Merge branch 'main' into patch-1
Erikre authored Oct 30, 2024
2 parents db4a973 + 4a3bd55 commit fd9fe7f
Showing 391 changed files with 5,003 additions and 3,630 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/Stale.yml
@@ -0,0 +1,19 @@
name: (Scheduled) Mark stale pull requests

permissions:
issues: write
pull-requests: write

on:
schedule:
- cron: "0 */6 * * *"
workflow_dispatch:

jobs:
stale:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
with:
RunDebug: false
RepoVisibility: ${{ github.repository_visibility }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
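Review bot: the `uses:` line in the `stale` job references the reusable workflow by the ref `workflows-prod`, which reads as a branch name rather than a commit SHA, while the job hands it `secrets.GITHUB_TOKEN` with `issues: write` and `pull-requests: write`. Any later change on that ref then runs here with those write permissions every six hours without a review in this repository; consider pinning `Shared-Stale.yml` to a full commit SHA and bumping it deliberately. The top-level `permissions` block limited to the two permissions the job needs is worth keeping as is.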
50 changes: 50 additions & 0 deletions .openpublishing.redirection.json
@@ -1,5 +1,55 @@
{
"redirections": [
{
"source_path": "memdocs/intune/enrollment/chrome-enterprise-device-details.md",
"redirect_url": "/mem/intune/remote-actions/chrome-enterprise-device-details",
"redirect_document_id": true
},
{
"source_path": "memdocs/intune/enrollment/chrome-enterprise-remote-actions.md",
"redirect_url": "/mem/intune/remote-actions/chrome-enterprise-remote-actions",
"redirect_document_id": true
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md",
"redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
"redirect_document_id": false
},
{
"source_path": "memdocs/intune/remote-actions/organizational-messages-reporting.md",
"redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365",
4 changes: 2 additions & 2 deletions autopilot/add-devices.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/13/2024
ms.topic: how-to
ms.collection:
- M365-modern-desktop
Expand Down Expand Up @@ -42,7 +42,7 @@ This article provides step-by-step guidance for manual registration. For more in
- [Manual registration overview](manual-registration.md).
- [Windows Autopilot for HoloLens 2](/hololens/hololens2-autopilot#2-register-devices-in-windows-autopilot).

## Prerequisites
## Requirements

- [Intune subscription](/mem/intune/fundamentals/licenses).
- [Windows automatic enrollment enabled](/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment).
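Review bot: renaming the heading `## Prerequisites` to `## Requirements` changes the generated section anchor, so any link that targets the old `#prerequisites` anchor on this article stops landing on the section. Check for inbound links from other articles before merging, or confirm that none exist.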
44 changes: 41 additions & 3 deletions autopilot/device-preparation/known-issues.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 08/07/2024
ms.date: 10/18/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -40,6 +40,46 @@ This article describes known issues that can often be resolved with:
## Known issues
## Deployments fail when Managed installer policy is enabled for the tenant
Date added: *October 10, 2024*<br>
Date updated: *October 18, 2024*
When the [Managed installer policy](/mem/intune/protect/endpoint-security-app-control-policy#managed-installer) is **Active** for a tenant and Win32 apps are selected in the Windows Autopilot device preparation policy, Windows Autopilot device preparation deployments fails. The issue is being investigated.
As a workaround, remove Win32 applications from the list of selected apps in all device preparation policies.
For more information, see [Known issue: Windows Autopilot device preparation with Win32 apps and managed installer policy](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-windows-autopilot-device-preparation-with-win32-apps/ba-p/4273286).
## Security group membership update failures might lead to non-compliant devices
Date added: *September 27, 2024*
If security groups aren't properly configured in Microsoft Intune, devices might lose compliance and be left in an unsecured state. The following are potential reasons for security group membership failures:
- **Retry failures**: Security group membership updates might not succeed during retry windows, leading to delays in group updates.
- **Static to dynamic group changes**: After the Windows Autopilot device preparation profiles are configured, changing a security group from static to dynamic could cause failures.
- **Owner removal**: If the **Intune Provisioning Client** service principal is removed as an owner of a configured security group, updates might fail.
- **Group deletion**: If a configured security group is deleted and devices are deployed before Microsoft Intune detects the deletion, security configurations might fail to apply.
To mitigate the issue, follow these steps:
1. **Validate security group configuration before provisioning**:
- Ensure the correct security group is selected within the Microsoft Intune admin center or the Microsoft Entra admin center.
- The security group should be configured within the Windows Autopilot device preparation profile.
- The group shouldn't be assignable to other groups.
- The **Intune Provisioning Client** service principal should be an owner of the group.
1. **Manually fix the provisioned devices**:
- If devices are already deployed or the security group isn't applicable, manually add the affected devices to the correct security group.
Security group membership failures can be prevented by following these steps, ensuring devices remain compliant and secure.
## Deployment fails for devices not in the Coordinated Universal Time (UTC) time zone
Date added: *July 8, 2024* <br>
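Review bot: the closing sentence of the security group section ("Security group membership failures can be prevented by following these steps") claims more than the steps cover: **Retry failures** is listed as a cause, yet neither mitigation step addresses it or says how an admin detects that a membership update did not succeed. Since the stated impact is devices "left in an unsecured state", suggest softening "prevented" to "reduced" and adding how to verify group membership after provisioning. Smaller points: "deployments fails" in the Managed installer paragraph should be "deployments fail", and "The group shouldn't be assignable to other groups" would be clearer with the exact setting name.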
Expand Down Expand Up @@ -92,9 +132,7 @@ The issue is being investigated. As a workaround, add the following additional r
For more information, see [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions).

> [!NOTE]
>
> The [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions) article doesn't list the **Device configurations** - **Assign** permission. This permission requirement is only temporary until the issue is resolved. However, the article can be used as a guide on how to properly add this permission.
**This issue was resolved in July 2024.**

### Device is stuck at 100% during the out-of-box experience (OOBE)
6 changes: 3 additions & 3 deletions autopilot/device-preparation/requirements.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/05/2024
ms.collection:
- M365-modern-desktop
- highpri
Expand Down Expand Up @@ -67,7 +67,7 @@ The following editions are supported:
- Windows 11 Pro.
- Windows 11 Pro Education.
- Windows 11 Pro for Workstations.
- Windows 11 Enterprise/[Windows 11 IoT Eneterprise](/windows/iot/iot-enterprise/overview).
- Windows 11 Enterprise.
- Windows 11 Education.
## [:::image type="icon" source="../images/icons/wifi-ethernet-18.svg"::: **Networking**](#tab/networking)
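Review bot: replacing "Windows 11 Enterprise/[Windows 11 IoT Eneterprise]" with "Windows 11 Enterprise." removes IoT Enterprise from the supported editions list, not just the "Eneterprise" typo. If IoT Enterprise is no longer supported, that is a support change worth stating explicitly (for example in whats-new.md); if it is still supported, keep the link and fix the spelling instead.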
Expand Down Expand Up @@ -200,7 +200,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic
> [!NOTE]
>
> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licenses-assign).
> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/mem/intune/fundamentals/licenses-assign).
Additionally, the following are also recommended, but not required:
Expand Up @@ -7,7 +7,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 06/19/2024
ms.date: 09/13/2024
ms.topic: tutorial
ms.collection:
- tier1
Expand All @@ -23,7 +23,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto

The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Windows Autopilot device preparation user-driven Microsoft Entra join deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment.

Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all prerequisites are met for joining devices to Microsoft Entra ID.
Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all requirements are met for joining devices to Microsoft Entra ID.

## Windows Autopilot device preparation user-driven Microsoft Entra join overview

22 changes: 21 additions & 1 deletion autopilot/device-preparation/whats-new.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
manager: aaroncz
ms.reviewer: jubaptis
ms.date: 08/21/2024
ms.date: 10/15/2024
ms.collection:
- M365-modern-desktop
- tier2
Expand All @@ -31,6 +31,26 @@ appliesto:
>
> For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation.
## Diagnostics logs automatically available in Windows Autopilot device preparation deployment status report
Date added: *October 9, 2024*
Admins can now download diagnostics logs for failed Autopilot device preparation deployments directly from the **Windows Autopilot device preparation deployment status** report. Logs are available for download in the **Device deployment details** when you select a failed deployment under the **Device** tab. Logs are automatically collected when an error occurs during deployment.
## Windows Autopilot Device Preparation Support in Intune operated by 21Vianet in China
Date added: *September 18, 2024*
As part of the 2409 Intune release, we're announcing support for Windows Autopilot Device Preparation policy in [Intune operated by 21Vianet in China](/mem/intune/fundamentals/china) cloud. Customers with tenants located in China can now provision devices and manage through Microsoft Intune. For an overview, see [Overview of Windows Autopilot device preparation](overview.md). For a tutorial on how to set up Windows Autopilot device preparation, see [Windows Autopilot device preparation scenarios](tutorial/scenarios.md).
<!-- MAXADO-9313795 / INADO-28687730 -->
## enrollmentProfileName property is now populated with the Device preparation policy name
Date added: *September 13, 2024*
As part of the 2409 Intune release, the **enrollmentProfileName** property is now populated with the Device preparation policy name during Autopilot device preparation deployments. The Enrollment profile property of Intune and Microsoft Entra device objects are automatically populated with the name of the Device preparation policy that was applied to the device during provisioning. The **enrollmentProfileName** property enables admins to configure assignment filters and dynamic groups based on the **enrollmentProfileName** property for configurations post-enrollment.
<!-- INADO-28533819 -->
## Windows Autopilot device preparation deployment status report available in the Monitor tab under Enrollment
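Review bot: the new "Diagnostics logs automatically available" entry says logs are collected automatically on error and can be downloaded from the report, but not which role or permission an admin needs to download them or what the logs contain; add a link to that detail so readers can scope access to them. Smaller points: in the enrollmentProfileName entry, "The Enrollment profile property ... are automatically populated" should use "is", and the 21Vianet heading and paragraph capitalize "Device Preparation" where the other entries use "device preparation".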
21 changes: 15 additions & 6 deletions autopilot/dfci-management.md
Expand Up @@ -8,7 +8,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 06/11/2024
ms.date: 10/09/2024
ms.collection:
- M365-modern-desktop
- tier2
Expand All @@ -24,7 +24,7 @@ With Windows Autopilot Deployment and Intune, Unified Extensible Firmware Interf

If a user reinstalls a previous Windows version, installs a separate OS, or formats the hard drive, they can't override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device's UEFI menus.

For an overview of DFCI benefits, scenarios, and prerequisites, see [Device Firmware Configuration Interface (DFCI) Introduction](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/).
For an overview of DFCI benefits, scenarios, and requirements, see [Device Firmware Configuration Interface (DFCI) Introduction](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/).

> [!IMPORTANT]
>
Expand Down Expand Up @@ -55,12 +55,12 @@ See the following figure:

- A currently supported version of Windows and a supported UEFI is required.
- The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that can be installed. Work with the device vendors to determine the [manufacturers that support DFCI](#oems-that-support-dfci), or the firmware version needed to use DFCI.
- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/intune/enrollment/enrollment-autopilot).
- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/mem/intune/enrollment/enrollment-autopilot).
- The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM. For Surface devices, Microsoft registration support is available at [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f).

> [!IMPORTANT]
>
> Devices manually registered for Autopilot (such as by [importing from a CSV file](/intune/enrollment/enrollment-autopilot#add-devices)) aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices.
> Devices manually registered for Autopilot (such as by [importing from a CSV file](/mem/intune/enrollment/enrollment-autopilot#add-devices)) aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices.
## Managing DFCI profile with Windows Autopilot

Expand All @@ -71,9 +71,9 @@ There are four basic steps in managing DFCI profile with Windows Autopilot:
1. Create a DFCI profile
1. Assign the profiles

See [Create the profiles](/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details.
See [Create the profiles](/mem/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](/mem/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details.

The existing [DFCI settings](/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.
The existing [DFCI settings](/mem/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots.

To identify whether a device is DFCI ready, the following Intune Graph API call can be used:

Expand All @@ -89,9 +89,18 @@ For more information, see [Intune devices and apps API overview](/graph/intune-c
- Fujitsu.
- [Microsoft Surface](/surface/surface-manage-dfci-guide).
- Panasonic.
- VAIO.

Other OEMs are pending.

## Known issues

### DFCI enrollment fails for Professional editions of Windows 11, version 24H2

Date added: *October 9, 2024*

DFCI can't currently be used on devices with Professional editions of Windows 11, version 24H2. The issue is being investigated. As a workaround, ensure the device is upgraded to the Enterprise edition of Windows 11, version 24H2 during or after OOBE onboarding. After upgrading to the Enterprise edition of Windows 11, version 24H2, sync the device. Once the device is synced, reboot it to get it enrolled in DFCI.

## Related content

- [Microsoft DFCI Scenarios](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/).
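Review bot: the new known issue says DFCI can't be used on Professional editions of Windows 11, version 24H2, but the requirements bullet earlier in the article still reads "A currently supported version of Windows and a supported UEFI is required" with no pointer to it. Add a cross-reference from that bullet to this section so readers checking requirements see the edition limitation. The workaround's sequence (upgrade to Enterprise, sync, then reboot) would also read more clearly as a numbered list.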
6 changes: 1 addition & 5 deletions autopilot/enrollment-autopilot.md
Expand Up @@ -5,7 +5,7 @@ author: frankroj
ms.author: frankroj
ms.reviewer: jubaptis
manager: aaroncz
ms.date: 06/28/2024
ms.date: 09/13/2024
ms.topic: how-to
ms.localizationpriority: high
ms.service: windows-client
Expand Down Expand Up @@ -93,10 +93,6 @@ For more information including a list of supported OEMs, see [Return of key func
>
> Assigning a licensed user to a specific Autopilot device only affects pre-populating the UPN and setting of a custom greeting name. It doesn't affect assigned policies and applications that are deployed to the device or to the user. The assigned policies and applications are still deployed regardless of the OEM. For more information, see [Windows Autopilot for pre-provisioned deployment](pre-provision.md#preparation).
Prerequisites:

- Microsoft Entra ID [Company Branding](/azure/active-directory/fundamentals/customize-branding) is configured.

> [!IMPORTANT]
>
> Assigning a user to a specific Autopilot device doesn't work if using Active Directory Federation Services (ADFS).
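Review bot: the removed "Prerequisites:" block dropped the statement that Microsoft Entra ID Company Branding must be configured, while the note just above it still describes "setting of a custom greeting name". If branding is still needed for the greeting, keep the requirement (under the "Requirements" wording used elsewhere in this commit); if it is no longer needed, the change deserves a line explaining why.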
2 changes: 1 addition & 1 deletion autopilot/enrollment-status.md
Expand Up @@ -33,7 +33,7 @@ An administrator can deploy ESP profiles to a licensed Intune user and configure
- Allow users to collect troubleshooting logs.
- Specify what a user can do if device setup fails.

For more information, see [Set up the Enrollment Status Page](/intune/windows-enrollment-status).
For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status).

:::image type="content" source="images/enrollment-status-page.png" alt-text="Screenshot that shows Enrollment Status Page":::
