diff --git a/autopilot/dfci-management.md b/autopilot/dfci-management.md index 2501ce555d5..ce0e2f4c3aa 100644 --- a/autopilot/dfci-management.md +++ b/autopilot/dfci-management.md @@ -90,6 +90,7 @@ For more information, see [Intune devices and apps API overview](/graph/intune-c - [Microsoft Surface](/surface/surface-manage-dfci-guide). - Panasonic. - VAIO. +- Samsung. Other OEMs are pending. diff --git a/memdocs/analytics/data-platform-schema.md b/memdocs/analytics/data-platform-schema.md index 86e4d6a2da9..c3a619b2159 100644 --- a/memdocs/analytics/data-platform-schema.md +++ b/memdocs/analytics/data-platform-schema.md @@ -7,7 +7,7 @@ keywords: ms.author: smbhardwaj author: smritib17 manager: dougeby -ms.date: 02/01/2024 +ms.date: 11/14/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -33,9 +33,7 @@ ms.collection: *Applies to: Microsoft Intune* -This article goes over the properties supported in the Intune Data Platform. - -Device query allows you to quickly assess the state of devices in your environment and take action. When you enter a query on a selected device, Device query runs a query in real time. The data returned can then be filtered, grouped, and refined to answer business questions, troubleshoot issues in your environment, or respond to security threats. +This article goes over the properties supported in the Intune Data Platform. The Intune Data Platform can be accessed via Device query for single devices, Inventory, and Device query for Multiple Devices. Each table (entity) in this page lists the types of queries that are supported. @@ -43,7 +41,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Provides basic BIOS Information. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | 
@@ -55,7 +55,10 @@ Each table (entity) in this page lists the types of queries that are supported. ## Certificate **Description**: Certificate Authorities installed in Keychains/ca-bundles. Only certificates for computers are returned. - **Supported for**: Device query, single device on-demand. + +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -78,7 +81,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Retrieves CPU hardware info on the machine. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -100,7 +105,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Retrieves basic information about the physical disks of a system. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -120,7 +127,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Retrieves encryptable volume status of the machine. -**Supported for**: Device query, single device on-demand +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -136,6 +145,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Lists all file info of the passed file or files under the passed directory. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. > [!NOTE] 
@@ -161,6 +172,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Lists local user groups. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -173,6 +186,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Lists local user accounts. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -187,7 +202,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Details for logical drives on the system. A logical drive generally represents a single partition. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -202,7 +219,10 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Memory Information. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. +Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only supported for Device query, single device on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -215,7 +235,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: A single row containing the operating system name and version. -**Supported for**: Device query, single device on-demand, +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | 
@@ -232,6 +254,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: All running processes on the host system. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -261,7 +285,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Displays information pertaining to the chassis and its security status. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -283,6 +309,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: System information of the device. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -299,7 +327,9 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Provides TPM related information of the device. -**Supported for**: Device query, single device on-demand. +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -317,6 +347,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Provides App Crash info in Windows event log file Application in look back time. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | ReportId(Key) | string (max 256 characters) | Report ID of the App crash | 
@@ -331,6 +363,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Details for in-use Windows device drivers. This doesn't display installed but unused drivers. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | @@ -350,6 +384,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Description**: Get Windows Event logs in the specified log name and look back in time. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. > [!NOTE] @@ -369,7 +405,10 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | ## WindowsQfe **Description**: Information about security patches on the device. -**Supported for**: Device query, single device on-demand. + +**Supported platforms**: Windows + +**Supported for**: Device query, single device on-demand, Inventory. | Property | Type | Description | | --- | --- | --- | @@ -385,6 +424,8 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Description**: Lists registry under the passed registry key. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. > [!NOTE] @@ -401,6 +442,8 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Description**: Lists all installed Windows services and their relevant data. +**Supported platforms**: Windows + **Supported for**: Device query, single device on-demand. | **Property** | **Type** | **Description** | 
@@ -418,4 +461,66 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | | ServiceDescription | string (max 256 characters) | Service Description | | WindowsUserAccount | string (max 256 characters) | The name of the account that the service process is logged on as when it runs. This name can be of the form Domain\UserName | +## Battery + +**Description**: Provides details about battery and battery health. + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| CycleCount | Long | The number of times a battery has gone through a full charge and discharge. Can be used to assess the battery state| +| DesignCapacity | Long (milliwatt hours) | The theoretical capacity of the battery when new.| +| FullChargedCapacity | Long (milliwatt hours) | Full charge capacity of the battery.| +| InstanceName| String | Name used to identify the battery instance.| +| Manufacturer| String | Manufacturer of the battery.| +| Model| String | Display name of the battery.| +| SerialNumber| String | Battery serial number that is assigned by the manufacturer.| + +## NetworkAdapter + +**Description**: Provides basic network adapter information. + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| Identifier | String | Unique identifier of the adapter from other devices on the system. | +| Manufacturer | String | Name of the network adapter's manufacturer. | +| Type | String | Network medium in use. | + +> [!NOTE] +> Inventory will only report up to 20 network adapters per device. + +## Time + +**Description**: Provides basic time information. +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| TimeZone | String | Describes the device's time zone. 
| + +## VideoController + +**Description**: Provides video controller and graphics information. + +**Supported Features**: Inventory + +**Supported Platforms**: Windows + +| **Property** | **Type** | **Description** | +| --- | --- | --- | +| AdapterDacType | String | Name or identifier of the digital-to-analog converter (DAC) chip. The character set of this property is alphanumeric. | +| AdapterRam | Long | Memory size of the video adapter. | +| CurrentScanMode | String | Current scan mode. | +| GraphicsModel | String | Provides manufacturer and model information of graphics card. | +| Identifier | String | Identifier (unique to the computer system) for this video controller. | +| VideoModeDescription | String | Current resolution, color, and scan mode settings of the video controller. | diff --git a/memdocs/analytics/device-query.md b/memdocs/analytics/device-query.md index c288c73daef..f69305a9f9a 100644 --- a/memdocs/analytics/device-query.md +++ b/memdocs/analytics/device-query.md 
@@ -35,19 +35,22 @@ Device query allows you to quickly gain on-demand information about the state of ## Prerequisites -To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. Advanced Analytics features are available with: +- To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. Advanced Analytics features are available with: -- The Intune Advanced Analytics Add-on -- Microsoft Intune Suite + - The Intune Advanced Analytics Add-on + - Microsoft Intune Suite -To use Device query on a device, the device must be enrolled in Endpoint Analytics. Learn [how to enroll a device in Endpoint Analytics](enroll-intune.md). +- To use Device query on a device, the device must be enrolled in Endpoint Analytics. Learn [how to enroll a device in Endpoint Analytics](enroll-intune.md). -You cannot opt out of cloud notifications (WNS) +- You cannot opt out of cloud notifications (WNS) -For a user to use Device query, you must assign the **Managed Devices** - **Query** permission to them. +- For a user to use Device query, you must assign the **Managed Devices** - **Query** permission to them. -To use Device query, devices must be Intune managed and corporate owned. +- To use Device query, devices must be Intune managed and corporate owned. +- To run remote actions, at a minimum, sign into the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an account that has the **Help Desk Operator** role. For more information on the different roles, go to [Role-based access control (RBAC) with Microsoft Intune](../intune/fundamentals/role-based-access-control.md). + +- To receive the remote action, the device must be connected to the internet and powered on. ## Supported platforms 
@@ -64,6 +67,39 @@ For more information on Kusto Query Language, see [Learn more about Kusto Query > [!TIP] > You can now use Copilot in Intune (public preview) to generate KQL queries for device query using natural language requests. To learn more, go to [Query with Copilot in device query](../intune/copilot/copilot-intune-overview.md#query-with-copilot-in-device-query). +## Remote device actions + +Use the Intune remote device actions in Single device query to help you manage your devices remotely. From the device query interface, you can now run device actions based on query results for faster and more efficient troubleshooting. + +### Available remote actions + +The available device actions depend on the device configuration. Not all actions are available for all devices. + +For a complete list of what can be done on your devices, in the Intune admin center, select Devices > All devices, and select a specific device. The available device actions are shown at the top. + +The following list includes supported device actions: + +|Action|Description| +|---|---| +|[Autopilot reset](/windows/deployment/windows-autopilot/windows-autopilot-reset#reset-devices-with-remote-windows-autopilot-reset)|Restores a device to its original settings and removes personal files, apps, and settings.| +|[BitLocker key rotation](../intune/protect/encrypt-devices.md#rotate-bitlocker-recovery-keys)|Changes the BitLocker recovery key for a device and uploads the new key to Intune.| +|[Collect diagnostics](../intune/remote-actions/collect-diagnostics.md)|Collects diagnostic logs from a device and uploads the logs to Intune.| +|[Delete](../intune/remote-actions/devices-wipe.md)|Removes a device from Intune management, any company data is removed, and the device is retired.| +|[Fresh start](../intune/remote-actions/device-fresh-start.md)|Reinstalls the latest version of Windows on a device and removes apps that the manufacturer installed.| +|[Full 
scan](../intune/configuration/device-restrictions-windows-10.md#microsoft-defender-antivirus)|Initiates a full scan of the device by Microsoft Defender Antivirus.| +|[Locate device](../intune/remote-actions/device-locate.md)|Shows the approximate location of a device on a map.| +|[Pause ConfigRefresh](../intune/remote-actions/pause-config-refresh.md)|Pause ConfigRefresh to run remediation on a device for troubleshooting or maintenance or to make changes.| +|[Quick scan](../intune/configuration/device-restrictions-windows-10.md#microsoft-defender-antivirus)|Initiates a quick scan of the device by Microsoft Defender Antivirus.| +|[Remote control with Team Viewer](../intune/remote-actions/teamviewer-support.md)|Allows you to remotely control a device using TeamViewer.| +|[Rename device](../intune/remote-actions/device-rename.md)|Changes the device name in Intune.| +|[Restart](../intune/remote-actions/device-rename.md)|Restarts a device.| +|[Retire](../intune/remote-actions/devices-wipe.md#retire)|Removes company data and settings from a device, and leaves personal data intact.| +|[Rotate Local admin password](../intune/protect/windows-laps-policy.md#manually-rotate-passwords)|Changes the local administrator password for a device and stores the password in Intune.| +|[Synchronize device](../intune/remote-actions/device-sync.md)|Syncs a device with Intune to apply the latest policies and configurations.| +|[Update Windows Defender Security Intelligence](/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus)|Updates the security intelligence files for Microsoft Defender Antivirus.| +|[Windows 10 PIN reset](../intune/remote-actions/device-windows-pin-reset.md)|Resets the PIN of a device that uses Microsoft Entra authentication.| +|[Wipe](../intune/remote-actions/devices-wipe.md#wipe)|This action restores a device to its factory settings and removes all data and settings.| + ## Supported Operators  Device query 
supports only a subset of the operators supported in the Kusto Query Language (KQL). The following operators are currently supported: diff --git a/memdocs/intune/apps/apps-monitor.md b/memdocs/intune/apps/apps-monitor.md index 89ea6267ae6..3e53853364e 100644 --- a/memdocs/intune/apps/apps-monitor.md +++ b/memdocs/intune/apps/apps-monitor.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 09/17/2024 +ms.date: 11/18/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps @@ -60,7 +60,7 @@ The **Essentials** section provides the following information about the app if a | **Operating system** | The app operating system (Windows, iOS/iPadOS, Android, and so on) | | **Version** | If applicable, the version number of the app | | **MAM SDK enabled** | If applicable, whether the app uses the Intune MAM SDK (**Yes** or **No**) | -| **Created** | The date and time when this revision was created **Note**: This date value is updated when an IT admin changes app metadata, such as changing the app category or app description. | +| **Created** | The date and time when this revision was created **Note**: This date value is updated when an admin changes app metadata, such as changing the app category or app description. | | **Assigned** | Whether the app has been assigned (**Yes** or **No**) | **App package file** | If applicable, the app package file name | 
@@ -74,7 +74,7 @@ The graphs show the number of apps for the following status: | **Not Installed** | The number of apps not installed | | **Failed** | The number of failed installations | | **Install Pending** | The number of apps that are in the process of being installed | -| **Not Applicable** | The number of apps for which status is not applicable | +| **Not Applicable** | The number of apps for which status isn't applicable | > [!NOTE] > Be aware that Android LOB apps (.APK) deployed as **Available with or without enrollment** only report app installation status for enrolled devices. App installation status is not available for devices that are not enrolled in Intune. 
@@ -108,6 +108,54 @@ A user status list is shown when you select **User install status** in the **Mon | **Failures** | The number of failed app installations for the user | | **Not installed** | The number of apps not installed by the user | +## App installation error reporting + +Additional error details are available for Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You can view installation error codes for LOB apps in Intune. + +### LOB apps on AOSP devices + +The following table provides addition installation error code details for LOB apps on AOSP devices: + +| Error code | Error string | Retry automatically | Additional information | +|---|---|---|---| +| 0x87D54FB0 | Couldn't install the app because the user didn't allow it or accept permissions. | Yes | Ask the end user to accept any installation request when prompted. | +| 0x87D54FB1 | The operating system couldn't install the app. | No | The Android system failed to install the app. | +| 0x87D54FB2 | The operating system blocked installation. | Yes | A device policy or the Android package verifier may have blocked the operation. | +| 0x87D54FB3 | Either the user or the system stopped the installation. | Yes | The end user may have declined a permission request or is missing permissions. The OS might also block the APK for security reasons. For example, the APK could have been marked as "dangerous" by Google Play Protect. | +| 0x87D54FB4 | Couldn't install the app because it's corrupt or not valid. | No | The Android system detected the APK as being invalid. This error could have occurred for several reasons. For example, the APK isn't signed, or the package manifest is missing or is malformed. Upload a new APK. Check that the APK wasn't corrupted before upload. | +| 0x87D54FB5 | Installation failed. | No | | +| 0x87D54FB6 | Couldn't install the app because it conflicts with the version of the app already on the device. Remove the existing app first. 
| Yes | The conflict could be for a variety of reasons. For example, the package on the device could have a different signature than the one being installed. If the policy is intended to upgrade an existing application, sign the upgraded version with the same certificate used for the original app. If not, uninstall the existing app before deploying the new one. Or, there could be an existing package that defines a permission that the installing app also defines. In that case, the OS rejects the installation because certain permissions can only be owned by one app. Uninstall the existing application for the policy to succeed. | +| 0x87D54FB7 | Install failed. Insufficient storage space on device. | Yes | Free up space on the device. | +| 0x87D54FB8 | Installation failed because this app won't work with the device. | No | Upload a new APK that is compatible with the device architecture and SDK version running on the device, or upgrade the device. | +| 0x87D54FB9 | Installation failed because it took too long. | Yes | | +| 0x87D54FBA | Installation failed because it took too long. | No | | +| 0x87D54FBB | Couldn't uninstall the app. | No | | +| 0x87D55014 | Couldn't download the app. | Yes | A generic download failure occurred. | +| 0x87D55015 | Couldn't download the app because there's not enough room on the device. | Yes | Free up space on the device. | +| 0x87D55016 | Couldn't download the app because the service gave a bad response. | Yes | | +| 0x87D55017 | Couldn't download the app because it was too large. | No | The admin uploaded an APK that exceeded the allowable download size of 2GB. Upload a smaller APK. | +| 0x87D55018 | Couldn't download the app because there was no network connection. | Yes | The download resumes when the network resumes. | +| 0x87D55019 | Couldn't download the app because of a network error. | Yes | The download failed due to an unspecified network error. 
The admin may have a firewall restriction, or something else is blocking the network. The admin could temporarily enroll the device using a different Wi-Fi network, which may allow enrollment SCEP certificates to be installed and more secure firewall rules to take effect. | +| 0x87D5501A | Couldn't download the app. | No | Confirm the network connection and sufficient bandwidth. Additionally, confirm nothing is interfering with network traffic. | +| 0x87D5501B | Couldn't download the app. Contact Microsoft Intune support and include the error code. | No | The app couldn't be downloaded. Contact Microsoft Intune support and include the error code. | +| 0x87D5501C | Couldn't download the app because the downloaded file couldn't be found. | No | The downloaded content was corrupted or deleted before it was installed. The downloaded app files were removed before the app could install. Make sure the app is installed immediately after downloading. Ask the end user to accept the installation request when prompted. | +| 0x87D5501D | Couldn't download the app because of an input/output error. | Yes | | +| 0x87D5501E | Couldn't download the app because it took too long. | Yes | If a download takes more than 8 hours, Intune cancels and retries the download. | +| 0x87D5501F | The downloaded app couldn't be validated. | Yes | The hash code of the downloaded content doesn't equal the hash code of the content from the policy. There are multiple reasons this could occur. The OS may not support encryption/decryption. In this case, you should try updating the OS to latest version. Alternatively, an intermittent issue occurred which may have corrupted the download. Lastly, a less likely scenario where this error occurs is due to a machine in the middle (MITM) attack. | +| 0x87D55078 | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D55079 | Couldn't download the app because of a network error. | Yes | A generic HTTP failure occurred. 
| +| 0x87D5507A | Couldn't download the app because it doesn't seem to exist or it isn't assigned to this device. | No | While the policy was being applied, the policy was removed by the admin. | +| 0x87D5507B | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D5507C | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D5507D | Couldn't download the app because Intune had an error. | Yes | | +| 0x87D550DC | The uploaded app is missing the versionCode property. | No | The versionCode is missing from the uploaded APK. For more information on versionCode, see Android documentation. | +| 0x87D550DD | The uploaded app is missing the minSdkVersion value. | No | Ensure the android:minSdkVersion parameter is specified in the APK manifest. | +| 0x87D550DE | The policy is missing the minSdkVersion value. | No | If the admin creates the policy in the admin portal, there's a requirement that the admin specifies what the minimum SDK version the policy supports. If the admin creates the policy by Graph, this property isn't always required. If this parameter is missing, this exception is thrown. | +| 0x87D550DF | Couldn't uninstall this app because there's another policy to install the same app. | No | If you have two policies that target the same package and version, but one is an install and one is an uninstall, the install is applied and the uninstall is marked as a conflict. | +| 0x87D550E0 | Couldn't install this app because there's another policy to install a newer version of the same app. | No | If there is more than one install policy for the same package but with different versions, the policy with the highest package version takes priority. Remove the conflicting policy. | +| 0x87D550E1 | Couldn't find the app on the device. Intune will try to reinstall it. | Yes | Data indicates that the install policy was previously applied successfully (package was installed), but the package isn't found on the device anymore. 
The end user shouldn't be able to uninstall any required apps, so this scenario is less likely. | +| 0x87D550E2 | Intune will try to uninstall the app. | Yes | This error may happen if the end user manually reinstalled an app that was supposed to be uninstalled. This error is unlikely to persist. | + ## Next steps - To learn more about working with your Intune data, see [Use the Intune Data Warehouse](../developer/reports-nav-create-intune-reports.md). diff --git a/memdocs/intune/apps/apps-supported-intune-apps.md b/memdocs/intune/apps/apps-supported-intune-apps.md index 0b510eb6c85..a6194468ccc 100644 --- a/memdocs/intune/apps/apps-supported-intune-apps.md +++ b/memdocs/intune/apps/apps-supported-intune-apps.md @@ -6,7 +6,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 10/31/2024 +ms.date: 11/05/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps 
@@ -66,6 +66,8 @@ The below apps support the Core Intune App Protection Policy settings and are al |Microsoft Azure|[iOS](https://apps.apple.com/app/microsoft-azure/id1219013620)|✔|No settings|✖|N/A|✖|✖|N/A|✖| |Microsoft Copilot|[Android](https://play.google.com/store/apps/details?id=com.microsoft.copilot)|✔|No settings|✖|N/A|✖|✖|N/A|✖| |Microsoft Copilot|[iOS](https://apps.apple.com/us/app/microsoft-copilot/id6472538445)|✔|No settings|✔ Supported for v28.1.420324001 or later|N/A|✖|✖|N/A|✖| +|Microsoft Designer|[Android](https://play.google.com/store/apps/details?id=com.microsoft.designer&hl=en_IN)|✔|No settings|✔|N/A|✔|✔|✔|✖| +|Microsoft Designer|[iOS](https://apps.apple.com/us/app/microsoft-designer/id6448308247)|✔|No settings|✔|N/A|✔|✔|✔|✖| |Microsoft Edge|[Android](https://play.google.com/store/apps/details?id=com.microsoft.emmx)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔|✔ Supported for v125.0.2535.96 or later| |Microsoft Edge|[iOS](https://apps.apple.com/us/app/microsoft-edge/id1288723196)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔|✔ Supported for v126.2592.56 or later| |Microsoft Excel|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.excel)|✔|No settings|✔|N/A|✖|✖|✔|✖| diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md new file mode 100644 index 00000000000..70b0c358afa --- /dev/null +++ b/memdocs/intune/configuration/properties-catalog.md 
@@ -0,0 +1,166 @@ +--- +# required metadata + +title: Properties catalog in Microsoft Intune +description: Configure Properties catalog policy to manage Device Inventory settings on Windows devices you manage with Intune. +keywords: +author: smbhardwaj +ms.author: smbhardwaj +manager: dougeby +ms.date: 11/14/2024 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: configuration +ms.localizationpriority: high +# optional metadata + +#ROBOTS: +#audience: + +ms.suite: ems +#ms.tgt_pltfrm: +ms.custom: intune-azure +ms.collection: +- tier2 +- M365-identity-device-management +ms.reviewer: abbystarr +--- +# Properties catalog in Microsoft Intune + +## Device inventory + +With Intune, you can use Device inventory to collect and view more hardware properties from your managed devices to help you better understand the state of your devices and make business decisions. + +This article describes how to configure Device Inventory settings as part of an Intune device configuration profile. After you create a profile, you then assign or deploy that profile to your Windows devices. + +This feature applies to: + +Windows 11 + +Windows 10 + +## Prerequisites + +- To use Inventory, devices must be corporate owned, Intune managed (includes co-managed), and Microsoft Entra joined. + +- For a user to configure a policy to start collecting inventory data from devices, they must have the Device Configurations **Create** permission. + +- For a user to view collected data about devices, they must have the Managed Devices **Read** permission. + +## Supported platforms + +Inventory is currently only supported on devices running Windows 10 and later. 
Inventory is only supported on the following minimum Windows versions: + +- Windows 11, version 23H2 (22631.2506 or later) with KB5031455 +- Windows 11, version 22H2 (22621.2215 or later) with KB5029351 +- Windows 11, version 21H2 (22000.2713 or later) with KB5034121 +- Windows 10, version 22H2 (19045.3393 or later) with KB5030211 +- Windows 10, version 21H2 (19044.3393 or later) with KB5030211 + +## How to use + +To configure Inventory collection, create a new **Properties Catalog** profile in the Intune admin center. This profile allows you to select which properties you would like to collect from your devices. + +After the profile is created, you can apply the profile to specific devices in the selected groups. + +### Create the profile + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New Policy**. + +3. Enter the following properties: + + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Properties catalog**. + +4. Select **Create**. + +5. In **Basics**, enter the following properties: + + - **Name**: Enter a descriptive name for the new profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. + +6. Select **Next**. + +7. Select **Add properties**.Expand out categories to view individual properties and then select which properties you would like to collect from the Properties Picker. + + When you're done, select **Next**. + +8. On the **Scope (Tags)** page, select **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile. + + Select **Next** to continue. + +9. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). + + Select **Next**. + +10. 
On the **Applicability Rules** page, use the **Rule**, **Property**, and **Value** options to define how this profile applies within assigned groups. + +11. On the **Review + create** page, when you're done, choose **Create**. The profile is created and is shown in the list. + +The next time each device checks in, the policy is applied. + +### View collected data + +To view collected inventory information, navigate to **Devices** > **Windows Devices** and select a device. + +Under **Monitor** select **Resource Explorer**. Choose a category to view hardware information. + +After a device syncs with Intune, it can take up to 24 hours for initial harvesting of inventory data. + +### Required Properties + +Certain **required** properties are automatically collected when you collect any properties in that category. + +The following properties are required: + +- **Battery**: Instance Name +- **Bios Info**: Bios Name, Software Element ID, Software Element State, Target Operating System +- **Cpu**: Processor ID +- **Disk Drive**: Drive ID +- **Encryptable Volume**: Volume ID +- **Logical Drive**: Drive Identifier +- **Network Adapter**: Identifier +- **System Enclosure**: Serial Number +- **Video Controller**: Identifier +- **Windows Qfe**: Hot Fix ID + +## Known Limitations + +Collection of properties can only be stopped (deleted) at the category level. + +To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category. + +## Supported Properties + +Inventory supports the following entities. To learn more about what properties are supported for each entity, see [Intune Data Platform Schema](../../analytics/data-platform-schema.md). 
+ +- Battery +- Bios Info +- Cpu +- Disk Drive +- Encryptable Volume +- Logical Drive +- Memory Info +- Network Adapter +- Os Version +- System Enclosure +- Time +- Tpm +- Video Controller +- Windows Qfe + +## Frequently Asked Questions + +### Is Resource Explorer different than the Hardware tab for a device? + +Yes, the **Hardware** tab data and **Resource Explorer** data come from different places. We recommend using Inventory and Resource Explorer for the most up-to-date and comprehensive data about your devices. In the future, the data source for **Hardware** tab and the Resource Explorer will be the same. + +### I'm using Co-management with Tenant Attach and I see two Resource Explorer nodes. Which one should I use? + +You'll see a **Resource Explorer** tab for Intune collected data and a **Resource Explorer** tab for Configuration Manager collected data. Feel free to use the source that best fits your use case. In the future, we recommend using the Intune-based Resource Explorer. + +### How can I troubleshoot this feature? + +Client logs are available at `C:\Program Files\Microsoft Device Inventory Agent\Logs` and logs can also be collected via Collect MDM Diagnostics. \ No newline at end of file diff --git a/memdocs/intune/configuration/vpn-settings-macos.md b/memdocs/intune/configuration/vpn-settings-macos.md index f2391ab5732..1a3f03b3dbc 100644 --- a/memdocs/intune/configuration/vpn-settings-macos.md +++ b/memdocs/intune/configuration/vpn-settings-macos.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 04/15/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -35,7 +35,8 @@ Depending on the settings you choose, not all values in the following list are c This feature applies to: -- macOS +- macOS + ## Before you begin 
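Review bot: in the new properties-catalog.md, the platform list under "This feature applies to:" is two bare lines (`Windows 11`, `Windows 10`) while the other articles touched by this change render that list as bullets (`- macOS`); make them `- Windows 11` and `- Windows 10`. Smaller fixes in the same file: step 7 is missing a space ("Select **Add properties**.Expand out categories"), the first FAQ heading should read "different from" rather than "different than", and the file ends without a trailing newline. One content question on Prerequisites: devices "must be corporate owned, Intune managed (includes co-managed), and Microsoft Entra joined", but Supported platforms only says Windows 10 and later; state explicitly whether Microsoft Entra hybrid joined devices qualify, since that is the first thing an admin evaluating Inventory will check.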
@@ -47,11 +48,20 @@ This feature applies to: ## Base VPN -**Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To change it, you must create a new profile. + + >[!NOTE] + > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel. + + You have two options: + - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. + +- **Connection name**: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections. - **VPN server address**: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter `192.168.1.1` or `vpn.contoso.com`. - **Authentication method**: Choose how devices authenticate to the VPN server. Your options: - - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). 
+ - **Certificates**: Under **Authentication certificate**, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to [How to configure certificates](../protect/certificates-configure.md). Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks. - **Username and password**: End users must enter a username and password to sign into the VPN server. - **Connection type**: Select the VPN connection type from the following list of vendors: diff --git a/memdocs/intune/configuration/wi-fi-settings-macos.md b/memdocs/intune/configuration/wi-fi-settings-macos.md index 03de0653506..48bc97cce36 100644 --- a/memdocs/intune/configuration/wi-fi-settings-macos.md +++ b/memdocs/intune/configuration/wi-fi-settings-macos.md @@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 06/25/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration 
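Review bot: in the Base VPN hunk, the closing warning "Storing user certificates in the system keychain increases security risks" should say what the risk is so admins can weigh it: the system keychain is shared by every account on the Mac, so a user identity certificate placed there can be used to authenticate as that user from other local accounts on the device. One clause to that effect would make the channel guidance actionable rather than a bare caution. Two style points: the note marker is written `>[!NOTE]` without the space after `>` (`> [!NOTE]`), and **Connection name** changes from a bold paragraph to a list item, which is consistent with the rest of the settings list and fine to keep.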
@@ -39,17 +39,17 @@ This feature applies to: These Wi-Fi settings are separated in to two categories: Basic settings and Enterprise settings. -This article describes the settings you can configure. +This article describes the settings you can configure. ## Before you begin - Create a [macOS Wi-Fi device configuration profile](wi-fi-settings-configure.md). -- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). +- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). ## Basic profiles -Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is used on home networks or personal networks. You can also add a pre-shared key to authenticate the connection. +Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on devices. Typically, WPA/WPA2 is used on home networks or personal networks. You can also add a preshared key to authenticate the connection. - **Wi-Fi type**: Select **Basic**. - **SSID**: This **service set identifier** (SSID) property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection. 
@@ -72,6 +72,14 @@ Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on device Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate Wi-Fi connections. EAP is often used by enterprises, as you can use certificates to authenticate and secure connections, and configure more security options. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile. + + >[!NOTE] + > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel. + + You have two options: + - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. - **Wi-Fi type**: Select **Enterprise**. - **SSID**: Short for **service set identifier**. This property is the real name of the wireless network that devices connect to. However, users only see the network name you configured when they choose the connection. - **Connect automatically**: Select **Enable** to automatically connect to this network when the device is in range. Select **Disable** to prevent devices from automatically connecting. 
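Review bot: in the Wi-Fi Enterprise hunk, "It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile." contradicts itself as written, because "to do so" points back at editing; the VPN article's copy of this paragraph reads "To change it, you must create a new profile", so use that wording here. Also add a blank line after the **Device channel** sub-bullet before `- **Wi-Fi type**`, matching the VPN and wired hunks, and the note marker `>[!NOTE]` is missing the space after `>`.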
@@ -92,7 +100,7 @@ Enterprise profiles use Extensible Authentication Protocol (EAP) to authenticate - **Certificate server names**: **Add** one or more common names used in the certificates issued by your trusted certificate authority (CA). When you enter this information, you can bypass the dynamic trust window displayed on user's devices when they connect to this Wi-Fi network. - **Root certificate for server validation**: Select one or more existing trusted root certificate profiles. When the client connects to the network, these certificates are used to establish a chain of trust with the server. If your authentication server uses a public certificate, then you don't need to include a root certificate. - - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. + - **Certificates**: Select the SCEP or PKCS client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks. - **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel. 
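Review bot: "Choose the certificates that align with your deployment channel selection" is attached to a setting that selects one profile ("Select the SCEP or PKCS client certificate profile"); "Choose the certificate profile that aligns" avoids the number mismatch. This paragraph (channel-aligned certificate guidance plus the system keychain warning) is now pasted verbatim into the VPN and wired hunks as well; if the repo supports include fragments, sourcing it from one place would keep the three copies in sync the next time the wording or the risk statement changes.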
diff --git a/memdocs/intune/configuration/wired-network-settings-macos.md b/memdocs/intune/configuration/wired-network-settings-macos.md index 5b83fc6d797..c274edd3cda 100644 --- a/memdocs/intune/configuration/wired-network-settings-macos.md +++ b/memdocs/intune/configuration/wired-network-settings-macos.md @@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 06/25/2024 +ms.date: 11/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -39,13 +39,13 @@ This feature applies to: - macOS -This article describes the settings you can configure. +This article describes the settings you can configure. ## Before you begin - Create a [macOS wired network device configuration profile](wired-networks-configure.md). -- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). +- These settings are available for all enrollment types. For more information on the enrollment types, go to [macOS enrollment](../enrollment/macos-enroll.md). ## Wired Network 
@@ -61,6 +61,15 @@ This article describes the settings you can configure. Options with "active" in the title use interfaces that are actively working on the device. If there are no active interfaces, the next interface in service-order priority is configured. By default, **First active Ethernet** is selected, which is also the default setting configured by macOS. +- **Deployment channel**: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile. + + >[!NOTE] + > We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel. + + You have two options: + - **User channel**: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain. + - **Device channel**: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain. + - **EAP type**: To authenticate secured wired connections, select the Extensible Authentication Protocol (EAP) type. Your options: - **EAP-FAST**: Enter the **Protected Access Credential (PAC) Settings**. This option uses protected access credentials to create an authenticated tunnel between the client and the authentication server. Your options: 
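Review bot: in the wired network hunk, "It's not possible to edit the deployment channel after you deploy the profile. To do so, you must create a new profile." reads as "to edit it", which the preceding sentence has just said is impossible; use "To change it, you must create a new profile", the phrasing the VPN article uses for the same paragraph. The `>[!NOTE]` marker is also missing the space after `>`.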
@@ -87,7 +96,7 @@ This article describes the settings you can configure. - **Challenge Handshake Authentication Protocol (CHAP)** - **Microsoft CHAP (MS-CHAP)** - **Microsoft CHAP Version 2 (MS-CHAP v2)** - - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. + - **Certificates**: Select an existing SCEP client certificate profile that is also deployed to the device. This certificate is the identity presented by the device to the server to authenticate the connection. PKCS certificates aren't supported. Choose the certificate that aligns with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks. - **Identity privacy (outer identity)**: Enter the text sent in the response to an EAP identity request. This text can be any value, such as `anonymous`. During authentication, this anonymous identity is initially sent. Then, the real identification is sent in a secure tunnel. - **LEAP** diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md index 06c5940cecb..dcfb48092df 100644 --- a/memdocs/intune/protect/certificates-pfx-configure.md +++ b/memdocs/intune/protect/certificates-pfx-configure.md @@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 10/01/2024 +ms.date: 11/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -16,7 +16,7 @@ ms.localizationpriority: high #ROBOTS: #audience: -ms.reviewer: lacranda +ms.reviewer: sheetg ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -303,17 +303,18 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft |Setting | Platform | Details | |------------|------------|------------| - |**Renewal threshold (%)** |