diff --git a/intune/configmgr/core/misc/pre-release-construction.md b/intune/configmgr/core/misc/pre-release-construction.md
index 70acb0ee70..862d2b894e 100644
--- a/intune/configmgr/core/misc/pre-release-construction.md
+++ b/intune/configmgr/core/misc/pre-release-construction.md
@@ -3,7 +3,7 @@ title: Pre-release content under construction
description: Content under construction
ms.date: 01/10/2020
ms.subservice: other
-ms.topic: conceptual
+ms.topic: article
robots: NOINDEX, NOFOLLOW
ms.collection: tier3
---
diff --git a/intune/configmgr/core/servers/manage/cmpivot-tsg.md b/intune/configmgr/core/servers/manage/cmpivot-tsg.md
index f6c4397a59..0308e3dfa1 100644
--- a/intune/configmgr/core/servers/manage/cmpivot-tsg.md
+++ b/intune/configmgr/core/servers/manage/cmpivot-tsg.md
@@ -3,7 +3,7 @@ title: Troubleshoot CMPivot
description: Learn how to troubleshoot CMPivot in Configuration Manager.
ms.date: 08/02/2021
ms.subservice: core-infra
-ms.topic: conceptual
+ms.topic: article
ms.collection: tier3
ms.topicc: troubleshooting-general
---
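Review bot: the context line `ms.topicc: troubleshooting-general` two lines below the changed `ms.topic` is a misspelled metadata key (`ms.topic` is the real key; `ms.topicc` is not read by the build), so this file effectively carries two competing topic declarations. Since this hunk already touches `ms.topic`, decide whether the intended value is `article` or `troubleshooting-general`, keep one `ms.topic:` line with that value, and delete the misspelled line rather than leaving it behind.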
diff --git a/intune/configmgr/protect/deploy-use/troubleshoot-endpoint-client.md b/intune/configmgr/protect/deploy-use/troubleshoot-endpoint-client.md
index 1a4be44025..14539d8ace 100644
--- a/intune/configmgr/protect/deploy-use/troubleshoot-endpoint-client.md
+++ b/intune/configmgr/protect/deploy-use/troubleshoot-endpoint-client.md
@@ -3,7 +3,7 @@ title: Troubleshoot Endpoint Protection
description: Learn how to troubleshoot problems with Windows Defender and Endpoint Protection.
ms.date: 09/10/2019
ms.subservice: protect
-ms.topic: conceptual
+ms.topic: article
ms.collection: tier3
ms.topicc: troubleshooting-general
---
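Review bot: same issue as in cmpivot-tsg.md: the untouched context line `ms.topicc: troubleshooting-general` is a misspelled key that the build ignores, and it sits right below the `ms.topic` line this hunk changes to `article`. Pick the intended topic value (`article` or `troubleshooting-general`), keep it on the single `ms.topic:` line, and remove the `ms.topicc` line so the metadata block has one unambiguous topic.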
diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md b/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md
new file mode 100644
index 0000000000..8ff4c201d5
--- /dev/null
+++ b/intune/device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md
@@ -0,0 +1,191 @@
+---
+title: Add Platform SSO policy to ADE Profile on macOS devices
+description: Add a settings catalog platform single sign-on (PSSO) policy to an Automated Device Enrollment (ADE) profile and configure it to run during Setup Assistant with modern authentication on macOS devices.
+ms.date: 05/11/2026
+ms.topic: how-to
+appliesto:
+- ✅ macOS
+ms.reviewer: iye, arnab
+ms.collection:
+- M365-identity-device-management
+---
+
+# Configure Platform Single Sign-On (PSSO) during Automated Device Enrollment for macOS devices
+
+On macOS devices, you can configure [Platform Single Sign-On (PSSO)](configure-platform-sso-macos.md) during Automated Device Enrollment (ADE). With Platform SSO, users sign in with their Microsoft Entra account and can get immediate access to Microsoft Entra ID resources. Platform SSO also minimizes the number of times users need to enter their organizational credentials.
+
+When you add the Platform SSO policy and enable the Setup Assistant await final configuration in an ADE enrollment profile, the Platform SSO policy runs during device registration. When users arrive at the desktop, they're already signed into Microsoft Entra resources and can start using productivity apps, like Teams, immediately.
+
+This feature:
+
+- Enables Microsoft Entra device registration during macOS Setup Assistant.
+- Establishes device identity early in the provisioning process.
+- Allows Platform SSO credentials to be set up during initial device configuration.
+- Minimizes delays accessing resources, including resources protected by Conditional Access.
+
+This article lists and describes the settings you need to configure to enable Platform SSO during ADE with Setup Assistant. It also lists the other required steps to use this feature, including adding the Company Portal as a line-of-business app, and configuring the enrollment profile.
+
+To learn more about Platform SSO, see [Platform SSO configuration guide for macOS devices using Microsoft Intune](configure-platform-sso-macos.md).
+
+This feature applies to:
+
+- macOS
+
+## Before you begin
+
+- During enrollment, users are prompted to enter their Microsoft Entra organizational credentials at least twice. The first sign-in starts the regular enrollment process. The second sign-in authenticates the identity in Company Portal, which gets the SSO extension.
+- This feature requires three different policies - settings catalog policy, line-of-business app policy, and enrollment profile. All the policies and settings listed in this article are required and work together. If any of the steps are misconfigured or skipped, the enrollment fails. In this situation, [wipe](../../device-management/actions/wipe.md) the device, follow the steps, and re-enroll the device.
+- Assign all the policies to the same **Assigned (static)** user groups that will use this feature. You can use [assignment filters](../../fundamentals/filters/overview.md) on the static user groups.
+
+ You can create new groups for this feature and add the users to those groups. If you assign these policies to different groups, Platform SSO during enrollment fails.
+
+ Remember, the groups must be:
+
+ - User groups, not device groups. This feature doesn't work with device groups.
+ - Assigned (static) groups, not dynamic groups. This feature doesn't work with dynamic groups.
+
+- Platform SSO has its own set of requirements and configurations. Make sure to review the requirements before you start configuring this feature. For more information, see [Platform SSO configuration guide for macOS devices using Microsoft Intune](configure-platform-sso-macos.md).
+
+## Prerequisites
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [platform](../../includes/requirements/platform.md)]
+:::column-end:::
+:::column span="3":::
+> This feature supports the following platform:
+>
+> - macOS 26 and newer
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [enrollment-methods](../../includes/requirements/enrollment-methods.md)]
+:::column-end:::
+:::column span="3":::
+> - Devices enrolled using Apple Business
+:::column-end:::
+:::row-end:::
+
+:::row:::
+:::column span="1":::
+[!INCLUDE [rbac](../../includes/requirements/rbac.md)]
+:::column-end:::
+:::column span="3":::
+> To configure this policy, use an account with at least one of the following roles:
+>
+> - [!INCLUDE [minimum-rbac-role-policy-profile-manager](../../includes/minimum-rbac-role-policy-profile-manager.md)]
+:::column-end:::
+:::row-end:::
+
+## Step 1 - Create or update the Platform SSO settings catalog policy
+
+This policy enables the Platform SSO registration process during Setup Assistant in the ADE enrollment flow.
+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), create the settings catalog policy (**Devices > Manage devices > Configuration**):
+
+ - If you already use Platform SSO on existing devices, update your existing Platform SSO settings catalog policy. You can apply only one Platform SSO policy to a device.
+ - If you're configuring Platform SSO for the first time, follow the steps in [Platform SSO configuration guide for macOS devices using Microsoft Intune](configure-platform-sso-macos.md).
+
+ When you create the policy, Microsoft recommends using the **Secure Enclave** authentication method.
+
+2. In your settings catalog policy, add and configure the following setting:
+
+ | Name | Configuration value | Description |
+ |---|---|---|
+ | **Authentication > Extensible single sign-on > Platform SSO > Enable Registration During Setup** | Enabled | When enabled, the system enables the Platform SSO registration process during Setup Assistant. |
+
+ **If you're using the **Password** authentication method**, also add and configure the following setting. If you're not using the **Password** authentication method, don't add or configure the following setting.
+
+ | Name | Configuration value | Description |
+ |---|---|---|
+ | **Authentication > Extensible single sign-on > Platform SSO > Enable Create First User During Setup** | Enabled | When enabled, the system enables the password synchronization experience during Setup Assistant.
Remember, only configure this setting if you're using the **Password** authentication method. If you're not using the **Password** authentication method, don't add or configure this setting. |
+
+3. Assign the policy to the static groups you created.
+
+When you create the Platform SSO settings catalog policy, you add and configure more settings than what's listed in this article. This article only lists the settings that are required to enable Platform SSO during ADE with Setup Assistant. So, add this setting to your existing Platform SSO policy. Or, if you're creating a new Platform SSO policy, add this setting along with the other Platform SSO settings that are required to configure Platform SSO.
+
+## Step 2 - Install Company Portal as a line-of-business app
+
+The Company Portal for macOS deploys and installs the Microsoft Enterprise SSO plug-in. This plug-in enables Platform SSO. Make sure you add the latest Company Portal version. If you install an older version of the Company Portal, Platform SSO fails.
+
+1. Download the Company Portal for macOS PKG app from [https://go.microsoft.com/fwlink/?linkid=853070](https://go.microsoft.com/fwlink/?linkid=853070).
+
+ > [!IMPORTANT]
+ > Company Portal 5.2604.0 and newer is required.
+
+2. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), add the Company Portal as a line-of-business (LOB) app (**Apps > All Apps > Create**):
+
+ - [Add macOS Line-of-Business (LOB) Apps to Microsoft Intune](../../app-management/deployment/add-lob-macos.md)
+
+3. Make it a required app and assign it to the same groups as the Platform SSO policy you created or updated in [Step 1](#step-1---create-or-update-the-platform-sso-settings-catalog-policy).
+
+When Intune detects the Company Portal as a deployed policy, it sends the Company Portal with priority in the enrollment process.
+
+## Step 3 - Set up enrollment profile and configure await final configuration
+
+This policy configures the enrollment profile to run during Setup Assistant with modern authentication and configures the await final configuration. These settings are required for Platform SSO to run correctly during enrollment.
+
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), create the Automated Device Enrollment profile (**Devices** > **Device onboarding** > **Enrollment** > **Apple** tab):
+
+ - [Set up automated device enrollment (ADE)](../../device-enrollment/apple/setup-automated-macos.md)
+
+2. In **Management Settings**, configure the following settings:
+
+ | Name | Configuration value |
+ |---|---|
+ | **User affinity** | Enroll with User Affinity |
+ | **Authentication** | Setup Assistant with modern authentication |
+ | **Await final configuration** | Yes |
+ | **Locked enrollment** | Yes |
+
+3. Assign the profile to the same groups as the Platform SSO policy you created or updated in [Step 1](#step-1---create-or-update-the-platform-sso-settings-catalog-policy).
+
+When devices enroll using this ADE profile, the Platform SSO policy and LOB app policy will automatically apply during Setup Assistant. When enrollment completes and users arrive at the desktop, they have a more integrated sign-in experience on the device and can access Microsoft Entra ID resources.
+
+## Possible issues and resolutions
+
+If there are issues completing the Setup Assistant with Platform SSO (PSSO), make sure all three policies and their settings are configured and assigned correctly. If troubleshooting is still needed after verifying the policies, the following steps can help.
+
+### Unable to sign in message during Setup Assistant
+
+**Issue**: During Setup Assistant, you might see the following error message:
+
+```error
+Unable to sign-in
+There was an issue with the extension while registering your account for single sign-on. Try again in a few moments or contact your administrator.
+```
+
+The Company Portal includes the SSO extension used by Platform SSO. If the settings catalog policy and/or the Company Portal policy arrive late, Setup Assistant might show this message.
+
+It's possible the Platform SSO settings catalog policy is delivered, and the Company Portal is still downloading or installing. Enrollment actions occur in separate steps rather than as a single transaction.
+
+**Resolution**: Select the **Try again** button on the error message until the Company Portal finishes downloading and installing. When it completes, the SSO extension is available and the error message no longer appears.
+
+### Remove Platform SSO and reenroll if steps are misconfigured
+
+All the steps in this article are required - the settings catalog policy, Company Portal as a LOB app, and using Setup assistant with Modern Authentication and await final configuration enabled in the ADE profile. If any of these steps are misconfigured or missing, then the configuration fails.
+
+In this situation, remove the existing Platform SSO (PSSO) configuration and re-enroll the devices by using the following steps. Complete all of the following steps. For more information, see [Steps to Opt out of Platform SSO on macOS](/entra/identity/devices/troubleshoot-mac-sso-extension-plugin#steps-to-opt-out-of-platform-sso-on-macos).
+
+1. Unassign the Platform SSO policy that has the **Enable Registration During Setup** setting enabled. [Sync](../../device-management/actions/sync.md) the device to ensure the policy is removed.
+2. Update the Platform SSO policy and set the **Enable Registration During Setup** setting to disabled. [Sync](../../device-management/actions/sync.md) the device to ensure the setting is removed.
+
+ If you use the **Password** authentication method in the Platform SSO policy, set the **Enable Create First User During Setup** to disabled. [Sync](../../device-management/actions/sync.md) the device.
+
+3. [Wipe](../../device-management/actions/wipe.md) the device. Wiping is required as it restarts the enrollment process and applies the updated enrollment profiles.
+
+When complete, follow the steps in this article and make sure all your policies are correctly configured. Ensure you update the Platform SSO policy to set the **Enable Registration During Setup** setting to enabled.
+
+> [!TIP]
+> Platform SSO and its components, including the Microsoft Enterprise SSO Extension plugin, are features of Microsoft Entra. Intune manages the deployment and configuration of these features on enrolled devices. If you need more troubleshooting help, see:
+>
+> - [Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices](/entra/identity/devices/troubleshoot-mac-sso-extension-plugin)
+> - [macOS Platform single sign-on known issues and troubleshooting](/entra/identity/devices/troubleshoot-macos-platform-single-sign-on-extension)
+
+## Related articles
+
+- [Platform SSO configuration guide for macOS devices using Microsoft Intune](configure-platform-sso-macos.md)
+- [Add macOS Line-of-Business (LOB) Apps to Microsoft Intune](../../app-management/deployment/add-lob-macos.md)
+- [Set up automated device enrollment (ADE)](../../device-enrollment/apple/setup-automated-macos.md)
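Review bot: the table row for **Enable Create First User During Setup** in Step 1 is split across two physical lines (the cell text beginning `Remember, only configure this setting if you're using the **Password** authentication method.` appears on its own line, without the `+` prefix in the patch as shown), which terminates the markdown table early and leaves the closing `|` orphaned; keep the description cell on one line, and since that sentence repeats the paragraph directly above the table almost word for word, it can simply be dropped from the cell. Three smaller points in the same file: the lead-in `**If you're using the **Password** authentication method**, also add and configure the following setting.` nests bold inside bold, which renders the inner asterisks literally, so write `If you're using the **Password** authentication method, also add and configure the following setting.`; in the "Remove Platform SSO and reenroll" section, step 1 unassigns the Platform SSO policy and step 2 then edits the same policy and syncs "to ensure the setting is removed", but a policy that is no longer assigned does not reach the device, so state which of the two actions is intended (or the order in which to do them and why both are needed); and the prerequisites cell `> - Devices enrolled using Apple Business` reads as cut off, so spell out the enrollment method in full (Apple Business Manager, and Apple School Manager if it applies).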
diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
index f226b6f551..ce1dabad57 100644
--- a/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
+++ b/intune/device-configuration/settings-catalog/configure-platform-sso-macos.md
@@ -1,16 +1,16 @@
---
title: Configure Platform SSO for macOS devices
description: Use Microsoft Intune to configure Platform SSO and deploy the configuration to your macOS devices. Platform SSO enables single sign-on (SSO) using Microsoft Entra ID with the Secure Enclave, smart card, or password authentication methods. You create a settings catalog policy to configure the settings. This article is a step-by-step guide to configure Platform SSO for macOS devices using Intune.
-ms.date: 03/26/2026
+ms.date: 05/11/2026
ms.topic: how-to
appliesto:
-- ✅ macOS
+- :::image type="icon" source="../../media/icons/16/check.svg" border="false"::: macOS
ms.reviewer: arnab, veenasoman
ms.collection:
- M365-identity-device-management
---
-# Platform SSO configuration guide for macOS devices using Microsoft Intune
+# Configure Platform SSO for macOS devices in Microsoft Intune
You can configure Platform SSO to enable single sign-on (SSO) for your macOS devices using passwordless authentication, Microsoft Entra ID user accounts, or smart cards. Platform SSO is a Microsoft Entra feature that enhances the [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin) and the [SSO app extension](../templates/configure-enterprise-sso-plugin-macos.md).
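Review bot: renaming the H1 from "Platform SSO configuration guide for macOS devices using Microsoft Intune" to "Configure Platform SSO for macOS devices in Microsoft Intune" leaves stale link text in the new file added in this same patch (configure-platform-sso-during-enrollment.md links to `configure-platform-sso-macos.md` under the old title at least four times, including in Related articles), so update that link text to match. The `appliesto` change from `- ✅ macOS` to the `:::image type="icon" source="../../media/icons/16/check.svg" ...:::` include is also inconsistent with the new file, whose front matter still uses `- ✅ macOS`; pick one convention for both files.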
@@ -18,11 +18,11 @@ This feature applies to:
- macOS
-Platform SSO can sign users into their managed Mac devices using their Microsoft Entra ID credentials and Touch ID. You can use Intune to configure Platform SSO and deploy the Platform SSO configuration to your macOS devices.
+Platform SSO signs users into their managed Mac devices by using their Microsoft Entra ID credentials and Touch ID. Use Intune to configure Platform SSO and deploy the Platform SSO configuration to your macOS devices.
The [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin) in Microsoft Entra ID includes two SSO features - **Platform SSO** and the **SSO app extension**. This article focuses on configuring [Platform SSO with Microsoft Entra ID](/entra/identity/devices/macos-psso).
-This article shows you how to configure Platform SSO for macOS devices in Intune. For some common Platform SSO scenarios you can also configure, go to [Common Platform SSO scenarios for macOS devices](./configure-platform-sso-scenarios-macos.md).
+This article shows you how to configure Platform SSO for macOS devices in Intune. For some common Platform SSO scenarios you can also configure, see [Common Platform SSO scenarios for macOS devices](./configure-platform-sso-scenarios-macos.md).
## Benefits
@@ -36,11 +36,11 @@ Some benefits of Platform SSO include:
- You get the benefits of Microsoft Entra join, which allows any organization user to sign into the device.
- It's included with all [Microsoft Intune licensing plans](../../fundamentals/licensing/index.md).
-## How it works
+## How Platform SSO works
When Mac devices join a Microsoft Entra ID tenant, the devices get a workplace join (WPJ) certificate. This WPJ certificate is hardware-bound and is only accessible by the [Microsoft Enterprise SSO plug-in](/entra/identity-platform/apple-sso-plugin). To access resources protected using Conditional Access, apps and web browsers need this WPJ certificate.
-With Platform SSO configured, the SSO app extension acts as the broker for Microsoft Entra ID authentication and Conditional Access.
+When you configure Platform SSO, the SSO app extension acts as the broker for Microsoft Entra ID authentication and Conditional Access.
You configure Platform SSO using the Intune [settings catalog](../../device-configuration/settings-catalog/index.md). When the settings catalog policy is ready, you assign the policy. Microsoft recommends you assign the policy when the user enrolls the device in Intune. But, it can be assigned at any time, including on existing devices.
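Review bot: changing the heading from `## How it works` to `## How Platform SSO works` changes its generated anchor from `#how-it-works` to `#how-platform-sso-works`, so any in-repo or external link to the old anchor will silently land at the top of the page; grep for `#how-it-works` against this file and update or add a redirect before merging.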
@@ -48,7 +48,7 @@ You configure Platform SSO using the Intune [settings catalog](../../device-conf
- Devices must be running macOS 13.0 and newer.
-- Microsoft Intune [Company Portal app](../../app-management/deployment/add-company-portal-macos.md) version **5.2404.0** and newer is required on the devices. This version includes Platform SSO.
+- Devices require Microsoft Intune [Company Portal app](../../app-management/deployment/add-company-portal-macos.md) version **5.2404.0** or newer. This version includes Platform SSO.
- The following web browsers support Platform SSO:
@@ -58,32 +58,32 @@ You configure Platform SSO using the Intune [settings catalog](../../device-conf
Using an [Intune preference file (.plist) policy](../templates/configure-preference-file-macos.md), you can force this extension to install. In your `.plist` file, you need some of the information at [Chrome Enterprise policy - ExtensionInstallForcelist](https://chromeenterprise.google/policies/?policy=ExtensionInstallForcelist) (opens Google's web site).
> [!WARNING]
- > There are sample `.plist` files at [ManagedPreferencesApplications examples on GitHub](https://github.com/ProfileCreator/ProfileManifests/tree/master/Manifests/ManagedPreferencesApplications). This GitHub repository is not owned, not maintained, and not created by Microsoft. Use the information at your own risk.
+ > There are sample `.plist` files at [ManagedPreferencesApplications examples on GitHub](https://github.com/ProfileCreator/ProfileManifests/tree/master/Manifests/ManagedPreferencesApplications). Microsoft doesn't own, maintain, or create this GitHub repository. Use the information at your own risk.
- Safari
- Firefox - Configure the [MicrosoftEntraSSO policy](https://mozilla.github.io/policy-templates/#microsoftentrasso) (opens Mozilla's web site).
- You can use Intune to add web browser apps, including [package (`.pkg`)](../../app-management/deployment/add-lob-macos.md) and [disk image (`.dmg`)](../../app-management/deployment/add-dmg-macos.md) files, and deploy the app to your macOS devices. To get started, go to [Add apps to Microsoft Intune](../../app-management/deployment/index.md).
+ Use Intune to add web browser apps, including [package (`.pkg`)](../../app-management/deployment/add-lob-macos.md) and [disk image (`.dmg`)](../../app-management/deployment/add-dmg-macos.md) files, and deploy the app to your macOS devices. To get started, go to [Add apps to Microsoft Intune](../../app-management/deployment/index.md).
- Platform SSO uses the Intune settings catalog to configure the required settings. To create the settings catalog policy, at a minimum, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an account that has the following Intune permissions:
- Device Configuration **Read**, **Create**, **Update**, and **Assign** permissions
- There are some built-in roles that have these permissions, including the **Policy and Profile Manager** Intune role. For more information on RBAC roles in Intune, go to [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md).
+ Some built-in roles have these permissions, including the **Policy and Profile Manager** Intune role. For more information about RBAC roles in Intune, see [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md).
-- In [Step 2 - Create the Platform SSO policy](#step-2---create-the-platform-sso-policy-in-intune) (this article), you create a settings catalog policy that configures the required settings for Platform SSO. There are other common scenarios and settings you can configure in this policy. For more information, go to [Common Platform SSO scenarios for macOS devices](./configure-platform-sso-scenarios-macos.md).
+- In [Step 2 - Create the Platform SSO policy](#step-2---create-the-platform-sso-policy-in-intune) (this article), you create a settings catalog policy that configures the required settings for Platform SSO. You can configure other common scenarios and settings in this policy. For more information, see [Common Platform SSO scenarios for macOS devices](./configure-platform-sso-scenarios-macos.md).
- We recommend you review the [scenarios](./configure-platform-sso-scenarios-macos.md) **before** you create the settings catalog policy. This way, you can configure the settings you need/want when you initially create the policy. If you don't configure the optional scenario settings initially, you can always edit the policy later. Only one SSO policy can be assigned to your groups. So, add these scenario settings to your existing Platform SSO settings catalog policy.
+ Review the [scenarios](./configure-platform-sso-scenarios-macos.md) **before** you create the settings catalog policy. This way, you can configure the settings you need when you initially create the policy. If you don't configure the optional scenario settings initially, you can always edit the policy later. You can assign only one SSO policy to your groups. So, add these scenario settings to your existing Platform SSO settings catalog policy.
-- Devices with an existing Platform SSO policy reregister in Microsoft Entra when the the **Platform SSO > Authentication Method** or **Platform SSO > Use Shared Device Keys** settings are changed in the policy. For the other settings you add or change, if the Platform SSO policy is unassigned and reassigned, the device reregisters.
+- Devices with an existing Platform SSO policy reregister in Microsoft Entra when you change the **Platform SSO > Authentication Method** or **Platform SSO > Use Shared Device Keys** settings in the policy. For the other settings you add or change, if you unassign and reassign the Platform SSO policy, the device reregisters.
-- In [Step 5 - Register the device](#step-5---register-the-device) (this article), users register their devices. These users must be allowed to join devices to Microsoft Entra ID. For more information, go to [Configure your device settings](/entra/identity/devices/device-join-plan#configure-your-device-settings).
+- In [Step 5 - Register the device](#step-5---register-the-device) (this article), users register their devices. These users must be allowed to join devices to Microsoft Entra ID. For more information, see [Configure your device settings](/entra/identity/devices/device-join-plan#configure-your-device-settings).
## Step 1 - Decide the authentication method
When you create the platform SSO policy in Intune, you need to decide the authentication method you want to use.
-The Platform SSO policy and the authentication method you use changes how users sign in to the devices.
+The Platform SSO policy and the authentication method you choose change how users sign in to the devices.
- When you configure Platform SSO, users sign in to their macOS devices with the authentication method you configure.
- When you don't use Platform SSO, users sign in to their macOS devices with a local account. Then, they sign into apps and websites with their Microsoft Entra ID.
@@ -95,20 +95,20 @@ In this step, use the information to learn the differences with the authenticati
| Feature | Secure Enclave | Smart Card | Password |
|---|---|---|---|
-|**Passwordless (phishing resistant)**|✅|✅|❌|
-|**TouchID supported for unlock**|✅|✅|✅|
-|**Can be used as passkey**|✅|❌|❌|
-|**MFA mandatory for setup** Multifactor authentication (MFA) is always recommended|✅|✅|❌|
-|**Local Mac password synced with Entra ID**|❌|❌|✅|
-|**Supported on macOS 13.x +**|✅|❌|✅|
-|**Supported on macOS 14.x +**|✅|✅|✅|
-|**Optionally, allow new users to log in with Entra ID credentials (macOS 14.x +)**|✅|✅|✅|
+|**Passwordless (phishing resistant)**|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|
+|**TouchID supported for unlock**|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|
+|**Can be used as passkey**|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|
+|**MFA mandatory for setup** Multifactor authentication (MFA) is always recommended|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|
+|**Local Mac password synced with Entra ID**|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|
+|**Supported on macOS 13.x +**|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/error.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|
+|**Supported on macOS 14.x +**|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|
+|**Optionally, allow new users to log in with Entra ID credentials (macOS 14.x +)**|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|:::image type="icon" source="../../media/icons/16/check.svg" border="false":::|
-### Option 1 - Secure Enclave (recommended)
+# [Secure Enclave (recommended)](#tab/secure-enclave)
When you configure Platform SSO with the **Secure Enclave** authentication method, the SSO plug-in uses hardware-bound cryptographic keys. It doesn't use the Microsoft Entra credentials to authenticate the user to apps and websites.
-For more information on Secure Enclave, go to [Secure Enclave](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave) (opens Apple's web site).
+For more information on Secure Enclave, see [Secure Enclave](https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave) (opens Apple's web site).
Secure Enclave:
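Review bot: converting `### Option 1 - Secure Enclave (recommended)` (and the Smart Card and Password headings in the following hunks) into tab headers of the form `# [Secure Enclave (recommended)](#tab/secure-enclave)` removes the old heading anchors (`#option-1---secure-enclave-recommended` and so on), so check for links that target them; the tab group is correctly closed by the `---` added before Step 2, but note that the `#### Configure keyvault recovery (optional)` heading now lives inside the Password tab and is no longer visible in the page table of contents. In the comparison table, replacing ✅ and ❌ with `check.svg` and `error.svg` icon includes leaves the cells with no text equivalent, so a screen reader or a text-only render gives no indication of which features are supported; either add a text value alongside the icon (for example "Yes" / "No") or add a legend sentence above the table explaining the two icons.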
@@ -120,7 +120,7 @@ Secure Enclave:
- Its setup can be bootstrapped with an authentication app for MFA authentication or Microsoft [Temporary Access Pass (TAP)](/entra/identity/authentication/howto-authentication-temporary-access-pass).
- Enables the creation and usage of Microsoft Entra ID passkeys.
-### Option 2 - Smart Card
+# [Smart Card](#tab/smart-card)
When you configure Platform SSO with the **Smart card** authentication method, users can use the smart card certificate and the associated PIN to sign in to the device and authenticate to apps and websites.
@@ -129,9 +129,9 @@ This option:
- Is considered password-less.
- Leaves the local account username and password as-is. These values aren't changed.
-For more information, go to [Microsoft Entra certificate-based authentication on iOS and macOS](/entra/identity/authentication/concept-certificate-based-authentication-mobile-ios).
+For more information, see [Microsoft Entra certificate-based authentication on iOS and macOS](/entra/identity/authentication/concept-certificate-based-authentication-mobile-ios).
-### Option 3 - Password
+# [Password](#tab/password)
When you configure Platform SSO with the **Password** authentication method, users sign in to the device with their Microsoft Entra ID user account instead of their local account password.
@@ -139,11 +139,11 @@ This option enables SSO across apps that use Microsoft Entra ID for authenticati
With the **Password** authentication method:
-- The Microsoft Entra ID password replaces the local account password, and the two passwords are kept in sync.
+- The Microsoft Entra ID password replaces the local account password, and the two passwords stay in sync.
The local account machine password isn't completely removed from the device. This behavior is by design due to Apple's FileVault disk encryption, which uses the local password as the unlock key.
-- The local account username isn't changed and stays as-is.
+- The local account username doesn't change and stays as-is.
- End users can use Touch ID to sign in to the device.
- There are fewer passwords for users and admins to remember and manage.
- Users must enter their Microsoft Entra ID password after a device reboots. After this initial machine unlock, Touch ID can unlock the device.
@@ -154,13 +154,15 @@ With the **Password** authentication method:
>
> Make sure your Intune password policy and/or compliance policy matches your Microsoft Entra password policy. If the policies don't match, then the password might not sync and end users are denied access.
-#### Configure keyvault recovery (optional)
+#### Configure KeyVault recovery (optional)
-When using password sync authentication, you can enable keyvault recovery to ensure that data can be recovered if a user forgets their password. IT Admins should review Apple's documentation and evaluate whether using Institutional FileVault Recovery Keys is a good option for them.
+When you use password sync authentication, you can enable keyvault recovery to ensure that data can be recovered if a user forgets their password. IT admins should review Apple's documentation and evaluate whether using Institutional FileVault Recovery Keys is a good option for them.
- [Manage FileVault with mobile device management](https://support.apple.com/en-ie/guide/deployment/dep0a2cb7686/web)
- [FileVault MDM payload settings for Apple devices](https://support.apple.com/en-ie/guide/deployment/dep32bf53500/1/web/1.0)
+---
+
## Step 2 - Create the Platform SSO policy in Intune
To configure the Platform SSO policy, use the steps in this section to create an [Intune settings catalog](../../device-configuration/settings-catalog/index.md) policy. The Microsoft Enterprise SSO plug-in requires the settings listed.
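Review bot: The heading at L361 is changed to "KeyVault" while the body sentence at L363 still says "keyvault recovery", so the two spellings diverge inside one hunk; pick one. More importantly, "KeyVault" reads as the Azure Key Vault product name, but the paragraph and both links (L364, L365) are about FileVault recovery keys; confirm the intended term before capitalizing it into a product name. The `---` added at L366 correctly closes the tab group after this optional subsection, which belongs inside the Password tab because L363 scopes it to password sync authentication; the blank line at L367 after the `---` is needed for the group to close cleanly.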
@@ -181,7 +183,7 @@ To configure the Platform SSO policy, use the steps in this section to create an
6. Select **Next**.
7. In **Configuration settings**, select **Add settings**. In the settings picker, expand **Authentication**, and select **Extensible Single Sign On (SSO)**:
- :::image type="content" source="./media/configure-platform-sso-macos/settings-picker-authentication-extensible-sso.png" alt-text="Screenshot that shows the Settings Catalog settings picker, and selecting authentication and extensible SSO category in Microsoft Intune.":::
+ :::image type="content" source="./media/configure-platform-sso-macos/settings-picker-authentication-extensible-sso.png" alt-text="Screenshot of the settings catalog picker showing authentication and extensible SSO category selection in Microsoft Intune.":::
In the list, select the following settings:
@@ -223,11 +225,11 @@ To configure the Platform SSO policy, use the steps in this section to create an
| **URLs** | Copy and paste all the following URLs:
`https://login.microsoftonline.com`
`https://login.microsoft.com`
`https://sts.windows.net`
If your environment needs to allow sovereign cloud domains, like Azure Government or Azure China 21Vianet, then also add the following URLs:
`https://login.partner.microsoftonline.cn`
`https://login.chinacloudapi.cn`
`https://login.microsoftonline.us`
`https://login-us.microsoftonline.com` | These URL prefixes are the identity providers that do SSO app extensions. The URLs are required for **redirect** payloads and are ignored for **credential** payloads.
For more information on these URLs, go to [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin). |
> [!IMPORTANT]
- > If you have a mix of macOS 13 and macOS 14+ devices in your environment, then configure the **Platform SSO** > **Authentication Method** and the **Authentication Method (Deprecated)** authentication settings in the same profile.
+ > If your environment includes a mix of macOS 13 and macOS 14+ devices, configure the **Platform SSO** > **Authentication Method** and the **Authentication Method (Deprecated)** authentication settings in the same profile.
When the profile is ready, it looks similar to the following example:
- :::image type="content" source="./media/configure-platform-sso-macos/intune-psso-device-profile.png" alt-text="Screenshot that shows the recommended Platform SSO settings in an Intune MDM profile.":::
+ :::image type="content" source="./media/configure-platform-sso-macos/intune-psso-device-profile.png" alt-text="Screenshot of the recommended Platform SSO settings in an Intune MDM profile.":::
10. Select **Next**.
11. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, go to [Use RBAC roles and scope tags for distributed IT](../../fundamentals/role-based-access-control/scope-tags.md).
@@ -242,7 +244,7 @@ To configure the Platform SSO policy, use the steps in this section to create an
> - If the Platform SSO settings are applied incorrectly, or,
> - If the Company Portal app bypasses Microsoft Entra device registration when Platform SSO isn't enabled
- For more information on assigning profiles, go to [Assign user and device profiles](../assign-device-profile.md).
+ For more information on assigning profiles, see [Assign user and device profiles](../assign-device-profile.md).
Select **Next**.
@@ -250,10 +252,10 @@ To configure the Platform SSO policy, use the steps in this section to create an
The next time the device checks for configuration updates, the settings you configured are applied.
-### Learn more
+### Learn more about the SSO plug-in
-- To learn more about the plug-in, go to [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin).
-- For details about the payload settings for the Extensible Single Sign-on extension, go to [Extensible Single Sign-on MDM payload settings for Apple devices](https://support.apple.com/guide/deployment/depfd9cdf845/web) (opens Apple's web site).
+- To learn more about the plug-in, see [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin).
+- For details about the payload settings for the Extensible Single Sign-on extension, see [Extensible Single Sign-on MDM payload settings for Apple devices](https://support.apple.com/guide/deployment/depfd9cdf845/web) (opens Apple's web site).
## Step 3 - Deploy the Company Portal app for macOS
@@ -262,11 +264,11 @@ The Company Portal app for macOS deploys and installs the Microsoft Enterprise S
Using Intune, you can add the Company Portal app and deploy it as a required app to your macOS devices:
- [Add the Company Portal app for macOS](../../app-management/deployment/add-company-portal-macos.md) lists the steps.
-- Configure the Company Portal app to include your organization information (optional). For the steps, go to [How to configure the Intune Company Portal apps, Company Portal website, and Intune app](../../app-management/configuration/configure-company-portal.md).
+- Configure the Company Portal app to include your organization information (optional). For the steps, see [How to configure the Intune Company Portal apps, Company Portal website, and Intune app](../../app-management/configuration/configure-company-portal.md).
There aren't any specific steps to configure the app for Platform SSO. Just make sure the latest Company Portal app is added to Intune and deployed to your macOS devices.
-If you have an older version of the Company Portal app installed, then Platform SSO fails.
+If you have an older version of the Company Portal app installed, Platform SSO fails.
## Step 4 - Enroll the devices and apply the policies
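Review bot: L417 keeps the statement that an older Company Portal makes Platform SSO fail, but neither it nor L415 gives a minimum version, so an admin cannot verify compliance from this text; stating the minimum supported version here, or linking to where it is published, turns the warning into a check. For reference, the in-development entry removed later in this PR names Company Portal 5.2604.0 as the floor for the ADE registration flow.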
@@ -279,15 +281,15 @@ To use Platform SSO, the devices must be MDM enrolled in Intune using one of the
- For **personally-owned devices**, create a [Device enrollment](../../device-enrollment/apple/guide-macos.md#byod-device-enrollment) policy. With this enrollment method, end users open the Company Portal app and sign in with their Microsoft Entra ID. When they successfully sign in, the enrollment policy applies.
-For **new devices**, we recommend you precreate and configure all the necessary policies, including the enrollment policy. Then, when the devices enroll in Intune, the policies automatically apply.
+For **new devices**, precreate and configure all the necessary policies, including the enrollment policy. Then, when the devices enroll in Intune, the policies automatically apply.
-For **existing devices** already enrolled in Intune, assign the Platform SSO policy to your users or user groups. The next time the devices sync or check-in with the Intune service, they receive the Platform SSO policy settings you create.
+For **existing devices** already enrolled in Intune, assign the Platform SSO policy to your users or user groups. The next time the devices sync or check in with the Intune service, they receive the Platform SSO policy settings you create.
## Step 5 - Register the device
-When the device receives the policy, there's a **Registration required** notification that shows in the Notification Center.
+When the device receives the policy, a **Registration required** notification appears in the Notification Center.
-:::image type="content" border="false" source="./media/configure-platform-sso-macos/platform-sso-macos-registration-required.png" alt-text="Screenshot that shows the registration required prompt on end user devices when you configure Platform SSO in Microsoft Intune.":::
+:::image type="content" border="false" source="./media/configure-platform-sso-macos/platform-sso-macos-registration-required.png" alt-text="Screenshot of the registration required prompt on end user devices when you configure Platform SSO in Microsoft Intune.":::
- End users select this notification, sign in to the Microsoft Entra ID plug-in with their organization account, and complete multifactor authentication (MFA), if required.
@@ -305,7 +307,7 @@ The following articles show the user experience, depending on the enrollment met
When Platform SSO registration completes, you can confirm that Platform SSO is configured. For the steps, go to [Microsoft Entra ID - Check your device registration status](/entra/identity/devices/device-join-macos-platform-single-sign-on#check-your-device-registration-status).
-On Intune enrolled devices, you can also go to **Settings** > **Privacy and security** > **Profiles**. Your Platform SSO profile is shown under `com.apple.extensiblesso Profile`. Select the profile to see the settings you configured, including the URLs.
+On Intune enrolled devices, you can also go to **Settings** > **Privacy and security** > **Profiles**. Your Platform SSO profile appears under `com.apple.extensiblesso Profile`. Select the profile to see the settings you configured, including the URLs.
To troubleshoot Platform SSO, go to [macOS Platform single sign-on known issues and troubleshooting](/entra/identity/devices/troubleshoot-macos-platform-single-sign-on-extension).
@@ -315,19 +317,19 @@ After you confirm that your settings catalog policy is working, unassign any exi
If you keep both policies, conflicts can occur.
-## Other MDMs
+## Configure Platform SSO with other MDMs
You can configure Platform SSO with other mobile device management services (MDMs), if that MDM supports Platform SSO. When using another MDM service, use the following guidance:
-- The settings listed in this article are the Microsoft-recommended settings you should configure. You can copy/paste the setting values from this article in your MDM service policy.
+- The settings listed in this article are the Microsoft-recommended settings you should configure. You can copy and paste the setting values from this article in your MDM service policy.
- The configuration steps in your MDM service can be different. We recommend you work with your MDM service vendor to correctly configure and deploy these Platform SSO settings.
+ The configuration steps in your MDM service can be different. Work with your MDM service vendor to correctly configure and deploy these Platform SSO settings.
- Device registration with Platform SSO is more secure and uses hardware-bound device certificates. These changes can affect some MDM flows, like integration with [device compliance partners](../../device-security/compliance/third-party-partners.md).
- You should talk to your MDM service vendor to understand if the MDM tested Platform SSO, certified that their software works properly with Platform SSO, and is ready to support customers using Platform SSO.
+ Talk to your MDM service vendor to understand if the MDM tested Platform SSO, certified that their software works properly with Platform SSO, and is ready to support customers using Platform SSO.
-## Common errors
+## Common Platform SSO errors
When you configure Platform SSO, you might see the following errors:
@@ -335,18 +337,18 @@ When you configure Platform SSO, you might see the following errors:
This error can occur if:
- - There's a required setting that isn't configured in the settings catalog profile.
- - There's a setting in the settings catalog profile that you configured that's not applicable for the [redirect type payload](../enterprise-sso-plugin.md#sso-app-extension).
+ - You didn't configure a required setting in the settings catalog profile.
+ - You configured a setting in the settings catalog profile that isn't applicable for the [redirect type payload](../enterprise-sso-plugin.md#sso-app-extension).
The authentication settings you configure in the settings catalog profile are different for macOS 13.x and 14.x devices.
- If you have macOS 13 and macOS 14 devices in your environment, then you must create one settings catalog policy, and configure their respective authentication settings in the same policy. This information is documented in [Step 2 - Create the Platform SSO policy in Intune](#step-2---create-the-platform-sso-policy-in-intune) (in this article).
+ If you have macOS 13 and macOS 14 devices in your environment, you must create one settings catalog policy, and configure their respective authentication settings in the same policy. This information is documented in [Step 2 - Create the Platform SSO policy in Intune](#step-2---create-the-platform-sso-policy-in-intune) (in this article).
- `10002: multiple SSOe payloads configured.`
Multiple SSO extension payloads are applying to the device and are in conflict. There should only be one extension profile on the device, and that profile should be the settings catalog profile.
- If you previously created an SSO app extension profile using the Device Features template, then unassign that profile. The settings catalog profile is the only profile that should be assigned to the device.
+ If you previously created an SSO app extension profile by using the Device Features template, unassign that profile. The settings catalog profile is the only profile that should be assigned to the device.
## Related articles
diff --git a/intune/device-configuration/settings-catalog/configure-platform-sso-scenarios-macos.md b/intune/device-configuration/settings-catalog/configure-platform-sso-scenarios-macos.md
index f9bef6207c..efe5449c16 100644
--- a/intune/device-configuration/settings-catalog/configure-platform-sso-scenarios-macos.md
+++ b/intune/device-configuration/settings-catalog/configure-platform-sso-scenarios-macos.md
@@ -1,7 +1,9 @@
---
title: Platform SSO scenarios for macOS devices
description: Use Microsoft Intune to configure common Platform SSO scenarios for macOS devices. You can enable Kerberos SSO to on-premises Active Directory and cloud-based Microsoft Entra ID, use Touch ID biometric policy with Secure Enclave authentication, and enable SSO on non-Microsoft apps. You can also configure end user experience settings.
-ms.date: 08/26/2025
+ms.date: 05/11/2026
+author: MandiOhlinger
+ms.author: mandia
ms.topic: how-to
appliesto:
- ✅ macOS
@@ -10,11 +12,11 @@ ms.collection:
- M365-identity-device-management
---
-# Common Platform SSO scenarios for macOS devices
+# Common Platform SSO scenarios for macOS devices in Microsoft Intune
-On macOS devices, you can configure [Platform SSO](./configure-platform-sso-macos.md) to enable single sign-on (SSO) with your Microsoft Entra accounts. Platform SSO allows users to access resources on their macOS devices without needing to enter their credentials repeatedly.
+On macOS devices, you can configure [Platform SSO](./configure-platform-sso-macos.md) to enable single sign-on (SSO) with your Microsoft Entra accounts. Platform SSO users can access resources on their macOS devices without needing to enter their credentials repeatedly.
-When Platform SSO is configured, you can use the scenarios described in this article to use Kerberos SSO authentication to on-premises resources, enhance security with biometrics, enable SSO on non-Microsoft apps, and improve the user experience.
+When you configure Platform SSO, use the scenarios described in this article to use Kerberos SSO authentication to on-premises resources, enhance security with biometrics, enable SSO on non-Microsoft apps, and improve the user experience.
This feature applies to:
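Review bot: L486 drops "allows" and leaves "Platform SSO users can access resources", which reads as though "Platform SSO users" were a category of user rather than a consequence of the feature; "With Platform SSO, users can access resources on their macOS devices without needing to enter their credentials repeatedly." keeps the original meaning. The L488 rewrite also stacks "use the scenarios ... to use Kerberos SSO authentication"; something like "the scenarios described in this article enable Kerberos SSO authentication to on-premises resources, ..." avoids the repeated verb.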
@@ -22,15 +24,15 @@ This feature applies to:
## Before you begin
-- You must [configure Platform SSO for macOS devices in Microsoft Intune](./configure-platform-sso-macos.md) before you configure the scenarios in this article. When it's configured, you have an existing Platform SSO settings catalog policy that you use to add the scenarios described in this article.
+- You must [configure Platform SSO for macOS devices in Microsoft Intune](./configure-platform-sso-macos.md) before you configure the scenarios in this article. When you configure it, you create a Platform SSO settings catalog policy that you use to add the scenarios described in this article.
-- Only one SSO policy can be assigned to your groups. So if you already configured Platform SSO, then add these scenario settings to your existing Platform SSO settings catalog policy.
+- You can assign only one SSO policy to your groups. So if you already configured Platform SSO, add these scenario settings to your existing Platform SSO settings catalog policy.
-- To update you existing settings catalog policy, at a minimum, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an account that has the following Intune permissions:
+- To update your existing settings catalog policy, at a minimum, sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with an account that has the following Intune permissions:
- Device Configuration **Read**, **Create**, **Update**, and **Assign** permissions
- There are some built-in roles that have these permissions, including the built-in **Policy and Profile Manager** Intune role. For more information on RBAC roles in Intune, go to [Role-based access control (RBAC) with Microsoft Intune](../../fundamentals/role-based-access-control/overview.md).
+ Some built-in roles have these permissions, including the built-in **Policy and Profile Manager** Intune role. For more information on RBAC roles in Intune, see [Role-based access control (RBAC) with Microsoft Intune](../../intune-service/fundamentals/role-based-access-control.md).
## Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID
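Review bot: L500 changes the RBAC link target from `../../fundamentals/role-based-access-control/overview.md` to `../../intune-service/fundamentals/role-based-access-control.md`, which from `intune/device-configuration/settings-catalog/` resolves into an `intune/intune-service/` tree, a different location from the one the sibling article still uses at L394 (`../../fundamentals/role-based-access-control/scope-tags.md`). Confirm the new relative path exists in this repo, since a wrong path fails the docs build; if it is an intentional migration, the L394 link should move in the same PR so the two Platform SSO articles do not point at different RBAC pages.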
@@ -40,7 +42,7 @@ Applies to:
Microsoft Entra issues on-premises and cloud-based Kerberos Ticket Granting Tickets (TGTs). Using Platform SSO, you can configure these TGTs to access on-premises Active Directory and Microsoft Entra ID using [Apple's Kerberos SSO extension](https://support.apple.com/guide/deployment/depe6a1cda64/web) (opens Apple's website).
-If you want your users to have SSO access to on-premises and cloud resources that use Kerberos authentication, then this scenario is for you. To learn more about Kerberos SSO in Microsoft Entra, see [Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO](/entra/identity/devices/device-join-macos-platform-single-sign-on-kerberos-configuration).
+If you want your users to have SSO access to on-premises and cloud resources that use Kerberos authentication, this scenario is for you. To learn more about Kerberos SSO in Microsoft Entra, see [Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO](/entra/identity/devices/device-join-macos-platform-single-sign-on-kerberos-configuration).
In your existing Platform SSO settings catalog policy, add the **Extension Data** setting. The **Extension Data** setting is a similar concept to an open text field; you can configure any values you need.
@@ -65,9 +67,9 @@ In your existing Platform SSO settings catalog policy, add the **Extension Data*
| | | `2` | **Cloud TGT Only** – Maps only the cloud-based TGT. |
| | | `3` | **No TGTs** – Disables TGT mapping entirely. |
-3. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, then these groups receive the policy changes the next time they [sync with the Intune service](../troubleshoot-device-profiles.md#policy-refresh-intervals).
+1. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, these groups receive the policy changes the next time they [sync with the Intune service](../troubleshoot-device-profiles.md#policy-refresh-intervals).
-## Touch ID biometric policy with Secure Enclave authentication
+## Configure Touch ID biometric policy with Secure Enclave authentication
On devices that support Touch ID biometric authentication, you can use the Secure Enclave authentication option, as described in [Configure Platform SSO for macOS devices in Microsoft Intune](./configure-platform-sso-macos.md).
@@ -93,9 +95,9 @@ Add the **Extension Data** setting to your existing Platform SSO settings catalo
| --- | --- | --- | --- |
| **enable_se_key_biometric_policy** | Boolean | True | Copy and paste this value. |
-3. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, then these groups receive the policy changes the next time they [sync with the Intune service](../troubleshoot-device-profiles.md#policy-refresh-intervals).
+1. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, these groups receive the policy changes the next time they [sync with the Intune service](../troubleshoot-device-profiles.md#policy-refresh-intervals).
-## Non-Microsoft apps and Microsoft Enterprise SSO Extension settings
+## Enable SSO for non-Microsoft apps with Microsoft Enterprise SSO Extension
If you previously used the Microsoft Enterprise SSO Extension, and/or want to enable SSO on non-Microsoft apps, then add the **Extension Data** setting to your existing Platform SSO settings catalog policy.
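Review bot: Renaming the H2 at L521 (and the Touch ID H2 at L513 in the previous hunk) changes its auto-generated anchor, so existing deep links of the form `#non-microsoft-apps-and-microsoft-enterprise-sso-extension-settings` or `#touch-id-biometric-policy-with-secure-enclave-authentication` will silently land at the top of the page; search for inbound fragment links before merging. The `3.` to `1.` renumbering at L519 follows the all-ones ordered-list convention and renders as item 3 as long as the preceding items also use `1.`.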
@@ -132,7 +134,13 @@ The following settings are commonly recommended for configuring SSO settings, in
:::image type="content" source="./media/configure-platform-sso-scenarios-macos/extension-data-appprefixallowlist.png" alt-text="Screenshot that shows how to configure Extension Data settings, such as AppPrefixAllowList." lightbox="./media/configure-platform-sso-scenarios-macos/extension-data-appprefixallowlist.png":::
-3. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, then these groups receive the policy changes the next time they [sync with the Intune service](../troubleshoot-device-profiles.md#policy-refresh-intervals).
+1. Select **Next** to save your changes, and complete the policy. If the policy is already assigned to users or groups, these groups receive the policy changes the next time they [sync with the Intune service](../troubleshoot-device-profiles.md#policy-refresh-intervals).
+
+## Apply Platform SSO policy during Automated Device Enrollment with Setup Assistant
+
+When you enroll macOS devices using Automated Device Enrollment (ADE), you can apply the Platform SSO policy during the Setup Assistant experience. When users arrive at the desktop, they have a more integrated sign-in experience on the device and can access Microsoft Entra ID resources immediately.
+
+For more information, see [Configure Platform Single Sign-On (PSSO) during Automated Device Enrollment for macOS devices](configure-platform-sso-during-enrollment.md).
## End user experience settings
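Review bot: The link at L532 uses a bare relative path `configure-platform-sso-during-enrollment.md`, while the rest of this file writes same-folder links with a `./` prefix (L485, L514); use `./configure-platform-sso-during-enrollment.md` for consistency. The new section at L530 also says the policy "can" be applied during Setup Assistant without naming what that depends on; a one-clause pointer that the linked article covers the required settings-catalog setting and the ADE enrollment profile configuration would set expectations, given that the in-development entry this PR removes listed those prerequisites explicitly.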
diff --git a/intune/device-configuration/settings-catalog/configure-universal-print.md b/intune/device-configuration/settings-catalog/configure-universal-print.md
index 5ee39b29d9..7336ef36b4 100644
--- a/intune/device-configuration/settings-catalog/configure-universal-print.md
+++ b/intune/device-configuration/settings-catalog/configure-universal-print.md
@@ -1,7 +1,7 @@
---
title: "Configure Universal Print Policy Using Settings Catalog"
description: Learn how to configure a Universal Print policy using the settings catalog in Microsoft Intune to automatically install printers on managed Windows devices.
-ms.date: 04/30/2026
+ms.date: 05/13/2026
ms.topic: how-to
ms.reviewer: laarrizz, mayurjadhav
ms.collection:
@@ -151,9 +151,9 @@ For information on the reporting data you can view, see [Intune reports](../../d
### Enable tracing for Universal Print issues
-If the [common issues](#common-issues) (in this article) don't resolve your issue, you can use Fiddler tracing, the Print-Collect script, and `UPPrinterInstaller.exe` to resync the Intune installation of the universal printer. You can review these logs for possible issues. You can also work with the Intune support team to review and analyze these logs.
+If the [common issues](#common-issues) (in this article) don't resolve your issue, you can use TSS (Troubleshooting Script for Support) together with `UPPrinterInstaller.exe` to capture client-side traces for the Intune installation of the universal printer. You can review these logs for possible issues. You can also work with the Intune support team to review and analyze these logs.
-For more information and specific steps, see [Universal Print troubleshooting guide - Use PrintCollect, Fiddler, and UPPrinterInstaller](/universal-print/fundamentals/universal-print-troubleshooting-support-howto#use-printcollect-fiddler-and-upprinterinstaller).
+For more information and specific steps, see [Universal Print troubleshooting guide - Use TSS and UPPrinterInstaller](/universal-print/fundamentals/universal-print-troubleshooting-support-howto#use-tss-and-upprinterinstaller).
## Related articles
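Review bot: The fragment in L552, `#use-tss-and-upprinterinstaller`, is derived from a heading in the target troubleshooting guide; confirm that guide has been retitled in step with this change, otherwise the link silently drops to the top of the page. L550 expands TSS as "Troubleshooting Script for Support" on first use, which is good; since the traces TSS captures are what L550 asks readers to share with the support team, a short reminder to review the collected logs for sensitive data before sending them would fit this paragraph.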
diff --git a/intune/device-configuration/toc.yml b/intune/device-configuration/toc.yml
index 52cf2ee987..680c3c6ce0 100644
--- a/intune/device-configuration/toc.yml
+++ b/intune/device-configuration/toc.yml
@@ -122,6 +122,9 @@ items:
- name: Platform SSO scenarios for macOS
displayName: single sign-on, macos
href: ./settings-catalog/configure-platform-sso-scenarios-macos.md
+ - name: Platform SSO in Automated Device Enrollment for macOS
+ displayName: single sign-on, macos, ade
+ href: ./settings-catalog/configure-platform-sso-during-enrollment.md
- name: Enterprise SSO plug-in for macOS
displayName: single sign-on, macos
href: ./templates/configure-enterprise-sso-plugin-macos.md
diff --git a/intune/device-enrollment/apple/setup-automated-macos.md b/intune/device-enrollment/apple/setup-automated-macos.md
index 80f6c6f8a6..b2035fcad3 100644
--- a/intune/device-enrollment/apple/setup-automated-macos.md
+++ b/intune/device-enrollment/apple/setup-automated-macos.md
@@ -1,7 +1,7 @@
---
title: Set up automated device enrollment (ADE) for macOS
description: Learn how to enroll corporate-owned Macs into Microsoft Intune with Apple Automated Device Enrollment (ADE).
-ms.date: 04/29/2026
+ms.date: 05/13/2026
ms.topic: how-to
ms.reviewer: beflamm
ai-usage: ai-assisted
@@ -24,6 +24,7 @@ This article describes how to create an enrollment policy for macOS automated de
:::column span="1":::
[!INCLUDE [platform](../../includes/requirements/platform.md)]
+
:::column-end:::
:::column span="3":::
@@ -51,6 +52,8 @@ This article describes how to create an enrollment policy for macOS automated de
When enrolling macOS devices using ADE with user affinity and Setup Assistant with modern authentication, users must sign in to the Company Portal app with their Microsoft Entra credentials to complete device registration in Microsoft Entra ID. To add the Company Portal app to macOS devices, see [Add the Company Portal for macOS app](../../app-management/deployment/add-company-portal-macos.md).
+To make Microsoft Entra ID single sign-on (SSO) available during Setup Assistant, create a platform SSO policy before devices enroll. Platform SSO policies are deployed to enrolling macOS devices during automated device enrollment (ADE) and allow users to sign in with their organization credentials during device setup. This configuration enables users to automatically access Microsoft Entra–protected apps and resources after enrollment. For more information, see [Configure platform SSO during automated device enrollment for macOS](../../device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md).
+
## Create an enrollment policy
Create an automated device enrollment policy in the admin center. The policy defines the enrollment experience for your organization's Mac devices, and enforces enrollment policies and settings on enrolling devices. The policy is deployed to assigned devices over-the-air.
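Review bot: L589 writes "platform SSO" in lowercase three times, whereas the rest of this PR (L528, L562) and the linked article title capitalize "Platform SSO"; align the casing. The paragraph also tells readers only to "create a platform SSO policy before devices enroll", while the feature entry removed elsewhere in this PR tied Setup Assistant SSO to a specific settings-catalog setting and to the enrollment profile's Await final configuration option; consider stating that the linked article lists those requirements so readers do not assume any Platform SSO policy alone is enough. Minor: "Microsoft Entra–protected" uses an en dash where the usual compound form is a hyphen.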
diff --git a/intune/fundamentals/aosp-supported-devices.md b/intune/fundamentals/aosp-supported-devices.md
index 58b3971395..7d425fc6de 100644
--- a/intune/fundamentals/aosp-supported-devices.md
+++ b/intune/fundamentals/aosp-supported-devices.md
@@ -3,7 +3,7 @@ title: Android Open Source Project Supported Devices
description: Lists Android open source project devices (AOSP) supported devices
author: MandiOhlinger
ms.author: mandia
-ms.date: 05/12/2025
+ms.date: 05/13/2026
ms.topic: reference
ms.reviewer: Priyar
ms.collection:
@@ -25,6 +25,7 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu
|**OEM** | **Device** | **Minimum Firmware** | **Type of Device** | **Restrictions** |
| ------- | -------------------| ------------------- | -------------- | ------------------ |
| DigiLens Inc.| DigiLens ARGO | DigiOS 2068 (B1.0001.2068) | AR/VR Headset | |
+| HMD | Cupra | 1.220 | Phone | |
| HTC | HTC Vive Focus 3 | 5.2 - 5.0.999.624 | AR/VR Headset | |
| HTC | HTC Vive XR Elite | 4.0 - 1.0.999.350 | AR/VR Headset | |
| HTC | Vive Focus Vision | 7.0.999.159 | AR/VR Headset | |
@@ -41,4 +42,4 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu
| Vuzix | Blade 2 | Vuzix Blade 2 Version 1.2.1 | AR/VR Headset | |
| Vuzix | M400 | M-Series Version 3.0.2 | AR/VR Headset | |
| Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | |
-| Zebra | WS50 | 11-49-15.00 | Wearable scanner | |
\ No newline at end of file
+| Zebra | WS50 | 11-49-15.00 | Wearable scanner | |
diff --git a/intune/whats-new/in-development.md b/intune/whats-new/in-development.md
index b6a2e84de7..967431ceff 100644
--- a/intune/whats-new/in-development.md
+++ b/intune/whats-new/in-development.md
@@ -1,7 +1,7 @@
---
title: In development - Microsoft Intune
description: This article describes Microsoft Intune features that are in development.
-ms.date: 05/04/2026
+ms.date: 05/11/2026
ms.topic: whats-new
ms.reviewer: intuner
ms.collection:
@@ -145,33 +145,6 @@ Other requirements include adding the Intune first-party app as a security group
> - iOS/iPadOS Automated Device Enrollment (ADE)
> - macOS Automated Device Enrollment (ADE)
-### Complete Platform SSO registration during macOS Automated Device Enrollment
-
-On macOS devices enrolled with Automated Device Enrollment (ADE), you can enable and complete Platform SSO device registration:
-
-- In a settings catalog policy, add and configure the `Enable Registration During Setup` setting, save your policy, and assign it to a static group.
-- Configure the Automated Device Enrollment policy to use Setup Assistant with modern authentication and enable await final configuration.
-- During enrollment, users sign in twice:
- - The first sign-in starts the regular enrollment process.
- - The second sign-in authenticates the user identity in Company Portal and gets the SSO extension.
-
- We're working on updates to reduce the number of sign-ins for Platform SSO during Setup Assistant.
-
-When this feature is enabled, users have access to resources immediately when they arrive at desktop.
-
-Prerequisites:
-
-- Before you enroll:
- - Create a [settings catalog policy](../device-configuration/settings-catalog/index.md), and configure the **Enable Registration During Setup** setting and assign to the device via static group.
- - Deploy the Company Portal (5.2604.0 and newer is required) as a line-of-business app.
-- Devices must be enrolled through Apple Business Manager or Apple School Manager using ADE.
-- The ADE enrollment profile must be configured to use Setup Assistant with modern authentication and have the **Await final configuration** setting turned on.
-
-> [!div class="checklist"]
-> Applies to:
->
-> - macOS Automated Device Enrollment (ADE)
-
## Device management
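Review bot: Two details from the removed in-development entry do not survive the move to `whats-new/index.md` in this same change: the note that users currently sign in twice during Setup Assistant (with the follow-up that the extra sign-in is being worked on) and the requirement to assign the settings catalog policy to the device via a static group. If both still apply at release, they belong in the new entry or in the linked `configure-platform-sso-during-enrollment.md`; if they no longer apply, a short "what changed" line would keep readers who saw the in-development text from expecting the second sign-in.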
@@ -181,7 +154,7 @@ Prerequisites:
The Intune Policy Configuration Agent will update to use a Microsoft Entra agentic identity instead of a human user identity. This enables the agent to run policy configuration actions securely and independently.
For existing agents, admins will be able to transition to an agentic identity from the agent's **Settings** tab by selecting **Create new identity**. After the identity is provisioned, the agent will now run on behalf of the logged in user and the information will be scoped by the permissions of that account. For new agents, an agentic identity will be auto provisioned at setup.
-
+
### Silence apps on Managed Home Screen to prevent session PIN bypass
For devices using Managed Home Screen (MHS), you'll be able to silence apps whenever MHS is prompting the user for authentication, such as during sign-in or at the session PIN screen. When silenced, apps won't be able to start activities, display notifications, appear in recent apps, or trigger toasts, dialogs, or device ringing. You'll be able to configure an allowlist of apps that remain unsilenced during the locked state, ensuring that critical communications like calls aren't interrupted. This feature will be opt-in and configurable, allowing your organization to tailor the experience to its operational needs. Once the device is unlocked, all apps will automatically return to their normal state.
@@ -362,10 +335,6 @@ Intune will add new guidance to the compliance policy reporting documentation to
-
-
-
-
diff --git a/intune/whats-new/index.md b/intune/whats-new/index.md
index 4726424d4e..ff27c1e78b 100644
--- a/intune/whats-new/index.md
+++ b/intune/whats-new/index.md
@@ -1,7 +1,7 @@
---
title: What's new in Microsoft Intune
description: Find out what's new in Microsoft Intune.
-ms.date: 05/01/2026
+ms.date: 05/11/2026
ms.topic: whats-new
ms.reviewer: intuner
ms.collection:
@@ -53,6 +53,28 @@ You can use RSS to be notified when this page is updated. For more information,
### Tenant administration
-->
+## Week of May 11, 2026
+
+### Device enrollment
+
+#### Complete Platform SSO registration during macOS Automated Device Enrollment
+
+On macOS devices enrolled with Automated Device Enrollment (ADE), you can run Platform SSO during device registration. Before you enroll, you:
+
+1. Create an Intune [settings catalog policy](../device-configuration/settings-catalog/index.md) and configure the **Enable Registration During Setup** setting.
+1. Deploy the Company Portal (5.2604.0 and newer) as a line-of-business app.
+1. Configure the Automated Device Enrollment policy to use Setup Assistant with modern authentication and enable await final configuration.
+
+When this feature is enabled, users have access to Microsoft Entra ID resources immediately when they arrive at desktop.
+
+To learn more, see [Configure Platform Single Sign-On (PSSO) during Automated Device Enrollment for macOS devices](../device-configuration/settings-catalog/configure-platform-sso-during-enrollment.md).
+
+> [!div class="checklist"]
+> Applies to:
+>
+> - macOS 26 and newer
+> - Company Portal 5.2604.0 and newer
+
## Week of May 4, 2026
### Monitor and troubleshoot
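Review bot: The "Applies to" checklist introduces `macOS 26 and newer`, a platform floor that the in-development text removed in this change never stated (it listed only macOS ADE); please confirm this matches the prerequisites in the linked `configure-platform-sso-during-enrollment.md`. Two smaller points in the same hunk: step 3 should render the UI label as **Await final configuration** rather than lowercase "await final configuration", matching the removed text and the docs style used for **Enable Registration During Setup** in step 1, and step 1 drops the "assign to the device via static group" requirement from the earlier wording, so either restore it or confirm any assignment now works.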