defender for Endpoint Security Configuration Management](../protect/mde-security-integration.md).
[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
## Connect Microsoft Defender for Endpoint to Intune
-The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. Set up requires administrative access to both the Microsoft Defender Security Center, and to Intune.
+Before Intune and Defender for Endpoint can work together, you must set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. This is a one-time action per tenant. Setup requires administrative access to both the Microsoft Defender Security Center and the Microsoft Intune admin center.
-You only need to enable Microsoft Defender for Endpoint a single time per tenant.
+### Enable Intune and Microsoft Defender for Endpoint integration
-### To enable Microsoft Defender for Endpoint
+1. Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com). The Intune admin center also includes a link to the Defender for Endpoint portal.
-Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com). The Intune admin center also includes a link to the Defender for Endpoint portal.
+ 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+ 2. Select **Endpoint security** > **Microsoft Defender for Endpoint** and review the **Connection status** at the top of the page. If it’s **Enabled**, Defender and Intune are already connected and you can skip to step #2.
-2. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and then select **Open the Microsoft Defender Security Center**.
+ If the status is **Unavailable**, continue here.
+ 3. Scroll down to the bottom of the *Microsoft Defender for Endpoint* page and select the link **Open the Microsoft Defender Security Center** to open the Microsoft Defender for portal and continue with the next numbered step.
> [!TIP]
>
- > In the Intune admin center, if the **Connection status** at the top of the Microsoft Defender for Endpoint page is already set to **Enabled**, the connection to Intune is already active and the admin center displays different UI text for the link. In this event, select **Open the Microsoft Defender for Endpoint admin console** to open the Microsoft Defender for portal. Then you can use the guidance in the following step to confirm that the **Microsoft Intune connection** is set to **On**.
+ > If the connection is already active, the link to open the Defender portal reads: **Open the Microsoft Defender for Endpoint admin console**.
:::image type="content" source="./media/advanced-threat-protection-configure/atp-device-compliance-open-microsoft-defender.png" alt-text="Screen shot that shows the patch to open the Microsoft Defender Security Center.":::
-3. In **Microsoft Defender** portal (previously the *Microsoft Defender Security Center*):
- 1. Select [**Settings** > **Endpoints** >**Advanced features**](https://security.microsoft.com/preferences2/integration).
- 2. For **Microsoft Intune connection**, choose **On**:
+2. In [**Microsoft Defender** portal](https://security.microsoft.com/):
+
+ 1. Use the left-hand pane to scroll down and select **Settings** > **Endpoints** >**Advanced features**.
+ 2. On the advanced features pane, scroll down to locate the entry for **Microsoft Intune connection** and set the toggle to **On**.
:::image type="content" source="./media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png" alt-text="Screen shot of the Microsoft Intune connection setting.":::
- 3. Select **Save preferences**.
+ 3. Select **Save preferences** to complete the connection between Intune and Defender for Endpoint.
> [!NOTE]
> Once the connection is established, the services are expected to sync with each other _at least_ once every 24 hours. The number of days without sync until the connection is considered unresponsive is configurable in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Select **Endpoint security** > **Microsoft Defender for Endpoint** > **Number of days until partner is unresponsive**
-4. Return to **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center.
+3. Return to **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center where you configure aspects of the Defender for Endpoint integration. The Connection status should now display **Enabled**.
+
+ On this page, review each category and the available configurations for platform support and platforms specific options you plan to use, and set those toggles to **On**. You can return later to enable or disable any of these options.
+
+ To set up the following integrations of Microsoft Defender for Endpoint, your account must be assigned an Intune [role-based access control]( /mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes *Read* and *Modify* for the *Mobile Threat Defense* permission in Intune. The *Endpoint Security Manager* built-in admin role for Intune has these permissions included.
+
+ **Compliance policy evaluation** - To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support:
+
+ - Set **Connect Android devices** to Microsoft Defender for Endpoint to **On**
+ - Set **Connect iOS/iPadOS devices** to Microsoft Defender for Endpoint to **On**
+ - Set **Connect Windows devices** to Microsoft Defender for Endpoint to **On**
- 1. To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support:
- - Set **Connect Android devices** to Microsoft Defender for Endpoint to **On**
- - Set **Connect iOS/iPadOS devices** to Microsoft Defender for Endpoint to **On**
- - Set **Connect Windows devices** to Microsoft Defender for Endpoint to **On**
+ When these configurations are *On*, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.
- When these configurations are *On*, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance.
+ For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using the following two settings, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps).
- For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using the following two settings, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps).
+ - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in.
- - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in.
+ - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list.
- - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list.
+ When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune.
- When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune.
+ When set to **Off**, data about unmanaged apps isn’t provided. Intune does share data for the apps that were deployed through Intune.
- When set to **Off**, data about unmanaged apps isn’t provided. Intune does share data for the apps that were deployed through Intune.
+ For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
- For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
- 2. To use Defender for Endpoint with **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:
- - Set **Connect Android devices to Microsoft Defender** for Endpoint to **On**.
- - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** on to **On**.
+ **App protection policy evaluation** - Configure the following toggles to use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:
- To set up an integration Microsoft Defender for Endpoint for compliance and app protection policy evaluation, you must have a role that includes *Read* and *Modify* for the *Mobile Threat Defense* permission in Intune. The *Endpoint Security Manager* built-in admin role for Intune has these permissions included. For more information about both MDM Compliance Policy Settings and App Protection Policy Settings, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
+ - Set **Connect Android devices to Microsoft Defender** for Endpoint to **On**.
+ - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** on to **On**.
-5. Select **Save**.
+ For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options).
+
+4. Select **Save**.
> [!TIP]
>
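Review bot: The **App protection policy evaluation** lead-in is garbled: "Configure the following toggles to use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:" repeats the "configure the following" clause; suggest "To use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use:". Other points in this hunk: the RBAC link `[role-based access control]( /mem/intune/fundamentals/role-based-access-control)` has a leading space inside the parentheses, which some Markdown renderers treat as a broken link; step 1.3 says "open the Microsoft Defender for portal" (either add "Endpoint" or use "Microsoft Defender portal" as step 2 does); "platforms specific options" should be "platform-specific options"; the path "**Endpoints** >**Advanced features**" is missing a space after `>`; the iOS/iPadOS toggle bullet still carries a stray "on" ("... for Endpoint** on to **On**"), and in the Android bullet the bold should cover the full toggle name "Connect Android devices to Microsoft Defender for Endpoint".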
@@ -112,39 +121,55 @@ Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](http
## Onboard devices
-When you enable support for Microsoft Defender for Endpoint in Intune, you established a service-to-service connection between Intune and Microsoft Defender for Endpoint. You can then onboard devices you manage with Intune to Microsoft Defender for Endpoint. Onboarding enables collection of data about device risk levels.
+After establishing the service-to-service connection between Intune and Microsoft Defender for Endpoint, use Intune to onboard your managed devices to Microsoft Defender for Endpoint. Onboarding involves enrolling devices into the Defender for Endpoint service to ensure they're protected and monitored for security threats and enables collection of data about device risk levels.
When onboarding devices, be sure to use the most recent version of Microsoft Defender for Endpoint for each platform.
+The process to onboard devices to Defender for Endpoint varies by platform.
+
### Onboard Windows devices
-- [**Endpoint detection and response**](../protect/endpoint-security-edr-policy.md) (EDR) policy. The *Microsoft Defender for Endpoint* page in the Intune admin center includes a link that directly opens the EDR policy creation workflow, which is part of endpoint security in Intune.
+With a connection between Intune and Defender established, Intune automatically receives an onboarding configuration package from Defender that can be used by Intune to onboard Windows devices. This package is used by Intune EDR policy to configure devices to communicate with [Microsoft Defender for Endpoint services](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies.
- Use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. You can also use EDR policy with tenant attached devices, which are devices you manage with Configuration Manager.
+Onboarding of a device using the configuration package is a one-time action.
- When you configure EDR policy after connecting Intune to Defender, the policy setting *Microsoft Defender for Endpoint client configuration package type* has a new configuration option: **Auto from connector**. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an Onboard package.
+To deploy the onboarding package for Windows devices, you can choose to use a preconfigured EDR policy option, which deploys to the *All devices* group to onboard all applicable Windows devices, or you can manually create the EDR Policy for more granular deployments, which requires you to complete a few additional steps.
-- **Device configuration policy**. When creating a device configuration policy to onboard Windows devices, select the *Microsoft Defender for Endpoint* template. When you connected Intune to Defender, Intune received an onboarding configuration package from Defender. This package is used by the template to configure devices to communicate with [Microsoft Defender for Endpoint services](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies.
-After onboarding a device using the configuration package, you don't need to do it again.
+#### Use the preconfigured policy
-- [**Group policy or Microsoft Configuration Manager**](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). [Onboard Windows machines using Microsoft Configuration Manager](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) has more details on the Microsoft Defender for Endpoint settings.
+With this path, you provide a name for the onboarding policy and select both the *platform* and *profile*. Other settings are preselected and include use of the onboarding package without additional settings, use of the *Default* scope tag, and assignment to the *All Devices* group. You can’t change these options during policy creation, but can return later to edit the policy details.
-> [!TIP]
->
-> When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings (such as onboarding to Defender for Endpoint), you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article.
+1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Endpoint detection and response** > and select the **EDR Onboarding Status** tab.
+
+2. On this tab, select **Deploy preconfigured policy**.
-### Create the device configuration profile to onboard Windows devices
+ :::image type="content" source="./media/advanced-threat-protection-configure/select-preconfigured-policy.jpg" alt-text="Screen shot that displays the path to the preconfigured policy option.":::
+
+3. For Platform, select **Windows** for devices managed directly by Intune, or **Windows (ConfigMgr)** for devices managed through the Tenant Attach scenario. For Profile select **Endpoint detection and response**.
+
+4. Specify a Name for the policy.
+
+5. On the **Review and Create** page you can review this policies configuration. When ready select **Save** to save this policy, which immediately begins to deploy to the *All Devices* group.
+
+#### Create your own EDR policy:
+
+With this path, you can define all aspects of the initial onboarding policy before it begins to deploy to devices.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Endpoint security** > **Endpoint detection and response** > **Create Policy**.
-3. For **Platform**, select **Windows 10, Windows 11, and Windows Server**.
-4. For **Profile type**, select **Endpoint detection and response**, and then select **Create**.
-5. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, then choose **Next**.
-6. On the **Configuration settings** page, configure the following options for **Endpoint Detection and Response**:
- - **Microsoft Defender for Endpoint client configuration package type**: Select *Auto from connector* to use the onboarding package (blob) from your Defender for Endpoint deployment. If you are onboarding to a different or disconnected Defender for Endpoint deployment, select *Onboard* and paste the text from the WindowsDefenderATP.onboarding blob file into the *Onboarding (Device)* field.
+2. Select **Endpoint security** > **Endpoint detection and response** > and in the *Summary* tab, select **Create Policy**.
+
+3. For *Platform* select **Windows**, for Profile select **Endpoint detection and response**, and then select **Create**.
+
+4. On the **Basics** page, enter a *Name and Description* (optional) for the profile, then choose Next.
+
+5. On the **Configuration settings** page, configure the following options depending on your needs:
+
+ - **Microsoft Defender for Endpoint client configuration package type**: Select **Auto from connector**. With this option, the onboarding policy automatically uses the onboarding blob that Intune received from Microsoft Defender. If you're onboarding to a different or disconnected Defender for Endpoint deployment, select Onboard and paste the text from the WindowsDefenderATP.onboarding blob file into the *Onboarding (Device)* field.
+
- **Sample Sharing**: Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration parameter.
- - **[Deprecated] Telemetry Reporting Frequency**: For devices that are at high risk, **Enable** this setting so it reports telemetry to the Microsoft Defender for Endpoint service more frequently.
+
+ - **[Deprecated] Telemetry Reporting Frequency**: This setting is deprecated and no longer applies to new devices. The setting remains visible in the policy UI for visibility for older policies that had this configured.
:::image type="content" source="./media/advanced-threat-protection-configure/automatic-package-configuration.png" alt-text="Screen shot of the configuration options for Endpoint Detection and Response.":::
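Review bot: the new "#### Create your own EDR policy:" heading should not end with a colon, and the same procedure formats the two settings inconsistently ("For *Platform* select **Windows**, for Profile select **Endpoint detection and response**"), so *Profile* should be italic like *Platform*. In the preconfigured path, step 5 reads "you can review this policies configuration. When ready select **Save**" (should be "this policy's configuration. When ready, select **Save**") and names the page **Review and Create**, while the final step of the manual path calls it **Review + create**; use one name. In the package-type bullet, the *Onboard* option lost its formatting ("select Onboard and paste"), and the deprecated-telemetry bullet says "remains visible in the policy UI for visibility", which is circular; suggest "remains visible in the policy UI so that older policies that configured it can still be reviewed". Minor: the navigation paths keep a dangling ">" after the last node ("**Endpoint detection and response** > and select the **EDR Onboarding Status** tab"); drop the ">" before "and".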
@@ -154,65 +179,83 @@ After onboarding a device using the configuration package, you don't need to do
>
> If you haven’t configured this connection successfully, the setting *Microsoft Defender for Endpoint client configuration package type* only includes options to specify onboard and offboard blobs.
-7. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
+6. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
-8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+7. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
When you deploy to user groups, a user must sign in on a device before the policy applies and the device can onboard to Defender for Endpoint.
- Select **Next**.
+ Select **Next** to continue.
-9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
- **OK**, and then **Create** to save your changes, which creates the profile.
+8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created.
+
+ > [!TIP]
+ > When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings, you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article.
### Onboard macOS devices
After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard macOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Microsoft Defender Endpoint, which then collects data about devices risk level.
-For configuration guidance for Intune, see [Microsoft Defender for Endpoint for macOS](../apps/apps-advanced-threat-protection-macos.md).
+Intune doesn't support an automatic onboarding package for macOS as it does for Windows devices. For configuration guidance for Intune, see [Microsoft Defender for Endpoint for macOS](../apps/apps-advanced-threat-protection-macos.md).
For more information about Microsoft Defender for Endpoint for Mac including what's new in the latest release, see [Microsoft Defender for Endpoint for Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide&preserve-view=true) in the Microsoft 365 security documentation.
### Onboard Android devices
-After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level.
+After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint.
-There isn't a configuration package for devices that run Android. Instead, see [Overview of Microsoft Defender for Endpoint for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android) in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions for Android.
+Intune doesn't support an automatic onboarding package for Android as it does for Windows devices. For configuration guidance for Intune, see [Overview of Microsoft Defender for Endpoint for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android) in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions for Android.
For devices that run Android, you can also use Intune policy to modify Microsoft Defender for Endpoint on Android. For more information, see [Microsoft Defender for Endpoint web protection](../protect/advanced-threat-protection-manage-android.md).
### Onboard iOS/iPadOS devices
-After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level.
+After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint.
-There isn't a configuration package for devices that run iOS/iPadOS. Instead, see [Overview of Microsoft Defender for Endpoint for iOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios) in the Microsoft Defender for Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS.
+Intune doesn't support an automatic onboarding package for iOS/iPadOS as it does for Windows devices. For configuration guidance for Intune, see [Overview of Microsoft Defender for Endpoint for iOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios) in the Microsoft Defender for Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS.
-For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender app needs to know if a device is in Supervised Mode. Intune allows you to configure the Defender for iOS app through an App Configuration policy (for managed devices) that should be targeted to all iOS Devices as a best practice. For more information, see [Complete deployment for supervised devices](/microsoft-365/security/defender-endpoint/ios-install?#complete-deployment-for-supervised-devices).
+For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender app needs to know if a device is in *Supervised Mode*. For more information, see [Complete deployment for supervised devices](/microsoft-365/security/defender-endpoint/ios-install?#complete-deployment-for-supervised-devices).
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
2. Select **Apps** > **App configuration policies** > **+ Add**, and then select**Managed devices** from the drop down list.
+
3. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, select **Platform** as **iOS/iPadOS** then choose **Next**.
+
4. Select **Targeted app** as **Microsoft Defender for iOS**.
+
5. On the **Settings** page, set the **Configuration key** as **issupervised**, then **Value type** as **string** with the **{{issupervised}}** as the **Configuration value**.
+
6. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
+
7. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it's a best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
- When deploying policy to user groups, a user must sign-in on a device before the policy applies.
+ When you deploy policy to user groups, a user must sign-in on a device before the policy applies.
Select **Next**.
8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
-Further, for devices that run iOS/iPadOS (in Supervised Mode), the Defender for iOS team has made available a custom .mobileconfig profile to deploy to iPad/iOS devices. The .mobileconfig profile is used to analyze network traffic to ensure a safe browsing experience - a feature of Defender for iOS.
+
### View the count of devices that are onboarded to Microsoft Defender for Endpoint
+You can view a report on device onboarding status from within the Intune admin center by going to **Endpoint security** > **Endpoint detection and response** > and selecting the **EDR Onboarding Status** tab.
-To view the onboarded devices from Microsoft Defender for Endpoint within the Microsoft Defender for Endpoint connector page, you need an Intune role that includes *Read* for the *Microsoft Defender Advanced Threat Protection* permission.
-
-:::image type="content" source="./media/advanced-threat-protection-configure/onboard-report.png" alt-text="Sample view of the onboarded device report.":::
+To view this information, your account must be assigned an Intune role that includes *Read* for the *Microsoft Defender Advanced Threat Protection* permission.
## Create and assign compliance policy to set device risk level
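Review bot: removing "Intune allows you to configure the Defender for iOS app through an App Configuration policy (for managed devices) that should be targeted to all iOS Devices as a best practice" from the supervised-mode paragraph leaves the numbered procedure that follows with no introduction: a reader no longer learns that steps 1 to 8 create an app configuration policy that hands the supervision state (the `issupervised` key with value `{{issupervised}}`) to the Defender app, or why step 7 recommends targeting **All Devices**. Keep a one-sentence lead-in to that effect. In the rewritten sentence "there's specialized ability given the increased management capabilities" is awkward; consider "additional capabilities are available because the platform provides more management control on these devices". "a user must sign-in on a device" should be "sign in" (verb). While in this section, the unchanged step 2 has "select**Managed devices**" missing a space, and the new onboarding-status path has the same stray ">" before "and selecting".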
@@ -235,7 +278,7 @@ If you're not familiar with creating compliance policy, reference the [Create a
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Devices** > **Compliance**. On the **Policies** tab, select **+ Create policy**.
+2. Select **Devices** > **Compliance**. On the **Policies** tab, select **+ Create policy**.
3. For **Platform**, use the drop-down box to select one of the following options:
- **Android device administrator**
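Review bot: the changed line in this hunk is identical to the line it replaces as rendered, so this is a whitespace or non-breaking-space change; if the intent is to strip trailing whitespace or replace non-breaking spaces, say so in the PR description so reviewers can skip these hunks (the same pattern appears in the Conditional launch and Conditional Access hunks that follow).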
@@ -263,7 +306,7 @@ If you're not familiar with creating compliance policy, reference the [Create a
Use the procedure to [create an application protection policy for either iOS/iPadOS or Android](../apps/app-protection-policies.md#app-protection-policies-for-iosipados-and-android-apps), and use the following information on the *Apps*, *Conditional launch*, and *Assignments* pages:
- **Apps**: Select the apps you wish to be targeted by app protection policies. For this feature set, these apps are blocked or selectively wiped based on device risk assessment from your chosen Mobile Threat Defense vendor.
-- **Conditional launch**: Below *Device conditions*, use the drop-down box to select **Max allowed device threat level**.
+- **Conditional launch**: Below *Device conditions*, use the drop-down box to select **Max allowed device threat level**.
Options for the threat level **Value**:
@@ -291,22 +334,22 @@ Conditional Access policies can use data from Microsoft Defender for Endpoint to
> Conditional Access is a Microsoft Entra technology. The *Conditional Access* node found in the Microsoft Intune admin center is the node from *Microsoft Entra*.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with.
+2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with.
3. Enter a policy **Name**.
4. For **Users**, use the *Include* and *Exclude* tabs to configure groups that will receive this policy.
5. For **Target resources**, set *Select what this policy applies to* to **Cloud apps**, and then choose which apps to protect. For example, choose **Select apps** and then for *Select*, search for and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**.
-6. For **Conditions**, select **Client apps** and then set *Configure* to **Yes**. Next, select the checkboxes for **Browser** and **Mobile apps and desktop clients**. Then, select **Done** to save the client app configuration.
-7. For **Grant**, configure this policy to apply based on device compliance rules. For example:
+6. For **Conditions**, select **Client apps** and then set *Configure* to **Yes**. Next, select the checkboxes for **Browser** and **Mobile apps and desktop clients**. Then, select **Done** to save the client app configuration.
+7. For **Grant**, configure this policy to apply based on device compliance rules. For example:
1. Select **Grant access**.
2. Select the checkbox for **Require device to be marked as compliant**.
3. Select **Require all the selected controls**.
Choose **Select** to save the Grant configuration.
-8. For **Enable policy**, select **On** and then **Create** to save your changes.
+8. For **Enable policy**, select **On** and then **Create** to save your changes.
-## Next steps
+## Related content
- [Configure Microsoft Defender for Endpoint settings on Android](../protect/advanced-threat-protection-manage-android.md)
- [Monitor compliance for risk levels](../protect/advanced-threat-protection-monitor.md)
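Review bot: the heading rename from "## Next steps" to "## Related content" is applied only in this file; the other two articles touched by this PR (compliance-policy-create-ios.md and create-compliance-policy.md) keep "## Next steps". If the rename follows a style guideline, apply it consistently in the same PR; otherwise leave the heading as-is here.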
diff --git a/memdocs/intune/protect/compliance-policy-create-ios.md b/memdocs/intune/protect/compliance-policy-create-ios.md
index 2ef3da3e5c0..dbac286ed8f 100644
--- a/memdocs/intune/protect/compliance-policy-create-ios.md
+++ b/memdocs/intune/protect/compliance-policy-create-ios.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 05/15/2024
+ms.date: 12/13/2024
ms.topic: reference
ms.service: microsoft-intune
ms.subservice: protect
@@ -140,7 +140,7 @@ For details about email profiles, see [configure access to organization email us
*Supported for iOS 8.0 and later*
- **Not configured** (*default*) - Users can create simple passwords like **1234** or **1111**.
- - **Block** - Users can't create simple passwords, such as **1234** or **1111**.
+ - **Block** - Users can't create simple passwords, such as **1234** or **1111**.
- **Minimum password length**
*Supported for iOS 8.0 and later*
@@ -150,30 +150,34 @@ For details about email profiles, see [configure access to organization email us
- **Required password type**
*Supported for iOS 8.0 and later*
- Choose if a password should have only **Numeric** characters, or if there should be a mix of numbers and other characters (**Alphanumeric**).
+ Choose the password type required on the device. When set to **Not configured**, which is the default choice, Intune doesn't change or update this setting. Your options:
+
+ - **Not configured**: The password is determined by the device's default settings. A user's OS might allow simple passwords, like *0000* and *1234*.
+ - **Alphanumeric**: The password must contain a mix of uppercase letters, lowercase letters, and numeric characters.
+ - **Numeric**: The password at minimum must be a set of numeric characters, such as *123456789*. Alphabetic passwords and alphanumeric passwords are also supported.
- **Number of non-alphanumeric characters in password**
- Enter the minimum number of special characters, such as `&`, `#`, `%`, `!`, and so on, that must be in the password.
+ Enter the minimum number of special characters, such as `&`, `#`, `%`, `!`, and so on, that must be in the password.
Setting a higher number requires the user to create a password that is more complex.
- **Maximum minutes after screen lock before password is required**
*Supported for iOS 8.0 and later*
- Specify how soon after the screen is locked before a user must enter a password to access the device. Options include the default of *Not configured*, *Immediately*, and from *1 Minute* to *4 hours*.
+ Select how much time is allowed to pass after the screen locks before users have to enter a password to access their device. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **4 hours**.
- **Maximum minutes of inactivity until screen locks**
- Enter the idle time before the device locks its screen. Options include the default of *Not configured*, *Immediately*, and from *1 Minute* to *15 Minutes*.
+ Select the amount of idle time allowed before the device locks its screen. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **15 minutes**.
- **Password expiration (days)**
*Supported for iOS 8.0 and later*
- Select the number of days before the password expires, and they must create a new one.
+ Enter how long, in days, a password is valid before the user must create a new one.
- **Number of previous passwords to prevent reuse**
*Supported for iOS 8.0 and later*
- Enter the number of previously used passwords that can't be used.
+ Enter the number of previously used passwords that can't be used. For example, if you enter 5, users can't reuse their 5 most recent passwords.
### Device Security
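Review bot: the new **Alphanumeric** description says the password "must contain a mix of uppercase letters, lowercase letters, and numeric characters", which is stronger than the line it replaces ("a mix of numbers and other characters") and is not supported by anything else in this settings list; confirm the case-mix claim against the enforced requirement before adding it, because administrators will read it as the exact rule. The **Numeric** bullet is also confusing: it says the password "at minimum must be a set of numeric characters" and then "Alphabetic passwords and alphanumeric passwords are also supported", which reads as if a purely alphabetic passcode satisfies a numeric requirement; if the intent is that Numeric is a floor and more complex types are accepted, say that directly, for example "Numeric is the minimum; users can still choose a more complex alphanumeric password". Minor: the **Not configured** bullet uses *0000* and *1234* as examples while the Simple passwords block above uses **1234** or **1111**; pick one pair.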
@@ -181,20 +185,20 @@ For details about email profiles, see [configure access to organization email us
You can restrict apps by adding their bundle IDs to the policy. If a device has the app installed, the device is marked as noncompliant.
- **App name** - Enter a user-friendly name to help you identify the bundle ID.
- - **App Bundle ID** - Enter the unique bundle identifier assigned by the app provider.
+ - **App bundle ID** - Enter the unique bundle identifier assigned by the app provider.
To get the app bundle ID:
- - Apple's web site has a list of [built-in Apple apps](https://support.apple.com/HT211833).
- - For apps added to Intune, [you can use the Intune admin center](../apps/get-app-bundle-id-intune-admin-center.md).
- - For some examples, go to [Bundle IDs for built-in iOS/iPadOS apps](../configuration/bundle-ids-built-in-ios-apps.md).
+ - The Apple website has a list of [built-in Apple apps](https://support.apple.com/HT211833).
+ - For apps added to Intune, [you can use the Intune admin center](../apps/get-app-bundle-id-intune-admin-center.md).
+ - For examples, see [Bundle IDs for built-in iOS/iPadOS apps](../configuration/bundle-ids-built-in-ios-apps.md).
> [!NOTE]
>
- > The *Restricted apps* setting applies to un-managed applications that are installed outside of management context.
+ > The *Restricted apps* setting applies to un-managed apps that are installed outside of management context.
## Next steps
- [Add actions for noncompliant devices](actions-for-noncompliance.md).and [use scope tags to filter policies](../fundamentals/scope-tags.md).
- [Monitor your compliance policies](compliance-policy-monitor.md).
-- See the [compliance policy settings for macOS](compliance-policy-create-mac-os.md) devices.
\ No newline at end of file
+- See the [compliance policy settings for macOS](compliance-policy-create-mac-os.md) devices.
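Review bot: the rewritten note still spells "un-managed"; use "unmanaged apps that are installed outside of the management context". The unchanged first bullet under Next steps has a stray period before "and" ("(actions-for-noncompliance.md).and [use scope tags"); worth fixing while this section is being touched. The trailing-newline fix is fine.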
diff --git a/memdocs/intune/protect/create-compliance-policy.md b/memdocs/intune/protect/create-compliance-policy.md
index aeedab1c731..3610ea4b894 100644
--- a/memdocs/intune/protect/create-compliance-policy.md
+++ b/memdocs/intune/protect/create-compliance-policy.md
@@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
-ms.date: 03/13/2024
+ms.date: 12/13/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
@@ -81,7 +81,8 @@ For more information about using custom compliance settings, including supported
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Go to **Devices** > **Compliance** and choose **Create policy**.
+2. Go to **Devices**.
+3. Under **Manage devices**, select **Compliance**. Then choose **Create policy**.
4. Select a **Platform** for this policy from the following options:
- **Android device administrator**
@@ -89,19 +90,20 @@ For more information about using custom compliance settings, including supported
- **Android Enterprise**
- **iOS/iPadOS**
- **Linux** - (Ubuntu Desktop, version 20.04 LTS and 22.04 LTS, RedHat Enterprise Linux 8, or RedHat Enterprise Linux 9)
- - **macOS**
- - **Windows 8.1 and later**
- - **Windows 10 and later**
+ - **macOS**
+ - **Windows 10 and later**
+ - **Windows 8.1 and later**
+
- For *Android Enterprise*, you also select a **Policy type**:
+ For *Android Enterprise*, you also select a **Profile type**. Your options:
- **Fully managed, dedicated, and corporate-owned work profile**
- **Personally-owned work profile**
Then select **Create** to open the configuration page.
-5. On the **Basics** tab, specify a **Name** that helps you identify them later. For example, a good policy name is **Mark iOS/iPadOS jailbroken devices as not compliant**.
+5. On the **Basics** tab, enter a **Name** that helps you identify this policy later. For example, a good policy name is **Mark iOS/iPadOS jailbroken devices as not compliant**.
- You can also choose to specify a **Description**.
+ Optionally, enter a **Description** for the policy.
6. On the **Compliance settings** tab, expand the available categories, and configure settings for your policy. The following articles describe the available compliance settings for each platform:
- [Android device administrator](compliance-policy-create-android.md)
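Review bot: the reorder that places **Windows 10 and later** before **Windows 8.1 and later** is not matched by the per-platform link list further down in this article (step 6 still lists Windows 8.1 and later before Windows 10/11), so the two lists now disagree; either reorder both or keep the original order. The change from "Policy type" to "Profile type" for Android Enterprise should be checked against the current admin center label, since the rest of this procedure and the other compliance articles in this PR consistently call these objects policies.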
@@ -113,32 +115,32 @@ For more information about using custom compliance settings, including supported
- [Windows 8.1 and later](compliance-policy-create-windows-8-1.md)
- [Windows 10/11](compliance-policy-create-windows.md)
-7. Add custom settings to policies for supported platforms.
+7. Optionally, you can add custom settings for supported platforms.
> [!TIP]
- > This is an optional step that’s supported only for the following platforms:
+ > This is an optional step that’s supported for the following platforms:
>
> - Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
- > - Windows 10/11
+ > - Windows 10 and later
> Before you can add custom settings to a policy, you must have uploaded a detection script to Intune, and have ready a JSON file that defines the settings you want to use for compliance. See [Custom compliance settings](../protect/compliance-use-custom-settings.md).
On the **Compliance settings** page, expand the **Custom Compliance** category:
**For Windows**:
1. On the *Compliance settings* page, expand **Custom Compliance** and set *Custom compliance* to **Require**.
- 2. For *Select your discovery script*, select **Click to select**, and then specify a script that’s been previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy.
- 3. For *Upload and validate the JSON file with your custom compliance settings*, select the folder icon and then locate and add the JSON file for Windows that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md).
+ 2. For *Select your discovery script*, select **Click to select**, and then enter the name of a script that you previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy. Choose **Select** to continue to the next step.
+ 3. For *Upload and validate the JSON file with your custom compliance settings*, select the folder icon, and then find and add the JSON file for Windows that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md).
**For Linux**:
- 1. On the *Compliance settings* page, select **Add settings** to open the *Settings picker* pane.
- 2. Select **Custom Compliance**, and then select 8.
- 3. Back on the *Compliance settings* page, select the toggle for *Require Custom Compliance* to change it to be **True**.
- 4. For *Select your discovery script*, select **Set reusable settings**, and then specify a script that’s been previously added to the Microsoft Intune admin center. This script must have been uploaded before you begin to create the policy.
- 5. For *Select your rules file*, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md).
+ 1. On the *Compliance settings* page, select **Add settings** to open the **Settings picker**.
+ 2. Select **Custom Compliance**. Then close the settings picker.
+ 3. Switch **Require Custom Compliance** to **True**. T
+ 4. For **Select your discovery script**, select **Select a script**. Then select a script that’s been previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy.
+ 6. For **Select your rules file**, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md).
- The JSON you enter is validated and any problems are displayed. After validation of the JSON contents, the rules from the JSON are displayed in table format.
+ Wait while Intune validates the JSON. Problems that need to be fixed appear onscreen. After validation of the JSON contents, the rules from the JSON appear in table format.
-8. On the **Actions for noncompliance** tab, specify a sequence of actions to apply automatically to devices that don't meet this compliance policy.
+8. On the **Actions for noncompliance** tab, select a sequence of actions to apply automatically to devices that don't meet this compliance policy.
You can add multiple actions, and configure schedules and details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant.
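Review bot: two defects in the rewritten Linux steps: step 3 ends with a stray "T" ("Switch **Require Custom Compliance** to **True**. T"), and the numbering jumps from 4 to 6, so there is no step 5. Dropping "only" from the tip ("supported only for the following platforms" becomes "supported for the following platforms") weakens a statement that is meant to be exclusive; keep "only" unless custom compliance is now supported on additional platforms. Minor: the tip now says "Windows 10 and later" while the link list directly above still says "Windows 10/11".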
@@ -152,7 +154,7 @@ For more information about using custom compliance settings, including supported
10. On the **Assignments** tab, assign the policy to your groups.
- Select **+ Select groups to include** and then assign the policy to one or more groups. The policy will apply to these groups when you save the policy after the next step.
+ Select **Add groups**, and then assign the policy to one or more groups. The policy will apply to these groups when you save the policy after the next step.
Policies for Linux don't support user-based assignments and can only be assigned to device groups.
@@ -205,4 +207,4 @@ For example, a device has three compliance policies assigned to it: one Unknown
## Next steps
-[Monitor your policies](compliance-policy-monitor.md).
\ No newline at end of file
+[Monitor your policies](compliance-policy-monitor.md).
diff --git a/memdocs/intune/protect/media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png b/memdocs/intune/protect/media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png
index 02f3b4cfba5..f46587c8150 100644
Binary files a/memdocs/intune/protect/media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png and b/memdocs/intune/protect/media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png differ
diff --git a/memdocs/intune/protect/media/advanced-threat-protection-configure/onboard-report.png b/memdocs/intune/protect/media/advanced-threat-protection-configure/onboard-report.png
deleted file mode 100644
index 97bfe933863..00000000000
Binary files a/memdocs/intune/protect/media/advanced-threat-protection-configure/onboard-report.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/advanced-threat-protection-configure/select-preconfigured-policy.jpg b/memdocs/intune/protect/media/advanced-threat-protection-configure/select-preconfigured-policy.jpg
new file mode 100644
index 00000000000..4cf35040813
Binary files /dev/null and b/memdocs/intune/protect/media/advanced-threat-protection-configure/select-preconfigured-policy.jpg differ
diff --git a/windows-365/business/in-development.md b/windows-365/business/in-development.md
index 3bf6c28e3be..6e2b6a3b77c 100644
--- a/windows-365/business/in-development.md
+++ b/windows-365/business/in-development.md
@@ -7,7 +7,7 @@ keywords:
author: ErikjeMS
ms.author: erikje
manager: dougeby
-ms.date: 09/25/2024
+ms.date: 12/13/2024
ms.topic: conceptual
ms.service: windows-365
@@ -51,11 +51,7 @@ To help in your readiness and planning, this page lists Windows 365 Business upd
-->
-## Device management
-
-### Upgrade Cloud PCs to more storage, RAM, and CPU
-
-By using the upcoming Resize action, you'll be able to upgrade Cloud PCs to more storage, RAM, and CPU.
+
## Monitor and troubleshoot
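Review bot: removing the "Device management" section but replacing it with a bare "+" blank line leaves two consecutive empty lines between the closing "-->" of the comment above and "## Monitor and troubleshoot"; drop the added empty line so the file keeps a single blank line between blocks. Since this page lists features in development, removal implies the Resize action has shipped or been withdrawn; consider pointing readers to the released feature (a what's-new entry) in the same change so the removal is traceable.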
@@ -65,11 +61,7 @@ By using the upcoming Resize action, you'll be able to upgrade Cloud PCs to more
End users will be able to manually run connectivity checks on their Cloud PCs from [windows365.microsoft.com](https://windows365.microsoft.com).
-## Security
-
-### Single sign-on (public preview)
-
-Windows 365 Business will support single sign-on for new and existing Cloud PCs. You'll be able to turn on single sign-on in **Organizational settings**. When turned on, users no longer have to sign in to the operating system.
+
## Next steps
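Review bot: the deletion of the "Security" section leaves a stray "+" empty line, producing a double blank line before "## Next steps"; remove the added blank line. For a security-relevant capability like single sign-on, which changes whether users sign in to the Cloud PC operating system at all, the removal from the in-development list should be paired with a link to where the feature is now documented (the Organizational settings page or a what's-new entry), so admins who were tracking it here can find the shipped behaviour and its prerequisites.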
diff --git a/windows-365/link/conditional-access-policies-synchronize.md b/windows-365/link/conditional-access-policies-synchronize.md
index 08e206a22fc..378827f5bb4 100644
--- a/windows-365/link/conditional-access-policies-synchronize.md
+++ b/windows-365/link/conditional-access-policies-synchronize.md
@@ -7,7 +7,7 @@ keywords:
author: ErikjeMS
ms.author: erikje
manager: dougeby
-ms.date: 11/19/2024
+ms.date: 12/13/2024
ms.topic: overview
ms.service: windows-365-link
ms.subservice:
@@ -31,24 +31,64 @@ ms.collection:
# Conditional Access policies for Windows 365 Link
-As part of [setting up your organization's environment to support Windows 365 Link](deployment-overview.md), you must make sure that your organization's sign-in and connection (if any) Conditional Access policies are synchronized. If Conditional Access is used to protect the resources used to access Windows 365 Cloud PCs, a matching policy must also be used to protect the user action to register or join devices.
+As part of [setting up your organization's environment to support Windows 365 Link](deployment-overview.md), you must make sure that your Conditional Access policies accommodate both the login through and connection from Windows Cloud PC devices. If Conditional Access is used to protect the resources used to access Windows 365 Cloud PCs as described in [Set conditional access policies for Windows 365](/windows-365/enterprise/set-conditional-access-policies), a separate but matching Conditional Access policy must also be used to protect the user action to register or join devices.
## Authentication process for Windows 365 Link devices
1. When the user signs in on the Windows 365 Link interactive **Sign in** screen, their account is authenticated against the device registration service.
2. Windows 365 Link silently authenticates against the other required cloud resources (like Microsoft Graph and the Windows 365 service by using single sign-on (SSO)).
-## Create Conditional Access policies to synchronize sign in and connection authentication
+Windows 365 Cloud PC devices have two distinct stages of authentication:
-If Conditional Access policies enforcing multifactor authentication (MFA) are used to protect the resources used to access Windows 365 Cloud PCs, you must create a Conditional Access policy enforcing MFA on the user action to register or join devices. This second policy must make sure the user's authentication token has the right MFA claims after the initial sign in to Windows 365 Link.
+- Interactive sign-in: When the user signs in on the Windows 365 Link sign in screen, the device registration service is used to get an authentication token.
+- Non-interactive connections: The token obtained from the user sign in is then used to perform non-interactive sign-ins when connecting to other cloud app resources like Windows 365 services.
-Also review any existing Conditional Access policies that apply to **All resources**. These policies trigger when connecting but not at sign in. Use the [What If tool](/entra/identity/conditional-access/what-if-tool) to help determine what Conditional Access policies are applied.
+Sign-ins from Windows 365 Link devices don't trigger any Conditional Access policies that are targeted to *All resources (formerly cloud apps)* or directly to the *Device Registration Service* resource. Also, the non-interactive connection can't prompt a user to satisfy those requirements.
-For more information about creating Conditional Access policies for user actions to register or join devices, see [Create a Conditional Access policy](/entra/identity/conditional-access/policy-all-users-device-registration#create-a-conditional-access-policy).
+If a Conditional Access policy is assigned to any of the Windows 365 resources, then another policy with the same Access control settings must also be applied to the User Actions to Register or join devices. This policy can trigger an interactive sign-in and obtain the claims that are necessary for the connection.
-For more information about creating Conditional Access policies for resources used for Windows 365, see [Set Conditional Access policies](../enterprise/set-conditional-access-policies.md).
+Without a matching set of policies, the connection is interrupted, and users can't connect to their Cloud PC.
+
+These activities can be seen in the Entra Conditional Access sign-in logs:
+
+1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Protection** > **Conditional Access** > **Sign-in logs**.
+2. On the **User sign-ins (interactive)** tab, use filters to find events from the sign in screen.
+3. On the **User sign-ins (non-interactive)** tab, use filters to find events from the connections.
+
+## Create a Conditional Access policy for interactive sign in
+
+1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Protection** > **Conditional Access** > **Policies** > **What if**.
+2. For **User or Workload identity** select a user to test with.
+3. For Cloud apps, actions, or authentication context, select **Any cloud app**.
+4. For **Select target type** leave **Cloud app** selected.
+5. Select **Select apps** then select the following resources, if they're available:
+ - **Windows 365** (app ID 0af06dc6-e4b5-4f28-818e-e78e62d137a5).
+ - **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07).
+ - **Microsoft Remote Desktop** (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c).
+ - **Windows Cloud Login** (app ID 270efc09-cd0d-444b-a71f-39af4910ec45).
+6. Select **What If**.
+
+Review each of the **Policies that will apply** and determine the access controls used to grant access to those resources and session settings.
-For more information about Conditional Access and user actions, see [User actions](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#user-actions).
+You can now create a new Conditional Access policy to [Require MFA for device registration](/entra/identity/conditional-access/policy-all-users-device-registration#create-a-conditional-access-policy) using the same Access controls.
+
+1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Protection** > **Conditional Access** > **Polices** > **New policy**
+2. Give your policy a name. Consider using a meaningful standard for policy names.
+3. Under **Assignments** > **Users**, select **0 users and groups selected**.
+4. Under **Include**, select **All users** or select a group of users who will sign-in through Windows 365 Link devices.
+5. Under **Exclude**, select **Users and groups** > select your organization's emergency access or break-glass accounts.
+6. Under **Target resources** > **User actions**, select **Register or join devices**.
+7. Under **Access controls** > **Grant**, use the same controls found earlier using the What If tool.
+8. Under **Access controls** > **Session**, use the same controls found earlier using the What If tool.
+9. Confirm your settings and set **Enable policy** to **Report-only**.
+10. Select **Create**.
+11. After confirming the settings using report-only mode, change the **Enable policy** toggle from **Report-only** to **On**.
+
+For more information about creating Conditional Access policies for device registration, including potential conflicts, see [Require multifactor authentication for device registration](/entra/identity/conditional-access/policy-all-users-device-registration#create-a-conditional-access-policy).
+
+For more information about user actions with Conditional Access, see [User actions](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#user-actions).
+
+For more information about creating Conditional Access policies for resources used for Windows 365, see [Set Conditional Access policies](../enterprise/set-conditional-access-policies.md).
## Next steps
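Review bot: step 1 of the new-policy procedure has a typo, "**Polices**" should be "**Policies**", and the line is missing its final period. The three "Microsoft Entra admin center" links point at https://aad.portal.azure.com/, the legacy Azure AD admin center URL; link https://entra.microsoft.com instead, since the Protection > Conditional Access path described is the Entra admin center's navigation. The paragraph beginning "Sign-ins from Windows 365 Link devices don't trigger any Conditional Access policies that are targeted to *All resources*" is the core reasoning of the page but is hard to follow: make the chain explicit, that the interactive sign-in against the device registration service does not evaluate those policies, so the resulting token lacks the required claims (MFA and similar), and the later non-interactive connection, which does evaluate them (the removed line "These policies trigger when connecting but not at sign in" said this clearly), fails because it cannot prompt the user; that is why the registration-action policy must carry the same grant and session controls. The section heading "Create a Conditional Access policy for interactive sign in" is followed first by a What If procedure and only then by the policy creation steps; add a lead sentence before step 1 saying the first procedure discovers the controls to copy, or split it into its own subsection. Smaller points: "Windows Cloud PC devices" (intro) and "Windows 365 Cloud PC devices" (the two-stages paragraph) should be "Windows 365 Link devices" to match the heading and the rest of the page; "login through" should be "sign-in through"; "who will sign-in through" should be "who sign in through" (verb, unhyphenated); "**User or Workload identity** select" and "Select **Select apps** then" each need a comma after the label; "For Cloud apps, actions, or authentication context" is the only UI label in the list not in bold; and "Access control settings", "Access controls", "User Actions to Register or join devices" should use the UI's casing consistently, as step 6 and 7 of the creation procedure already do.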