diff --git a/.github/workflows/Stale.yml b/.github/workflows/Stale.yml
new file mode 100644
index 00000000000..dec280f7764
--- /dev/null
+++ b/.github/workflows/Stale.yml
@@ -0,0 +1,19 @@
+name: (Scheduled) Mark stale pull requests
+
+permissions:
+ issues: write
+ pull-requests: write
+
+on:
+ schedule:
+ - cron: "0 */6 * * *"
+ workflow_dispatch:
+
+jobs:
+ stale:
+ uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod
+ with:
+ RunDebug: false
+ RepoVisibility: ${{ github.repository_visibility }}
+ secrets:
+ AccessToken: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 5ceee9a62a5..8e7a98563f0 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
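Review bot: The reusable workflow is pulled from another repository by a mutable branch ref in `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@workflows-prod`, and the same job hands it `secrets.GITHUB_TOKEN` carrying the `issues: write` and `pull-requests: write` grants declared at the top of the file, so any later change to that branch runs here with write access without a change in this repository. Pinning the reference to a full commit SHA, `uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-Stale.yml@<full-commit-sha> # workflows-prod`, makes the executed code reviewable and each update explicit; if the branch is instead relied on being protected, a comment saying so would help the next reader. The new file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.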
@@ -1,5 +1,55 @@
 {
 "redirections": [
+ {
+ "source_path": "memdocs/intune/enrollment/chrome-enterprise-device-details.md",
+ "redirect_url": "/mem/intune/remote-actions/chrome-enterprise-device-details",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "memdocs/intune/enrollment/chrome-enterprise-remote-actions.md",
+ "redirect_url": "/mem/intune/remote-actions/chrome-enterprise-remote-actions",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-android.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-android.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-android.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-ios.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-ios.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-ios.md",
+ "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": 
"memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md", + "redirect_url": "/mem/intune/user-help/set-up-mobile-threat-defense", + "redirect_document_id": false + }, { "source_path": "memdocs/intune/remote-actions/organizational-messages-reporting.md", "redirect_url": "/microsoft-365/admin/misc/organizational-messages-microsoft-365", diff --git a/autopilot/add-devices.md b/autopilot/add-devices.md index 6f5fbdb68cd..7cc18aad5d3 100644 --- a/autopilot/add-devices.md +++ b/autopilot/add-devices.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/28/2024 +ms.date: 09/13/2024 ms.topic: how-to ms.collection: - M365-modern-desktop @@ -42,7 +42,7 @@ This article provides step-by-step guidance for manual registration. For more in - [Manual registration overview](manual-registration.md). - [Windows Autopilot for HoloLens 2](/hololens/hololens2-autopilot#2-register-devices-in-windows-autopilot). -## Prerequisites +## Requirements - [Intune subscription](/mem/intune/fundamentals/licenses). - [Windows automatic enrollment enabled](/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment). diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index d34731b0cce..0b8f77b53bb 100644 --- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 08/07/2024 +ms.date: 10/18/2024 ms.collection: - M365-modern-desktop - highpri @@ -40,6 +40,46 @@ This article describes known issues that can often be resolved with: ## Known issues +## Deployments fail when Managed installer policy is enabled for the tenant + +Date added: *October 10, 2024*
+Date updated: *October 18, 2024* + +When the [Managed installer policy](/mem/intune/protect/endpoint-security-app-control-policy#managed-installer) is **Active** for a tenant and Win32 apps are selected in the Windows Autopilot device preparation policy, Windows Autopilot device preparation deployments fails. The issue is being investigated. + +As a workaround, remove Win32 applications from the list of selected apps in all device preparation policies. + +For more information, see [Known issue: Windows Autopilot device preparation with Win32 apps and managed installer policy](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-windows-autopilot-device-preparation-with-win32-apps/ba-p/4273286). + +## Security group membership update failures might lead to non-compliant devices + +Date added: *September 27, 2024* + +If security groups aren't properly configured in Microsoft Intune, devices might lose compliance and be left in an unsecured state. The following are potential reasons for security group membership failures: + +- **Retry failures**: Security group membership updates might not succeed during retry windows, leading to delays in group updates. + +- **Static to dynamic group changes**: After the Windows Autopilot device preparation profiles are configured, changing a security group from static to dynamic could cause failures. + +- **Owner removal**: If the **Intune Provisioning Client** service principal is removed as an owner of a configured security group, updates might fail. + +- **Group deletion**: If a configured security group is deleted and devices are deployed before Microsoft Intune detects the deletion, security configurations might fail to apply. + +To mitigate the issue, follow these steps: + +1. **Validate security group configuration before provisioning**: + + - Ensure the correct security group is selected within the Microsoft Intune admin center or the Microsoft Entra admin center. 
+ - The security group should be configured within the Windows Autopilot device preparation profile. + - The group shouldn't be assignable to other groups. + - The **Intune Provisioning Client** service principal should be an owner of the group. + +1. **Manually fix the provisioned devices**: + + - If devices are already deployed or the security group isn't applicable, manually add the affected devices to the correct security group. + +Security group membership failures can be prevented by following these steps, ensuring devices remain compliant and secure. + ## Deployment fails for devices not in the Coordinated Universal Time (UTC) time zone Date added: *July 8, 2024*
@@ -92,9 +132,7 @@ The issue is being investigated. As a workaround, add the following additional r For more information, see [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions). > [!NOTE] -> > The [Required RBAC permissions](requirements.md?tabs=rbac#required-rbac-permissions) article doesn't list the **Device configurations** - **Assign** permission. This permission requirement is only temporary until the issue is resolved. However, the article can be used as a guide on how to properly add this permission. - **This issue was resolved in July 2024.** ### Device is stuck at 100% during the out-of-box experience (OOBE) diff --git a/autopilot/device-preparation/requirements.md b/autopilot/device-preparation/requirements.md index 8cc436909f8..5c8ed256946 100644 --- a/autopilot/device-preparation/requirements.md +++ b/autopilot/device-preparation/requirements.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/28/2024 +ms.date: 09/05/2024 ms.collection: - M365-modern-desktop - highpri @@ -67,7 +67,7 @@ The following editions are supported: - Windows 11 Pro. - Windows 11 Pro Education. - Windows 11 Pro for Workstations. -- Windows 11 Enterprise/[Windows 11 IoT Eneterprise](/windows/iot/iot-enterprise/overview). +- Windows 11 Enterprise. - Windows 11 Education. ## [:::image type="icon" source="../images/icons/wifi-ethernet-18.svg"::: **Networking**](#tab/networking) 
@@ -200,7 +200,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic > [!NOTE] > -> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licenses-assign). +> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/mem/intune/fundamentals/licenses-assign). Additionally, the following are also recommended, but not required: diff --git a/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md b/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md index 101329db4d6..5a895179283 100644 --- a/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md +++ b/autopilot/device-preparation/tutorial/user-driven/entra-join-workflow.md @@ -7,7 +7,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/19/2024 +ms.date: 09/13/2024 ms.topic: tutorial ms.collection: - tier1 
@@ -23,7 +23,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Windows Autopilot device preparation user-driven Microsoft Entra join deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment. -Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all prerequisites are met for joining devices to Microsoft Entra ID. +Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all requirements are met for joining devices to Microsoft Entra ID. ## Windows Autopilot device preparation user-driven Microsoft Entra join overview diff --git a/autopilot/device-preparation/whats-new.md b/autopilot/device-preparation/whats-new.md index ba8714bec7d..e07f50c4d4d 100644 --- a/autopilot/device-preparation/whats-new.md +++ b/autopilot/device-preparation/whats-new.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.reviewer: jubaptis -ms.date: 08/21/2024 +ms.date: 10/15/2024 ms.collection: - M365-modern-desktop - tier2 
@@ -31,6 +31,26 @@ appliesto: > > For more information on using RSS for notifications, see [How to use the docs](/mem/use-docs#notifications) in the Intune documentation. +## Diagnostics logs automatically available in Windows Autopilot device preparation deployment status report + +Date added: *October 9, 2024* + +Admins can now download diagnostics logs for failed Autopilot device preparation deployments directly from the **Windows Autopilot device preparation deployment status** report. Logs are available for download in the **Device deployment details** when you select a failed deployment under the **Device** tab. Logs are automatically collected when an error occurs during deployment. + +## Windows Autopilot Device Preparation Support in Intune operated by 21Vianet in China + +Date added: *September 18, 2024* + +As part of the 2409 Intune release, we're announcing support for Windows Autopilot Device Preparation policy in [Intune operated by 21Vianet in China](/mem/intune/fundamentals/china) cloud. Customers with tenants located in China can now provision devices and manage through Microsoft Intune. For an overview, see [Overview of Windows Autopilot device preparation](overview.md). For a tutorial on how to set up Windows Autopilot device preparation, see [Windows Autopilot device preparation scenarios](tutorial/scenarios.md). + + + +## enrollmentProfileName property is now populated with the Device preparation policy name + +Date added: *September 13, 2024* + +As part of the 2409 Intune release, the **enrollmentProfileName** property is now populated with the Device preparation policy name during Autopilot device preparation deployments. The Enrollment profile property of Intune and Microsoft Entra device objects are automatically populated with the name of the Device preparation policy that was applied to the device during provisioning. 
The **enrollmentProfileName** property enables admins to configure assignment filters and dynamic groups based on the **enrollmentProfileName** property for configurations post-enrollment. + ## Windows Autopilot device preparation deployment status report available in the Monitor tab under Enrollment diff --git a/autopilot/dfci-management.md b/autopilot/dfci-management.md index 7df516a9369..361abc4aa14 100644 --- a/autopilot/dfci-management.md +++ b/autopilot/dfci-management.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/11/2024 +ms.date: 10/09/2024 ms.collection: - M365-modern-desktop - tier2 @@ -24,7 +24,7 @@ With Windows Autopilot Deployment and Intune, Unified Extensible Firmware Interf If a user reinstalls a previous Windows version, installs a separate OS, or formats the hard drive, they can't override DFCI management. This feature can also prevent malware from communicating with OS processes, including elevated OS processes. DFCI's trust chain uses public key cryptography, and doesn't depend on local UEFI password security. This layer of security blocks local users from accessing managed settings from the device's UEFI menus. -For an overview of DFCI benefits, scenarios, and prerequisites, see [Device Firmware Configuration Interface (DFCI) Introduction](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/). +For an overview of DFCI benefits, scenarios, and requirements, see [Device Firmware Configuration Interface (DFCI) Introduction](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/). > [!IMPORTANT] 
> @@ -55,12 +55,12 @@ See the following figure: - A currently supported version of Windows and a supported UEFI is required. - The device manufacturer must have DFCI added to their UEFI firmware in the manufacturing process, or as a firmware update that can be installed. Work with the device vendors to determine the [manufacturers that support DFCI](#oems-that-support-dfci), or the firmware version needed to use DFCI. -- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/intune/enrollment/enrollment-autopilot). +- The device must be managed with Microsoft Intune. For more information, see [Enroll Windows devices in Intune using Windows Autopilot](/mem/intune/enrollment/enrollment-autopilot). - The device must be registered for Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider), or registered directly by the OEM. For Surface devices, Microsoft registration support is available at [Microsoft Devices Autopilot Support](https://prod.support.services.microsoft.com/supportrequestform/0d8bf192-cab7-6d39-143d-5a17840b9f5f). > [!IMPORTANT] > -> Devices manually registered for Autopilot (such as by [importing from a CSV file](/intune/enrollment/enrollment-autopilot#add-devices)) aren't allowed to use DFCI. By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices. +> Devices manually registered for Autopilot (such as by [importing from a CSV file](/mem/intune/enrollment/enrollment-autopilot#add-devices)) aren't allowed to use DFCI. 
By design, DFCI management requires external attestation of the device's commercial acquisition through an OEM or a Microsoft CSP partner registration to Windows Autopilot. When the device is registered, its serial number is displayed in the list of Windows Autopilot devices. ## Managing DFCI profile with Windows Autopilot @@ -71,9 +71,9 @@ There are four basic steps in managing DFCI profile with Windows Autopilot: 1. Create a DFCI profile 1. Assign the profiles -See [Create the profiles](/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details. +See [Create the profiles](/mem/intune/configuration/device-firmware-configuration-interface-windows#create-the-profiles) and [Assign the profiles, and reboot](/mem/intune/configuration/device-firmware-configuration-interface-windows#assign-the-profiles-and-reboot) for details. -The existing [DFCI settings](/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots. +The existing [DFCI settings](/mem/intune/configuration/device-firmware-configuration-interface-windows#update-existing-dfci-settings) can also be changed on devices that are in use. In the existing DFCI profile, change the settings and save the changes. Since the profile is already assigned, the new DFCI settings take effect when next time the device syncs or the device reboots. To identify whether a device is DFCI ready, the following Intune Graph API call can be used: 
@@ -89,9 +89,18 @@ For more information, see [Intune devices and apps API overview](/graph/intune-c - Fujitsu. - [Microsoft Surface](/surface/surface-manage-dfci-guide). - Panasonic. +- VAIO. Other OEMs are pending. +## Known issues + +### DFCI enrollment fails for Professional editions of Windows 11, version 24H2 + +Date added: *October 9, 2024* + +DFCI can't currently be used on devices with Professional editions of Windows 11, version 24H2. The issue is being investigated. As a workaround, ensure the device is upgraded to the Enterprise edition of Windows 11, version 24H2 during or after OOBE onboarding. After upgrading to the Enterprise edition of Windows 11, version 24H2, sync the device. Once the device is synced, reboot it to get it enrolled in DFCI. + ## Related content - [Microsoft DFCI Scenarios](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/). diff --git a/autopilot/enrollment-autopilot.md b/autopilot/enrollment-autopilot.md index fb809bf38ad..11f3cd1a9d3 100644 --- a/autopilot/enrollment-autopilot.md +++ b/autopilot/enrollment-autopilot.md @@ -5,7 +5,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/28/2024 +ms.date: 09/13/2024 ms.topic: how-to ms.localizationpriority: high ms.service: windows-client 
@@ -93,10 +93,6 @@ For more information including a list of supported OEMs, see [Return of key func > > Assigning a licensed user to a specific Autopilot device only affects pre-populating the UPN and setting of a custom greeting name. It doesn't affect assigned policies and applications that are deployed to the device or to the user. The assigned policies and applications are still deployed regardless of the OEM. For more information, see [Windows Autopilot for pre-provisioned deployment](pre-provision.md#preparation). -Prerequisites: - -- Microsoft Entra ID [Company Branding](/azure/active-directory/fundamentals/customize-branding) is configured. - > [!IMPORTANT] > > Assigning a user to a specific Autopilot device doesn't work if using Active Directory Federation Services (ADFS). diff --git a/autopilot/enrollment-status.md b/autopilot/enrollment-status.md index 15012e20f0b..241dbb64c51 100644 --- a/autopilot/enrollment-status.md +++ b/autopilot/enrollment-status.md @@ -33,7 +33,7 @@ An administrator can deploy ESP profiles to a licensed Intune user and configure - Allow users to collect troubleshooting logs. - Specify what a user can do if device setup fails. -For more information, see [Set up the Enrollment Status Page](/intune/windows-enrollment-status). +For more information, see [Set up the Enrollment Status Page](/mem/intune/enrollment/windows-enrollment-status). :::image type="content" source="images/enrollment-status-page.png" alt-text="Screenshot that shows Enrollment Status Page"::: diff --git a/autopilot/existing-devices.md b/autopilot/existing-devices.md index 681d63e2d80..b34fa55e092 100644 --- a/autopilot/existing-devices.md +++ b/autopilot/existing-devices.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/27/2024 +ms.date: 09/13/2024 ms.collection: - M365-modern-desktop - highpri 
@@ -40,7 +40,7 @@ Modern desktop deployment with Windows Autopilot helps easily deploy the latest > > Using Autopilot for existing devices could be used as a method to convert existing hybrid Microsoft Entra devices into Microsoft Entra devices. Using the setting **Convert all targeted devices to Autopilot** in the Autopilot profile doesn't automatically convert existing hybrid Microsoft Entra device in the assigned groups into a Microsoft Entra device. The setting only registers the devices in the assigned groups for the Autopilot service. -## Prerequisites +## Requirements - A currently supported version of Microsoft Configuration Manager current branch. diff --git a/autopilot/known-issues.md b/autopilot/known-issues.md index 9966c4e2d99..1729c254487 100644 --- a/autopilot/known-issues.md +++ b/autopilot/known-issues.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 08/29/2024 +ms.date: 10/09/2024 ms.collection: - M365-modern-desktop - highpri @@ -41,6 +41,12 @@ This article describes known issues that can often be resolved with configuratio ## Known issues +### DFCI enrollment fails for Professional editions of Windows 11, version 24H2 + +Date added: *October 9, 2024* + +DFCI can't currently be used on devices with Professional editions of Windows 11, version 24H2. The issue is being investigated. As a workaround, ensure the device is upgraded to the Enterprise edition of Windows 11, version 24H2 during or after OOBE onboarding. After upgrading to the Enterprise edition of Windows 11, version 24H2, sync the device. Once the device is synced, reboot it to get it enrolled in DFCI. + ### Autopilot deployment report doesn't support sorting Date added: *August 29, 2024* diff --git a/autopilot/overview.md b/autopilot/overview.md index d32eecce349..5b056827606 100644 --- a/autopilot/overview.md +++ b/autopilot/overview.md 
@@ -84,5 +84,5 @@ For a tutorial with detailed instructions on configuring Windows Autopilot, see ## Related content -- [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot). +- [Enroll Windows devices in Intune by using Windows Autopilot](enrollment-autopilot.md). - [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md). diff --git a/autopilot/pre-provision.md b/autopilot/pre-provision.md index 67958993f67..7dc18be31e4 100644 --- a/autopilot/pre-provision.md +++ b/autopilot/pre-provision.md @@ -8,7 +8,7 @@ ms.reviewer: jubaptis manager: aaroncz author: frankroj ms.author: frankroj -ms.date: 07/23/2024 +ms.date: 09/13/2024 ms.collection: - M365-modern-desktop - highpri @@ -33,7 +33,11 @@ With **Windows Autopilot for pre-provisioned deployment**, the provisioning proc Pre-provisioned deployments use Microsoft Intune in currently supported versions of Windows. Such deployments build on existing Windows Autopilot [user-driven scenarios](user-driven.md) and support user-driven mode scenarios for both Microsoft Entra joined and Microsoft Entra hybrid joined devices. -## Prerequisites +## Requirements + +> [!IMPORTANT] +> +> A device can't automatically re-enroll through Windows Autopilot after an initial deployment with pre-provisioning mode. Instead, delete the device record in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). From the Microsoft Intune admin center, select **Devices** > **All devices** > select the devices to delete > **Delete**. For more information, see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452). In addition to [Windows Autopilot requirements](requirements.md), Windows Autopilot for pre-provisioned deployment also requires: 
diff --git a/autopilot/profiles.md b/autopilot/profiles.md index 944fbc34c41..d9cf02b074c 100644 --- a/autopilot/profiles.md +++ b/autopilot/profiles.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/28/2024 +ms.date: 09/13/2024 ms.collection: - M365-modern-desktop - highpri @@ -87,7 +87,7 @@ Autopilot deployment profiles are used to configure the Autopilot devices. Up to - **User account type**: Select the user's account type (**Administrator** or **Standard** user). We allow the user joining the device to be a local Administrator by adding them to the local Admin group. We don't enable the user as the default administrator on the device. - - **Allow pre-provisioned deployment** ([Prerequisites](pre-provision.md#prerequisites)): Select **Yes** to allow pre-provisioning support. + - **Allow pre-provisioned deployment** ([Requirements](pre-provision.md#requirements)): Select **Yes** to allow pre-provisioning support. > [!NOTE] > diff --git a/autopilot/requirements.md b/autopilot/requirements.md index caaf3c887f8..3e3e435c697 100644 --- a/autopilot/requirements.md +++ b/autopilot/requirements.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/28/2024 +ms.date: 09/06/2024 ms.collection: - M365-modern-desktop - highpri @@ -65,7 +65,7 @@ The following editions of Windows 11 are supported: - Windows 11 Pro. - Windows 11 Pro Education. - Windows 11 Pro for Workstations. -- Windows 11 Enterprise/[Windows 11 IoT Eneterprise](/windows/iot/iot-enterprise/overview). +- Windows 11 Enterprise. - Windows 11 Education. #### Windows 10 
@@ -77,7 +77,7 @@ The following editions of Windows 10 are supported: - Windows 10 Pro. - Windows 10 Pro Education. - Windows 10 Pro for Workstations. -- Windows 10 Enterprise/[Windows 10 IoT Eneterprise](/windows/iot/iot-enterprise/overview). +- Windows 10 Enterprise. - Windows 10 Education. - [Windows 10 Enterprise LTSC](/windows/whats-new/ltsc/overview). @@ -239,7 +239,7 @@ To provide needed Microsoft Entra ID and MDM functionality, including automatic > [!NOTE] > -> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/intune/fundamentals/licenses-assign). +> When a Microsoft 365 subscription is used, licenses still need to be assigned to users so they can enroll device in Intune. For more information, see [assign licenses to users so they can enroll devices in Intune](/mem/intune/fundamentals/licenses-assign). Additionally, the following are also recommended (but not required): diff --git a/autopilot/self-deploying.md b/autopilot/self-deploying.md index a3cc171e358..669dc63fb1f 100644 --- a/autopilot/self-deploying.md +++ b/autopilot/self-deploying.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/11/2024 +ms.date: 09/13/2024 ms.collection: - M365-modern-desktop - highpri 
@@ -69,7 +69,7 @@ Optionally, a [device-only subscription](https://techcommunity.microsoft.com/t5/ > [!IMPORTANT] > -> A device can't automatically re-enroll through Autopilot after an initial deployment in self-deploying mode. Instead, delete the device record in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). From the admin center, select **Devices** > **All devices** > select the devices to delete > **Delete**. For more information, see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452). +> A device can't automatically re-enroll through Windows Autopilot after an initial deployment with self-deploying mode. Instead, delete the device record in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). From the Microsoft Intune admin center, select **Devices** > **All devices** > select the devices to delete > **Delete**. For more information, see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452). Self-deploying mode uses a device's Trusted Platform Module (TPM) 2.0 hardware to authenticate the device into an organization's Microsoft Entra tenant. Therefore, devices without TPM 2.0 can't be used with this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning in [Networking requirements](requirements.md?tabs=networking#autopilot-self-deploying-mode-and-autopilot-pre-provisioning). 
For Windows Autopilot software requirements, see [Windows Autopilot software requirements](./requirements.md?tabs=software). diff --git a/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md b/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md index f7c88ea8768..5c34ed83fae 100644 --- a/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md +++ b/autopilot/tutorial/pre-provisioning/azure-ad-join-workflow.md @@ -7,7 +7,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 06/19/2024 +ms.date: 09/13/2024 ms.topic: tutorial ms.collection: - tier1 @@ -24,7 +24,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Autopilot for pre-provisioned deployment Microsoft Entra join deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment. -Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all prerequisites are met for joining devices to Microsoft Entra ID. +Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all requirements are met for joining devices to Microsoft Entra ID. > [!NOTE] > diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md index 27bdc807fed..aa21ff2118e 100644 --- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md +++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile.md 
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/28/2024
+ms.date: 09/13/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -98,7 +98,7 @@ Windows Autopilot for pre-provisioned Microsoft Entra hybrid join supports off-p
 
 For off-premises/Internet scenarios requiring VPN connectivity, the only change in the Autopilot profile would be in the setting **Skip AD connectivity check**. In the [Create and assign pre-provisioned Microsoft Entra hybrid join Autopilot profile](#create-and-assign-a-pre-provisioned-microsoft-entra-hybrid-join-autopilot-profile) section, the **Skip AD connectivity check** setting should be set to **Yes** instead of to **No**. Setting this option to **Yes** prevents the deployment from failing since there's no direct connectivity to Active Directory and domain controllers until the VPN connection is established.
 
-In addition to changing the **Skip AD connectivity check** setting to **Yes** in the Autopilot profile, VPN support also relies on the following prerequisites:
+In addition to changing the **Skip AD connectivity check** setting to **Yes** in the Autopilot profile, VPN support also relies on the following requirements:
 
 - The VPN solution can be deployed and installed with Intune.
 - The VPN solution needs to support one of the following options:
diff --git a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md
index 6d9b1140576..a65aa345137 100644
--- a/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md
+++ b/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-workflow.md
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/19/2024
+ms.date: 09/13/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -28,7 +28,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto
 
 The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Autopilot for pre-provisioned deployment Microsoft Entra hybrid join deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment.
 
-Before beginning, refer to the [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) to make sure all prerequisites are met for joining on-premises AD devices to Microsoft Entra ID.
+Before beginning, refer to the [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) to make sure all requirements are met for joining on-premises AD devices to Microsoft Entra ID.
 
 > [!NOTE]
 >
diff --git a/autopilot/tutorial/reset/autopilot-reset-overview.md b/autopilot/tutorial/reset/autopilot-reset-overview.md
index 6fdd9904fe6..9e1d8a09d4d 100644
--- a/autopilot/tutorial/reset/autopilot-reset-overview.md
+++ b/autopilot/tutorial/reset/autopilot-reset-overview.md
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/19/2024
+ms.date: 10/08/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -30,7 +30,8 @@ Windows Autopilot Reset takes the device back to a business-ready state, allowin
 
 The Windows Autopilot Reset process removes or resets the following information from the existing device:
 
-- The device's primary user is removed. The next user who signs in after the Windows Autopilot Reset will be set as the primary user.
+- The device's primary user is removed when a remote Windows Autopilot Reset is used. The next user who signs in after the Windows Autopilot Reset will be set as the primary user. Shared devices will remain shared after the remote Autopilot Reset.
+- The device's owner in Microsoft Entra is removed when a remote Windows Autopilot Reset is used. The next user who signs in after the Windows Autopilot Reset will be set as the owner.
 - Removes personal files, apps, and settings.
 - Reapplies a device's original settings.
 - Sets the region, language, and keyboard to the original values.
@@ -46,6 +47,7 @@ The Windows Autopilot Reset process automatically keeps the following informatio
 - A provisioning package present on a USB drive when the reset process is started.
 - Microsoft Entra device membership and Intune enrollment information.
 - System Center Endpoint Protection (SCEP) certificates.
+- The device's primary user and owner in Microsoft Entra aren't updated when a local Windows Autopilot Reset is used.
 
 ## Windows Autopilot Reset requirements
 
diff --git a/autopilot/tutorial/self-deploying/self-deploying-workflow.md b/autopilot/tutorial/self-deploying/self-deploying-workflow.md
index bc658e23b6c..20f4c218800 100644
--- a/autopilot/tutorial/self-deploying/self-deploying-workflow.md
+++ b/autopilot/tutorial/self-deploying/self-deploying-workflow.md
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/19/2024
+ms.date: 09/13/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -24,7 +24,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto
 
 The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Autopilot self-deploying mode deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment.
 
-Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all prerequisites are met for joining devices to Microsoft Entra ID.
+Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all requirements are met for joining devices to Microsoft Entra ID.
 
 ## Windows Autopilot self-deploying mode overview
 
diff --git a/autopilot/tutorial/user-driven/azure-ad-join-workflow.md b/autopilot/tutorial/user-driven/azure-ad-join-workflow.md
index 68731176313..1f207b3a489 100644
--- a/autopilot/tutorial/user-driven/azure-ad-join-workflow.md
+++ b/autopilot/tutorial/user-driven/azure-ad-join-workflow.md
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/19/2024
+ms.date: 09/13/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -24,7 +24,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto
 
 The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Autopilot user-driven Microsoft Entra join deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment.
 
-Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all prerequisites are met for joining devices to Microsoft Entra ID.
+Before beginning, refer to the [How to: Plan your Microsoft Entra join implementation](/azure/active-directory/devices/azureadjoin-plan) to make sure all requirements are met for joining devices to Microsoft Entra ID.
 
 ## Windows Autopilot user-driven Microsoft Entra join overview
 
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md
index f13778c7514..4c65a847938 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-autopilot-profile.md
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/28/2024
+ms.date: 09/13/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -103,7 +103,7 @@ Windows Autopilot user-driven Microsoft Entra hybrid join supports off-premises/
 
 For off-premises/Internet scenarios requiring VPN connectivity, the only change in the Autopilot profile would be in the setting **Skip AD connectivity check**. In the [Create and assign user-driven Microsoft Entra hybrid join Autopilot profile](#create-and-assign-user-driven-microsoft-entra-hybrid-join-autopilot-profile) section, the **Skip AD connectivity check** setting should be set to **Yes** instead of to **No**. Setting this option to **Yes** prevents the deployment from failing since there's no direct connectivity to Active Directory and domain controllers until the VPN connection is established.
 
-In addition to changing the **Skip AD connectivity check** setting to **Yes** in the Autopilot profile, VPN support also relies on the following prerequisites:
+In addition to changing the **Skip AD connectivity check** setting to **Yes** in the Autopilot profile, VPN support also relies on the following requirements:
 
 - The VPN solution can be deployed and installed with Intune.
 - The VPN solution needs to support one of the following options:
diff --git a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md
index 62dbc18b1bd..23be770a105 100644
--- a/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md
+++ b/autopilot/tutorial/user-driven/hybrid-azure-ad-join-workflow.md
@@ -7,7 +7,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 06/19/2024
+ms.date: 09/13/2024
 ms.topic: tutorial
 ms.collection:
 - tier1
@@ -28,7 +28,7 @@ This step by step tutorial guides through using Intune to perform a Windows Auto
 
 The purpose of this tutorial is a step by step guide for all the configuration steps required for a successful Autopilot user-driven Microsoft Entra hybrid join deployment using Intune. The tutorial is also designed as a walkthrough in a lab or testing scenario, but can be expanded for use in a production environment.
 
-Before beginning, refer to the [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) to make sure all prerequisites are met for joining on-premises AD devices to Microsoft Entra ID.
+Before beginning, refer to the [Plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) to make sure all requirements are met for joining on-premises AD devices to Microsoft Entra ID.
 
 ## Windows Autopilot user-driven Microsoft Entra hybrid join overview
 
diff --git a/autopilot/windows-autopilot-hybrid.md b/autopilot/windows-autopilot-hybrid.md
index 8f097b831b2..40d9e6ccf06 100644
--- a/autopilot/windows-autopilot-hybrid.md
+++ b/autopilot/windows-autopilot-hybrid.md
@@ -6,7 +6,7 @@ author: frankroj
 ms.author: frankroj
 manager: aaroncz
 ms.reviewer: jubaptis
-ms.date: 09/04/2024
+ms.date: 09/13/2024
 ms.topic: how-to
 ms.service: windows-client
 ms.subservice: autopilot
@@ -28,12 +28,12 @@ appliesto:
 
 Intune and Windows Autopilot can be used to set up Microsoft Entra hybrid joined devices. To do so, follow the steps in this article. For more information about Microsoft Entra hybrid join, see [Understanding Microsoft Entra hybrid join and co-management](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/understanding-hybrid-azure-ad-join-and-co-management/ba-p/2221201).
 
-## Prerequisites
+## Requirements
 
 - Successfully configured the [Microsoft Entra hybrid joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan). Be sure to [verify the device registration](/azure/active-directory/devices/howto-hybrid-join-verify) by using the [Get-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdevice) cmdlet.
 - If [Domain and OU-based filtering](/azure/active-directory/hybrid/how-to-connect-install-custom#domain-and-ou-filtering) is configured as part of Microsoft Entra Connect, ensure that the default organizational unit (OU) or container intended for the Autopilot devices is included in the sync scope.
 
-### Device enrollment prerequisites
+### Device enrollment requirements
 
 The device to be enrolled must follow these requirements:
 
@@ -47,7 +47,7 @@ The device to be enrolled must follow these requirements:
 
 Although not required, configuring Microsoft Entra hybrid join for Active Directory Federated Services (ADFS) enables a faster Windows Autopilot Microsoft Entra registration process during deployments. Federated customers that aren't supporting the use of passwords and using AD FS need to follow the steps in the article [Active Directory Federation Services prompt=login parameter support](/windows-server/identity/ad-fs/operations/ad-fs-prompt-login) to properly configure the authentication experience.
 
-### Intune connector server prerequisites
+### Intune connector server requirements
 
 - The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
 
@@ -126,7 +126,7 @@ The organizational unit that has the rights to create computers must match:
 
 ## Install the Intune Connector
 
-Before beginning the installation, make sure that all of the [Intune connector server prerequisites](#intune-connector-server-prerequisites) are met.
+Before beginning the installation, make sure that all of the [Intune connector server requirements](#intune-connector-server-requirements) are met.
 
 ### Install steps
 
diff --git a/autopilot/windows-autopilot-reset.md b/autopilot/windows-autopilot-reset.md
index a4c332f4405..f30f991d4a5 100644
--- a/autopilot/windows-autopilot-reset.md
+++ b/autopilot/windows-autopilot-reset.md
@@ -8,7 +8,7 @@ author: frankroj
 ms.author: frankroj
 ms.reviewer: jubaptis
 manager: aaroncz
-ms.date: 08/22/2024
+ms.date: 10/09/2024
 ms.collection:
 - M365-modern-desktop
 - highpri
@@ -38,7 +38,7 @@ The Windows Autopilot Reset process automatically keeps information from the exi
 - Microsoft Entra device membership and mobile device management (MDM) enrollment information.
 - Simple Certificate Enrollment Protocol (SCEP) certificates.
 
-Windows Autopilot Reset blocks the user from accessing the desktop until this information is restored, including reapplying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset also blocks until an MDM sync is completed. When Autopilot reset is used on a device, the device's primary user is removed. The next user who signs in after the reset will be set as the primary user.
+Windows Autopilot Reset blocks the user from accessing the desktop until this information is restored, including reapplying any provisioning packages. For devices enrolled in an MDM service, Windows Autopilot Reset also blocks until an MDM sync is completed.
 
 > [!NOTE]
>
@@ -119,11 +119,15 @@ On the device where the local Windows Autopilot reset is being performed:
 
 Once the local Autopilot Reset is triggered, the reset process starts. Once provisioning is complete, the device is again ready for use.
 
+> [!NOTE]
+>
+> When local Autopilot Reset is used on a device, the device's primary user and the Microsoft Entra device owner aren't updated. Admins can update them manually after the Autopilot Reset completes.
+
 ## Reset devices with remote Windows Autopilot Reset
 
 An MDM service such a Microsoft Intune can be used to start the remote Windows Autopilot reset process. Resetting in this way avoids the need for IT staff to visit each machine to start the process.
 
-To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Microsoft Entra ID. Additionally, for Intune, the Intune Service Administrator role is required for remote Windows Autopilot Reset. For more information, see [Add users and grant administrative permission to Intune](/intune/users-add).
+To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed and joined to Microsoft Entra ID. Additionally, for Intune, the Intune Service Administrator role is required for remote Windows Autopilot Reset. For more information, see [Add users and grant administrative permission to Intune](/mem/intune/fundamentals/users-add).
 
 ### Triggering a remote Windows Autopilot Reset
 
@@ -135,6 +139,10 @@ To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
 
 Once the reset is complete, the device is again ready for use.
 
+> [!NOTE]
+>
+> When remote Autopilot Reset is used on a device, the device's primary user and the Microsoft Entra device owner is removed. The next user who signs in after the reset will be set as the primary user and Microsoft Entra device owner. Shared devices will remain shared after the Autopilot Reset.
+
 ## Troubleshooting
 
 Windows Autopilot Reset requires that the [Windows Recovery Environment (WinRE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is correctly configured and enabled on the device. Before the Windows Autopilot Reset is started, it checks if WinRE is configured and enabled. If WinRE isn't configured and enabled, then the Windows Autopilot reset fails immediately on the device and an error such as `Error code: ERROR_NOT_SUPPORTED (0x80070032)` is reported in the logs.
diff --git a/memdocs/analytics/device-query.md b/memdocs/analytics/device-query.md
index 71074425429..c288c73daef 100644
--- a/memdocs/analytics/device-query.md
+++ b/memdocs/analytics/device-query.md
@@ -48,9 +48,6 @@ For a user to use Device query, you must assign the **Managed Devices** - **Quer
 
 To use Device query, devices must be Intune managed and corporate owned.
 
-> [!NOTE]
->
-> Device query is currently not supported in U.S. Government Community Cloud (GCC) High, or U.S. Department of Defense (DoD) environments.
 
 ## Supported platforms
 
diff --git a/memdocs/analytics/overview.md b/memdocs/analytics/overview.md
index bf1fae0b7e4..2a49553a890 100644
--- a/memdocs/analytics/overview.md
+++ b/memdocs/analytics/overview.md
@@ -45,7 +45,7 @@ You can enroll devices via Configuration Manager or Microsoft Intune.
 - Pro, Pro Education, Enterprise, or Education. Home and long-term servicing channel (LTSC) aren't supported.
 - Windows devices must be Microsoft Entra joined or Microsoft Entra hybrid joined. Workplace joined or Microsoft Entra registered devices aren't supported.
 - Network connectivity from devices to the Microsoft public cloud. For more information, see [endpoints](troubleshoot.md#bkmk_endpoints).
-- The [Intune Service Administrator role](/intune/fundamentals/role-based-access-control) is required to [start gathering data](enroll-intune.md#bkmk_onboard).
+- The [Intune Service Administrator role](/mem/intune/fundamentals/role-based-access-control) is required to [start gathering data](enroll-intune.md#bkmk_onboard).
 - After the administrator selects **Start** for gathering data, other read-only roles can view the data.
 
 ### How to enroll devices via Configuration Manager
diff --git a/memdocs/configmgr/apps/deploy-use/link-users-and-devices-with-user-device-affinity.md b/memdocs/configmgr/apps/deploy-use/link-users-and-devices-with-user-device-affinity.md
index 75c7318b729..b8a335fcc29 100644
--- a/memdocs/configmgr/apps/deploy-use/link-users-and-devices-with-user-device-affinity.md
+++ b/memdocs/configmgr/apps/deploy-use/link-users-and-devices-with-user-device-affinity.md
@@ -140,4 +140,4 @@ When you disable the client setting to **Automatically configure user device aff
 
 ## Next steps
 
-You can also use Microsoft Intune to find the primary use of an enrolled device. For more information, see [Find the primary user of an Intune device](/intune/find-primary-user) in the Intune documentation.
+You can also use Microsoft Intune to find the primary use of an enrolled device. For more information, see [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user) in the Intune documentation.
diff --git a/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md b/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md
index 898039c0d9d..fe05e7e7a5a 100644
--- a/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md
+++ b/memdocs/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business.md
@@ -29,7 +29,7 @@ The Microsoft Store for Business and Education supports two types of app:
 
 - **Offline**: This type lets you cache apps and licenses to deploy directly within your on-premises network. Devices don't need to connect to the store or have a connection to the internet.
 
-For more information, see the [Microsoft Store for Business and Education overview](/microsoft-store/microsoft-store-for-business-overview).
+For more information, see the [Microsoft Store for Business and Education overview](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business).
 
 ### Summary of capabilities
 
@@ -64,7 +64,7 @@ Before deploying Microsoft Store for Business and Education apps to devices that
 
 - When the local Administrator account signs in on the device, it can't access Microsoft Store for Business and Education apps.
 
-- Devices need a live internet connection to the Microsoft Store for Business and Education. For more information including proxy configuration, see [Prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business).
+- Devices need a live internet connection to the Microsoft Store for Business and Education. For more information including proxy configuration, see [Prerequisites](/mem/intune/apps/store-apps-microsoft).
 
 ## Set up synchronization
 
@@ -72,13 +72,13 @@ When you synchronize the list of Microsoft Store for Business and Education apps
 
 Connect your Configuration Manager site to Microsoft Entra ID and the Microsoft Store for Business and Education. For more information and details of this process, see [Configure Azure services](../../core/servers/deploy/configure/azure-services-wizard.md). Create a connection to the **Microsoft Store for Business** service.
 
-Make sure the service connection point and targeted devices can access the cloud service. For more information, see [Prerequisites for Microsoft Store for Business and Education - Proxy configuration](/microsoft-store/prerequisites-microsoft-store-for-business#proxy-configuration).
+Make sure the service connection point and targeted devices can access the cloud service. For more information, see [Prerequisites for Microsoft Store for Business and Education - Proxy configuration](/mem/intune/apps/store-apps-microsoft).
 
 ### Supplemental information and configuration
 
 On the **App** page of the Azure Services Wizard, first configure the **Azure environment** and **Web app**. Then read the **More Information** section at the bottom of the page. This information includes the following other actions in the Microsoft Store for Business and Education portal:
 
-- Configure Configuration Manager as the store management tool. For more information, see [Configure management provider](/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
+- Configure Configuration Manager as the store management tool. For more information, see [Configure management provider](/windows/client-management/azure-active-directory-integration-with-mdm).
 
 - Enable support for offline licensed apps. For more information, see [Distribute offline apps](/microsoft-store/distribute-offline-apps).
 
diff --git a/memdocs/configmgr/comanage/autopilot-enrollment.md b/memdocs/configmgr/comanage/autopilot-enrollment.md
index 37bcd03bce7..f8b1cd070a8 100644
--- a/memdocs/configmgr/comanage/autopilot-enrollment.md
+++ b/memdocs/configmgr/comanage/autopilot-enrollment.md
@@ -9,7 +9,7 @@ ms.topic: how-to
 ms.localizationpriority: medium
 author: gowdhamankarthikeyan
 ms.author: gokarthi
-ms.reviewer: mstewart,aaroncz
+ms.reviewer: mstewart,aaroncz,frankroj
 manager: apoorvseth
 ms.collection: tier3
 ---
@@ -83,12 +83,16 @@ The following components are required to support Autopilot into co-management:
 
 - Windows devices running one of the following versions:
 
- - Windows 11
+ - Windows 11
 
-> [!NOTE]
- > For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, you must create a co-management settings policy and set **automatically install the Configuration Manager client** to **No** and in Advanced settings, keep default settings for **Override co-management policy and use Intune for all workloads.**
+ For Windows 11 devices, if a device has not been targeted with a co-management settings policy, the management authority will be set to Microsoft Intune during the Autopilot process. Installing the Configuration Manager client as Win32 app doesn't change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads. To set the management authority to Configuration Manager, create a co-management settings policy with the following Advanced settings:
+
+ - **Automatically install the Configuration Manager client.**: **No**
+ - **Override co-management policy and use Intune for all workloads.**: **No**
+
+ For additional information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500).
 
- - At least Windows 10, version 20H2, with the latest cumulative update
+ - A [currently supported](/windows/release-health/supported-versions-windows-client#windows-10-supported-versions-by-servicing-option) version of Windows 10.
 
 - Register the device for Autopilot. For more information, see [Windows Autopilot registration overview](/autopilot/registration-overview).
 
@@ -127,19 +131,27 @@ Use these recommendations for a more successful deployment:
 
 ## Limitations
 
-Autopilot into co-management currently doesn't support the following functionality:
+- [Windows Autopilot device preparation](/autopilot/device-preparation/overview) policy doesn't support Autopilot into co-management. As a result, attempting to install co-management during the device preparation flow might result in failed deployments.
+
+ - For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Microsoft Intune during the Windows Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and Microsoft Intune will continue to manage all the co-management workloads.
 
-- Microsoft Entra hybrid joined devices - If the device is targeted with co-management settings policy, in Microsoft Entra hybrid join scenario, the autopilot provisioning times out during ESP phase.
+ To change the management authority to Configuration Manager, set the following registry key value:
+
+ - Path: **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server**
+ - Value: **ConfigInfo**
+ - REG_SZ: **2**
+
+ For more information, see [Co-management settings: Windows Autopilot with co-management](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/co-management-settings-windows-autopilot-with-co-management/ba-p/3638500).
 
-> [!NOTE]
->
-> For Windows 11 devices in Microsoft Entra hybrid joined scenario, the management authority will be set to Intune, during the Autopilot process. Installing Configuration Manager client as Win32 app does not change management authority to Configuration Manager and thus Intune will continue to manage all the co-management workloads. To mitigate this, along with Configuration Manager client installation, registry value **ConfigInfo** in registry path **HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP\Provider\MS DM Server** must be set to **2** which will set the management authority as Configuration Manager.
+- Autopilot into co-management currently doesn't support the following functionality:
+
+ - Microsoft Entra hybrid joined devices - If the device is targeted with co-management settings policy, in Microsoft Entra hybrid join scenario, the autopilot provisioning times out during ESP phase.
 
-- Autopilot pre-provisioning.
+ - Autopilot pre-provisioning.
 
-- Workloads switched to **Pilot Intune** with pilot collections. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors.
+ - Workloads switched to **Pilot Intune** with pilot collections. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors.
 
-- Clients that authenticate with PKI certificates. You can't provision the certificate on the device before the Configuration Manager client installs and needs to authenticate to the CMG. Microsoft Entra ID is recommended for client authentication. For more information, see [Plan for CMG client authentication: Microsoft Entra ID](../core/clients/manage/cmg/plan-client-authentication.md#azure-ad).
+ - Clients that authenticate with PKI certificates. You can't provision the certificate on the device before the Configuration Manager client installs and needs to authenticate to the CMG. Microsoft Entra ID is recommended for client authentication. For more information, see [Plan for CMG client authentication: Microsoft Entra ID](../core/clients/manage/cmg/plan-client-authentication.md#azure-ad).
 
 ## Configure
 
diff --git a/memdocs/configmgr/comanage/company-portal.md b/memdocs/configmgr/comanage/company-portal.md
index 1009028794b..ee7cd4cfd49 100644
--- a/memdocs/configmgr/comanage/company-portal.md
+++ b/memdocs/configmgr/comanage/company-portal.md
@@ -83,7 +83,7 @@ For more information on client settings, see the following articles:
 
 - To require the app on co-managed devices, the deployment process depends upon the state of the [Client apps](workloads.md#client-apps) co-management workload:
 
- - If the client apps workload is with Configuration Manager, [create and deploy an application with Configuration Manager](../apps/get-started/create-and-deploy-an-application.md). Download the offline Company Portal app from the [Microsoft Store for Business](https://www.microsoft.com/business-store).
+ - If the client apps workload is with Configuration Manager, [create and deploy an application with Configuration Manager](../apps/get-started/create-and-deploy-an-application.md).
 
 - If the client apps workload is with Intune, you can deploy it via Configuration Manager or [add the Company Portal app by using Microsoft Intune](../../intune/apps/store-apps-company-portal-app.md).
 
diff --git a/memdocs/configmgr/comanage/how-to-monitor.md b/memdocs/configmgr/comanage/how-to-monitor.md
index 0f9d1e3d73a..a05fb2ac81b 100644
--- a/memdocs/configmgr/comanage/how-to-monitor.md
+++ b/memdocs/configmgr/comanage/how-to-monitor.md
@@ -93,8 +93,8 @@ There are hundreds of possible errors. The following table lists the most common
 
 | Error | Description |
 |---------|---------|
-| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Microsoft Entra ID, or the enrollment URL isn't expected.

[Enable automatic enrollment](/intune/windows-enroll#enable-windows-automatic-enrollment) |
-| 2149056536 (0x80180018)
MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment

[Assign licenses to users](/intune/licenses-assign) |
+| 2147549183 (0x8000FFFF) | MDM enrollment hasn't been configured yet on Microsoft Entra ID, or the enrollment URL isn't expected.

[Enable automatic enrollment](/mem/intune/enrollment/windows-enroll#enable-windows-automatic-enrollment) |
+| 2149056536 (0x80180018)
MENROLL_E_USERLICENSE | License of user is in bad state blocking enrollment

[Assign licenses to users](/mem/intune/fundamentals/licenses-assign) |
 | 2149056555 (0x8018002B)
MENROLL_E_MDM_NOT_CONFIGURED | When trying to automatically enroll to Intune, but the Microsoft Entra configuration isn't fully applied. This issue should be transient, as the device retries after a short time. | | 2149056554 (0x‭8018002A‬)
  | The user canceled the operation

If MDM enrollment requires multi-factor authentication, and the user hasn't signed in with a supported second factor, Windows displays a toast notification to the user to enroll. If the user doesn't respond to toast notification, this error occurs. This issue should be transient, as Configuration Manager will retry and prompt the user. Users should use multi-factor authentication when they sign in to Windows. Also educate them to expect this behavior, and if prompted, take action. |
 | 2149056532 (0x80180014)
MENROLL_E_DEVICENOTSUPPORTED | Mobile device management isn't supported. Check device restrictions. | diff --git a/memdocs/configmgr/comanage/tutorial-co-manage-clients.md b/memdocs/configmgr/comanage/tutorial-co-manage-clients.md index 7a4c3e8cd52..bfc44265277 100644 --- a/memdocs/configmgr/comanage/tutorial-co-manage-clients.md +++ b/memdocs/configmgr/comanage/tutorial-co-manage-clients.md @@ -2,7 +2,7 @@ title: Tutorial: Enable co-management for existing clients titleSuffix: Configuration Manager description: Configure co-management with Microsoft Intune when you already manage Windows devices with Configuration Manager. -ms.date: 03/21/2022 +ms.date: 10/18/2024 ms.subservice: co-management ms.service: configuration-manager ms.topic: tutorial diff --git a/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md b/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md index f47a5af6545..e7eb3ae1dd2 100644 --- a/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md +++ b/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md @@ -115,7 +115,7 @@ When `User1` uses `Device2`, only `Configuration Baseline 2` gets evaluated when ### Create and deploy a compliance policy with a rule for baseline compliance policy assessment -1. In the **Assets and Compliance** workspace, expand **Compliance Settings**, then select the **Compliance Polices** node. +1. In the **Assets and Compliance** workspace, expand **Compliance Settings**, then select the **Compliance Policies** node. 1. Click **Create Compliance Policy** in the ribbon to bring up the **Create Compliance Policy Wizard**. 1. On the **General** page, select **Compliance rules for devices managed with the Configuration Manager client**. - Devices must be managed with the Configuration Manager client to include custom configuration baselines as part of compliance policy assessment. 
@@ -126,7 +126,7 @@ When `User1` uses `Device2`, only `Configuration Baseline 2` gets evaluated when 1. Click **OK**, then **Next** to get to the **Summary** page. 1. Verify your selections and click **Next** then **Close**. -1. In the **Compliance Polices** node, right-click on the policy you created, and select **Deploy**. +1. In the **Compliance Policies** node, right-click on the policy you created, and select **Deploy**. 1. Choose your collection, alert generation settings, and your compliance evaluation schedule for the policy. 1. Click **OK** to deploy the compliance policy. diff --git a/memdocs/configmgr/compliance/deploy-use/upgrade-windows-version.md b/memdocs/configmgr/compliance/deploy-use/upgrade-windows-version.md index 100d34eeeca..a278c47cd5e 100644 --- a/memdocs/configmgr/compliance/deploy-use/upgrade-windows-version.md +++ b/memdocs/configmgr/compliance/deploy-use/upgrade-windows-version.md @@ -102,4 +102,4 @@ If the following error appears in **DcmWmiProvider.log** on the client, check th - [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades) -- [Upgrade Windows 10 editions or switch out of S mode on devices using Microsoft Intune](/intune/edition-upgrade-configure-windows-10) +- [Upgrade Windows 10 editions or switch out of S mode on devices using Microsoft Intune](/mem/intune/configuration/edition-upgrade-configure-windows-10) diff --git a/memdocs/configmgr/core/clients/deploy/plan/client-installation-methods.md b/memdocs/configmgr/core/clients/deploy/plan/client-installation-methods.md index 2a015382e60..007f17f5d9c 100644 --- a/memdocs/configmgr/core/clients/deploy/plan/client-installation-methods.md +++ b/memdocs/configmgr/core/clients/deploy/plan/client-installation-methods.md 
@@ -2,7 +2,7 @@ title: Client installation methods titleSuffix: Configuration Manager description: Learn about the methods of installing the Configuration Manager client. -ms.date: 10/01/2021 +ms.date: 10/18/2024 ms.subservice: client-mgt ms.service: configuration-manager ms.topic: conceptual diff --git a/memdocs/configmgr/core/clients/manage/upgrade-readiness.md b/memdocs/configmgr/core/clients/manage/upgrade-readiness.md index 7eb9e4fa05c..73df06bf2ed 100644 --- a/memdocs/configmgr/core/clients/manage/upgrade-readiness.md +++ b/memdocs/configmgr/core/clients/manage/upgrade-readiness.md @@ -52,7 +52,7 @@ If you don't want your devices to continue sending diagnostic data: Set these values using one of the following methods: - Group policy, in **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** -- Mobile device management (MDM), such as [Microsoft Intune](/intune/device-restrictions-windows-10#reporting-and-telemetry) +- Mobile device management (MDM), such as [Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#reporting-and-telemetry) For more information, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). diff --git a/memdocs/configmgr/core/get-started/2019/includes/1910/3608345.md b/memdocs/configmgr/core/get-started/2019/includes/1910/3608345.md index c9c8d39955a..726485c018b 100644 --- a/memdocs/configmgr/core/get-started/2019/includes/1910/3608345.md +++ b/memdocs/configmgr/core/get-started/2019/includes/1910/3608345.md 
@@ -47,11 +47,11 @@ Try to complete the tasks. Then send [Feedback](../../../../understand/product-f #### Prerequisites when the devices are co-managed - Make sure the [Compliance policies workload](../../../../../comanage/workloads.md#compliance-policies) is moved to either Pilot or Intune. -- From Intune's Windows 10 compliance policy, make sure that **Require** is set for [**Configuration Manager Compliance**](/intune/protect/compliance-policy-create-windows#configuration-manager-compliance). +- From Intune's Windows 10 compliance policy, make sure that **Require** is set for [**Configuration Manager Compliance**](/mem/intune/protect/compliance-policy-create-windows#configuration-manager-compliance). #### Create and deploy a compliance policy with a rule for baseline compliance policy assessment -1. In the **Assets and Compliance** workspace, expand **Compliance Settings**, then select the **Compliance Polices** node. +1. In the **Assets and Compliance** workspace, expand **Compliance Settings**, then select the **Compliance Policies** node. 1. Click **Create Compliance Policy** in the ribbon to bring up the **Create Compliance Policy Wizard**. 1. On the **General** page, select **Compliance rules for devices managed with the Configuration Manager client**. - Devices must be managed with the Configuration Manager client to include custom configuration baselines as part of compliance policy assessment. 
@@ -62,7 +62,7 @@ Try to complete the tasks. Then send [Feedback](../../../../understand/product-f 1. Click **OK**, then **Next** to get to the **Summary** page. 1. Verify your selections and click **Next** then **Close**. -1. In the **Compliance Polices** node, right-click on the policy you created, and select **Deploy**. +1. In the **Compliance Policies** node, right-click on the policy you created, and select **Deploy**. 1. Choose your collection, alert generation settings, and your compliance evaluation schedule for the policy. 1. Click **OK** to deploy the compliance policy. diff --git a/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md b/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md index 0c266983e01..a91f7004d4e 100644 --- a/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md +++ b/memdocs/configmgr/core/get-started/2019/includes/1911/4960084.md @@ -24,7 +24,7 @@ The following Microsoft management solutions are all now part of the **Microsoft - [Configuration Manager](/configmgr) - [Intune](/mem/intune/fundamentals/account-sign-up) - [Desktop Analytics](../../../../../desktop-analytics/overview.md) -- [Autopilot](/intune/enrollment/enrollment-autopilot) +- [Autopilot](/autopilot/enrollment-autopilot) - Other features in the [Device Management Admin Console](https://techcommunity.microsoft.com/t5/enterprise-mobility-security/microsoft-intune-rolls-out-an-improved-streamlined-endpoint/ba-p/937760) For more information, see the following posts from Brad Anderson, Microsoft corporate vice president for Microsoft 365: diff --git a/memdocs/configmgr/core/get-started/2019/includes/1911/5032900.md b/memdocs/configmgr/core/get-started/2019/includes/1911/5032900.md index 013110bd594..75387712f8b 100644 --- a/memdocs/configmgr/core/get-started/2019/includes/1911/5032900.md +++ b/memdocs/configmgr/core/get-started/2019/includes/1911/5032900.md 
@@ -56,7 +56,7 @@ When you enable Microsoft Connected Cache on your Configuration Manager distribu - This feature only supports the Intune Win32 app type. - - Create and assign (deploy) a new app in Intune for this purpose. (Apps created before Intune version 1811 don't work.) For more information, see [Intune Win32 app management](/intune/apps/apps-win32-app-management). + - Create and assign (deploy) a new app in Intune for this purpose. (Apps created before Intune version 1811 don't work.) For more information, see [Intune Win32 app management](/mem/intune/apps/apps-win32-app-management). - The app needs to be at least 100 MB in size. diff --git a/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md b/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md index f32a6bb64c2..6214a4a8f95 100644 --- a/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md +++ b/memdocs/configmgr/core/get-started/2020/includes/2001/3721603.md @@ -19,7 +19,7 @@ Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Repor - Power BI Report Server license. For more information, see [Licensing Power BI Report Server](/power-bi/report-server/get-started#licensing-power-bi-report-server). -- Download [Microsoft Power BI Report Server-September 2019](https://www.microsoft.com/download/details.aspx?id=57270). +- Download [Microsoft Power BI Report Server-September 2024](https://www.microsoft.com/download/details.aspx?id=105945). - Download [Microsoft Power BI Desktop (Optimized for Power BI Report Server - September 2019)](https://www.microsoft.com/download/details.aspx?id=58494). diff --git a/memdocs/configmgr/core/get-started/2020/includes/2010/7752243.md b/memdocs/configmgr/core/get-started/2020/includes/2010/7752243.md index 8ac75c4ca11..fae4c202b12 100644 --- a/memdocs/configmgr/core/get-started/2020/includes/2010/7752243.md +++ b/memdocs/configmgr/core/get-started/2020/includes/2010/7752243.md 
@@ -34,6 +34,6 @@ Try to complete the tasks. Then send [Feedback](../../technical-preview-2003.md# 1. Select **OK** to deploy the policy. > [!Tip] -> Create new policies to target Windows Server operating systems. Existing Windows Defender Application Control polices won't work with Windows Server operating systems. +> Create new policies to target Windows Server operating systems. Existing Windows Defender Application Control policies won't work with Windows Server operating systems. diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md index 85dfae9bfc4..eb0ad42ba58 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1604.md @@ -23,7 +23,7 @@ This article introduces the features that are available in the Technical Preview The following are new features you can try out with this version. ## Manage volume-purchased apps from the Windows Store for Business - The [Windows Store for Business](https://www.microsoft.com/business-store) is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example: + The Windows Store for Business is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example: - You can synchronize the list of purchased apps with Configuration Manager 
@@ -35,7 +35,7 @@ This article introduces the features that are available in the Technical Preview ##### Scenario 1: Set up Windows Store for Business synchronization -1. In Microsoft Entra ID, register Configuration Manager as a "Web Application and/or Web API" management tool. This will give you a client ID that you will need later. +1. In Microsoft Entra ID, register Configuration Manager as a "Web Application and/or Web API" management tool. This will give you a client ID that you'll need later. 1. In the **Active Directory** node of [https://portal.azure.com](https://portal.azure.com), select your Microsoft Entra ID, then click **Applications** > **Add**. @@ -43,7 +43,7 @@ This article introduces the features that are available in the Technical Preview 3. Enter a name for the application, select **Web application** and/or **Web API**, then click the Next arrow. - 4. Enter the same URL for both the **Sign-on URL** and **App ID URI**. The URL can be anything and does not need to resolve to a real address. For example, you can enter **https://<yourdomain\>/sccm**. + 4. Enter the same URL for both the **Sign-on URL** and **App ID URI**. The URL can be anything and doesn't need to resolve to a real address. For example, you can enter **https://<yourdomain\>/sccm**. 5. Complete the wizard. 
@@ -51,11 +51,11 @@ This article introduces the features that are available in the Technical Preview 1. Highlight the application you just created and click **Configure**. - 2. Under **Keys**, select a duration from the list, and click **Save**. This will create a new client key. Do not navigate away from this page until you have successfully onboarded Windows Store for Business to Configuration Manager. + 2. Under **Keys**, select a duration from the list, and click **Save**. This will create a new client key. Don't navigate away from this page until you have successfully onboarded Windows Store for Business to Configuration Manager. 3. In the Windows Store for Business, configure Configuration Manager as the store management tool. - 1. Open [https://businessstore.microsoft.com/en-us/managementtools](https://businessstore.microsoft.com/en-us/managementtools) and sign-in if prompted. + 1. Open Windows Store for Business and sign-in if prompted. 2. Accept the terms of use if required. @@ -73,9 +73,9 @@ This article introduces the features that are available in the Technical Preview 6. On the **Home** tab, in the **Create** group, click **Add Windows Store for Business Account**. -7. Add your tenant ID, client id, and client key from Microsoft Entra ID, then complete the wizard. +7. Add your tenant ID, client ID, and client key from Microsoft Entra ID, then complete the wizard. -8. Once you are done, you will see the account you configured in the **Windows Store for Business Accounts** list in the Configuration Manager console. +8. Once you're done, you'll see the account you configured in the **Windows Store for Business Accounts** list in the Configuration Manager console. ##### Scenario 2: Create and deploy a Configuration Manager application from a Windows Store for Business offline licensed app 
@@ -103,7 +103,7 @@ This article introduces the features that are available in the Technical Preview ## Client settings to manage Client Cache Settings and client Peer Cache Technical preview version 1604 introduces two new device client settings that affect the use of a client's cache. Both can be used individually but are configured on the same property sheet for client settings and combine to help you manage deployment of content to your clients in remote locations. -- First is **client Peer Cache**, a built-in Configuration Manager solution for clients to share content with other clients directly from their local cache. For Peer Cache clients to share content, they must be members of the same boundary group. Peer Cache does not replace the use of other solutions like BracnchCache but instead works side-by-side to give you more options to extend traditional content deployment solutions like distribution points. +- First is **client Peer Cache**, a built-in Configuration Manager solution for clients to share content with other clients directly from their local cache. For Peer Cache clients to share content, they must be members of the same boundary group. Peer Cache doesn't replace the use of other solutions like BracnchCache but instead works side-by-side to give you more options to extend traditional content deployment solutions like distribution points. After you deploy client settings that enable Peer Cache to a collection, members of that collection can act as a peer content source for other clients in its boundary group. The client that operates as a peer content source will submit a list of available content it has cached to its management point. Then, when the next client in that boundary group requests that content, the peer cache source is offered as a potential content source along with all distribution points that are configured to be fast. The client selects a random content source from this combined pool of content sources. 
Clients will only seek content from a distribution point that is configured to be slow when no fast distribution points or peer cache sources are present in the boundary group. @@ -116,7 +116,7 @@ To help you understand the use of client Peer Cache, you can view the **Client D - You must configure your site with a **Network Access Account** that has **Full Control** to the cache folder on each client. By default, this is **%windir%\ccmcache** -- Clients can only transfer content using Peer Cache when they are members of the same boundary group. +- Clients can only transfer content using Peer Cache when they're members of the same boundary group. #### To configure Client Peer Cache client settings @@ -142,9 +142,9 @@ To help you understand the use of client Peer Cache, you can view the **Client D ## Support for Passport for Work as a KSP Configuration Manager lets you integrate with Microsoft Passport for Work which is an alternative sign-in method that uses Active Directory, or a Microsoft Entra account to replace a password, smart card, or virtual smart card. -Passport lets you use a user gesture to login, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader. +Passport lets you use a user gesture to log in, instead of a password. A user gesture might be a simple PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader. -- You can use Configuration Manager to control which gestures users can and cannot use to login, and to configure PIN complexity requirements. +- You can use Configuration Manager to control which gestures users can and can't use to log in, and to configure PIN complexity requirements. - You can store authentication certificates in the Passport for Work key storage provider (KSP). 
@@ -162,4 +162,4 @@ When a user creates a Passport PIN, Windows sends a notification which Configura To try it out, configure on-premises Health Attestation Service using client agent settings. ## SmartLock setting for Android devices - A new setting, **Allow SmartLock and other trust agents** has been added to the **Android and Samsung KNOX** configuration item that lets you control the SmartLock feature on compatible Android devices. This phone capability, sometimes known as trust agents lets you disable or bypass the device lock screen password if the device is in a trusted location such as when it is connected to a specific Bluetooth device, or when it is near to an NFC tag. You can use this setting to prevent end users from configuring SmartLock. + A new setting, **Allow SmartLock and other trust agents** has been added to the **Android and Samsung KNOX** configuration item that lets you control the SmartLock feature on compatible Android devices. This phone capability, sometimes known as trust agents lets you disable or bypass the device lock screen password if the device is in a trusted location such as when it's connected to a specific Bluetooth device, or when it's near to an NFC tag. You can use this setting to prevent end users from configuring SmartLock. diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md index ae2b899814a..5288d9918e5 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1605.md 
@@ -48,7 +48,7 @@ This article introduces the features that are available in the Technical Preview The Prepare ConfigMgr Client step will now completely remove the Configuration Manager client, instead of only removing key information. When the task sequence deploys the captured operating system image it will install a new Configuration Manager client each time. ## Grace period for required application deployments - In some cases, you might want give users more time to install required application deployments beyond any deadlines you configured. For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed. However, they can still immediately install the application at any time they want. + In some cases, you might want to give users more time to install required application deployments beyond any deadlines you configured. For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed. However, they can still immediately install the application at any time they want. To help solve this problem, you can now define a **grace period** by deploying Configuration Manager client settings to a collection. 
@@ -79,7 +79,7 @@ Common actions such as **Retire/Wipe**, **Reset Passcode**, **Remote Lock**, and - On the main page of the **Devices** node (not all columns might be visible by default). ## Windows Store for Business apps - The [Windows Store for Business](https://www.microsoft.com/business-store) is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example: + The Windows Store for Business is where you can find and purchase apps for your organization, individually or in volume. By connecting the store to Configuration Manager, you can manage volume-purchased apps from the Configuration Manager console, for example: - You can synchronize the list of purchased apps with Configuration Manager @@ -111,7 +111,7 @@ Common actions such as **Retire/Wipe**, **Reset Passcode**, **Remote Lock**, and 3. In the Windows Store for Business, configure Configuration Manager as the store management tool. - 1. Open [https://businessstore.microsoft.com](https://businessstore.microsoft.com/) and sign-in if prompted. + 1. Open Windows Store for Business and sign-in if prompted. 2. Accept the terms of use if necessary. diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md index ee3fcbdb05c..95b83dddb66 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1606.md 
@@ -57,7 +57,7 @@ When you associate a collection with a device category, all devices in the categ ## Enforcement grace period for required application and software update deployments -In some cases, you might want give users more time to install required application deployments or software updates beyond any deadlines you configured. This might typically be required when a computer has been turned off for an extended period of time and needs to install a large number of application or update deployments. +In some cases, you might want to give users more time to install required application deployments or software updates beyond any deadlines you configured. This might typically be required when a computer has been turned off for an extended period of time and needs to install a large number of application or update deployments. For example, if an end user has just returned from vacation, they might have to wait for a long while as overdue application deployments are installed. To help solve this problem, you can now define an enforcement grace period by deploying Configuration Manager client settings to a collection. 
@@ -76,7 +76,7 @@ Similar options have been added to the software updates deployment wizard, autom Device Guard is a Windows 10 feature that uses hardware and software features to strictly control what is allowed to run on the device. -For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control). +For more information, see [Introduction to Device Guard](/windows-server/security/security-and-assurance). In this release, Configuration Manager can interoperate with Device Guard and [Windows AppLocker](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd723678(v=ws.10)) so that executable and DLL files that are deployed with Configuration Manager are automatically trusted as they come from a Managed Installer, meaning that they will be allowed to run on the target device and other software will not be allowed to run unless explicitly allowed to run by other AppLocker rules. 
@@ -91,12 +91,12 @@ Like all AppLocker policies, policies with Managed Installer rules can run in tw For more information, see the following articles: -- [Device Guard introduction](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) +- [Device Guard introduction](/windows-server/security/security-and-assurance) - [Planning and getting started on the Windows Defender Application Control deployment process](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) ## Multiple device management points for On-premises Mobile Device Management - With Technical Preview 1606, On\-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fallback to another device management point when the one it normal uses is not available. This capability only works for PCs with Windows 10 Anniversary Update installed. + With Technical Preview 1606, On\-premises Mobile Device Management (MDM) supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point when the one it normal uses is not available. This capability only works for PCs with Windows 10 Anniversary Update installed. ### Try it out! 
@@ -150,7 +150,7 @@ You can create a custom SSL certificate for Cloud Proxy Service in the same way #### Export the client certificate's root -The easiest way to get export the root of the client certificates used on the network, is to open a client certificate on one of the domain-joined machines that has one and copy it. +The easiest way to get export the root of the client certificates used on the network is to open a client certificate on one of the domain-joined machines that has one and copy it. >[!NOTE] >Client certificates are required on any computer you want to manage with Cloud Proxy Service and on the site system server hosting the cloud proxy connector point. If you need to add a client certificate to any of these machines, see [Deploying the Client Certificate for Windows Computers](../plan-design/network/example-deployment-of-pki-certificates.md#BKMK_clouddp2008_cm2012). @@ -257,4 +257,4 @@ With Technical Preview 1606 several changes have been introduced that apply to U - **Renamed option for pre-production:** - In the Updates and Servicing node, the button what was named **Client options** is now renamed to **Promote Pre-production Client**. \ No newline at end of file + In the Updates and Servicing node, the button what was named **Client options** is now renamed to **Promote Pre-production Client**. diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md index 6811f8770a6..73875c80b30 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md 
@@ -106,25 +106,25 @@ The following are general prerequisites for you to enable co-management: After you enable co-management, Configuration Manager continues to manage all workloads. When you decide that you are ready, you can have Intune start managing available workloads. In this release, you can have Intune manage the following workloads. #### Compliance policies -Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access polices. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access. +Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access. #### Windows Update for Business policies Windows Update for Business policies let you configure deferral policies for Windows 10 feature updates or quality updates for Windows 10 devices managed directly by Windows Update for Business. For details, see [Configure Windows Update for Business deferral policies](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10#configure-windows-update-for-business-deferral-policies). 
### Remote actions available in Intune on Azure for co-managed devices When a Windows 10 device is enabled for co-management, you have the following remote actions available to you from Intune on Azure: -- [Factory reset](/intune/devices-wipe#wipe) -- [Selective wipe](/intune/apps-selective-wipe) -- [Delete devices](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) -- [Restart device](/intune/device-restart) -- [Fresh start](/intune/device-fresh-start) +- [Factory reset](/mem/intune/remote-actions/devices-wipe#wipe) +- [Selective wipe](/mem/intune/apps/apps-selective-wipe) +- [Delete devices](/mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal) +- [Restart device](/mem/intune/remote-actions/device-restart) +- [Fresh start](/mem/intune/remote-actions/device-fresh-start) ### Prepare Intune for co-management Before you switch workloads from Configuration Manager to Intune, create the profiles and policies you need in Intune to ensure your devices continue to be protected. You can create objects in Intune based on the objects that you have in Configuration Manager. Or, if your current strategy is based on legacy or traditional management, you might want to take a step back to rethink what policies and profiles you need for modern management. Use the following resources to create the policies and profiles. - -- [Windows Update for Business policies](/intune/windows-update-for-business-configure) -- [Device configuration profiles](/intune/device-profile-create) + +- [Windows Update for Business policies](/mem/intune/protect/windows-update-for-business-configure) +- [Device configuration profiles](/mem/intune/configuration/device-profile-create) ### Architectural overview for co-management The following diagram provides an architectural overview of co-management and how it fits into existing Configuration and Intune infrastructures. 
@@ -182,16 +182,16 @@ ccmsetup.msi CCMSETUPCMD="/mp:https://contoso.cloudapp.net/CCM_Proxy_MutualA
 #### New Windows 10 devices
 For new Windows 10 devices, you can use the Autopilot service to configure the out of box experience, which includes joining the device to AD and Microsoft Entra ID, as well as enrolling the device in Intune. Then, create an app in Intune to deploy the Configuration Manager client.
 1. Enable Autopilot for the new Windows 10 devices. For details, see [Overview of Windows Autopilot](/windows/deployment/windows-10-auto-pilot).
-2. Configure automatic enrollment in Microsoft Entra ID for your devices to be automatically enrolled into Intune. For details, see [Enroll Windows devices for Microsoft Intune](/intune/windows-enroll).
+2. Configure automatic enrollment in Microsoft Entra ID for your devices to be automatically enrolled into Intune. For details, see [Enroll Windows devices for Microsoft Intune](/mem/intune/enrollment/windows-enroll).
 3. Create an app in Intune with the Configuration Manager client package and deploy the app to Windows 10 devices that you want to co-manage. Use the [command line to install Configuration Manager client](#command-line-to-install-configuration-manager-client) when you go through the steps to [install clients from the internet using Microsoft Entra ID](/sccm/core/clients/deploy/deploy-clients-cmg-azure).
 #### Windows 10 devices not enrolled in Intune or a Configuration Manager client
 For Windows 10 devices that are not enrolled in Intune or have the Configuration Manager client, you can use automatic enrollment to enroll the device in Intune. Then, create an app in Intune to deploy the Configuration Manager client.
-1. Configure automatic enrollment in Microsoft Entra ID for your devices to be automatically enrolled into Intune. For details, see [Enroll Windows devices for Microsoft Intune](/intune/windows-enroll).
+1. 
Configure automatic enrollment in Microsoft Entra ID for your devices to be automatically enrolled into Intune. For details, see [Enroll Windows devices for Microsoft Intune](/mem/intune/enrollment/windows-enroll).
 2. Create an app in Intune with the Configuration Manager client package and deploy the app to Windows 10 devices that you want to co-manage. Use the [command line to install Configuration Manager client](#command-line-to-install-configuration-manager-client) when you go through the steps to [install clients from the internet using Microsoft Entra ID](/sccm/core/clients/deploy/deploy-clients-cmg-azure).
 #### Windows 10 devices enrolled in Intune
-For Windows 10 devices that are already enrolled in Intune, create an app in Intune to deploy the Configuration Manager client. Use the [command line to install Configuration Manager client](#command-line-to-install-configuration-manager-client) when you go through the steps to [install clients from the internet using Microsoft Entra ID](/sccm/core/clients/deploy/deploy-clients-cmg-azure).
+For Windows 10 devices that are already enrolled in Intune, create an app in Intune to deploy the Configuration Manager client. Use the [command line to install Configuration Manager client](#command-line-to-install-configuration-manager-client) when you go through the steps to [install clients from the internet using Microsoft Entra ID](/configmgr/core/clients/deploy/deploy-clients-cmg-azure).
 ### Switch Configuration Manager workloads to Intune
 In the previous section, you prepared Windows 10 devices for co-management. These devices are now joined to AD and Microsoft Entra ID, and they are enrolled in Intune and have the Configuration Manager client. You likely still have Windows 10 devices that are joined to AD and have the Configuration Manager client, but not joined to Microsoft Entra ID or enrolled in Intune.
The following procedure provides the steps to enable co-management, prepare the rest of your Windows 10 devices (Configuration Manager clients without Intune enrollment) for co-management, and allows you to start switching specific Configuration Manager workloads to Intune.
diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1805.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1805.md
index 78778665cb2..5c9df06f66b 100644
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1805.md
+++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1805.md
@@ -145,7 +145,7 @@ The following management insight rules have actions in this release:
 ## Transition device configuration workload to Intune using co-management
-You can now transition the device configuration workload from Configuration Manager to Intune after enabling co-management. Transitioning this workload lets you use Intune to deploy MDM polices, while continuing to use Configuration Manager for deploying applications.
+You can now transition the device configuration workload from Configuration Manager to Intune after enabling co-management. Transitioning this workload lets you use Intune to deploy MDM policies, while continuing to use Configuration Manager for deploying applications.
 To transition this workload, go to the co-management properties page and move the slider bar from Configuration Manager to **Pilot** or **All**. For more information, see [Co-management for Windows 10 devices](../../comanage/overview.md).
diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1806-2.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1806-2.md
index 5d9e913f319..9a0ac2034d6 100644
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1806-2.md
+++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1806-2.md
@@ -215,7 +215,7 @@ For more information, see the following articles:
 - [Co-management for Windows 10 devices](../../comanage/overview.md)
-- [What is Microsoft Intune app management?](/intune/app-management)
+- [What is Microsoft Intune app management?](/mem/intune/apps/app-management)
diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1807.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1807.md
index 0b343014333..39ad1562a6d 100644
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1807.md
+++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1807.md
@@ -118,7 +118,7 @@ Review the **OfflineServicingMgr.log** log file.
 ## Co-managed device sync activity from Intune
-Display in the Configuration Manager console whether a co-managed device is active with Microsoft Intune. This state is based on data from the [Intune Data Warehouse](/intune/reports-nav-create-intune-reports). The **Client Status** dashboard in the Configuration Manager console shows **Inactive clients using Intune**. This new category is for co-managed devices that are inactive with Configuration Manager, but have synchronized with the Intune service in the past week.
+Display in the Configuration Manager console whether a co-managed device is active with Microsoft Intune. This state is based on data from the [Intune Data Warehouse](/mem/intune/developer/reports-nav-create-intune-reports). The **Client Status** dashboard in the Configuration Manager console shows **Inactive clients using Intune**. This new category is for co-managed devices that are inactive with Configuration Manager, but have synchronized with the Intune service in the past week.
 ### Try it out!
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md
index e0252ae279b..c42b62a9600 100644
--- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md
+++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1606.md
@@ -47,7 +47,7 @@ The following are changes to the Updates and Servicing node in the Configuration
 - **Prerequisites Check**
 - **Installation**
- Additionally, there is now more detailed information for each step, including which log file you can view for more information.
+ Additionally, there's now more detailed information for each step, including which log file you can view for more information.
 - **New option to retry prerequisite failures:** In both the **Administration** and **Monitoring** workspaces, the **Updates and Servicing** node includes a new button on the ribbon called **Ignore prerequisite warnings**.
@@ -71,7 +71,7 @@ Beginning with 1606, you must give consent to use pre-release features in Config
 ### New distribution point update behavior
 Update 1606 introduces changes that improve the availability of distribution points when you install future updates.
-After update 1606 is installed, when you next install an update at that site that requires the automatic reinstallation of standard and pull-distribution point site system roles, all distribution points no longer go offline to update at the same time. Instead, the site server uses the site's content distribution settings to distribute the update to a subset of distribution points at any given time. The result is that only some distribution points go offline to install the update. This allows distribution points that have not yet begun to update, or that have completed the update, to remain online and able to provide content to clients.
+After update 1606 is installed, when you next install an update at that site that requires the automatic reinstallation of standard and pull-distribution point site system roles, all distribution points no longer go offline to update at the same time. Instead, the site server uses the site's content distribution settings to distribute the update to a subset of distribution points at any given time. The result is that only some distribution points go offline to install the update. This allows distribution points that haven't yet begun to update, or that have completed the update, to remain online and able to provide content to clients.
@@ -94,14 +94,14 @@ You can now configure the size of the cache folder on client computers with **Cl
 ### Support for multiple device management points
-On-premises mobile device management (MDM) now supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point, when the one it normally uses is not available. This capability only works for PCs and devices with the Windows 10 Anniversary Update installed.
+On-premises mobile device management (MDM) now supports a new capability in Windows 10 Anniversary Update that automatically configures an enrolled device to have more than one device management point available for use. This capability allows the device to fall back to another device management point, when the one it normally uses isn't available. This capability only works for PCs and devices with the Windows 10 Anniversary Update installed.
 ## Application management
 ### Manage apps from the Windows Store for Business
-The [Windows Store for Business](https://businessstore.microsoft.com/store/private-store) is where you can find and purchase Windows apps for your organization, either individually or in volume. By connecting the store to Configuration Manager, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app.
+The Windows Store for Business is where you can find and purchase Windows apps for your organization, either individually or in volume. By connecting the store to Configuration Manager, you can synchronize the list of apps you've purchased with Configuration Manager, view these in the Configuration Manager console, and deploy them like you would any other app.
For details, see [Manage apps from the Windows Store for Business with Configuration Manager](../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md).
@@ -118,7 +118,7 @@ The Software Center user interface has been streamlined for easier discovery.
 * Multiple updates can now be selected for installation at once, or all updates can be installed at once by clicking **Install All**.
 ### Content status links
-On the properties of an application or package, there is now a link that takes you to the status for that object.
+On the properties of an application or package, there's now a link that takes you to the status for that object.
 ## Software updates
@@ -133,7 +133,7 @@ You can now enable an option that lets Configuration Manager clients switch to a
 For details, see [Plan for software updates in Configuration Manager](../../../sum/plan-design/plan-for-software-updates.md#BKMK_ManuallySwitchSUPs).
 ### Restart options for Windows 10 clients after software update installation
-When a software update that requires a restart is deployed by using Configuration Manager and is installed on a computer, a pending restart is scheduled. A restart dialog box is also displayed. Beginning in Configuration Manager version 1606, the options **Update and Restart** and **Update and Shutdown** are available whenever there is a pending restart for a Configuration Manager software update. These are available in the Windows power options of Windows 10 computers. After using one of these options, the restart dialog box will not display after the computer restarts.
+When a software update that requires a restart is deployed by using Configuration Manager and is installed on a computer, a pending restart is scheduled. A restart dialog box is also displayed. Beginning in Configuration Manager version 1606, the options **Update and Restart** and **Update and Shutdown** are available whenever there's a pending restart for a Configuration Manager software update. These are available in the Windows power options of Windows 10 computers. After using one of these options, the restart dialog box won't display after the computer restarts.
 For details, see [Plan for software updates](../../../sum/plan-design/plan-for-software-updates.md#BKMK_RestartOptions).
@@ -153,7 +153,7 @@ The OSDPreserveDriveLetter task sequence variable has been deprecated. Starting
 For details, see [Task sequence built-in variables](../../../osd/understand/task-sequence-variables.md).
 ### Customize the RamDisk TFTP window size for PXE-enabled distribution points
-You can now customize the RamDisk window size for PXE-enabled distribution points. If you have customized your network, it could cause the boot image download to fail with a time-out error, because the window size is too large. The RamDisk Trivial File Transfer Protocol (TFTP) window size customization lets you optimize TFTP traffic when you are using PXE to meet your specific network requirements.
+You can now customize the RamDisk window size for PXE-enabled distribution points. If you have customized your network, it could cause the boot image download to fail with a time-out error, because the window size is too large. The RamDisk Trivial File Transfer Protocol (TFTP) window size customization lets you optimize TFTP traffic when you're using PXE to meet your specific network requirements.
 For details, see [Prepare site system roles for operating system deployments with Configuration Manager](../../../osd/get-started/prepare-site-system-roles-for-operating-system-deployments.md#customize-the-ramdisk-tftp-block-and-window-sizes-on-pxe-enabled-distribution-points).
@@ -162,7 +162,7 @@ For details, see [Prepare site system roles for operating system deployments wit
 ### Smart Lock setting for Android devices
 A new setting, **Allow Smart Lock and other trust agents**, has been added to the Android and Samsung KNOX Standard configuration item.
-This setting lets you control the Smart Lock feature on compatible Android devices. This phone capability, sometimes known as "trust agents," lets you disable or bypass the device lock screen password if the device is in a trusted location. For example, a trusted location could be when it is connected to a specific Bluetooth device, or when it is near to an NFC tag. You can use this setting to prevent users from configuring Smart Lock.
+This setting lets you control the Smart Lock feature on compatible Android devices. This phone capability, sometimes known as "trust agents," lets you disable or bypass the device lock screen password if the device is in a trusted location. For example, a trusted location could be when it's connected to a specific Bluetooth device, or when it's near to an NFC tag. You can use this setting to prevent users from configuring Smart Lock.
 ## Device configuration and protection
@@ -197,7 +197,7 @@ Endpoint Protection can help manage and monitor Microsoft Defender for Endpoint.
 For details, see [Microsoft Defender for Endpoint](../../../protect/deploy-use/defender-advanced-threat-protection.md).
 ### Device categories
-You can create device categories, which can be used to place devices in device collections automatically when you are using Configuration Manager with Microsoft Intune. Users are then required to choose a device category when they enroll a device in Intune. Additionally, you can change the category of a device from the Configuration Manager console.
+You can create device categories, which can be used to place devices in device collections automatically when you're using Configuration Manager with Microsoft Intune. Users are then required to choose a device category when they enroll a device in Intune. Additionally, you can change the category of a device from the Configuration Manager console.
 ### Predeclare devices with IMEI or iOS serial numbers
@@ -210,4 +210,4 @@ You can now enable Health Attestation services monitoring for Windows 10 PCs by
 For details, see [Health attestation for Configuration Manager](../../../core/servers/manage/health-attestation.md#how-to-enable-health-attestation-service-communication-on-configuration-manager-client-computers).
 ## Remote control
-Allow your users the opportunity to accept or deny file transfers before transferring content from the shared clipboard in a remote control session. Users only need to grant permission once per session, and the viewer does not have the ability to give themselves permission to proceed with the file transfer. You can find this new setting in the **Administration** workspace. Go to **Client Settings**, and then in **Default Settings**, open the **Remote Tools** panel.
+Allow your users the opportunity to accept or deny file transfers before transferring content from the shared clipboard in a remote control session. Users only need to grant permission once per session, and the viewer doesn't have the ability to give themselves permission to proceed with the file transfer. You can find this new setting in the **Administration** workspace. Go to **Client Settings**, and then in **Default Settings**, open the **Remote Tools** panel.
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md
index a19c65d8522..8428390d250 100644
--- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md
+++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md
@@ -40,7 +40,7 @@ The following Microsoft management solutions are all now part of the Microsoft I
 - [Configuration Manager](/configmgr)
 - [Intune](/mem/intune/fundamentals/account-sign-up)
 - [Desktop Analytics](../../../desktop-analytics/overview.md)
-- [Autopilot](/intune/enrollment/enrollment-autopilot)
+- [Autopilot](/autopilot/enrollment-autopilot)
 - Other features in the [Device Management Admin Console](https://techcommunity.microsoft.com/t5/enterprise-mobility-security/microsoft-intune-rolls-out-an-improved-streamlined-endpoint/ba-p/937760)
 For more information, see the following posts from Brad Anderson, Microsoft corporate vice president for Microsoft 365:
diff --git a/memdocs/configmgr/core/plan-design/choose-a-device-management-solution.md b/memdocs/configmgr/core/plan-design/choose-a-device-management-solution.md
index 5f50d50ec63..60b10385a09 100644
--- a/memdocs/configmgr/core/plan-design/choose-a-device-management-solution.md
+++ b/memdocs/configmgr/core/plan-design/choose-a-device-management-solution.md
@@ -106,9 +106,9 @@ For more information, see [Manage mobile devices with Configuration Manager and
 For a complete list of supported platforms, see the following articles:
 - [Supported operating systems for clients and devices for Configuration Manager](configs/supported-operating-systems-for-clients-and-devices.md)
-- [Intune supported configurations](/intune/supported-devices-browsers)
+- [Intune supported configurations](/mem/intune/fundamentals/supported-devices-browsers)
-Microsoft recommends using Intune to manage Android, iOS, and Windows 10/11 mobile devices. For more information, see [What is Microsoft Intune?](/intune/what-is-intune).
+Microsoft recommends using Intune to manage Android, iOS, and Windows 10/11 mobile devices. For more information, see [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune).
 ### Compare solutions by management functionality
diff --git a/memdocs/configmgr/core/plan-design/diagnostics/frequently-asked-questions.yml b/memdocs/configmgr/core/plan-design/diagnostics/frequently-asked-questions.yml
index a4855b2ec26..5a07e36c4c3 100644
--- a/memdocs/configmgr/core/plan-design/diagnostics/frequently-asked-questions.yml
+++ b/memdocs/configmgr/core/plan-design/diagnostics/frequently-asked-questions.yml
@@ -80,7 +80,7 @@ sections:
 - [Tenant attach data collection](../../../tenant-attach/data-collection.md)
 - [Endpoint analytics data collection](../../../../analytics/data-collection.md)
- - [Privacy and personal data in Intune](/intune/protect/privacy-personal-data)
+ - [Privacy and personal data in Intune](/mem/intune/protect/privacy-personal-data)
 - [Windows Autopilot requirements](/windows/deployment/windows-autopilot/windows-autopilot-requirements)
 - question: |
diff --git a/memdocs/configmgr/core/plan-design/hierarchy/accounts.md b/memdocs/configmgr/core/plan-design/hierarchy/accounts.md
index bd3e33d9388..f04f3119a8e 100644
--- a/memdocs/configmgr/core/plan-design/hierarchy/accounts.md
+++ b/memdocs/configmgr/core/plan-design/hierarchy/accounts.md
@@ -364,12 +364,12 @@ The site server uses the **Exchange Server connection account** to connect to th
 ### Management point connection account
-The management point uses the **Management point connection account** to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure an alternate account instead. When the management point is in an untrusted domain from the site server, you must specify a alternate user account.
+The management point uses the **Management point connection account** to connect to the Configuration Manager site database. It uses this connection to send and retrieve information for clients. The management point uses its computer account by default, but you can configure an alternate service account instead. When the management point is in an untrusted domain from the site server, you must specify a alternate service account.
 > [!NOTE]
- > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’.
+ > For enhanced security posture it is recommended to leverage alternate service account rather than Computer account for ‘Management point connection account’.
-Create the account as a low-right local account on the computer that runs Microsoft SQL Server.
+Create the account as a low-right service account on the computer that runs Microsoft SQL Server.
 > [!IMPORTANT]
 > - Don't grant interactive sign-in rights to this account.
@@ -377,12 +377,15 @@ Create the account as a low-right local account on the computer that runs Micros
 ### Multicast connection account
-Multicast-enabled distribution points use the **Multicast connection account** to read information from the site database. The server uses its computer account by default, but you can configure a user account instead. When the site database is in an untrusted forest, you must specify a user account. For example, if your data center has a perimeter network in a forest other than the site server and site database, use this account to read the multicast information from the site database.
+Multicast-enabled distribution points use the **Multicast connection account** to read information from the site database. The server uses its computer account by default, but you can configure a service account instead. When the site database is in an untrusted forest, you must specify a service account. For example, if your data center has a perimeter network in a forest other than the site server and site database, use this account to read the multicast information from the site database.
-If you need this account, create it as a low-right local account on the computer that runs Microsoft SQL Server.
+If you need this account, create it as a low-right service account on the computer that runs Microsoft SQL Server.
+
+> [!NOTE]
+ > For enhanced security posture it is recommended to leverage service account rather than Computer account for ‘Multicast connection account’.
 > [!IMPORTANT]
-> Don't grant interactive sign-in rights to this account.
+> Don't grant interactive sign-in rights to this service account.
 For more information, see [Use multicast to deploy Windows over the network](../../../osd/deploy-use/use-multicast-to-deploy-windows-over-the-network.md).
@@ -526,7 +529,7 @@ This account requires local administrative permissions on the target site system
 > [!TIP]
 > If you have many domain controllers and these accounts are used across domains, before you set up the site system, check that Active Directory has replicated these accounts.
 >
-> When you specify a local account on each site system to be managed, this configuration is more secure than using domain accounts. It limits the damage that attackers can do if the account is compromised. However, domain accounts are easier to manage. Consider the trade-off between security and effective administration.
+> When you specify a service account on each site system to be managed, this configuration is more secure. It limits the damage that attackers can do. However, domain accounts are easier to manage. Consider the trade-off between security and effective administration.
 ### Site system proxy server account
diff --git a/memdocs/configmgr/core/plan-design/network/internet-endpoints.md b/memdocs/configmgr/core/plan-design/network/internet-endpoints.md
index b4a491ea843..18c020c93f2 100644
--- a/memdocs/configmgr/core/plan-design/network/internet-endpoints.md
+++ b/memdocs/configmgr/core/plan-design/network/internet-endpoints.md
@@ -102,11 +102,11 @@ For more information, see [Configure Azure services for use with Configuration M
 ## Co-management
-If you enroll Windows devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see [Network endpoints for Microsoft Intune](/intune/intune-endpoints).
+If you enroll Windows devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints).
 ## Microsoft Store for Business
-If you integrate Configuration Manager with the [Microsoft Store for Business](../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md), make sure the service connection point and targeted devices can access the cloud service. For more information, see [Microsoft Store for Business proxy configuration](/microsoft-store/prerequisites-microsoft-store-for-business#proxy-configuration).
+If you integrate Configuration Manager with the [Microsoft Store for Business](../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md), make sure the service connection point and targeted devices can access the cloud service. For more information, see [Microsoft Store for Business proxy configuration](/mem/intune/fundamentals/intune-endpoints).
 ## Delivery optimization
diff --git a/memdocs/configmgr/core/plan-design/security/cryptographic-controls-technical-reference.md b/memdocs/configmgr/core/plan-design/security/cryptographic-controls-technical-reference.md
index 7e3795176a8..d83e1824406 100644
--- a/memdocs/configmgr/core/plan-design/security/cryptographic-controls-technical-reference.md
+++ b/memdocs/configmgr/core/plan-design/security/cryptographic-controls-technical-reference.md
@@ -2,12 +2,12 @@
 title: Cryptographic controls technical reference
 titleSuffix: Configuration Manager
 description: Learn how signing and encryption can help protect attacks from reading data in Configuration Manager.
-ms.date: 12/01/2021
+ms.date: 10/15/2024
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: reference
-author: Banreet
-ms.author: banreetkaur
+author: Baladelli
+ms.author: baladell
 manager: apoorvseth
 ms.localizationpriority: medium
 ms.collection: tier3
@@ -28,14 +28,13 @@ Starting in version 2107, the primary encryption algorithm that Configuration Ma
 - When the client downloads secret policies, the management point always encrypts these policies. For example, an OS deployment task sequence that includes passwords.
-For clients on version 2103 and earlier, the primary encryption algorithm is **3DES**.
 > [!NOTE]
-> If you configure HTTPS communication, these messages are encrypted twice. The message is encrypted with AES, then the HTTPS transport is encrypted with AES.
+> If you configure HTTPS communication, these messages are encrypted twice. The message is encrypted with AES, then the HTTPS transport is encrypted with AES-256.
 When you use client communication over HTTPS, configure your public key infrastructure (PKI) to use certificates with the maximum hashing algorithms and key lengths. When using CNG v3 certificates, Configuration Manager clients only support certificates that use the RSA cryptographic algorithm. For more information, see [PKI certificate requirements](../network/pki-certificate-requirements.md) and [CNG v3 certificates overview](../network/cng-certificates-overview.md).
-For transport security, anything that uses TLS supports AES. This support includes when you configure the site for [enhanced HTTP](../hierarchy/enhanced-http.md) or HTTPS. For on-premises site systems, you can control the TLS cipher suites. For cloud-based roles like the cloud management gateway (CMG), if you enable TLS 1.2, Configuration Manager configures the cipher suites.
+For transport security, anything that uses TLS supports AES-256. This support includes when you configure the site for [enhanced HTTP (E-HTTP)](../hierarchy/enhanced-http.md) or HTTPS. For on-premises site systems, you can control the TLS cipher suites. For cloud-based roles like the cloud management gateway (CMG), if you enable TLS 1.2, Configuration Manager configures the cipher suites.
For most cryptographic operations with Windows-based operating systems, Configuration Manager uses these algorithms from the Windows CryptoAPI library rsaenh.dll.
@@ -49,7 +48,7 @@ Information in Configuration Manager can be signed and encrypted. It supports th
 The site signs client policy assignments with its self-signed certificate. This behavior helps prevent the security risk of a compromised management point from sending tampered policies. If you use [internet-based client management](../../clients/manage/plan-internet-based-client-management.md), this behavior is important because it requires an internet-facing management point.
-When policy contains sensitive data, starting in version 2107, the management point encrypts it with AES-256. In version 2103 and earlier, it uses 3DES. Policy that contains sensitive data is only sent to authorized clients. The site doesn't encrypt policy that doesn't have sensitive data.
+When policy contains sensitive data, starting in version 2107, the management point encrypts it with AES-256. Policy that contains sensitive data is only sent to authorized clients. The site doesn't encrypt policy that doesn't have sensitive data.
 When a client stores policy, it encrypts the policy using the Windows data protection application programming interface (DPAPI).
@@ -69,21 +68,19 @@ Not all devices can support content hashing. The exceptions include: - Windows clients when they stream App-V content. -- Windows Mobile clients, though these clients verify the signature of an application that's signed by a trusted source. - ### Inventory signing and encryption -When a client sends hardware or software inventory to a management point, it always signs the inventory. It doesn't matter if the client communicates with the management point over HTTP or HTTPS. If they use HTTP, you can also choose to encrypt this data, which is recommended. +When a client sends hardware or software inventory to a management point, it always signs the inventory. It doesn't matter if the client communicates with the management point over E-HTTP or HTTPS. If they use E-HTTP, you can also choose to encrypt this data, which is recommended. ### State migration encryption -When a task sequence captures data from a client for OS deployment, it always encrypts the data. In version 2103 and later, the task sequence runs the User State Migration Tool (USMT) with the **AES-256** encryption algorithm. In version 2010 and earlier, it uses **3DES**. +When a task sequence captures data from a client for OS deployment, it always encrypts the data. In version 2103 and later, the task sequence runs the User State Migration Tool (USMT) with the **AES-256** encryption algorithm. ### Encryption for multicast packages -For every OS deployment package, you can enable encryption when you use multicast. This encryption uses the **AES** algorithm. If you enable encryption, no other certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys to encrypt the package. Each package has a different encryption key. The key is stored on the multicast-enabled distribution point by using standard Windows APIs. +For every OS deployment package, you can enable encryption when you use multicast. 
This encryption uses the **AES-256** algorithm. If you enable encryption, no other certificate configuration is required. The multicast-enabled distribution point automatically generates symmetric keys to encrypt the package. Each package has a different encryption key. The key is stored on the multicast-enabled distribution point by using standard Windows APIs. -When the client connects to the multicast session, the key exchange occurs over an encrypted channel. If the client uses HTTPS, it uses the PKI-issued client authentication certificate. If the client uses HTTP, it uses the self-signed certificate. The client only stores the encryption key in memory during the multicast session. +When the client connects to the multicast session, the key exchange occurs over an encrypted channel. If the client uses HTTPS, it uses the PKI-issued client authentication certificate. If the client uses E-HTTP, it uses the self-signed certificate. The client only stores the encryption key in memory during the multicast session. ### Encryption for OS deployment media @@ -105,7 +102,7 @@ When you import configuration data, Configuration Manager verifies the file's di ### Encryption and hashing for client notification -If you use client notification, all communication uses TLS and the highest algorithms that the server and client can negotiate. For example, all supported Windows OS versions can use at least **AES-128** encryption. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses **SHA-2**. +If you use client notification, all communication uses TLS and the highest algorithms that the server and client can negotiate. The same negotiation occurs for hashing the packets that are transferred during client notification, which uses **SHA-2**. ## Certificates 
@@ -120,21 +117,15 @@ Configuration Manager requires PKI certificates for the following scenarios: - When you manage Configuration Manager clients on the internet -- When you manage Configuration Manager clients on mobile devices - -- When you manage macOS computers - - When you use a cloud management gateway (CMG) For most other communication that requires certificates for authentication, signing, or encryption, Configuration Manager automatically uses PKI certificates if available. If they aren't available, Configuration Manager generates self-signed certificates. -Configuration Manager doesn't use PKI certificates when it manages mobile devices by using the Exchange Server connector. ### Mobile device management and PKI certificates -If the mobile device isn't locked by the mobile operator, you can use Configuration Manager to request and install a client certificate. This certificate provides mutual authentication between the client on the mobile device and Configuration Manager site systems. If the mobile device is locked, you can't use Configuration Manager to deploy certificates. - -If you enable hardware inventory for mobile devices, Configuration Manager also inventories the certificates that are installed on the mobile device. +> [!NOTE] +> Since Nov 2021 we have deprecated Mobile device management and we recommend customers to uninstall this role. ### OS deployment and PKI certificates 
@@ -150,7 +141,7 @@ After Configuration Manager deploys the OS installs the client, the client requi ### ISV proxy solutions and PKI certificates -Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms such as macOS. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communications between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. +Independent Software Vendors (ISVs) can create applications that extend Configuration Manager. For example, an ISV could create extensions to support non-Windows client platforms. However, if the site systems require HTTPS client connections, these clients must also use PKI certificates for communication with the site. Configuration Manager includes the ability to assign a certificate to the ISV proxy that enables communications between the ISV proxy clients and the management point. If you use extensions that require ISV proxy certificates, consult the documentation for that product. If the ISV certificate is compromised, block the certificate in the **Certificates** node in the **Administration** workspace, **Security** node. 
@@ -174,9 +165,10 @@ This action copies this certificate's GUID, for example: `aa05bf38-5cd6-43ea-ac6 ### Asset Intelligence and certificates -Configuration Manager installs with an X.509 certificate that the Asset Intelligence synchronization point uses to connect to Microsoft. Configuration Manager uses this certificate to request a client authentication certificate from the Microsoft certificate service. The client authentication certificate is installed on the Asset Intelligence synchronization point and it's used to authenticate the server to Microsoft. Configuration Manager uses the client authentication certificate to download the Asset Intelligence catalog and to upload software titles. +> [!NOTE] + +> Since Nov 2021 we have deprecated Asset Intelligence and we recommend customers to uninstall this role. -This certificate has a key length of 1024 bits. ### Azure services and certificates @@ -192,14 +184,12 @@ A PKI certificate revocation list (CRL) increases overall security, but does req IIS enables CRL checking by default. If you use a CRL with your PKI deployment, you don't need to configure most site systems that run IIS. The exception is for software updates, which requires a manual step to enable CRL checking to verify the signatures on software update files. -When a client uses HTTPS, it enables CRL checking by default. For macOS clients, you can't disable CRL checking. +When a client uses HTTPS, it enables CRL checking by default. The following connections don't support CRL checking in Configuration Manager: - Server-to-server connections -- Mobile devices that are enrolled by Configuration Manager. - ## Server communication Configuration Manager uses the following cryptographic controls for server communication. 
@@ -214,12 +204,8 @@ In addition to this certificate for each site system server, Configuration Manag - Asset Intelligence synchronization point -- Certificate registration point - - Endpoint Protection point -- Enrollment point - - Fallback status point - Management point @@ -234,7 +220,7 @@ In addition to this certificate for each site system server, Configuration Manag Configuration Manager automatically generates and manages these certificates. -To send status messages from the distribution point to the management point, Configuration Manager uses a client authentication certificate. When you configure the management point for HTTPS, it requires a PKI certificate. If the management point accepts HTTP connections, you can use a PKI certificate. It can also use a self-signed certificate with client authentication capability, uses SHA-256, and has a key length of 2048 bits. +To send status messages from the distribution point to the management point, Configuration Manager uses a client authentication certificate. When you configure the management point for HTTPS, it requires a PKI certificate. If the management point accepts E-HTTP connections, you can use a PKI certificate. It can also use a self-signed certificate with client authentication capability, uses SHA-256, and has a key length of 2048 bits. ### Server communication between sites 
@@ -277,17 +263,17 @@ When clients communicate with site systems over HTTPS, most traffic is encrypted You configure reporting services points to use HTTP or HTTPS independently from the client communication mode. -## Clients that use HTTP +## Clients that use E-HTTP -When clients use HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have a custom object identifier for signing and encryption. These certificates are used to uniquely identify the client. These self-signed certificates use **SHA-256**, and have a key length of 2048 bits. +When clients use E-HTTP communication to site system roles, they can use PKI certificates for client authentication, or self-signed certificates that Configuration Manager generates. When Configuration Manager generates self-signed certificates, they have a custom object identifier for signing and encryption. These certificates are used to uniquely identify the client. These self-signed certificates use **SHA-256**, and have a key length of 2048 bits. ### OS deployment and self-signed certificates -When you use Configuration Manager to deploy operating systems with self-signed certificates, the client must also have a certificate to communicate with the management point. This requirement is even if the computer is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario for HTTP client connections, Configuration Manager generates self-signed certificates that have a custom object identifier for signing and encryption. These certificates are used to uniquely identify the client. These self-signed certificates use **SHA-256**, and have a key length of 2048 bits. If these self-signed certificates are compromised, prevent attackers from using them to impersonate trusted clients. 
Block the certificates in the **Certificates** node in the **Administration** workspace, **Security** node. +When you use Configuration Manager to deploy operating systems with self-signed certificates, the client must also have a certificate to communicate with the management point. This requirement is even if the computer is in a transitional phase such as booting from task sequence media or a PXE-enabled distribution point. To support this scenario for E-HTTP client connections, Configuration Manager generates self-signed certificates that have a custom object identifier for signing and encryption. These certificates are used to uniquely identify the client. These self-signed certificates use **SHA-256**, and have a key length of 2048 bits. If these self-signed certificates are compromised, prevent attackers from using them to impersonate trusted clients. Block the certificates in the **Certificates** node in the **Administration** workspace, **Security** node. ### Client and server authentication -When clients connect over HTTP, they authenticate the management points by using either Active Directory Domain Services or by using the Configuration Manager trusted root key. Clients don't authenticate other site system roles, such as state migration points or software update points. +When clients connect over E-HTTP, they authenticate the management points by using either Active Directory Domain Services or by using the Configuration Manager trusted root key. Clients don't authenticate other site system roles, such as state migration points or software update points. When a management point first authenticates a client by using the self-signed client certificate, this mechanism provides minimal security because any computer can generate a self-signed certificate. Use client approval to enhance this process. Only approve trusted computers, either automatically by Configuration Manager, or manually by an administrative user. 
 For more information, see [Manage clients](../../clients/manage/manage-clients.md#approve).
diff --git a/memdocs/configmgr/core/plan-design/security/enable-tls-1-2-client.md b/memdocs/configmgr/core/plan-design/security/enable-tls-1-2-client.md
index 5499e152180..5c94bf4e342 100644
--- a/memdocs/configmgr/core/plan-design/security/enable-tls-1-2-client.md
+++ b/memdocs/configmgr/core/plan-design/security/enable-tls-1-2-client.md
@@ -2,7 +2,7 @@
 title: How to enable Transport Layer Security (TLS) 1.2 on clients
 titleSuffix: Configuration Manager
 description: Information about how to enable TLS 1.2 for Configuration Manager clients.
-ms.date: 05/04/2021
+ms.date: 10/18/2024
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: how-to
diff --git a/memdocs/configmgr/core/plan-design/security/enable-tls-1-2.md b/memdocs/configmgr/core/plan-design/security/enable-tls-1-2.md
index 85aba618035..5ed1658d4b4 100644
--- a/memdocs/configmgr/core/plan-design/security/enable-tls-1-2.md
+++ b/memdocs/configmgr/core/plan-design/security/enable-tls-1-2.md
@@ -2,7 +2,7 @@
 title: Enable Transport Layer Security (TLS) 1.2 overview
 titleSuffix: Configuration Manager
 description: Overview of how to enable TLS 1.2 for Configuration Manager.
-ms.date: 05/04/2021
+ms.date: 10/18/2024
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: conceptual
diff --git a/memdocs/configmgr/core/servers/deploy/install/install-consoles.md b/memdocs/configmgr/core/servers/deploy/install/install-consoles.md
index 70bf3d9455a..5dbdbf22f68 100644
--- a/memdocs/configmgr/core/servers/deploy/install/install-consoles.md
+++ b/memdocs/configmgr/core/servers/deploy/install/install-consoles.md
@@ -2,7 +2,7 @@
 title: Install console
 titleSuffix: Configuration Manager
 description: Install the Configuration Manager console to connect to a central administration site or primary site.
-ms.date: 04/12/2022
+ms.date: 10/18/2022
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: how-to
diff --git a/memdocs/configmgr/core/servers/deploy/install/release-notes.md b/memdocs/configmgr/core/servers/deploy/install/release-notes.md
index 6e5a751829a..b368139d173 100644
--- a/memdocs/configmgr/core/servers/deploy/install/release-notes.md
+++ b/memdocs/configmgr/core/servers/deploy/install/release-notes.md
@@ -2,7 +2,7 @@
 title: Release notes
 titleSuffix: Configuration Manager
 description: Learn about urgent issues that aren't yet fixed in the product or covered in a Microsoft Support knowledge base article.
-ms.date: 03/28/2024
+ms.date: 10/04/2024
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: conceptual
@@ -39,7 +39,22 @@ For information about the new features introduced with different versions, see t - +## Client management + +### Clients are not able download content from CMG when branch cache is enabled +_Applies to: version 2403_ + +After enabling Branch Cache on primary sites, clients are unable to download apps and packages from the CMG. They typically manage to download only 20-30% of the content before the process gets stuck. In some cases, after downloading certain blocks of packages from the CMG, clients look for Branch Cache to retrieve the remaining content. However, none of the clients are able to download the complete content from the CMG, which prevents others from using Branch Cache to access it. The **CTM.log** on the client includes entries similar to the following: + +```log +(CTM.log - CTMJob({63B4C4CE-2DC4-4062-93C7-E5019B3B6CE1}): CCTMJob::Start - State=DownloadingContentFromPeers) +CTM.log _- CTMJob({D21758B0-D895-474E-9695-1023A25A1770}): CCTMJob::_PerformDownloadWithOutBranchCache - Download failure using branchcache, fallback to regular download +``` +To work around this issue, disable branch cache. + +> [!NOTE] +> Clients are able to download content from the on-premise DP when Branch Cache is enabled. + ## Endpoint Protection ### Security configurations removed from Intune 
@@ -78,7 +93,18 @@ This failure happens because the service connection point can't communicate with For more information, see [internet access requirements](../../../plan-design/network/internet-endpoints.md#service-connection-point) for the service connection point. - +## OS deployment + +### PXE Responder is not installed correctly after upgrading to 2403 in untrusted domain +_Applies to: version 2403_ + +After upgrading to 2403, site servers serving as a PXE responder might see failures due to incorrect configuration of the registry keys. We can observe the below failures in **distmgr.log** indicating that the registry keys were not configured correctly. + +```log +Failed to get OS platform for server DP2.CONTOSO2.COM.Either a permissions issue or the server is not supported OS SMS_DISTRIBUTION_MANAGER +CDistributionManager::SetDpRegistry failed; 0x80070005 SMS_DISTRIBUTION_MANAGER +``` +This happened due to currently unexplained failures in platform architecture identification that were introduced during the addition of support for arm64 machines to serve as remote distribution points. ## Software updates diff --git a/memdocs/configmgr/core/servers/manage/configuring-reporting.md b/memdocs/configmgr/core/servers/manage/configuring-reporting.md index abb8f3ce477..92fe0a54e8a 100644 --- a/memdocs/configmgr/core/servers/manage/configuring-reporting.md +++ b/memdocs/configmgr/core/servers/manage/configuring-reporting.md 
@@ -92,6 +92,8 @@ Before you can view or manage reports in the Configuration Manager console, you If you need to change the report server URL, first remove the existing reporting services point. Change the URL, and then reinstall the reporting services point. - When you install a reporting services point, specify a [Reporting services point account](../../plan-design/hierarchy/accounts.md#reporting-services-point-account). For users from a different domain to run a report, create a two-way trust between domains. Otherwise the report fails to run. + +- The account that runs Reporting Services service must belong to the domain local security group **Windows Authorization Access Group**. This grants the account **Allow Read** permissions on the **tokenGroupsGlobalAndUniversal** attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports. ### Install the reporting services point on a site system 
@@ -125,11 +127,7 @@ For more information about configuring site systems, see [Install site system ro > [!IMPORTANT] > Configuration Manager makes a connection in the context of the current user to WMI on the selected site system. It uses this connection to retrieve the instance of SQL Server for Reporting Services. The current user must have **Read** access to WMI on the site system, or the wizard can't get the Reporting Services instances. - - **Reporting services point account**: Select **Set**, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. Select **Existing account** to specify a Windows user account that you previously configured as a Configuration Manager account. Select **New account** to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database. - - The account that runs Reporting Services must belong to the domain local security group **Windows Authorization Access Group**. This grants the account **Allow Read** permissions on the **tokenGroupsGlobalAndUniversal** attribute for all user objects within the domain. Users in a different domain than the reporting services point account need a two-way trust between the domains to successfully run reports. - - The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password. + - **Reporting services point account**: Select **Set**, and then select an account to use. SQL Server Reporting Services on the reporting services point uses this account to connect to the Configuration Manager site database. This connection is to retrieve the data for a report. 
Select **Existing account** to specify a Windows user account that you previously configured as a Configuration Manager account. Select **New account** to specify a Windows user account that's not currently configured for use. Configuration Manager automatically grants the specified user access to the site database. The specified Windows user account and password are encrypted and stored in the Reporting Services database. Reporting Services retrieves the data for reports from the site database by using this account and password. > [!IMPORTANT] > The account that you specify must have the **Log on locally** permission on the server that hosts the Reporting Services database. diff --git a/memdocs/configmgr/core/servers/manage/powerbi-report-server.md b/memdocs/configmgr/core/servers/manage/powerbi-report-server.md index 4b562ad8ae9..fa82eadb48b 100644 --- a/memdocs/configmgr/core/servers/manage/powerbi-report-server.md +++ b/memdocs/configmgr/core/servers/manage/powerbi-report-server.md @@ -28,7 +28,7 @@ Save Power BI Desktop report files (.PBIX) and deploy them to the Power BI Repor - Power BI Report Server license. For more information, see [Licensing Power BI Report Server](/power-bi/report-server/get-started#licensing-power-bi-report-server). -- Download [Microsoft Power BI Report Server-September 2019](https://www.microsoft.com/download/details.aspx?id=57270), or later. +- Download [Microsoft Power BI Report Server-September 2024](https://www.microsoft.com/download/details.aspx?id=105945), or later. - Don't install Power BI Report Server right away. For the proper process based on your environment, see [Configure the reporting services point](#configure-the-reporting-services-point). - It's recommended that you use a [supported version of Power BI Report Server](/power-bi/report-server/support-timeline). For versioning information, see the [Change log for Power BI Report Server](/power-bi/report-server/changelog). 
diff --git a/memdocs/configmgr/core/servers/manage/updates.md b/memdocs/configmgr/core/servers/manage/updates.md
index 16b889671c6..1c1dd2d2e12 100644
--- a/memdocs/configmgr/core/servers/manage/updates.md
+++ b/memdocs/configmgr/core/servers/manage/updates.md
@@ -59,7 +59,6 @@ The following supported versions`*`, of Configuration Manager are cur
 |-------------|-----------|------------|--------------|------------------------|
 | [**2403**](../../plan-design/changes/whats-new-in-version-2403.md)<br>
(5.00.9128) | April 22, 2024 | October 22, 2025 | Yes[Note 1](#bkmk_note1) | Yes |
 | [**2309**](../../plan-design/changes/whats-new-in-version-2309.md)<br>
(5.00.9122) | October 9, 2023 | April 9, 2025 | No | Yes |
-| [**2303**](../../plan-design/changes/whats-new-in-version-2303.md)<br>
(5.00.9106) | April 10, 2023 | October 10, 2024 | Yes[Note 1](#bkmk_note1) | Yes |
 
 > [!NOTE]
 > The **Availability date** in this table is when the [early update ring](checklist-for-installing-update-2403.md#early-update-ring) was released. Baseline media will be available on the VLSC soon after the update is globally available.
@@ -87,8 +86,9 @@ The following table lists historical versions of Configuration Manager current b
 
 | Version | Availability date | Support end date | Baseline | In-console update |
 |----------------------------------|-------------------|--------------------|----------|-------------------|
-| **2211**<br>
(5.00.9096)) | December 5, 2022 | June 5, 2024 | No | Yes |
-| **2207**<br>
(5.00.9088)) | August 12, 2022 | February 12, 2024 | No | Yes |
+| **2303**<br>
(5.00.9106) | April 10, 2023 | October 10, 2024 | Yes | Yes |
+| **2211**<br>
(5.00.9096) | December 5, 2022 | June 5, 2024 | No | Yes |
+| **2207**<br>
(5.00.9088) | August 12, 2022 | February 12, 2024 | No | Yes |
 | **2203**<br>
(5.00.9078) | April 6, 2022 | October 6, 2023 | Yes | Yes |
 | **2111**<br>
(5.00.9068) | December 1, 2021 | June 1, 2023 | No | Yes |
 | **2107**<br>
(5.00.9058) | August 2, 2021 | February 2, 2023 | No | Yes |
diff --git a/memdocs/configmgr/core/understand/software-center.md b/memdocs/configmgr/core/understand/software-center.md
index 00449b0a66d..33d354626a3 100644
--- a/memdocs/configmgr/core/understand/software-center.md
+++ b/memdocs/configmgr/core/understand/software-center.md
@@ -5,7 +5,7 @@ description: Learn about the features and functionality of Software Center
 ms.author: baladell
 author: BalaDelli
 manager: apoorvseth
-ms.date: 06/10/2020
+ms.date: 10/18/2024
 ms.topic: end-user-help
 ms.subservice: core-infra
 ms.service: configuration-manager
diff --git a/memdocs/configmgr/hotfix/2303/29166583.md b/memdocs/configmgr/hotfix/2303/29166583.md
index a5acc4c26d3..3a8beeb9d48 100644
--- a/memdocs/configmgr/hotfix/2303/29166583.md
+++ b/memdocs/configmgr/hotfix/2303/29166583.md
@@ -2,14 +2,14 @@
 title: Management point security update for Microsoft Configuration Manager version 2303
 titleSuffix: Configuration Manager
 description: Management point security update for Configuration Manager 2303
-ms.date: 09/04/2024
+ms.date: 09/18/2024
 ms.subservice: core-infra
 ms.service: configuration-manager
 ms.topic: reference
 ms.assetid: b8cb0347-a26c-46e2-8ddd-8ddd61cd89a4
-author: bhuney
-ms.author: brianhun
-manager: dougeby
+author: baladelli
+ms.author: baladell
+manager: apoorvseth
 ---
 
 # Management point security update for Configuration Manager 2303
@@ -21,12 +21,20 @@ manager: dougeby An update is available to harden the security of Configuration Manager environment. The update improves the security of connections between the management point and site server database. > [!NOTE] - > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’. + > For enhanced security posture it is recommended to leverage alternate service account rather than Computer account for ‘Management point connection account’. -Installation of this update resolves the following security issue: +### Known issues -• CVE-2024-43468 +• Sep 05, 2024 +We identified an issue after installing the hotfix. Hence this KB is no longer applicable to install and we republish this once a fix has been identified. + +• Sep 18, 2024 + +A revised version of the hotfix is released to address the earlier issue. + +The revision appears in the console as KB 29166583 for customers using Configuration Manager version 2303. +For customers who has already installed earlier release KB 29166583 they see two instances of the same KB 29166583, one installed and another one as ready to install. ### Update information for Microsoft Configuration Manager current branch, version 2303 @@ -53,6 +61,8 @@ File information is available in the downloadable [KB29166583_FileList.txt](http ## Release history - September 4, 2024: Initial hotfix release +- September 5, 2024: Hotfix revoked +- September 18, 2024: Hotfix republished ## References [Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md) diff --git a/memdocs/configmgr/hotfix/2309/29166583.md b/memdocs/configmgr/hotfix/2309/29166583.md index 03f2a01586f..8f3ed42c38c 100644 --- a/memdocs/configmgr/hotfix/2309/29166583.md +++ b/memdocs/configmgr/hotfix/2309/29166583.md 
@@ -2,14 +2,14 @@ title: Management point security update for Microsoft Configuration Manager version 2309 titleSuffix: Configuration Manager description: Management point security update for Configuration Manager 2309 -ms.date: 09/04/2024 +ms.date: 09/18/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: reference ms.assetid: 19d171f9-e4fd-4d75-925c-2205be90d76c -author: bhuney -ms.author: brianhun -manager: dougeby +author: Baladelli +ms.author: baladell +manager: apoorvseth --- # Management point security update for Configuration Manager 2309 @@ -21,12 +21,20 @@ manager: dougeby An update is available to harden the security of Configuration Manager environment. The update improves the security of connections between the management point and site server database. > [!NOTE] - > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’. + > For enhanced security posture it is recommended to leverage alternate service account rather than Computer account for ‘Management point connection account’. -Installation of this update resolves the following security issue: +### Known issues -• CVE-2024-43468 +• Sep 05, 2024 +We identified an issue after installing the hotfix. Hence this KB is no longer applicable to install and we republish this once a fix has been identified. + +• Sep 18, 2024 + +A revised version of the hotfix is released to address the earlier issue. + +The revision appears in the console as KB 29166583 for customers using Configuration Manager version 2309. +For customers who has already installed earlier release KB 29166583 they see two instances of the same KB 29166583, one installed and another one as ready to install. ### Update information for Microsoft Configuration Manager current branch, version 2309 
@@ -53,6 +61,8 @@ File information is available in the downloadable [KB29166583_FileList.txt](http ## Release history - September 4, 2024: Initial hotfix release +- September 5, 2024: Hotfix revoked +- September 18, 2024: Hotfix republished ## References [Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md) diff --git a/memdocs/configmgr/hotfix/2403/29166583.md b/memdocs/configmgr/hotfix/2403/29166583.md index 20e7c5461e8..021b6db030c 100644 --- a/memdocs/configmgr/hotfix/2403/29166583.md +++ b/memdocs/configmgr/hotfix/2403/29166583.md @@ -2,14 +2,14 @@ title: Management point security update for Microsoft Configuration Manager version 2403 titleSuffix: Configuration Manager description: Management point security update for Configuration Manager 2403 -ms.date: 09/04/2024 +ms.date: 09/18/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: reference ms.assetid: f558a961-40c8-447b-b25c-f8f2b663cb90 -author: bhuney -ms.author: brianhun -manager: dougeby +author: Baladelli +ms.author: baladell +manager: Apoorvseth --- # Management point security update for Configuration Manager 2403 
@@ -23,10 +23,18 @@ An update is available to harden the security of Configuration Manager environme
 > [!NOTE]
 > For enhanced security posture it is recommended to leverage alternate account rather than Computer account for ‘Management point connection account’.
-Installation of this update resolves the following security issue:
+### Known issues
-• CVE-2024-43468
+• Sep 05, 2024
+We identified an issue after installing the hotfix. Hence this KB is no longer applicable to install and we republish this once a fix has been identified.
+
+• Sep 18, 2024
+
+A revised version of the hotfix is released to address the earlier issue.
+
+The revision appears in the console as KB 29166583 for customers using Configuration Manager version 2403.
+For customers who has already installed original release KB 29166583 they see two instances of the same KB 29166583, one installed and another one as ready to install.
 ### Update information for Microsoft Configuration Manager current branch, version 2403
@@ -53,6 +61,8 @@ File information is available in the downloadable [KB29166583_FileList.txt](http
 ## Release history
 - September 4, 2024: Initial hotfix release
+- September 5, 2024: Hotfix revoked
+- September 18, 2024: Hotfix republished
 ## References
 [Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)
diff --git a/memdocs/configmgr/mdm/index.yml b/memdocs/configmgr/mdm/index.yml
index 936153795d7..7ab7e18e6c2 100644
--- a/memdocs/configmgr/mdm/index.yml
+++ b/memdocs/configmgr/mdm/index.yml
@@ -50,10 +50,10 @@ landingContent:
 - linkListType: overview
 links:
 - text: What is Intune?
- url: /intune/fundamentals/what-is-intune
+ url: /mem/intune/fundamentals/what-is-intune
 - text: Device management overview
- url: /intune/fundamentals/what-is-device-management
+ url: /mem/intune/fundamentals/what-is-device-management
 - linkListType: tutorial
 links:
 - text: Walkthrough the Microsoft Intune admin center
- url: /intune/fundamentals/tutorial-walkthrough-endpoint-manager
\ No newline at end of file
+ url: /mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager
\ No newline at end of file
diff --git a/memdocs/configmgr/mdm/plan-design/plan-on-premises-mdm.md b/memdocs/configmgr/mdm/plan-design/plan-on-premises-mdm.md
index 692d4b1770b..0fde971daf6 100644
--- a/memdocs/configmgr/mdm/plan-design/plan-on-premises-mdm.md
+++ b/memdocs/configmgr/mdm/plan-design/plan-on-premises-mdm.md
@@ -26,7 +26,7 @@ There are several key areas to review when you're planning to implement on-premi
 - Device enrollment
 > [!IMPORTANT]
-> While the site or any mobile device doesn't connect to Microsoft Intune, your organization still requires Intune licenses to use this feature. For more information, see [Microsoft Intune licensing](/intune/fundamentals/licenses).
+> While the site or any mobile device doesn't connect to Microsoft Intune, your organization still requires Intune licenses to use this feature. For more information, see [Microsoft Intune licensing](/mem/intune/fundamentals/licenses).
 Consider the following requirements before preparing the Configuration Manager infrastructure to handle on-premises MDM.
diff --git a/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md b/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md
index 6bd426e5cca..11f5aaf8d30 100644
--- a/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md
+++ b/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md
@@ -77,6 +77,6 @@ The following note is the original deprecation announcement:
 For more information on supported features for managing MDM devices, see the following articles:
-- [What is Microsoft Intune?](/intune/what-is-intune)
+- [What is Microsoft Intune?](/mem/intune/fundamentals/what-is-intune)
 - [What is on-premises MDM?](manage-mobile-devices-with-on-premises-infrastructure.md)
 - [Device management with Exchange](../deploy-use/manage-mobile-devices-with-exchange-activesync.md)
\ No newline at end of file
diff --git a/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md b/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md
index 5eb49af297b..d5f7d55d351 100644
--- a/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md
+++ b/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md
@@ -19,7 +19,7 @@ ms.collection: tier3
 Endpoint Protection can help manage and monitor [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). Microsoft Defender for Endpoint helps enterprises detect, investigate, and respond to advanced attacks on their networks. Configuration Manager policies can help you onboard and monitor Windows 10 or later clients.
-Microsoft Defender for Endpoint's cloud-based portal is [Microsoft Defender Security Center](https://securitycenter.windows.com). By adding and deploying a client onboarding configuration file, Configuration Manager can monitor deployment status and Microsoft Defender for Endpoint agent health. Microsoft Defender for Endpoint is supported on PCs running the Configuration Manager client or [managed by Microsoft Intune](/intune/protect/advanced-threat-protection).
+Microsoft Defender for Endpoint's cloud-based portal is [Microsoft Defender Security Center](https://securitycenter.windows.com). By adding and deploying a client onboarding configuration file, Configuration Manager can monitor deployment status and Microsoft Defender for Endpoint agent health. Microsoft Defender for Endpoint is supported on PCs running the Configuration Manager client or [managed by Microsoft Intune](/mem/intune/protect/advanced-threat-protection).
 ## Prerequisites
diff --git a/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md b/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md
index 160fb98e04a..f3c4ce07522 100644
--- a/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md
+++ b/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md
@@ -66,7 +66,7 @@ To use Application Control with Configuration Manager, devices must be running s
 - Windows Server 2019 or later
 > [!TIP]
-> Existing Application Control polices created with Configuration Manager version 2006 or earlier won't work with Windows Server. To support Windows Server, create new Application Control policies.
+> Existing Application Control policies created with Configuration Manager version 2006 or earlier won't work with Windows Server. To support Windows Server, create new Application Control policies.
 ## Before you start
diff --git a/memdocs/configmgr/protect/plan-design/bitlocker-management.md b/memdocs/configmgr/protect/plan-design/bitlocker-management.md
index dbfea1b8465..ce6d16ddee9 100644
--- a/memdocs/configmgr/protect/plan-design/bitlocker-management.md
+++ b/memdocs/configmgr/protect/plan-design/bitlocker-management.md
@@ -28,7 +28,7 @@ Use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-prem
 For more general information about BitLocker, see [BitLocker overview](/windows/security/information-protection/bitlocker/bitlocker-overview). For a comparison of BitLocker deployments and requirements, see the [BitLocker deployment comparison chart](/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison).
 > [!TIP]
-> To manage encryption on co-managed Windows 10 or later devices using the Microsoft Intune cloud service, switch the [**Endpoint Protection** workload](../../comanage/workloads.md#endpoint-protection) to Intune. For more information on using Intune, see [Windows Encryption](/intune/protect/endpoint-protection-windows-10#windows-encryption).
+> To manage encryption on co-managed Windows 10 or later devices using the Microsoft Intune cloud service, switch the [**Endpoint Protection** workload](../../comanage/workloads.md#endpoint-protection) to Intune. For more information on using Intune, see [Windows Encryption](/mem/intune/protect/endpoint-protection-windows-10#windows-encryption).
 ## Features
diff --git a/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml b/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml
index 99530884ffc..a2d76c54a8e 100644
--- a/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml
+++ b/memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml
@@ -26,6 +26,10 @@ summary: |
 - Email profiles
 - The co-management resource access workload
+ > [!IMPORTANT]
+ > If above mentioned resource access profiles are configured in Intune, but the applicability to co-managed devices are controlled through the co-management Resource Access workload setting in Configuration Manager, post 2403 upgrade, the Resource Access workload is moved to Intune and hence all resource access profiles
+ configured in Intune are now applicable and enforced to co-managed devices.
+
 This article answers your frequently asked questions about these deprecated features.
 sections:
@@ -81,8 +85,6 @@ sections:
 Starting in version 2211, the prerequisite checker will display a warning for co-managed clients if the resource access workload is on Configuration Manager. If the resource access slider is towards Configuration Manager, they aren't tested or supported in version 2203. Co-management behavior is the same as if you used Configuration Manager 2111 or earlier to switch the resource access workload to Intune. This Workload slider will be disabled, and you can only use Microsoft Intune to deploy resource access profiles in upcoming Configuration Manager versions.
-
-
 - question: |
 What alternative options are available?
 answer: |
diff --git a/memdocs/configmgr/protect/understand/protect-data-and-site-infrastructure.md b/memdocs/configmgr/protect/understand/protect-data-and-site-infrastructure.md
index 060fea1686a..53bab106492 100644
--- a/memdocs/configmgr/protect/understand/protect-data-and-site-infrastructure.md
+++ b/memdocs/configmgr/protect/understand/protect-data-and-site-infrastructure.md
@@ -30,7 +30,7 @@ You want your users to securely access your organization's resources. Protect bo
 - Microsoft Defender Application Control
 > [!TIP]
- > To manage endpoint protection on co-managed Windows 10 or later devices using the Microsoft Intune cloud service, switch the [**Endpoint Protection** workload](../../comanage/workloads.md#endpoint-protection) to Intune. For more information, see [Endpoint protection for Microsoft Intune](/intune/endpoint-protection-windows-10).
+ > To manage endpoint protection on co-managed Windows 10 or later devices using the Microsoft Intune cloud service, switch the [**Endpoint Protection** workload](../../comanage/workloads.md#endpoint-protection) to Intune. For more information, see [Endpoint protection for Microsoft Intune](/mem/intune/protect/endpoint-protection-windows-10).
 - Protect data stored on on-premises Windows clients with BitLocker Drive Encryption (BDE). Configuration Manager provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring (MBAM). For more information, see [Plan for BitLocker management](../plan-design/bitlocker-management.md).
diff --git a/memdocs/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10.md b/memdocs/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10.md
index d26c6c7a6aa..7322ad9ed64 100644
--- a/memdocs/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10.md
+++ b/memdocs/configmgr/sum/deploy-use/integrate-windows-update-for-business-windows-10.md
@@ -21,7 +21,7 @@ ms.collection: tier3
 Windows Update for Business (WUfB) allows you to keep Windows 10 or later devices in your organization always up-to-date with the latest security defenses and Windows features when these devices connect directly to the Windows Update (WU) service. Configuration Manager can differentiate between Windows computers that use WUfB and WSUS for getting software updates.
 > [!WARNING]
-> If you are using co-management for your devices and you have moved the [Windows Update policies](../../comanage/workloads.md#windows-update-policies) to Intune, then your devices will get their [Windows Update for Business policies from Intune](/intune/windows-update-for-business-configure).
+> If you are using co-management for your devices and you have moved the [Windows Update policies](../../comanage/workloads.md#windows-update-policies) to Intune, then your devices will get their [Windows Update for Business policies from Intune](/mem/intune/protect/windows-update-for-business-configure).
 > - If the Configuration Manager client is still installed on the co-managed device then settings for Cumulative Updates and Feature Updates are managed by Intune. However, third-party patching, if enabled in [**Client Settings**](../../core/clients/deploy/about-client-settings.md#enable-third-party-software-updates), is still managed by Configuration Manager.
 Some Configuration Manager features are no longer available when Configuration Manager clients are configured to receive updates from WU, which includes WUfB or Windows Insiders:
diff --git a/memdocs/configmgr/sum/deploy-use/third-party-software-updates.md b/memdocs/configmgr/sum/deploy-use/third-party-software-updates.md
index e04703b5ea6..a3a68244a22 100644
--- a/memdocs/configmgr/sum/deploy-use/third-party-software-updates.md
+++ b/memdocs/configmgr/sum/deploy-use/third-party-software-updates.md
@@ -2,7 +2,7 @@
 title: Enable third-party updates
 titleSuffix: Configuration Manager
 description: Enable third-party updates in Configuration Manager
-ms.date: 08/02/2021
+ms.date: 10/08/2024
 ms.service: configuration-manager
 ms.subservice: software-updates
 ms.topic: conceptual
@@ -14,14 +14,16 @@ ms.reviewer: mstewart,aaroncz
 ms.collection: tier3
 ---
+
 # Enable third-party updates
 *Applies to: Configuration Manager (current branch)*
 The **Third-Party Software Update Catalogs** node in the Configuration Manager console allows you to subscribe to third-party catalogs, publish their updates to your software update point (SUP), and then deploy them to clients.
-> [!Note]
-> In version 2006 and earlier, Configuration Manager doesn't enable this feature by default. Before using it, enable the optional feature **Enable third party update support on clients**. For more information, see [Enable optional features from updates](../../core/servers/manage/optional-features.md).
+> [!Note]
+> - Microsoft does not test or verify third party update catalogs or their contents in any way. Before deploying you should verify that any updates downloaded from third party update catalogs are free from malicious software and verify them in a testing environment prior to deploying them in your environment.
+> - In version 2006 and earlier, Configuration Manager doesn't enable this feature by default. Before using it, enable the optional feature **Enable third party update support on clients**. For more information, see [Enable optional features from updates](../../core/servers/manage/optional-features.md).
 ## Prerequisites
diff --git a/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md b/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md
index 8ab6d41d3db..8e61348e8fe 100644
--- a/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md
+++ b/memdocs/intune/apps/android-deployment-scenarios-app-protection-work-profiles.md
@@ -61,7 +61,7 @@ Individual Android apps are enabled for APP in a few ways:
 For more information on this tool, see [prepare line-of-business apps for app protection policies](../developer/apps-prepare-mobile-application-management.md).
-To see a list of apps enabled with APP, see [managed apps with a rich set of mobile application protection policies](https://www.microsoft.com/cloud-platform/microsoft-intune-apps).
+To see a list of apps enabled with APP, see [managed apps with a rich set of mobile application protection policies](/mem/intune/apps/apps-supported-intune-apps).
 ## Deployment scenarios
diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
index d60d1c4389c..9339cde7335 100644
--- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
+++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md
@@ -80,10 +80,9 @@ The following table lists the Managed Home Screen available configuration keys,
 | Set device wall paper | string | Default | Allows you to set a wallpaper of your choice. Enter the URL of the image that you want to set as a wallpaper. | ✔️ |
 | Define theme color | string | light | Specify if you want Managed Home Screen to run in "light" or "dark" mode. | ❌ |
 | Block pinning browser web pages to MHS | bool | FALSE | Set this restriction to `true` to block users from pinning web pages from any browser onto Managed Home Screen. | ❌ |
-| Enable updated user experience | bool | FALSE | Set to **true** to display the updated app design, with improvements to user workflows for usability and supportability, for MHS. If **false**, user will continue to see previous workflows on the app. **NOTE**: Starting in August 2024, previous Managed Home Screen workflows will be removed and all devices will be required to use the updated app design. | ❌ |
-| Top Bar Primary Element | choice | | Use this key to select whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. This setting can only be used if **Enable sign in** key is set to **false**. If the **Enable sign in** key is set to **true**, the user's name will be shown as the primary element. **Enable updated user experience** must be set to **true** to make the top bar visible on users devices. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ |
-| Top Bar Secondary Element | choice | | Use this key to select whether the secondary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. **Enable updated user experience** must be set to **true** to make the top bar visible on users devices. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ |
-| Top Bar User Name Style | choice | | Use this setting to select the style of the user's name in the top bar based on the following list: This setting can only be used if the **Enable sign in** key is set to **true**. **Enable updated user experience** must be set to **true** to make the top bar visible on users devices. | ❌ |
+| Top Bar Primary Element | choice | | Use this key to select whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. This setting can only be used if **Enable sign in** key is set to **false**. If the **Enable sign in** key is set to **true**, the user's name will be shown as the primary element. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ |
+| Top Bar Secondary Element | choice | | Use this key to select whether the secondary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ |
+| Top Bar User Name Style | choice | | Use this setting to select the style of the user's name in the top bar based on the following list: This setting can only be used if the **Enable sign in** key is set to **true**. | ❌ |
 **Configurations for device peripherals and Managed Home Screen settings**:
@@ -96,9 +95,9 @@ The following table lists the Managed Home Screen available configuration keys,
 | Show Bluetooth setting | bool | FALSE | Turning this setting to True allows the end user to turn on or off Bluetooth and to connect to different Bluetooth-capable devices. | ✔️ |
 | Show volume setting | bool | FALSE | Turning this setting to True allows the end user to access a volume slider to adjust media volume. | ✔️ |
 | Show flashlight setting | bool | FALSE | Turning this setting to True allows the end user to on or off the device's flashlight. If the device doesn't support a flashlight, then this setting won't appear, even if configured to True. | ✔️ |
-| Show brightness slider | bool | FALSE | Turn this setting to TRUE to allow end users to access a brightness slider to adjust the device screen brightness. This configuration is only available when **Enable updated user experience** is set to TRUE. | ❌ |
-| Show adaptive brightness toggle | bool | FALSE | Turn this setting to TRUE to allow end users to turn adaptive brightness on and off on the device. Adaptive brightness allows the device to select an optimal brightness based on ambient lighting. This configuration is only available when **Enable updated user experience** is set to TRUE. | ❌ |
-| Show autorotate toggle | bool | FALSE | Turn this setting to TRUE to allow end users to access a toggle to turn on and off the device's auto-rotation setting. This configuration is only available when **Enable updated user experience** is set to TRUE.| ❌ |
+| Show brightness slider | bool | FALSE | Turn this setting to TRUE to allow end users to access a brightness slider to adjust the device screen brightness. | ❌ |
+| Show adaptive brightness toggle | bool | FALSE | Turn this setting to TRUE to allow end users to turn adaptive brightness on and off on the device. Adaptive brightness allows the device to select an optimal brightness based on ambient lighting. | ❌ |
+| Show autorotate toggle | bool | FALSE | Turn this setting to TRUE to allow end users to access a toggle to turn on and off the device's auto-rotation setting. | ❌ |
 | Show device info setting | bool | FALSE | True allows end users to access quick info about the device from the Managed Setting menu. Accessible information includes device's make, model, serial number, and IPv4 and IPv6 details. On OS version 9 and newer, to let users see the device's serial number, ensure that **Show serial number for all supported OS version on MHS** is configured to display `{{SerialNumber}}`. MAC address details are available from the **Device Information** page of the Managed Home Screen (MHS) app. Use the MAC address when troubleshooting device connectivity issues. | ✔️ |
 | Show device's name on MHS | bool | FALSE | Turn this setting to True to easily view the device's Intune admin center "device name" property from the Managed Settings menu when **Show device info setting** is set to True. Make sure to also include the string property "Device's name," which is auto-populated by Intune with the correct value. | ❌ |
 | Show serial number for all supported OS version on MHS | choice | {{SerialNumber}} | Ensure that in-app config device_serial_number is configured to display {{SerialNumber}} when **Show device info setting** is set to True. This value is auto-populated by Intune with the correct value. | ❌ |
@@ -106,7 +105,7 @@ The following table lists the Managed Home Screen available configuration keys,
 | Enable virtual home button | bool | FALSE | True allows end users to have access to a Managed Home Screen home button that will return the user to the Managed Home Screen from the current task they are in. | ✔️ |
 | Type of virtual home button | string | swipe_up | Use swipe_up to access home button with a swipe up gesture. Use float to access a sticky, persistent home button that can be moved around the screen by the end user. | ✔️ |
 | Enable notifications badge | bool | FALSE | Enables the notification badge for app icons that shows the number of new notifications on the app. If you enable this setting, end users will see notification badges on apps that have unread notifications. If you keep this configuration key disabled, the end user won't see any notification badged to apps that might have unread notifications. | ✔️ |
-| Battery and Signal Strength indicator bar | bool | TRUE | Turning this setting to True shows the battery and signal strength indicator bar. | ❌ |
+| Battery and Signal Strength indicator bar | bool | FALSE | Turning this setting to True shows the battery and signal strength indicator bar. | ❌ |
 | Type of virtual app switcher button | string | | The configuration key is `virtual_app_switcher_type` and the possible values are `none`, `float`, and `swipe_up`. Use `swipe_up` to access app switcher button with a swipe up gesture. Use `float` to access a sticky, persistent app switcher button that can be moved around the screen by the end user. | ❌ |
 > [!IMPORTANT]
@@ -118,6 +117,9 @@ The following table lists the Managed Home Screen available configuration keys,
 >
 > On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for fully managed and dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not already connected to a stable network.
+> [!IMPORTANT]
+> End users cannot automatically connect to Enterprise Wi-Fi networks they select from the MHS settings menu, even if that network has been pre-configured using either Intune or another external source. While managed devices can still reliably utilize these networks, end users cannot initialize a connection from within MHS to the preconfigured networks.
+
 > [!IMPORTANT]
 > For devices running on Android 10+ and using Managed Home Screen, for Bluetooth pairing to successfully work on devices that require a pairing key, admins must enable the following Android system apps:
 > - Android System Bluetooth
@@ -165,10 +167,10 @@ The following table lists the Managed Home Screen available configuration keys,
 | Configuration Key | Value Type | Default Value | Description | Available in device configuration profile |
 |-|-|-|-|-|
-| Enable sign in | bool | FALSE | Turn this setting to True to enable end-users to sign into Managed Home Screen. When used with Microsoft Entra shared device mode, users who sign in to Managed Home Screen will get automatically signed in to all other apps on the device that have participated with Microsoft Entra shared device mode. By default this setting is off. | ✔️ NOTE: On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the sign in screen. |
+| Enable sign in | bool | FALSE | Turn this setting to True to enable end-users to sign into Managed Home Screen. When used with Microsoft Entra shared device mode, users who sign in to Managed Home Screen will get automatically signed in to all other apps on the device that have participated with Microsoft Entra shared device mode. By default this setting is off. NOTE: After rebooting the device, end users must reauthenticate by signing in to Managed Home Screen. | ✔️ NOTE: On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the sign in screen. |
 | Sign in type | string | Microsoft Entra ID | Set this configuration to "AAD" to sign in with a Microsoft Entra account. Otherwise, set this configuration to "Other". Users who sign in with a non-AAD account won't get single sign-on to all apps that have integrated with Microsoft Entra shared device mode, but will still get signed in to Managed Home Screen. By default, this setting uses "AAD" user accounts. This setting can only be used if **Enable sign in** has been set to True. | ✔️ |
-| Domain name | string | | Set a domain name to be appended to usernames for sign in. If this is not set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration. This configuration is only available when **Enable updated user experience** is set to TRUE. **NOTE**: This setting does not prevent users from inputting alternative domain names. | ❌ |
-| Login hint text | string | | Set a custom login hint string by entering a string. If no string is set, the default string "Enter email or phone number" will be displayed. Enable sign in must be set to TRUE to use this configuration. This configuration is only available when **Enable updated user experience** is set to TRUE. | ❌ |
+| Domain name | string | | Set a domain name to be appended to usernames for sign in. If this is not set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration. **NOTE**: This setting does not prevent users from inputting alternative domain names. | ❌ |
+| Login hint text | string | | Set a custom login hint string by entering a string. If no string is set, the default string "Enter email or phone number" will be displayed. Enable sign in must be set to TRUE to use this configuration. | ❌ |
 | Set to the url of wallpaper | string | | Allows you to set a wallpaper of your choice for the sign in screen. To use this setting, enter the URL of the image that you want set for the sign-in screen wallpaper. This image can be different than the Managed Home Screen wallpaper that is configured with **Set device wallpaper**. This setting can only be used if **Enable sign in** has been set to True. | ✔️ |
 | Enable show organization logo on sign in page | bool | TRUE | Turn this setting to True to use a company logo that will appear on the sign-in screen. This setting is used with **Organization logo on sign in page** and can only be used if **Enable sign in** has been set to TRUE. | ✔️ |
 | Organization logo on sign in page | string | | Allows you to brand your device with a logo of your choice on the Managed Home Screen sign-in screen. To use this setting, enter the URL of the image that you want set for the logo. This setting can only be used if **Enable show organization logo on sign in page** and **Enable sign in** have been set to True. | ✔️ |
@@ -178,7 +180,7 @@ The following table lists the Managed Home Screen available configuration keys, | Maximum number of attempts for session PIN | string | | Define the maximum number of times a user can attempt to enter their session PIN before getting automatically logged out from Managed Home Screen. The default value is zero (0), where zero (0) means the user gets infinite tries. This can be used with any of the complexity values for session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ | | Customer facing folder | Bool | FALSE | Use this specification with **Create Managed Folder for grouping apps** to create a folder that can't be exited without a user entering their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ | | Require PIN code after returning from screensaver | bool | FALSE | Turn this setting True if you want to require end-users to enter their Session PIN to resume activity on Managed Home Screen after the screensaver has appeared. This setting can only be used if **Enable sign in** has been set to True. | ✔️ | -| Minimum inactive time before session PIN is required | int | | The number of seconds the device is inactive before end-user input of session PIN is required. If set to 0, the device will always require PIN after screen saver, regardless of the inactive time. This configuration is only available when **Require PIN code after returning from screensaver** and **Enable updated user experience** are set to TRUE. | ✔️ | +| Minimum inactive time before session PIN is required | int | | The number of seconds the device is inactive before end-user input of session PIN is required. If set to 0, the device will always require PIN after screen saver, regardless of the inactive time. This configuration is only available when **Require PIN code after returning from screensaver** is set to TRUE. 
| ✔️ | | Enable auto sign-out | bool | FALSE | Turn this setting to True to automatically sign current user out of Managed Home Screen after a specified period of inactivity. When used with Microsoft Entra shared device mode, users will also get signed out of all apps on the device that participate with Microsoft Entra shared device mode. By default, this setting is turned off. This setting can only be used if **Enable sign in** has been set to True. | ✔️ | | Auto sign-out time | integer | 300 | Set a period of inactivity, in seconds, that can pass before user gets automatically signed out of Managed Home Screen. This setting can only be used if **Enable auto sign-out** and **Enable sign in** have been set to True. | ✔️ | | Count down time on auto sign-out dialog | integer | 60 | The amount of time, in seconds, to give notice to user before signing them out of Managed Home Screen. This setting can only be used if **Enable auto sign-out** and **Enable sign in** have been set to True. | ✔️ | @@ -348,10 +350,6 @@ The following syntax is an example JSON script with all the available configurat "key": "device_name", "valueString": "{{DeviceName}}" }, - { - "key": "enable_updated_user_experience", - "valueBool": false - }, { "key": "header_primary_element", "valueString": "Tenant Name" diff --git a/memdocs/intune/apps/app-configuration-policies-use-android.md b/memdocs/intune/apps/app-configuration-policies-use-android.md index f033814e503..92bec816946 100644 --- a/memdocs/intune/apps/app-configuration-policies-use-android.md +++ b/memdocs/intune/apps/app-configuration-policies-use-android.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 08/08/2024 +ms.date: 10/09/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
@@ -76,6 +76,7 @@ Android Enterprise has several enrollment methods. The enrollment type depends o > * Camera > * Record audio > * Allow body sensor data + > * Background location 11. If the managed app supports configuration settings, the **Configuration settings format** dropdown box is visible. Select one of the following methods to add configuration information: - **Use configuration designer** @@ -127,7 +128,7 @@ You can use the configuration designer for Managed Google Play apps when the app 2. For each key and value in the configuration, set: - - **Value type**: The data type of the configuration value. For String value types, you can optionally choose a variable or certificate profile as the value type. + - **Value type**: The data type of the configuration value. For string value types, you can optionally choose a variable or certificate profile as the value type. Note that once the policy is created, these value types will show as string. - **Configuration value**: The value for the configuration. If you select variable or certificate for the **Value type**, choose from a list of variables or certificate profiles. If you choose a certificate, then the certificate alias of the certificate deployed to the device is populated at runtime. ### Supported variables for configuration values diff --git a/memdocs/intune/apps/app-protection-framework.md b/memdocs/intune/apps/app-protection-framework.md index 2bed001a63f..8b029770123 100644 --- a/memdocs/intune/apps/app-protection-framework.md +++ b/memdocs/intune/apps/app-protection-framework.md 
@@ -75,7 +75,7 @@ Administrators can incorporate the below configuration levels within their ring ### Conditional Access Policies -To ensure that only apps supporting App Protection Polices access work or school account data, Microsoft Entra Conditional Access policies are required. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). +To ensure that only apps supporting App Protection Poliies access work or school account data, Microsoft Entra Conditional Access policies are required. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). See **Require approved client apps or app protection policy with mobile devices** in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection) for steps to implement the specific policies. Finally, implement the steps in [Block legacy authentication](/azure/active-directory/conditional-access/block-legacy-authentication) to block legacy authentication capable iOS and Android apps. diff --git a/memdocs/intune/apps/app-protection-policies-monitor.md b/memdocs/intune/apps/app-protection-policies-monitor.md index 8b65cb1eda1..ba8a35c1186 100644 --- a/memdocs/intune/apps/app-protection-policies-monitor.md +++ b/memdocs/intune/apps/app-protection-policies-monitor.md 
@@ -68,7 +68,7 @@ App protection data is retained for a minimum of 90 days. Any app instances that - **Compliance State**: The app meets compliance if it is targeted with MAM policy. >[!NOTE] -> The **Last Sync** column represents the same value in both the in-console User status report and the App Protection Policy [exportable .csv report](/intune/app-protection-policies-monitor#export-app-protection-activities). The difference is a small delay in synchronization between the value in the two reports. +> The **Last Sync** column represents the same value in both the in-console User status report and the App Protection Policy [exportable .csv report](/mem/intune/apps/app-protection-policies-monitor#export-app-protection-activities). The difference is a small delay in synchronization between the value in the two reports. > > The time referenced in Last Sync is when Intune last saw the app instance. When a user launches an app, it might notify the Intune App Protection service at that launch time, depending on when it last checked in. See [the retry interval times for App Protection Policy check-in](app-protection-policy-delivery.md). If a user hasn't used that particular app in the last check-in interval (which is usually 30 minutes for active usage), and they launch the app, then: > diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 59c72dcf829..64d73ce8164 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md +++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 06/14/2024 +ms.date: 09/23/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps 
@@ -153,6 +153,7 @@ By default, several settings are provided with pre-configured values and actions |**Offline grace period** |The number of minutes that managed apps can run offline. Specify the time (in minutes) before the access requirements for the app are rechecked.

*Actions* include:

This entry can appear multiple times, with each instance supporting a different action. | |**Min app version** |Specify a value for the minimum application version value.

*Actions* include:

As apps often have distinct versioning schemes between them, create a policy with one minimum app version targeting one app (for example, *Outlook version policy*).

This entry can appear multiple times, with each instance supporting a different action.

This policy setting format supports either major.minor, major.minor.build, major.minor.build.revision.

Additionally, you can configure **where** your end users can get an updated version of a line-of-business (LOB) app. End users will see this in the **min app version** conditional launch dialog, which will prompt end users to update to a minimum version of the LOB app. On Android, this feature uses the Company Portal. To configure where an end user should update a LOB app, the app needs a managed [app configuration policy](app-configuration-policies-managed-app.md) sent to it with the key, `com.microsoft.intune.myappstore`. The value sent will define which store the end user will download the app from. If the app is deployed via the Company Portal, the value must be `CompanyPortal`. For any other store, you must enter a complete URL. | |**Disabled account** |There is no value to set for this setting.

*Actions* include:

| +|**Non-working time** |There is no value to set for this setting.

*Actions* include:

**Note**: This setting must only be configured if the tenant has been integrated with the **Working Time API**. For more information about integrating this setting with the **Working Time API**, see [Limit access to Microsoft Teams when frontline workers are off shift](/microsoft-365/frontline/flw-working-time). Configuring this setting without integrating with the Working Time API could result in accounts getting blocked due to missing working time status for the managed account associated with the application.

The following apps support this feature with Company Portal v5.0.5849.0 or later:

| ### Device conditions diff --git a/memdocs/intune/apps/app-protection-policy-settings-ios.md b/memdocs/intune/apps/app-protection-policy-settings-ios.md index cb9d5c63d24..b7ef9f6a44c 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-ios.md +++ b/memdocs/intune/apps/app-protection-policy-settings-ios.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 01/30/2024 +ms.date: 09/23/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps @@ -185,6 +185,8 @@ By default, several settings are provided with pre-configured values and actions | **Device model(s)** | Specify a semi-colon separated list of model identifier(s). These values aren't case sensitive.

*Actions* include:

For more information on using this setting, see [Conditional Launch actions](app-protection-policies-access-actions.md#ios-policy-settings). | | **Max allowed device threat level** | App protection policies can take advantage of the Intune-MTD connector. Specify a maximum threat level acceptable to use this app. Threats are determined by your chosen Mobile Threat Defense (MTD) vendor app on the end user device. Specify either *Secured*, *Low*, *Medium*, or *High*. *Secured* requires no threats on the device and is the most restrictive configurable value, while *High* essentially requires an active Intune-to-MTD connection.

*Actions* include:

**Note:** *Requires app to have Intune SDK version 12.0.15 or above.*

For more information on using this setting, see [Enable MTD for unenrolled devices](../protect/mtd-enable-unenrolled-devices.md). | |**Primary MTD service** |If you have configured multiple Intune-MTD connectors, specify the primary MTD vendor app that should be used on the end user device.

**Values** include:

You must configure the setting “Max allowed device threat level” to use this setting.

There are no **Actions** for this setting.| +|**Non-working time** |There is no value to set for this setting.

*Actions* include:

**Note**: This setting must only be configured if the tenant has been integrated with the **Working Time API**. For more information about integrating this setting with the **Working Time API**, see [Limit access to Microsoft Teams when frontline workers are off shift](/microsoft-365/frontline/flw-working-time). Configuring this setting without integrating with the Working Time API could result in accounts getting blocked due to missing working time status for the managed account associated with the application.

The following apps support this feature:

| + ### Learn more - Learn about [LinkedIn information and features in your Microsoft apps](https://go.microsoft.com/fwlink/?linkid=850740). diff --git a/memdocs/intune/apps/apps-add-enterprise-app.md b/memdocs/intune/apps/apps-add-enterprise-app.md index 58e10838215..0eeaafcc34c 100644 --- a/memdocs/intune/apps/apps-add-enterprise-app.md +++ b/memdocs/intune/apps/apps-add-enterprise-app.md @@ -6,7 +6,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 01/08/2024 +ms.date: 09/16/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps @@ -33,9 +33,9 @@ The Enterprise App Catalog is a collection of prepackaged [Win32 apps](../apps/a When you add an app to Intune, you'll commonly want to use default installation, requirements, and detection settings. For apps within the Enterprise App Catalog, these default settings have been configured and confirmed by Microsoft. You must be careful if you modify the application properties as unexpected or harmful commands could be passed via the **Install command** and **Uninstall command** fields. In addition, changing the install commands might cause installation to fail. > [!IMPORTANT] -> Microsoft does not assert compliance or authorizations for non-Microsoft apps. Customers are responsible for ensuring that apps meet their requirements. +> Microsoft does not assert compliance or authorizations for apps distributed via Intune. Customers are responsible for ensuring that apps meet their requirements. -Once you add an Enterprise App Catalog app to Intune, you can assign that app to end-users or devices. Intune silently adds the app to your tenant. +Once you add an Enterprise App Catalog app to Intune, you can assign that app to end-users or devices. ## Add a Windows catalog app (Win32) to Intune 
@@ -208,7 +208,7 @@ The **Rules format** provides the following options: The Intune agent checks the results from the script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails and the application detection status isn't installed. If the exit code is zero and STDOUT has data, the application detection status is installed. > [!NOTE] - > We recommend encoding your script as UTF-8. When the script exits with the value of **0**, the script execution was successful. The second output channel indicates that the app was detected. STDOUT data indicates that the app was found on the client. We don't look for a particular string from STDOUT. + > We recommend encoding your script as UTF-8 BOM. When the script exits with the value of **0**, the script execution was successful. The second output channel indicates that the app was detected. STDOUT data indicates that the app was found on the client. We don't look for a particular string from STDOUT. When you add the app to Intune, the version of your Windows catalog app (Win32) is displayed in the Microsoft Intune admin center. The app version is provided in the **All apps** list, where you can filter by Windows catalog app (Win32) and select the optional **version** column. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps** > **All apps** > **Columns** > **Version** to display the app version in the app list. 
@@ -219,14 +219,33 @@ You can use scope tags to determine who can see client app information in Intune Click **Select scope tags** to optionally add scope tags for the app. Then select **Next** to display the **Review + create** step. -## Step 6: Review and create +## Step 6: Assignments + +You can select the **Required**, **Available for enrolled devices**, or **Uninstall** group assignments for the app. For more information, see [Add groups to organize users and devices](../fundamentals/groups-add.md) and [Assign apps to groups with Microsoft Intune](apps-deploy.md). + +> [!IMPORTANT] +> For the scenario when a Win32 app is deployed and assigned based on user targeting, if the Win32 app requires device admin privileges or any other permissions that the standard user of the device doesn't have, the app will fail to install. + +1. For the specific app, select an assignment type: + - **Required**: The app is installed on devices in the selected groups. + - **Available for enrolled devices**: Users install the app from the company portal app or the company portal website. + - **Uninstall**: The app is uninstalled from devices in the selected groups. +2. Select **Add group** and assign the groups that will use this app. +3. On the **Select groups** pane, select groups to assign based on users or devices. +4. After you select your groups, you can also set **End user notifications**, **Availability**, and **Installation deadline**. For more information, see [Set Win32 app availability and notifications](apps-win32-app-management.md#set-win32-app-availability-and-notifications). +5. If you don't want this app assignment to affect groups of users, select **Included** under the **MODE** column. In the **Edit assignment** pane, change the **mode** value from **Included** to **Excluded**. Select **OK** to close the **Edit assignment** pane. +6. In the **App settings** section, select the **Delivery optimization priority** value for the app. 
This setting will determine how the app content will be downloaded. You can choose to download the app content in background mode or foreground mode based on assignment. + +After you finish setting the assignments for the apps, select **Next** to display the **Review + create** page. + +## Step 7: Review and create 1. Review the values and settings that you entered for the app. Verify that you configured the app information correctly. 2. Select **Create** to add the app to Intune. The **Overview** pane for the LOB app appears. -At this point, you've completed steps to add a Windows catalog app (Win32) to Intune. The next step is to assign the app and set the installation properties, such as end-user notifications, restart grace periods, and delivery optimization priority. For information about app assignment and monitoring, see [Assign apps to groups with Microsoft Intune](apps-deploy.md) and [Monitor app information and assignments with Microsoft Intune](apps-monitor.md). +At this point, you've completed steps to add a Windows catalog app (Win32) to Intune. ## Next steps diff --git a/memdocs/intune/apps/apps-add-office365.md b/memdocs/intune/apps/apps-add-office365.md index 337e52c0f83..4a7528319cb 100644 --- a/memdocs/intune/apps/apps-add-office365.md +++ b/memdocs/intune/apps/apps-add-office365.md 
@@ -195,7 +195,7 @@ When you're unable to install the Microsoft 365 apps to a device, you must ident - There's an active network connection on the device. If the device is in airplane mode, is turned off, or is in a location with no service, the policy won't apply until network connectivity is established. - Both Intune and Microsoft 365 network requirements are met and the related IP ranges are accessible based on the following articles: - - [Intune network configuration requirements and bandwidth](/intune/network-bandwidth-use) + - [Intune network configuration requirements and bandwidth](/mem/intune/fundamentals/network-bandwidth-use) - [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges) - The correct groups have been assigned the Microsoft 365 app suite. diff --git a/memdocs/intune/apps/apps-eam-supersedence.md b/memdocs/intune/apps/apps-eam-supersedence.md new file mode 100644 index 00000000000..d1f0454b26f --- /dev/null +++ b/memdocs/intune/apps/apps-eam-supersedence.md 
@@ -0,0 +1,66 @@ +--- +title: Guided update supersedence for Enterprise App Management +titleSuffix: Microsoft Intune +description: Learn how to update an Enterprise App Catalog app using supersedence with Microsoft Intune. +keywords: +author: Erikre +ms.author: erikre +manager: dougeby +ms.date: 09/17/2024 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: apps +ms.localizationpriority: medium +ms.assetid: + +ms.reviewer: nicolezhao +ms.suite: ems +search.appverid: MET150 +ms.custom: +ms.collection: +- tier1 +- M365-identity-device-management +- FocusArea_Apps_EAM +--- + +# Guided update supersedence for Enterprise App Management + +Guided update supersedence for Enterprise App Management allows you to check for updates of Windows (Win32) Enterprise App Catalog apps. You can view an available update for the app and select the option to create a new app with a supersedence relationship for the app it’s updating. Prepopulated attributes are provided when creating the new app. + +## View available updates + +In the **Overview** pane for a selected Enterprise App Catalog app, you can view the available updates by selecting the tile **Enterprise App Catalog apps with available updates**. + +:::image type="content" alt-text="Screenshot the app's Overview pane with the tile 'Enterprise App Catalog apps with available updates'." source="./media/apps-eam-supersedence/apps-eam-supersedence-01.png" lightbox="./media/apps-eam-supersedence/apps-eam-supersedence-01.png" ::: + +The **Enterprise App Catalog apps with updates** pane provides a list of Enterprise App Catalog apps that can be updated. This list provides the following app details: +- **App name**: - The name of the app. +- **Publisher**: - The publisher of the app. +- **Provisioned version**: - The currently installed app version. +- **Latest available version**: - The new version that is available. 
+ +:::image type="content" alt-text="Screenshot the Enterprise App Catalog app list with available updates." source="./media/apps-eam-supersedence/apps-eam-supersedence-02.png" lightbox="./media/apps-eam-supersedence/apps-eam-supersedence-02.png" ::: + +## Update an Enterprise App Catalog app + +1. To update an Enterprise App Catalog app, select the *app name* to display additional options. + + You can update a specific app. This option allows you to update the app with a newer app version. Intune uses information from the Enterprise App Catalog to define properties and settings. You can review and define custom settings as needed. You should consider downloading and exporting the properties of the app before updated. + + Superseding an app creates a new app with the latest app package and sets up the supersedence relationship. Some settings, such as scope tags and assignments won't be copied to the new app. + +2. Select the **Update** option for the specific app. + The **Update application** pane is displayed. + + :::image type="content" alt-text="Screenshot an Enterprise App Catalog app list the supersedence option." source="./media/apps-eam-supersedence/apps-eam-supersedence-04.png" lightbox="./media/apps-eam-supersedence/apps-eam-supersedence-04.png" ::: + +3. Select **Supersede app**. + +4. Select your app **Assignments**, then **Review + create** the superseded app. + +## Next steps + +- [Microsoft Intune Enterprise Application Management](../apps/apps-enterprise-app-management.md) +- [Add an Enterprise App Catalog app to Microsoft Intune](../apps/apps-add-enterprise-app.md) +- [Troubleshoot Win32 app issues](apps-win32-troubleshoot.md) +- [Monitor app information and assignments with Microsoft Intune](apps-monitor.md) diff --git a/memdocs/intune/apps/apps-enterprise-app-management.md b/memdocs/intune/apps/apps-enterprise-app-management.md index b7dcfad5d1f..99b0c836698 100644 --- a/memdocs/intune/apps/apps-enterprise-app-management.md 
+++ b/memdocs/intune/apps/apps-enterprise-app-management.md @@ -35,7 +35,7 @@ Microsoft Intune Enterprise App Management enables you to easily discover and de The Enterprise App Management provides the following benefits: - **Streamlined app management**: You can save time and reduce complexity by streamlining the app management process. Discover and add apps directly from the Intune console. -- **Stay current with updates**: You're able to keep apps up-to-date by easily creating apps for the new versions of products as they're available in the catalog. +- **Stay current with updates**: You're able to keep apps up-to-date by easily creating apps for the new versions of products as they're available in the catalog. Use the **Enterprise App Catalog apps with updates** report. When you add an Enterprise App Catalog app, Intune prefills the following installation details: @@ -92,11 +92,11 @@ You can also upvote an application previously submitted by someone else. Applica ### Where are the devices downloading the app content from? -Microsoft hosts the applications in Microsoft storage. +Microsoft hosts the applications in Microsoft storage accessible through `*.manage.microsoft.com`. For the full list of network requirements, see [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md?tabs=north-america). ### Is Microsoft providing security around any of the content provided in the Enterprise App Catalog? -No. Microsoft makes no guarantee, express or implied, with respect to the security and compliance of the applications provided in the Enterprise App Catalog. +Microsoft does not assert compliance or authorizations for apps distributed via Intune. Customers are responsible for ensuring that apps meet their requirements. ### What app installer types are in the Enterprise App Catalog? 
@@ -116,11 +116,11 @@ The catalog has over 400+ available applications in the Enterprise App Catalog. ### How can working with the applications in Enterprise App Catalog be automated? -Graph API will be available soon after general availability. +Graph API is planned to be available soon. ### Will Enterprise catalog apps automatically update to a new version when a new version is available in the Enterprise app catalog? -No, the created app remains at the version it was created at so the IT Pro can have full control over the experience. +Updates are shown in Monitor report under Enterprise App Catalog apps with updates. The updates won't be applied automatically. You still need to go in and create a new app with supersedence relationship. ### Can you get licensed applications from this catalog? @@ -140,7 +140,7 @@ No. Enterprise App Catalog apps are directly installed by the Intune management ### How do I update my Enterprise App Catalog app? -You can configure what experience you want related to uninstalling the previous version, however the behavior of the application upgrade is controlled by the vendor. +For applications that don’t update themselves, you can view the upgrades that are available for the EAM app via supersedence. ### After several hours, what can I do if my app continues to show that it isn't ready and that the requested content is still being prepared? diff --git a/memdocs/intune/apps/apps-inc-exl-assignments.md b/memdocs/intune/apps/apps-inc-exl-assignments.md index 2c0b7af8c95..af4796d552a 100644 --- a/memdocs/intune/apps/apps-inc-exl-assignments.md +++ b/memdocs/intune/apps/apps-inc-exl-assignments.md 
@@ -85,7 +85,7 @@ To assign an app to groups by using the include and exclude assignment: > [!NOTE] > When you add a group, if any other group has already been included for a specific assignment type, the app is preselected and can't be modified for other include assignment types. The group that has been used can't be used as an included group. -When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the app from the app's assigned list. +When you make group assignments, groups that have already been assigned aren't available to be modified. If you want to select a group that currently isn't available, first remove the group from the app's assigned list. To edit assignments, in the app **Assignments** pane, select the row that contains the specific assignment that you want to change. You can also remove an assignment by selecting the ellipse (**…**) at the end of a row, and then selecting **Remove**. diff --git a/memdocs/intune/apps/apps-monitor.md b/memdocs/intune/apps/apps-monitor.md index 6025ed0a3f7..89ea6267ae6 100644 --- a/memdocs/intune/apps/apps-monitor.md +++ b/memdocs/intune/apps/apps-monitor.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 12/01/2023 +ms.date: 09/17/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
@@ -52,14 +52,18 @@ Intune provides several ways to monitor the properties of apps that you manage a In the app pane, you can review details about the status of an app in your environment. ### Essentials -The **Essentials** section contains the following information about the app: +The **Essentials** section provides the following information about the app if applicable: | **App details** | **Description** | |------------------------|------------------------------------------------------------------| | **Publisher** | The publisher of the app | | **Operating system** | The app operating system (Windows, iOS/iPadOS, Android, and so on) | +| **Version** | If applicable, the version number of the app | +| **MAM SDK enabled** | If applicable, whether the app uses the Intune MAM SDK (**Yes** or **No**) | | **Created** | The date and time when this revision was created **Note**: This date value is updated when an IT admin changes app metadata, such as changing the app category or app description. | -| **Assigned** | Whether the app has been assigned (**Yes** or **No**) | +| **Assigned** | Whether the app has been assigned (**Yes** or **No**) +| **App package file** | If applicable, the app package file name | + ### Device and user status graphs The graphs show the number of apps for the following status: diff --git a/memdocs/intune/apps/apps-quiet-time-policies.md b/memdocs/intune/apps/apps-quiet-time-policies.md index fdbe50505d0..9cd7d2fcb11 100644 --- a/memdocs/intune/apps/apps-quiet-time-policies.md +++ b/memdocs/intune/apps/apps-quiet-time-policies.md @@ -6,7 +6,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 05/16/2024 +ms.date: 09/23/2024 ms.topic: overview ms.service: microsoft-intune ms.subservice: apps 
@@ -29,12 +29,13 @@ The global quiet time settings allow you to create policies to schedule quiet ti
 ## Quiet time policy types
-There are two quiet time policy types available. The following table describes each policy type.
+There are three quiet time policy types available. The following table describes each policy type.
 | Policy Type | Description |
 |---|---|
 | Date Range | Select this option to automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms during the specified range. |
 | Days of the week | Select this option to automatically mute Microsoft Outlook email and Teams notifications on iOS/iPadOS and Android platforms during certain hours or all day on selected days of the week. |
+| Non-working time | Select this option to automatically mute Microsoft Teams notifications on iOS/iPadOS and Android platforms when the managed account is in non-working time.

**Note**: This setting must only be configured if the tenant has been integrated with the **Working Time API**. For more information on integrating with the **Working Time API**, see [Limit access to Microsoft Teams when frontline workers are off shift](/microsoft-365/frontline/flw-working-time). Configuring this setting without integrating with the Working Time API could result in accounts missing Teams app notifications due to missing working time status for the managed account. |
 ## Create an iOS/iPadOS and Android quiet time policy
diff --git a/memdocs/intune/apps/apps-supported-intune-apps.md b/memdocs/intune/apps/apps-supported-intune-apps.md
index bda7aa933b8..2329ae3d9b3 100644
--- a/memdocs/intune/apps/apps-supported-intune-apps.md
+++ b/memdocs/intune/apps/apps-supported-intune-apps.md
@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 07/29/2024
+ms.date: 10/08/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -60,47 +60,47 @@ In addition to supporting the core App Protection Policy settings, apps are also
 The below apps support the Core Intune App Protection Policy settings and are also capable of supporting advanced App Protection Policy and App Configuration Policy settings:
-|App|Platform|[Core App Protection Policy settings](apps-supported-intune-apps.md#core-app-settings)|[App configuration](app-configuration-policies-overview.md)|Org allowed accounts ([iOS](app-configuration-policies-use-ios.md#allow-only-configured-organization-accounts-in-apps), [Android](app-configuration-policies-use-android.md#allow-only-configured-organization-accounts-in-apps))|Sync policy managed app data with native apps ([iOS](app-protection-policy-settings-ios.md#functionality), [Android](app-protection-policy-settings-android.md#functionality))|Org data notifications ([iOS](app-protection-policy-settings-ios.md#functionality), [Android](app-protection-policy-settings-android.md#functionality))|Open data into Org documents ([iOS](app-protection-policy-settings-ios.md#data-transfer), [Android](app-protection-policy-settings-android.md#data-transfer))|Save copies of org data ([iOS](app-protection-policy-settings-ios.md#data-transfer), [Android](app-protection-policy-settings-android.md#data-transfer))|
+|App|Platform|[Core App Protection Policy settings](apps-supported-intune-apps.md#core-app-settings)|[App configuration](app-configuration-policies-overview.md)|Org allowed accounts ([iOS](app-configuration-policies-use-ios.md#allow-only-configured-organization-accounts-in-apps), [Android](app-configuration-policies-use-android.md#allow-only-configured-organization-accounts-in-apps))|Sync policy managed app data with native apps ([iOS](app-protection-policy-settings-ios.md#functionality), [Android](app-protection-policy-settings-android.md#functionality))|Org data notifications ([iOS](app-protection-policy-settings-ios.md#functionality), 
[Android](app-protection-policy-settings-android.md#functionality))|Open data into Org documents ([iOS](app-protection-policy-settings-ios.md#data-transfer), [Android](app-protection-policy-settings-android.md#data-transfer))|Save copies of org data ([iOS](app-protection-policy-settings-ios.md#data-transfer), [Android](app-protection-policy-settings-android.md#data-transfer))|Non-working time ([iOS](app-protection-policy-settings-ios.md#conditional-launch), [Android](app-protection-policy-settings-android.md#conditional-launch))| |--- |--- |:-: |--- |:-: |:-: |:-: |:-: |:-: | -|Microsoft Azure|[Android](https://play.google.com/store/apps/details?id=com.microsoft.azure&pcampaignid=web_share)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Azure|[iOS](https://apps.apple.com/app/microsoft-azure/id1219013620)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Copilot|[Android](https://play.google.com/store/apps/details?id=com.microsoft.copilot)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Copilot|[iOS](https://apps.apple.com/us/app/microsoft-copilot/id6472538445)|✔|No settings|✔ Supported for v28.1.420324001 or later|N/A|✖|✖|N/A| -|Microsoft Edge|[Android](https://play.google.com/store/apps/details?id=com.microsoft.emmx)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔| -|Microsoft Edge|[iOS](https://apps.apple.com/us/app/microsoft-edge/id1288723196)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔| -|Microsoft Excel|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.excel)|✔|No settings|✔|N/A|✖|✖|✔| -|Microsoft Excel|[iOS](https://apps.apple.com/us/app/microsoft-excel/id586683407)|✔|No settings|✔|N/A|✖|✖|✔| -|Microsoft Launcher|[Android](https://play.google.com/store/apps/details?id=com.microsoft.launcher)|✔|✔ see [Launcher app config](configure-microsoft-launcher.md)|✖|N/A|✖|✖|N/A| -|Microsoft Lens - PDF Scanner|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.officelens)|✖|No 
settings|✖|N/A|✖|✖|N/A| -|Microsoft Lens - PDF Scanner|[iOS](https://apps.apple.com/us/app/microsoft-lens-pdf-scanner/id975925059)|✖|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Lists|[iOS](https://apps.apple.com/us/app/microsoft-lists/id1530637363)|✔|No settings|✔|N/A|N/A|✔|✔| -|Microsoft Lists|[Android](https://play.google.com/store/apps/details?id=com.microsoft.lists.public&gl=US)|✔|No settings|✖|N/A|N/A|✖|✖| -|Microsoft Loop|[iOS](https://apps.apple.com/us/app/microsoft-loop/id1637682491)|✔|No settings|✔|N/A|✖|N/A|N/A| -|Microsoft Loop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.loop)|✔|No settings|✔|N/A|✖|N/A|N/A| -|Office (Microsoft 365)|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.officehubrow)|✔|✔ see [Office app config](manage-microsoft-office.md)|✔|N/A|✖|✖|✔| -|Microsoft 365 (Office)|[iOS](https://apps.apple.com/app/microsoft-office/id541164041)|✔|✔ see [Office app config](manage-microsoft-office.md)|✔|N/A|✔ Supported for v2.72 or later|✖|✔| -|Microsoft OneDrive|[Android](https://play.google.com/store/apps/details?id=com.microsoft.skydrive)|✔|No settings|✔|N/A|✖|✔|N/A| -|Microsoft OneDrive|[iOS](https://apps.apple.com/us/app/onedrive-cloud-storage-for/id477537958)|✔|No settings|✔|N/A|✖|✔|N/A| -|Microsoft OneNote|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.onenote)|✔|No settings|✔|N/A|✖|✖|N/A| -|Microsoft OneNote|[iOS](https://apps.apple.com/us/app/microsoft-onenote-for-iphone/id410395246)|✔|No settings|✔|N/A|✖|✖|N/A| -|Microsoft Outlook|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.outlook)|✔|✔ see [Outlook app config](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)|✔|✔|✔|✔|✖| -|Microsoft Outlook|[iOS](https://apps.apple.com/us/app/microsoft-outlook/id951937596)|✔|✔ see [Outlook app 
config](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)|✔|✔|✔ Supports "Block org data" for v4.34.0 or later|✔|✔| -|Microsoft Planner|[Android](https://play.google.com/store/apps/details?id=com.microsoft.planner)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Planner|[iOS](https://apps.apple.com/us/app/microsoft-planner/id1219301037)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft PowerPoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.powerpoint)|✔|No settings|✔|N/A|✖|✖|✔| -|Microsoft PowerPoint|[iOS](https://apps.apple.com/us/app/microsoft-powerpoint/id586449534)|✔|No settings|✔|N/A|✖|✖|✔| -|Microsoft Remote Desktop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx)|✔|✔|✖|N/A|N/A|N/A|N/A| -|Microsoft Remote Desktop|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔|✖|N/A|N/A|N/A|N/A| -|Microsoft SharePoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.sharepoint)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft SharePoint|[iOS](https://apps.apple.com/us/app/microsoft-sharepoint/id1091505266)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Teams|[Android](https://play.google.com/store/apps/details?id=com.microsoft.teams)|✔|No settings|✔|N/A|✔|✔|✔| -|Microsoft Teams|[iOS](https://apps.apple.com/us/app/microsoft-teams/id1113153706)|✔|No settings|✔|N/A|✔ Supported for v2.0.22 or later|✔|✔| -|Microsoft To-Do|[Android](https://play.google.com/store/apps/details?id=com.microsoft.todos)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft To-Do|[iOS](https://apps.apple.com/us/app/microsoft-to-do/id1212616790)|✔|No settings|✖|N/A|✖|✖|N/A| -|Microsoft Word|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.word)|✔|No settings|✔|N/A|✖|✖|✔| -|Microsoft Word|[iOS](https://apps.apple.com/us/app/microsoft-word/id586447913)|✔|No settings|✔|N/A|✖|✖|✔| -|Microsoft Viva 
Engage|[Android](https://play.google.com/store/apps/details?id=com.yammer.v1)|✔|No settings|✔|N/A|✖|✖|N/A| -|Microsoft Viva Engage|[iOS](https://apps.apple.com/us/app/yammer/id289559439)|✔|No settings|✔|N/A|✖|✖|N/A| +|Microsoft Azure|[Android](https://play.google.com/store/apps/details?id=com.microsoft.azure&pcampaignid=web_share)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Azure|[iOS](https://apps.apple.com/app/microsoft-azure/id1219013620)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Copilot|[Android](https://play.google.com/store/apps/details?id=com.microsoft.copilot)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Copilot|[iOS](https://apps.apple.com/us/app/microsoft-copilot/id6472538445)|✔|No settings|✔ Supported for v28.1.420324001 or later|N/A|✖|✖|N/A|✖| +|Microsoft Edge|[Android](https://play.google.com/store/apps/details?id=com.microsoft.emmx)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔|✔ Supported for v125.0.2535.96 or later| +|Microsoft Edge|[iOS](https://apps.apple.com/us/app/microsoft-edge/id1288723196)|✔|✔ see [Edge app config](manage-microsoft-edge.md)|✔|N/A|N/A|N/A|✔|✔ Supported for v126.2592.56 or later| +|Microsoft Excel|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.excel)|✔|No settings|✔|N/A|✖|✖|✔|✖| +|Microsoft Excel|[iOS](https://apps.apple.com/us/app/microsoft-excel/id586683407)|✔|No settings|✔|N/A|✖|✖|✔|✖| +|Microsoft Launcher|[Android](https://play.google.com/store/apps/details?id=com.microsoft.launcher)|✔|✔ see [Launcher app config](configure-microsoft-launcher.md)|✖|N/A|✖|✖|N/A|✖| +|Microsoft Lens - PDF Scanner|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.officelens)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Lens - PDF Scanner|[iOS](https://apps.apple.com/us/app/microsoft-lens-pdf-scanner/id975925059)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Lists|[iOS](https://apps.apple.com/us/app/microsoft-lists/id1530637363)|✔|No settings|✔|N/A|N/A|✔|✔|✖| +|Microsoft 
Lists|[Android](https://play.google.com/store/apps/details?id=com.microsoft.lists.public&gl=US)|✔|No settings|✖|N/A|N/A|✖|✖|✖| +|Microsoft Loop|[iOS](https://apps.apple.com/us/app/microsoft-loop/id1637682491)|✔|No settings|✔|N/A|✖|N/A|N/A|✖| +|Microsoft Loop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.loop)|✔|No settings|✔|N/A|✖|N/A|N/A|✖| +|Office (Microsoft 365)|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.officehubrow)|✔|✔ see [Office app config](manage-microsoft-office.md)|✔|N/A|✖|✖|✔|✖| +|Microsoft 365 (Office)|[iOS](https://apps.apple.com/app/microsoft-office/id541164041)|✔|✔ see [Office app config](manage-microsoft-office.md)|✔|N/A|✔ Supported for v2.72 or later|✖|✔|✖| +|Microsoft OneDrive|[Android](https://play.google.com/store/apps/details?id=com.microsoft.skydrive)|✔|No settings|✔|N/A|✖|✔|N/A|✖| +|Microsoft OneDrive|[iOS](https://apps.apple.com/us/app/onedrive-cloud-storage-for/id477537958)|✔|No settings|✔|N/A|✖|✔|N/A|✖| +|Microsoft OneNote|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.onenote)|✔|No settings|✔|N/A|✖|✖|N/A|✖| +|Microsoft OneNote|[iOS](https://apps.apple.com/us/app/microsoft-onenote-for-iphone/id410395246)|✔|No settings|✔|N/A|✖|✖|N/A|✖| +|Microsoft Outlook|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.outlook)|✔|✔ see [Outlook app config](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)|✔|✔|✔|✔|✖|✖| +|Microsoft Outlook|[iOS](https://apps.apple.com/us/app/microsoft-outlook/id951937596)|✔|✔ see [Outlook app config](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune)|✔|✔|✔ Supports "Block org data" for v4.34.0 or later|✔|✔|✖| +|Microsoft Planner|[Android](https://play.google.com/store/apps/details?id=com.microsoft.planner)|✔|No 
settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Planner|[iOS](https://apps.apple.com/us/app/microsoft-planner/id1219301037)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft PowerPoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.powerpoint)|✔|No settings|✔|N/A|✖|✖|✔|✖| +|Microsoft PowerPoint|[iOS](https://apps.apple.com/us/app/microsoft-powerpoint/id586449534)|✔|No settings|✔|N/A|✖|✖|✔|✖| +|Microsoft Remote Desktop|[Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx)|✔|✔|✖|N/A|N/A|N/A|N/A|✖| +|Microsoft Windows App|[iOS](https://apps.apple.com/us/app/remote-desktop-mobile/id714464092)|✔|✔ see [Configure device redirection](/azure/virtual-desktop/client-device-redirection-intune).|✖|N/A|N/A|N/A|N/A|✖| +|Microsoft SharePoint|[Android](https://play.google.com/store/apps/details?id=com.microsoft.sharepoint)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft SharePoint|[iOS](https://apps.apple.com/us/app/microsoft-sharepoint/id1091505266)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Teams|[Android](https://play.google.com/store/apps/details?id=com.microsoft.teams)|✔|No settings|✔|N/A|✔|✔|✔|✔ Supported for v1416/1.0.0.2023226005 (2023226050) or later| +|Microsoft Teams|[iOS](https://apps.apple.com/us/app/microsoft-teams/id1113153706)|✔|No settings|✔|N/A|✔ Supported for v2.0.22 or later|✔|✔|✔ Supported for v6.9.2 or later| +|Microsoft To-Do|[Android](https://play.google.com/store/apps/details?id=com.microsoft.todos)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft To-Do|[iOS](https://apps.apple.com/us/app/microsoft-to-do/id1212616790)|✔|No settings|✖|N/A|✖|✖|N/A|✖| +|Microsoft Word|[Android](https://play.google.com/store/apps/details?id=com.microsoft.office.word)|✔|No settings|✔|N/A|✖|✖|✔|✖| +|Microsoft Word|[iOS](https://apps.apple.com/us/app/microsoft-word/id586447913)|✔|No settings|✔|N/A|✖|✖|✔|✖| +|Microsoft Viva Engage|[Android](https://play.google.com/store/apps/details?id=com.yammer.v1)|✔|No settings|✔|N/A|✖|✖|N/A|✖| +|Microsoft Viva 
Engage|[iOS](https://apps.apple.com/us/app/yammer/id289559439)|✔|No settings|✔|N/A|✖|✖|N/A|✖|
 The below apps support the core Intune App Protection Policy settings.
@@ -180,7 +180,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
 | :::no-loc text="Dooray! for Intune":::

Partner app - Dooray! for Intune icon | Dooray! is the all-in-one collaboration solution including Task management, Messenger, Mail, Meeting, Calendar, Drive, Wiki, Workflow, Board, and more. Admins can manage policies to protect corporate data while keeping employees connected through the Microsoft Intune admin center for Dooray! for Intune.

Dooray! for Intune includes the following:

| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.dooray.intune),
[App Store link (iOS)](https://apps.apple.com/app/6448622191) |
 | :::no-loc text="Egnyte for Intune":::

Partner app - Egnyte for Intune icon | The Egnyte mobile app allows you to extend the office by working from anywhere with ease. You can securely access data, preview files, upload new content, collaborate on folders and file links, and edit and co-edit files in popular formats. You can also set up permissions for authorized access, create link expirations, and receive notifications when files are accessed.

Egnyte for Intune works with workspaces and devices managed by Microsoft Intune. Intune enables companies to control how the organization’s devices are used and also to configure specific policies. | [App Store link (iOS)](https://apps.apple.com/us/app/egnyte-for-intune/id1596098287) |
 | :::no-loc text="Egress Secure Mail for Intune":::

Partner app - Egress Secure Mail icon | Send and receive encrypted emails and files from your mobile device. Egress Secure Email provides user-friendly tools to secure sensitive data, with end-to-end encryption, access revocation and message restrictions to empower users to stay in control of the information they share.

The Egress Secure Email app requires you to be a licensed user of the Egress platform, with a valid subscription and appropriate infrastructure. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.egress.switchdroid.intune) |
-| :::no-loc text="Enterprise Files for Intune":::

Partner app - Enterprise Files for Intune icon | Integrated with Intune Mobile Application Management, the Enterprise Files for Intune app provides safe document access to multiple back-end file stores. You can provide secure access to cloud and on-premises storage with enforceable MAM Protection Polices for your data. Users can have as much control over file actions as your business needs dictate, from viewing only to edit, copy, move and delete. Whether it’s PDF annotation, video, audio or image presentations, folder management, or document review and edit, Enterprise Files for Intune is an ideal tool for the task. | [App Store link (iOS)](https://apps.apple.com/app/id6443992292) |
+| :::no-loc text="Enterprise Files for Intune":::

Partner app - Enterprise Files for Intune icon | Integrated with Intune Mobile Application Management, the Enterprise Files for Intune app provides safe document access to multiple back-end file stores. You can provide secure access to cloud and on-premises storage with enforceable MAM Protection Policies for your data. Users can have as much control over file actions as your business needs dictate, from viewing only to edit, copy, move and delete. Whether it’s PDF annotation, video, audio or image presentations, folder management, or document review and edit, Enterprise Files for Intune is an ideal tool for the task. | [App Store link (iOS)](https://apps.apple.com/app/id6443992292) |
 | :::no-loc text="ePRINTit SaaS":::

Partner app - ePRINTit SaaS icon | ePRINTit SaaS is a mobile printing platform connecting people who need to print with print locations. Offering print services for public and corporate printing, ePRINTit’s robust offerings are convenient and accessible for customers alike. For more information, visit [www.eprintit.com](https://www.eprintit.com). | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.eprintitsaas.mobile&pli=1),
[App Store link (iOS)](https://apps.apple.com/us/app/eprintit-saas/id6443684419) |
 | :::no-loc text="EVALARM":::

Partner app - EVALARM icon | EVALARM is a mobile crisis communication system that automatically informs the right group of people about a crisis and provides them with individual instructions and contact lists.

This application supports crisis communication processes as part of hazard prevention management in companies, authorities, universities, schools, kindergartens, hospitals and public institutions.

To configure the EVALARM platform, you define your individual crisis scenarios, determine which people or groups of people are alerted, and determine which instructions and contact lists are to be transmitted. | [App Store link (iOS)](https://apps.apple.com/app/evalarm/id966258645) |
 | :::no-loc text="F2 Manager Intune":::

Partner app - F2 Manager Intune icon | F2 Manager offers a combined calender and list view to view meetings and their related items. F2 Manager supports inline annotation and submittal handling (approval process).

**Note:** To use the F2 Manager app with your business data, you must be a user of the F2 eGovernment platform, with mobile services enabled by your IT department. | [App Store link (iOS)](https://apps.apple.com/app/f2-manager-intune/id1587696871) |
@@ -229,7 +229,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
 | :::no-loc text="MyQ Roger: OCR scanner PDF":::

Partner app - MyQ Roger: OCR scanner PDF icon. | Scan all your documents with a few clicks using a smartphone, save them in your device or to your favorite cloud services (OneDrive, iCloud, Google Drive, Dropbox, or Box), and carry them wherever you go. MyQ Roger is your digital workplace assistant, allowing you to have the office in your pocket. This free app simplifies your life: at work, during studies, and on daily personal activities. Download MyQ Roger now and scan your own way. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=cloud.myq.roger&hl=en&gl=US),
[App Store link (iOS)](https://apps.apple.com/us/app/myq-roger-ocr-scanner-pdf/id1543934608) |
 | :::no-loc text="Nexis Newsdesk™ Mobile":::

Partner app - Nexis Newsdesk Mobile icon | Newsdesk delivers relevant news from all media types – online, print, social, and broadcast – in a single destination. With the Newsdesk mobile app you will:

| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.lexisnexis.newsdesk),
[App Store link (iOS)](https://apps.apple.com/us/app/nexis-newsdesk-mobile/id1567099763) |
 | :::no-loc text="Nine Work for Intune":::

Partner app - Nine Work for Intune icon | Nine is a full-fledged email application for Android based on Direct Push technology to synchronize with Microsoft Exchange Server using Microsoft Exchange ActiveSync, and also designed for entrepreneurs or ordinary people who want to have efficient communication with their colleagues, friends, and family members at any time, anywhere. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.ninefolders.hd3.work.intune) |
-| :::no-loc text="Notate for Intune":::

Partner app - Notate for Microsoft Intune icon | Notate is the ultimate Exchange Information Manager. Go paperless and improve collaboration. Let Notate advance your digital transformation. | [App Store link (iOS)](https://apps.apple.com/app/notate-for-microsoft-intune/id1511979523) |
+| :::no-loc text="Notate for Intune":::

Partner app - Notate for Microsoft Intune icon | Notate is the ultimate Exchange Information Manager. Go paperless and improve collaboration. Let Notate advance your digital transformation. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.shafersystems.notate.intune&hl=en_US),
[App Store link (iOS)](https://apps.apple.com/app/notate-for-microsoft-intune/id1511979523) |
 | :::no-loc text="Now Mobile - Intune":::

Partner app - Now Mobile for Intune icon | Now employees can find answers and get work done across IT, HR, Facilities, Finance, Legal and other departments, all from a modern mobile app powered by the Now Platform®.

The Now Platform® delivers employee experiences and productivity through digital workflows across departments, systems and people.

Examples of things you can do in the app:

Now® Mobile powered by the Now Platform® - finally work life can be as great as real life | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.servicenow.requestor.mam.intune),
[App Store link (iOS)](https://apps.apple.com/app/now-mobile-intune/id1494183300) |
 | :::no-loc text="OfficeMail Go":::

Partner app - OfficeMail Go icon |OfficeMail Go is an email client app that uses ActiveSync and is integrated with Microsoft Intune. It is not only a secure and safe email client, but also an app that helps reinforce various convenience aspects. The app implements several features, including a shared mailbox and calendars for collaborating with your colleagues. Additionally, OfficeMail Go provides secure email for business use and powerful functions that support Microsoft Exchange Server and Microsoft 365. It also provides internal apps such as email, calendar, contacts, tasks, and notes in Microsoft Exchange.

OfficeMail Go is compatible with MDM solutions such as Microsoft Intune, AirWatch, Citrix, and MobileIron based on Android Enterprise. Additionally, the Intune SDK is integrated into the app, and it supports Intune app protection policies. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=app.officemail.go) |
 | :::no-loc text="Omnipresence Go":::

Partner app - Omnipresence Go icon | Omnipresence is a Customer Experience Management platform for Life Sciences companies. You can use Omnipresence CXM to engage with customers and patients of Life Sciences companies.

Omnipresence is built by life sciences experts who understand pharma, biotech, and med-device business needs and compliance requirements. As a unified platform, functional teams can work together using a shared view of their customers and plans across devices, online and offline, in harmony with their Microsoft applications. By using Omnipresence, you can focus on enabling great customer experiences based on advanced analytics and AI that deliver insights to enrich every stage of the customer journey.| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.omnipresence.live),
[App Store link (iOS)](https://apps.apple.com/in/app/omnipresence-technologies/id1504126395#?platform=iphone) |
diff --git a/memdocs/intune/apps/apps-win32-add.md b/memdocs/intune/apps/apps-win32-add.md
index dc417c9304d..e2cb2c9d59c 100644
--- a/memdocs/intune/apps/apps-win32-add.md
+++ b/memdocs/intune/apps/apps-win32-add.md
@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/08/2024
+ms.date: 09/11/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -247,7 +247,7 @@ On the **Detection rules** pane, configure the rules to detect the presence of t
 The Intune agent checks the results from the script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails and the application detection status isn't installed. If the exit code is zero and STDOUT has data, the application detection status is installed.
 > [!NOTE]
- > We recommend encoding your script as UTF-8. When the script exits with the value of **0**, the script execution was successful. The second output channel indicates that the app was detected. STDOUT data indicates that the app was found on the client. We don't look for a particular string from STDOUT.
+ > We recommend encoding your script as UTF-8 BOM. When the script exits with the value of **0**, the script execution was successful. The second output channel indicates that the app was detected. STDOUT data indicates that the app was found on the client. We don't look for a particular string from STDOUT.
 The version of your Win32 app is displayed in the Microsoft Intune admin center. The app version is provided in the **All apps** list, where you can filter by Win32 apps and select the optional **version** column. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Apps** > **All apps** > **Columns** > **Version** to display the app version in the app list.
diff --git a/memdocs/intune/apps/apps-win32-troubleshoot.md b/memdocs/intune/apps/apps-win32-troubleshoot.md
index 14737350498..291e3dfa616 100644
--- a/memdocs/intune/apps/apps-win32-troubleshoot.md
+++ b/memdocs/intune/apps/apps-win32-troubleshoot.md
@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 05/13/2024
+ms.date: 09/17/2024
 ms.topic: troubleshooting
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -114,4 +114,4 @@ For more information about troubleshooting Win32 apps, see [Win32 app installati
 ## Next steps
-- [Troubleshoot app installation issues](/troubleshoot/mem/intune/troubleshoot-app-install)
+- [Troubleshoot app installation issues](/troubleshoot/mem/intune/app-management/troubleshoot-win32-app-install)
diff --git a/memdocs/intune/apps/mam-faq.yml b/memdocs/intune/apps/mam-faq.yml
index e382cc3c825..5b20f335105 100644
--- a/memdocs/intune/apps/mam-faq.yml
+++ b/memdocs/intune/apps/mam-faq.yml
@@ -59,7 +59,7 @@ sections:
 questions:
 - question: Which apps can be managed by app protection policies?
 answer: |
- Any app that has been integrated with the [Intune App SDK](../developer/app-sdk.md) or wrapped by the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md) can be managed using Intune app protection policies. See the official list of [Intune-managed apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) available for public use.
+ Any app that has been integrated with the [Intune App SDK](../developer/app-sdk.md) or wrapped by the [Intune App Wrapping Tool](../developer/apps-prepare-mobile-application-management.md) can be managed using Intune app protection policies. See the official list of [Intune-managed apps](/mem/intune/apps/apps-supported-intune-apps) available for public use.
 - question: What are the baseline requirements to use app protection policies on an Intune-managed app?
 answer: |
diff --git a/memdocs/intune/apps/mamedge-1-mamca.md b/memdocs/intune/apps/mamedge-1-mamca.md
index 622ace2452c..084bbfad370 100644
--- a/memdocs/intune/apps/mamedge-1-mamca.md
+++ b/memdocs/intune/apps/mamedge-1-mamca.md
@@ -102,7 +102,7 @@ In the previous steps, you implemented conditional access as a required app prot
 :::image type="content" alt-text="Device Platform - Conditional Access policy - Microsoft Intune admin center." source="./media/securing-data-edge-for-business/securing-data-edge-for-business59.png" lightbox="./media/securing-data-edge-for-business/securing-data-edge-for-business59.png":::
-7. Select **Grant** and select **Require device to be market as compliant.** This will provide access through desktop apps only for enrolled and compliant devices.
+7. Select **Grant** and select **Require device to be marked as compliant.** This will provide access through desktop apps only for enrolled and compliant devices.
 :::image type="content" alt-text="Grant - Conditional Access policy - Microsoft Intune admin center." source="./media/securing-data-edge-for-business/securing-data-edge-for-business60.png" lightbox="./media/securing-data-edge-for-business/securing-data-edge-for-business60.png":::
diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md
index 60e22aa76da..e1477d4fce6 100644
--- a/memdocs/intune/apps/manage-microsoft-edge.md
+++ b/memdocs/intune/apps/manage-microsoft-edge.md
@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 02/27/2024
+ms.date: 10/24/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -150,17 +150,19 @@ Edge supports the following settings for configuration: These settings can be deployed to the app regardless of device enrollment status. ### New Tab Page layout -The **Custom** layout is the default one for the new tab page. It shows top site shortcuts and news feed without wallpaper. Users can change the layout according to their preferences. Organizations can also manage the layout settings. +The **inspirational** layout is the default one for the new tab page. It shows top site shortcuts, wallpaper and news feed. Users can change the layout according to their preferences. Organizations can also manage the layout settings. |Key |Value | |:-----------|:-------------| -|com.microsoft.intune.mam.managedbrowser.NewTabPageLayout |**focused** Focused is selected
**inspirational** Inspirational is selected
**informational** (iPad/Tablet only) Informational is selected
**custom** (Default) Custom is selected, top site shortcuts toggle is on, wallpaper toggle is off, and news feed toggle is on| -|com.microsoft.intune.mam.managedbrowser.NewTabPageLayout.Custom |**topsites** Turn on top site shortcuts
**wallpaper** Turn on wallpaper
**newsfeed** Turn on news feed
In order for this policy to take effect, com.microsoft.intune.mam.managedbrowser.NewTabPageLayout must be set to **custom**

The default value is `topsites|newsfeed` | +|com.microsoft.intune.mam.managedbrowser.NewTabPageLayout |**focused** Focused is selected
**inspirational** (Default) Inspirational is selected
**informational** Informational is selected
**custom** Custom is selected, top site shortcuts toggle is on, wallpaper toggle is on, and news feed toggle is on| +|com.microsoft.intune.mam.managedbrowser.NewTabPageLayout.Custom |**topsites** Turn on top site shortcuts
**wallpaper** Turn on wallpaper
**newsfeed** Turn on news feed
In order for this policy to take effect, com.microsoft.intune.mam.managedbrowser.NewTabPageLayout must be set to **custom**

The default value is `topsites|wallpaper|newsfeed|` | |com.microsoft.intune.mam.managedbrowser.NewTabPageLayout.UserSelectable |**true** (Default) Users can change the page layout settings
**false** Users cannot change the page layout settings. The page layout is determined by the values specified via the policy or default values will be used | -> [!NOTE] +> [!IMPORTANT] > **NewTabPageLayout** policy is intended to set the initial layout. Users can change page layout settings based on their reference. Therefore, **NewTabPageLayout** policy only takes effect if users do not change layout settings. You can enforce **NewTabPageLayout** policy by configuring **UserSelectable**=false. +> [!NOTE] +> As of version 129.0.2792.84, the default page layout is changed to **inspirational**. An example of turning off the news feeds - com.microsoft.intune.mam.managedbrowser.NewTabPageLayout=**custom** @@ -188,7 +190,7 @@ This setting allows you to configure a homepage shortcut for Edge for iOS and An |Key |Value | |:-----------|:-------------| -|com.microsoft.intune.mam.managedbrowser.homepage |Specify a valid URL. Incorrect URLs are blocked as a security measure.
For example: `https://www.bing.com` | +|com.microsoft.intune.mam.managedbrowser.homepage

This policy name has been replaced by the UI of **Homepage shortcut URL** under Edge Configuration settings |Specify a valid URL. Incorrect URLs are blocked as a security measure.
For example: `https://www.bing.com` | #### Multiple top site shortcuts @@ -230,7 +232,7 @@ For ease of access, you can configure bookmarks that you'd like your users to ha |Key |Value | |:-----------|:-------------| -|com.microsoft.intune.mam.managedbrowser.bookmarks |The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the `|` character.
For example: `Microsoft Bing|https://www.bing.com`

To configure multiple bookmarks, separate each pair with the double character `||`.
For example: `Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com`| +|com.microsoft.intune.mam.managedbrowser.bookmarks

This policy name has been replaced by the UI of **Managed bookmarks** under Edge Configuration settings |The value for this configuration is a list of bookmarks. Each bookmark consists of the bookmark title and the bookmark URL. Separate the title and URL with the `|` character.
For example: `Microsoft Bing|https://www.bing.com`

To configure multiple bookmarks, separate each pair with the double character `||`.
For example: `Microsoft Bing|https://www.bing.com||Contoso|https://www.contoso.com`| #### My Apps bookmark @@ -280,7 +282,7 @@ Edge for iOS and Android allows organizations to disable certain features that a |Key |Value | |:-----------|:-------------| -|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user
**inprivate** disables InPrivate browsing
**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
**translator** disables translator
**readaloud** disables read aloud
**drop** disables drop
**coupons** disables coupons
**extensions** disables extensions (Edge for Android only)
**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
**UIRAlert** suppress re-verify account popups in new tab page screen

To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. | +|com.microsoft.intune.mam.managedbrowser.disabledFeatures|**password** disables prompts that offer to save passwords for the end user
**inprivate** disables InPrivate browsing
**autofill** disables "Save and Fill Addresses" and "Save and Fill Payment info". Autofill will be disabled even for previously saved information
**translator** disables translator
**readaloud** disables read aloud
**drop** disables drop
**coupons** disables coupons
**extensions** disables extensions (Edge for Android only)
**developertools** grays out the build version numbers to prevent users from accessing Developer options (Edge for Android only)
**UIRAlert** suppress re-verify account popups in new tab page screen
**share** disables Share under menu
**sendtodevices** disables Send to devices under menu
**weather** disables weather in NTP (New Tab Page)

To disable multiple features, separate values with `|`. For example, `inprivate|password` disables both InPrivate and password storage. | #### Disable import passwords feature @@ -314,9 +316,12 @@ Edge for Android can be enabled as a kiosk app with the following settings: |com.microsoft.intune.mam.managedbrowser.showAddressBarInKioskMode |**true** shows the address bar in kiosk mode
**false** (default) hides the address bar when kiosk mode is enabled| |com.microsoft.intune.mam.managedbrowser.showBottomBarInKioskMode |**true** shows the bottom action bar in kiosk mode
**false** (default) hides the bottom bar when kiosk mode is enabled | +> [!NOTE] +> Kiosk mode is not supported on iOS devices. However, you may want to use Locked View Mode (MDM policy only) to achieve a similar user experience, where users are unable to navigate to other websites, as the URL address bar becomes read-only in Locked View Mode. + ### Locked view mode -Edge for iOS and Android can be enabled as locked view mode with MDM policy EdgeLockedViewModeEnabled. +Edge for iOS and Android can be enabled as locked view mode with MDM policy **[EdgeLockedViewModeEnabled](/deployedge/microsoft-edge-mobile-policies#edgelockedviewmodeenabled)**. |Key |Value | |:---------|:---------| @@ -483,20 +488,11 @@ Organizations can configure a search provider for users. To configure a search p |com.microsoft.intune.mam.managedbrowser.DefaultSearchProviderName | The corresponding value is a string
**Example** `My Intranet Search` | |com.microsoft.intune.mam.managedbrowser.DefaultSearchProviderSearchURL | The corresponding value is a string
**Example** `https://search.my.company/search?q={searchTerms}`| -### Open external apps -When a web page requests to open an external app, users will see a pop-up asking them to open the external app or not. Organizations can manage the behavior. - -|Key |Value | -|:-----------|:-------------| -|com.microsoft.intune.mam.managedbrowser.OpeningExternalApps |**0** (default) Show the pop-up for users to choose stay in Edge or open by external apps.
**1** Always open within Edge without showing the pop-up.
**2** Always open with external apps without showing the pop-up. If external apps aren't installed, the behavior will be the same as value 1| - -> [!NOTE] -> As of version 120.2210.99, the app jump blocker feature is removed. External apps will be opened from Edge by default. Therefore, this policy is no longer valid from version 120.2210.99. - ### Copilot > [!NOTE] -> As of version 128, Copilot for work or school accounts has been deprecated. Therefore, the following policies will no longer be valid in version 128 +> As of version 128, Copilot for work or school accounts has been deprecated. Therefore, the following policies will no longer be valid in version 128. +> If you want to block access to the web version of Copilot, copilot.microsoft.com, you can use policy AllowListURLs or BlockListURLs. Copilot is available on Microsoft Edge for iOS and Android. Users can start Copilot by clicking on Copilot button in bottom bar. 
@@ -546,6 +542,16 @@ Organizations can define which sites users can access within the work or school Organizations also define what happens when a user attempts to navigate to a restricted web site. By default, transitions are allowed. If the organization allows it, restricted web sites can be opened in the personal account context, the Microsoft Entra account’s InPrivate context, or whether the site is blocked entirely. For more information on the various scenarios that are supported, see [Restricted website transitions in Microsoft Edge mobile](https://techcommunity.microsoft.com/t5/intune-customer-success/restricted-website-transitions-in-microsoft-edge-mobile/ba-p/1381333). By allowing transitioning experiences, the organization's users stay protected, while keeping corporate resources safe. +To enhance the profile-switching experience by reducing the need for users to manually switch to personal profiles or InPrivate mode to open blocked URLs, we’ve introduced two new policies: +- `com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock` +- `com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork` + +Since these policies bring different results based on their configurations and combinations, we recommend trying our policy suggestions below for a quick evaluation to see if the profile-switching experience aligns well with your organization’s needs before exploring detailed documentation. Suggested profile-switching configuration settings include the following values: +- `com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock=true` +- `com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true` +- `com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock=1` +- `com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork=2` + > [!NOTE] > Edge for iOS and Android can block access to sites only when they're accessed directly. 
It doesn't block access when users use intermediate services (such as a translation service) to access the site. URLs that start with **Edge**, such as `Edge://*`, `Edge://flags`, and `Edge://net-export`, aren't supported in app configuration policy **AllowListURLs** or **BlockListURLs** for managed apps. You can disable these URLs with **com.microsoft.intune.mam.managedbrowser.InternalPagesBlockList**.

If your devices are managed, you can also use app configuration policy [URLAllowList](/deployedge/microsoft-edge-mobile-policies#urlallowlist) or [URLBlocklist](/deployedge/microsoft-edge-mobile-policies#urlblocklist) for managed devices. For related information, see [Microsoft Edge mobile policies](/deployedge/microsoft-edge-mobile-policies). @@ -553,13 +559,13 @@ Use the following key/value pairs to configure either an allowed or blocked site |Key |Value | |:--|:----| -|com.microsoft.intune.mam.managedbrowser.AllowListURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | -|com.microsoft.intune.mam.managedbrowser.BlockListURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | +|com.microsoft.intune.mam.managedbrowser.AllowListURLs

This policy name has been replaced by the UI of **Allowed URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | +|com.microsoft.intune.mam.managedbrowser.BlockListURLs

This policy name has been replaced by the UI of **Blocked URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | |com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock |**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. | -|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. | +|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked

This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. | |com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.| -The following sites are always allowed regardless of the defined allow list or block list settings: +The following sites except copilot.microsoft.com are always allowed regardless of the defined allow list or block list settings: - `https://*.microsoft.com/*` - `http://*.microsoft.com/*` - `https://microsoft.com/*` @@ -568,6 +574,22 @@ The following sites are always allowed regardless of the defined allow list or b - `https://*.microsoftonline.com/*` - `https://*.microsoftonline-p.com/*` +### Control the behavior of the Site Blocked popup +When attempting to access blocked websites, users will be prompted to use either switch to InPrivate or personal account to open the blocked websites. You can choose preferences between InPrivate and personal account. + +|Key |Value | +|:--|:----| +|com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock |**0**: (Default) Always show the popup window for user to choose.
**1**: Automatically switch to personal account when personal account is signed in.If personal account is not signed in, the behavior will be changed to value 2.
**2**:Automatically switch to InPrivate if InPrivate switch is allowed by com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true. | + +### Control the behavior of switching personal profile to work profile +When Edge is under the personal profile and users are attempting to open a link from Outlook or Microsoft Teams which are under the work profile, by default, Intune will use the Edge work profile to open the link because both Edge, Outlook, and Microsoft Teams are managed by Intune. However, when the link is blocked, the user will be switched to the the personal profile. This causes a friction experience for users + +You can configure a policy to enhance users' experience. This policy is recommended to be used together with AutoTransitionModeOnBlock as it may switch users to the personal profile according to the policy value you configured. + +|Key |Value | +|:--|:----| +|com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. | + #### URL formats for allowed and blocked site list You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table. @@ -611,13 +633,6 @@ You can disable Edge internal pages such as `Edge://flags` and `Edge://net-expor |:--|:----| |com.microsoft.intune.mam.managedbrowser.InternalPagesBlockList | The corresponding value for the key is a list of page names. You can enter the internal pages you want to block as a single value, separated by a pipe `|` character.

**Examples:**
`flags|net-export`| -### Control the behavior of the Site Blocked popup -When attempting to access blocked websites, users will be prompted to use either switch to InPrivate or personal account to open the blocked websites. You can choose preferences between InPrivate and personal account. - -|Key |Value | -|:--|:----| -|com.microsoft.intune.mam.managedbrowser.AutoTransitionModeOnBlock |**0**: (Default) Always show the popup window for user to choose.
**1**: Automatically switch to personal account when personal account is signed in.If personal account is not signed in, the behavior will be changed to value 2.
**2**:Automatically switch to InPrivate if InPrivate switch is allowed by com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked=true. | - ### Manage websites to allow upload files There may be scenarios where users are only allowed to view websites, without the ability to upload files. Organizations have the option to designate which websites can receive file uploads. @@ -660,7 +675,7 @@ Target Edge for iOS and Android with the following key/value pair, to enable App |Key |Value| |:-------------|:-------------| -|com.microsoft.intune.mam.managedbrowser.AppProxyRedirection |**true** enables Microsoft Entra application proxy redirection scenarios
**false** (default) prevents Microsoft Entra application proxy scenarios | +|com.microsoft.intune.mam.managedbrowser.AppProxyRedirection

This policy name has been replaced by the UI of **Application proxy redirection** under Edge Configuration settings |**true** enables Microsoft Entra application proxy redirection scenarios
**false** (default) prevents Microsoft Entra application proxy scenarios | For more information about how to use Edge for iOS and Android and Microsoft Entra application proxy in tandem for seamless (and protected) access to on-premises web apps, see [Better together: Intune and Microsoft Entra team up to improve user access](https://techcommunity.microsoft.com/t5/enterprise-mobility-security/better-together-intune-and-azure-active-directory-team-up-to/ba-p/250254). This blog post references the Intune Managed Browser, but the content applies to Edge for iOS and Android as well. @@ -670,6 +685,14 @@ Organizations may require users to authenticate with NTLM to access intranet web Organizations can enable NTLM credential caching for particular web sites. For these sites, after the user enters credentials and successfully authenticates, the credentials are cached by default for 30 days. +> [!NOTE] +> If you're using a proxy server, ensure that it's configured using the NTLMSSOURLs policy where you specifically specify both **https** and **http** as part of the key value. +> +> Currently, both **https** and **http** schemes need to be specified in the NTLMSSOURLs key value. For example, you need to configure both `https://your-proxy-server:8080` +> and `http://your-proxy-server:8080`. Currently, specifying the format as host:port (such as `your-proxy-server:8080`) is not sufficient. +> +> In addition, the wildcard symbol (*) is not supported when configuring proxy servers in the NTLMSSOURLs policy. + |Key |Value | |:---------|:---------| |com.microsoft.intune.mam.managedbrowser.NTLMSSOURLs |The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2`
`http://app.contoso.com/|https://expenses.contoso.com`

For more information on the types of URL formats that are supported, see [URL formats for allowed and blocked site list](#url-formats-for-allowed-and-blocked-site-list). | diff --git a/memdocs/intune/apps/manage-microsoft-office.md b/memdocs/intune/apps/manage-microsoft-office.md index d7e8ccd0c00..757629b2953 100644 --- a/memdocs/intune/apps/manage-microsoft-office.md +++ b/memdocs/intune/apps/manage-microsoft-office.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 03/25/2024 +ms.date: 09/18/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps @@ -192,7 +192,7 @@ To manage the Microsoft 365 Feed, you can use the following key: This key can be used by managed devices and managed apps. -### Copilot with commercial data protection +### Copilot with enterprise data protection Admins can now enable or disable Copilot in Microsoft 365 app by configuring the following setting in the Intune admin center. To deploy this app setting, use an [app configuration policy](app-configuration-policies-overview.md) in Intune. diff --git a/memdocs/intune/apps/manage-without-gms.md b/memdocs/intune/apps/manage-without-gms.md index 909d0dba6fc..06790467988 100644 --- a/memdocs/intune/apps/manage-without-gms.md +++ b/memdocs/intune/apps/manage-without-gms.md 
@@ -38,10 +38,9 @@ Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Micro > These GMS related limitations also apply to Device Administrator management and Android (AOSP) Management. > [!NOTE] -> Microsoft Intune is ending support for [Android device administrator management](../enrollment/android-enroll-device-administrator.md) on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. +> Microsoft Intune is ending support for [Android device administrator management](../enrollment/android-enroll-device-administrator.md) on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. > For devices running Android 15 or earlier that don't have access GMS (excluding Microsoft Teams certified Android devices), Intune will continue allowing device administrator enrollment and will maintain limited support, since Android Enterprise management is unavailable to these devices. However, device administrator use on these devices is still not recommended, since Google's device administrator deprecation means there could be future functionality impact outside Intune's ability to mitigate. -> For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). - +> For more information, and to learn about alternatives to device administrator, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). 
## Install the Intune Company Portal app without access to the Google Play Store ### For users outside of People's Republic of China diff --git a/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-01.png b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-01.png new file mode 100644 index 00000000000..4da1ade4346 Binary files /dev/null and b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-01.png differ diff --git a/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-02.png b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-02.png new file mode 100644 index 00000000000..1a033a93db6 Binary files /dev/null and b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-02.png differ diff --git a/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-03.png b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-03.png new file mode 100644 index 00000000000..5a946c997e8 Binary files /dev/null and b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-03.png differ diff --git a/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-04.png b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-04.png new file mode 100644 index 00000000000..975dcbb794e Binary files /dev/null and b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-04.png differ diff --git a/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-05.png b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-05.png new file mode 100644 index 00000000000..dad1145306f Binary files /dev/null and b/memdocs/intune/apps/media/apps-eam-supersedence/apps-eam-supersedence-05.png differ diff --git a/memdocs/intune/apps/protect-mam-windows.md b/memdocs/intune/apps/protect-mam-windows.md index 2c42cc79503..667771bb9c6 100644 --- a/memdocs/intune/apps/protect-mam-windows.md 
+++ b/memdocs/intune/apps/protect-mam-windows.md @@ -49,7 +49,7 @@ You can enable protected Mobile Application Management (MAM) access to org data > For more information about MAM, see [Mobile Application Management (MAM) basics](../apps/app-management.md#mobile-application-management-mam-basics). > [!NOTE] -> The Mobile Threat Defense (MTD) Connector for the Windows Security Center (WSC) component is only supported on Windows 11. +> The Mobile Threat Defense (MTD) Connector for the Windows Security Center (WSC) component is only supported on Windows 11 version 22631 (23H2) or later. Both end-users and organizations need to have protected organizational access from personal devices. Organizations need to ensure that corporate data is protected on personal, unmanaged devices. As an Intune admin, you have the responsibility to determine how members (end-users) of your organization access corporate resources in a protected way from an unmanaged device. You need to ensure when accessing organizational data, that the unmanaged devices are healthy, the applications adhere to your organization data's protection policies, and that the end-user’s unmanaged assets on their device aren't impacted by your organization's policies. diff --git a/memdocs/intune/apps/store-apps-microsoft.md b/memdocs/intune/apps/store-apps-microsoft.md index 1179b58d2e3..a4958e2dfbb 100644 --- a/memdocs/intune/apps/store-apps-microsoft.md +++ b/memdocs/intune/apps/store-apps-microsoft.md 
@@ -77,6 +77,9 @@ An [Intune administrator](../fundamentals/users-add.md#types-of-administrators) The Microsoft Store provides a large variety of apps designed to work on your Microsoft devices. Within Intune, you can search and add the apps you want to assign to your workforce at your organization. +> [!IMPORTANT] +> There is no age restriction when searching for apps in the Microsoft Store. + 1. Select **Search the Microsoft Store app** to display the search panel which features a search bar and includes the following columns: - **Name** – The name of the app. @@ -90,9 +93,8 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi > Specific Microsoft Store apps may not be displayed and available in Intune. Common reasons an app doesn't appear when searching within Intune include the following: > > - The app is not available in US region. - > - The app is not available if there is an age restriction. > - The app is a paid app, which is not supported. - > - The app is an Android app. + > - The app platform isn't supported in the Microsoft Store. 3. Choose the app that you want to deploy and choose **Select**. @@ -124,7 +126,7 @@ The Microsoft Store provides a large variety of apps designed to work on your Mi You can choose how you want to assign Microsoft Store apps to users and devices. > [!NOTE] -> If you assign an app to a device that is located in a region where that app is not supported or where that app does not meet the age restrictions, the app will not install on the device. However, if the device is moved to a region that supports the app, the app will install on the device. +> If you assign an app to a device that is located in a region where that app is not supported, the app will not install on the device. However, if the device is moved to a region that supports the app, the app will install on the device. The following table provides assignment type details: 
diff --git a/memdocs/intune/configuration/bundle-ids-built-in-ios-apps.md b/memdocs/intune/configuration/bundle-ids-built-in-ios-apps.md index abdaa073463..edf468b3732 100644 --- a/memdocs/intune/configuration/bundle-ids-built-in-ios-apps.md +++ b/memdocs/intune/configuration/bundle-ids-built-in-ios-apps.md @@ -78,6 +78,7 @@ This feature applies to: | com.apple.mobilenotes | Notes | Apple | | com.apple.Numbers | Numbers | Apple | | com.apple.Pages | Pages | Apple | +| com.apple.Passwords | Passwords | Apple | | com.apple.mobilephone | Phone | Apple | | com.apple.Photo-Booth | Photo Booth | Apple | | com.apple.mobileslideshow | Photos | Apple | diff --git a/memdocs/intune/configuration/custom-settings-android.md b/memdocs/intune/configuration/custom-settings-android.md index 20173f1fabf..57a7e577a63 100644 --- a/memdocs/intune/configuration/custom-settings-android.md +++ b/memdocs/intune/configuration/custom-settings-android.md @@ -41,9 +41,9 @@ Android custom profiles use Open Mobile Alliance Uniform Resource Identifier (OM Using a custom profile, you can configure and assign the following Android settings. The following settings aren't built in to Intune: -- [Create a Wi-Fi profile with a pre-shared key](/intune/wi-fi-profile-shared-key) -- [Create a per-app VPN profile](/intune/android-pulse-secure-per-app-vpn) -- [Allow and block apps for Samsung Knox Standard devices](/intune/samsung-knox-apps-allow-block) +- [Create a Wi-Fi profile with a pre-shared key](/mem/intune/configuration/wi-fi-profile-shared-key) +- [Create a per-app VPN profile](/mem/intune/configuration/android-pulse-secure-per-app-vpn) +- [Allow and block apps for Samsung Knox Standard devices](/mem/intune/configuration/samsung-knox-apps-allow-block) - [Configure web protection in Microsoft Defender for Endpoint for Android](../protect/advanced-threat-protection-manage-android.md) > [!IMPORTANT] 
diff --git a/memdocs/intune/configuration/device-profiles.md b/memdocs/intune/configuration/device-profiles.md index b32b193043a..ace0952e590 100644 --- a/memdocs/intune/configuration/device-profiles.md +++ b/memdocs/intune/configuration/device-profiles.md @@ -8,7 +8,7 @@ author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 07/18/2024 +ms.date: 09/23/2024 ms.topic: overview ms.service: microsoft-intune ms.subservice: configuration @@ -207,6 +207,11 @@ This feature supports: ## Endpoint protection +> [!IMPORTANT] +> This template is deprecated in the August 2024 service release (2408). Existing policies continue to work. But, you can't create new policies using this template. +> +> Instead, use the settings catalog to create new policies that configure the FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. To learn more, go to [macOS settings catalog](settings-catalog.md). + [Endpoint protection](../protect/endpoint-protection-configure.md) configures BitLocker and Microsoft Defender settings for Windows client devices. On macOS devices, you can also configure the firewall, gateway, and other resources. To onboard Microsoft Defender for Endpoint with Microsoft Intune, see [Configure endpoints using Mobile Device Management (MDM) tools](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm). 
@@ -228,6 +233,11 @@ This feature supports: ## Extensions +> [!IMPORTANT] +> This template is deprecated in the August 2024 service release (2408). Existing policies continue to work. But, you can't create new policies using this template. +> +> Instead, use the settings catalog to create new policies that configure the System Extensions payload. To learn more, go to [macOS settings catalog](settings-catalog.md). + [macOS system extensions and kernel extensions](kernel-extensions-overview-macos.md) allows administrators to add features or programs that extend the native capabilities of the operating system. Configure these settings to trust all extensions from a specific developer or partner, or allow specific extensions. This feature supports: diff --git a/memdocs/intune/configuration/device-restrictions-android-for-work.md b/memdocs/intune/configuration/device-restrictions-android-for-work.md index 92d15f11299..17ce9a929b3 100644 --- a/memdocs/intune/configuration/device-restrictions-android-for-work.md +++ b/memdocs/intune/configuration/device-restrictions-android-for-work.md 
@@ -360,11 +360,11 @@ Use these settings to configure a kiosk-style experience on your dedicated or fu > > Modern displays have higher pixel densities and can display equivalent 2K/4K definition images. - - **Shortcut to settings menu**: **Disable** hides the Managed Settings shortcut on the Managed Home Screen. Users can still swipe down to access the settings. On the updated Managed Home Screen workflow, the **Managed Settings** menu is available from the top bar. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the Managed Settings shortcut is shown on devices. Users can also swipe down to access these settings. On the updated Managed Home Screen workflow, users can select the settings icon to access settings. + - **Shortcut to settings menu**: **Disable** hides the Managed Settings shortcut on the Managed Home Screen. Users can still access the **Managed Settings** menu from the top bar. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the Managed Settings shortcut is shown on devices. Users can select the settings icon to access settings. - **Quick access to debug menu**: This setting controls how users access the debug menu. Your options: - - **Enable**: Users can access the debug menu easier. Specifically, they can swipe down, or use the Managed Settings shortcut or Managed Settings menu on the updated Managed Home Screen workflow. As always, they can continue to select the back button 15 times. + - **Enable**: Users can access the debug menu easier. Specifically, they can access it from the Managed Settings menu. As always, they can continue to select the back button 15 times. - **Not configured** (default): Intune doesn't change or update this setting. By default, easy access to the debug menu is turned off. Users must select the back button 15 times to open the debug menu. In the debug menu, users can: 
diff --git a/memdocs/intune/configuration/device-restrictions-android.md b/memdocs/intune/configuration/device-restrictions-android.md index 95beb899c40..c1bb4752902 100644 --- a/memdocs/intune/configuration/device-restrictions-android.md +++ b/memdocs/intune/configuration/device-restrictions-android.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 10/23/2023 +ms.date: 09/23/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -36,8 +36,7 @@ This feature applies to: - Android device administrator (DA) - - [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] + [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] >[!TIP] >If the settings you want are not available, you might be able to configure your devices using a [custom profile](custom-settings-android.md). 
@@ -48,25 +47,25 @@ Create an [Android device administrator device restrictions configuration profil ## General -- **Camera**: **Block** prevents access to the device camera. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow access to the device camera. +- **Camera (Android 9 and earlier, Samsung KNOX Android 15 and earlier only)**: **Block** prevents access to the device camera. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow access to the device camera. Intune only manages access to the device camera. It doesn't have access to pictures or videos. - **Copy and paste (Samsung Knox only)**: **Block** prevents copy-and-paste. **Not configured** allows copy and paste functions on devices. - **Clipboard sharing between apps (Samsung Knox only)**: **Block** prevents using the clipboard to copy-and-paste between apps. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow copy and paste functions on devices. - **Diagnostic data submission (Samsung Knox only)**: **Block** stops users from submitting bug reports from devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to submit the data. -- **Wipe (Samsung Knox only)**: Allows users to run a [wipe](../remote-actions/devices-wipe.md) action on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. +- **Factory reset (Samsung KNOX Android 15 and earlier only)**: **Block** prevents users from factory resetting the device. When set to **Not configured** (default), Intune doesn't change or update this setting. - **Geolocation (Samsung Knox only)**: **Block** disables devices from using location information. When set to **Not configured** (default), Intune doesn't change or update this setting. 
By default, the OS might allow devices to use the location information. - **Power off (Samsung Knox only)**: **Block** prevents users from powering off device. It also prevents the **Number of sign-in failures before wiping device** setting from being configured, and from working. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to power off devices. -- **Screen capture (Samsung Knox only)**: **Block** prevents screenshots. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might let users capture the screen contents as an image. -- **Voice assistant (Samsung Knox only)**: **Block** disables the S Voice service. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using the S Voice service and app on devices. This setting doesn't apply to Bixby or the voice assistant for accessibility that reads the screen content aloud. +- **Screen capture (Samsung KNOX Android 15 and earlier only)**: **Block** prevents screenshots. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might let users capture the screen contents as an image. +- **Voice assistant (Samsung KNOX Android 15 and earlier only)**: **Block** disables the S Voice service. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using the S Voice service and app on devices. This setting doesn't apply to Bixby or the voice assistant for accessibility that reads the screen content aloud. - **YouTube (Samsung Knox only)**: **Block** prevents users from using the YouTube app. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using the YouTube app on devices. 
- **Shared devices (Samsung Knox only)**: Configure a managed Samsung Knox Standard device as shared. **Allow** lets users sign in and out of devices with their Microsoft Entra credentials. Devices stay managed, whether they're in use or not. When used in with a SCEP certificate profile, this feature allows users to share a device with the same apps for all users. But, each user has their own SCEP user certificate. When users sign out, all app data is cleared. This feature is limited to LOB apps only. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might prevent multiple users from signing in to the Company Portal app on devices using their Microsoft Entra credentials. -- **Block date and time changes (Samsung Knox)**: **Block** prevents users from changing the date and time settings on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the date and time settings. +- **Block date and time changes (Samsung KNOX Android 15 and earlier only)**: **Block** prevents users from changing the date and time settings on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to change the date and time settings. ## Password 
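Review bot: The relabelled settings in this hunk write the brand as `Samsung KNOX` ("Camera", "Factory reset", "Screen capture", "Voice assistant", "Block date and time changes") while the unchanged bullets beside them ("Copy and paste (Samsung Knox only)", "Geolocation (Samsung Knox only)") and the new heading in the `@@ -118,7 +117,9 @@` hunk use `Samsung Knox`, so the same page now spells the qualifier two ways. The same mismatch is in the `@@ -80,13 +79,13 @@` hunk ("Number of sign-in failures before wiping device") and throughout the `@@ -208,27 +209,27 @@` hunk (Google backup, Encryption on storage cards, SMS/MMS, Bluetooth, Wi-Fi, Wi-Fi tethering). Picking the existing form keeps the labels consistent with the rest of the document, e.g. `- **Factory reset (Samsung Knox Android 15 and earlier only)**: **Block** prevents users from factory resetting the device.`.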
@@ -80,13 +79,13 @@ Create an [Android device administrator device restrictions configuration profil ### All Android devices -These settings apply to Android 4.0 and newer, and Knox 4.0 and newer. +These settings apply to all Android OS versions and manufacturers, except where specified. - **Maximum minutes of inactivity until screen locks**: Enter the length of time a device must be idle before the screen is automatically locked. For example, enter `5` to lock devices after 5 minutes of being idle. When the value is blank or set to **Not configured**, Intune doesn't change or update this setting. On a device, users can't set a time value greater than the configured time in the profile. Users can set a lower time value. For example, if the profile is set to `15` minutes, users can set the value to 5 minutes. Users can't set the value to 30 minutes. -- **Number of sign-in failures before wiping device**: Enter the number of wrong passwords allowed before devices are wiped, from 4-11. `0` (zero) might disable device wipe functionality. When the value is blank, Intune doesn't change or update this setting. +- **Number of sign-in failures before wiping device (Samsung KNOX Android 15 and earlier only)**: Enter the number of wrong passwords allowed before devices are wiped, from 4-11. `0` (zero) might disable device wipe functionality. When the value is blank, Intune doesn't change or update this setting. - **Password**: **Require** users to enter a password to access devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to access devices without entering a password. 
@@ -118,7 +117,9 @@ These settings apply to Android 4.0 and newer, and Knox 4.0 and newer. > > If you set **Password complexity** to something other than **None**, then also set the **Password** setting to **Require**, which is found under the *All Android devices* section. Users with passwords that don't meet your complexity requirements receive a warning to update their password. If you don't set the **Password** setting to **Require**, users with weak passwords won't receive the warning. -### Android 9 and earlier, or Samsung Knox (any version) +### Android 9 and earlier, or Samsung Knox Android 15 and earlier + +These settings apply to devices running Android 9 or earlier, and all Samsung Knox devices running any Android OS version 15 and earlier. - **Minimum password length**: Enter the minimum number of characters required, from 4-16. For example, enter `6` to require at least six numbers or characters in the password length. 
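Review bot: The new scope sentence under the heading reads awkwardly at "all Samsung Knox devices running any Android OS version 15 and earlier", and "any ... 15 and earlier" can be read as including versions above 15. A tighter form that says the same thing is `These settings apply to devices running Android 9 or earlier, and to all Samsung Knox devices running Android 15 or earlier.`, which also matches the "Android 9 and earlier" phrasing used in the setting labels elsewhere on the page.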
@@ -127,8 +128,8 @@ These settings apply to Android 4.0 and newer, and Knox 4.0 and newer. - **Required password type**: Enter the required password complexity level, and whether biometric devices can be used. Your options: - **Device default** - **Low security biometric**: [Strong vs. weak biometrics](https://android-developers.googleblog.com/2018/06/better-biometrics-in-android-p.html) (opens Android's web site) - - **At least numeric**: Includes numeric characters, such as `123456789`. - - **Numeric complex**: Repeated or consecutive numbers, such as "1111" or "1234", aren't allowed. Before you assign this setting to devices, be sure to update the Company Portal app to the latest version on those devices. + - **At least numeric**: Includes numeric characters, like `123456789`. + - **Numeric complex**: Repeated or consecutive numbers, like "1111" or "1234", aren't allowed. Before you assign this setting to devices, be sure to update the Company Portal app to the latest version on those devices. When set to **Numeric complex**, and you assign the setting to devices running an Android version earlier than 5.0, then the following behavior applies: 
@@ -161,8 +162,8 @@ This feature is supported on Android and Samsung Knox Standard devices. - **Type of restricted apps list**: Create a list of apps to allow or block on devices. This feature is supported on Android and Samsung Knox Standard devices. Your options: - **Not configured** (default): Intune doesn't change or update this setting. - - **Prohibited apps**: List the apps (not managed by Intune) that users aren't allowed to install and run. If a user installs an app from this list, you're notified by Intune. - - **Approved apps**: List the apps that users are allowed to install. To stay compliant, users must not install other apps. Apps that are managed by Intune are automatically allowed, including the Company Portal app. + - **Prohibited apps**: List the apps (not managed by Intune) that users aren't allowed to install and run. If a user installs an app from this list, Intune notifies you. + - **Approved apps**: List the apps that users are allowed to install. To stay compliant, users must not install other apps. Intune-managed apps are automatically allowed, including the Company Portal app. - **Apps list**: **Add** your app: 
@@ -171,7 +172,7 @@ This feature is supported on Android and Samsung Knox Standard devices. To find the URL of an app, open the [Google Play store](https://play.google.com/store/apps), and search for the app. For example, search for `Microsoft Remote Desktop Play Store` or `Microsoft Planner`. Select the app, and copy the URL. - **App bundle ID**: Enter the app bundle ID. To get the bundle ID of an app added to Intune, [you can use the Intune admin center](../apps/get-app-bundle-id-intune-admin-center.md). - **App name**: Enter the name you want. This name is shown to users. - - **Publisher** (optional): Enter the publisher of the app, such as `Microsoft`. + - **Publisher** (optional): Enter the publisher of the app, like `Microsoft`. You can also **Import** a CSV file with details about the app, including the URL. Use the <*app url*>, <*app name*>, <*app publisher*> format. Or, **Export** an existing list that includes the restricted apps list in the same format. 
@@ -208,27 +209,27 @@ For each setting, add your apps: ## Cloud and Storage -- **Google backup (Samsung Knox only)**: **Block** prevents devices from syncing to Google backup. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Google backup. +- **Google backup (Samsung KNOX Android 15 and earlier only)​**: **Block** prevents devices from syncing to Google backup. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Google backup. - **Google account auto sync (Samsung Knox only)**: **Block** prevents the Google account auto sync feature on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow Google account settings to be automatically synchronized. - **Removable storage (Samsung Knox only)**: **Block** prevents devices from using removable storage. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow devices to use removable storage, like an SD card. -- **Encryption on storage cards (Samsung Knox only)**: **Require** enforces that storage cards must be encrypted. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow unencrypted storage cards to be used. Not all devices support storage card encryption. To confirm, check with the device manufacturer. +- **Encryption on storage cards (Samsung KNOX Android 15 and earlier only)​**: **Require** enforces that storage cards must be encrypted. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow unencrypted storage cards to be used. Not all devices support storage card encryption. To confirm, check with the device manufacturer. 
## Cellular and Connectivity - **Data roaming (Samsung Knox only)**: **Block** prevents data roaming over the cellular network. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow data roaming. -- **SMS/MMS messaging (Samsung Knox only)**: **Block** prevents text messaging on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using SMS and MMS messaging. +- **SMS/MMS messaging (Samsung KNOX Android 15 and earlier only)**: **Block** prevents text messaging on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using SMS and MMS messaging. - **Voice dialing (Samsung Knox only)**: **Block** prevents users from using the voice dialing feature on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow voice dialing. - **Voice roaming (Samsung Knox only)**: **Block** prevents voice roaming over the cellular network. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow voice roaming. -- **Bluetooth (Samsung Knox only)**: **Block** prevents using Bluetooth on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Bluetooth. +- **Bluetooth (Samsung KNOX Android 15 and earlier only)**: **Block** prevents using Bluetooth on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Bluetooth. - **NFC (Samsung Knox only)**: **Block** disables operations that use near field communication (NFC) on devices that support it. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow NFC operations. 
-- **Wi-Fi (Samsung Knox only)**: **Block** prevents using Wi-Fi on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Wi-Fi. -- **Wi-Fi tethering (Samsung Knox only)**: **Block** prevents using Wi-Fi tethering on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Wi-Fi tethering. +- **Wi-Fi (Samsung KNOX Android 15 and earlier only)**: **Block** prevents using Wi-Fi on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Wi-Fi. +- **Wi-Fi tethering (Samsung KNOX Android 15 and earlier only)**: **Block** prevents using Wi-Fi tethering on devices. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow using Wi-Fi tethering. ## Kiosk Kiosk settings apply only to Samsung Knox Standard devices running Android 10 or earlier, and only to apps you manage using Intune. -- Add apps you want to run when the device is in kiosk mode. In kiosk mode, only the apps you add run; apps not added don't run. Pre-installed browsers don't run as an app when the device is in kiosk mode. If a browser is required, consider using the [Managed Browser](../apps/manage-microsoft-edge.md). +- Add apps you want to run when the device is in kiosk mode. In kiosk mode, only the apps you add run; apps not added don't run. Preinstalled browsers don't run as an app when the device is in kiosk mode. If a browser is required, consider using the [Managed Browser](../apps/manage-microsoft-edge.md). Your app options: diff --git a/memdocs/intune/configuration/device-restrictions-ios.md b/memdocs/intune/configuration/device-restrictions-ios.md index 3cb23e0c936..6074512f15a 100644 --- a/memdocs/intune/configuration/device-restrictions-ios.md +++ b/memdocs/intune/configuration/device-restrictions-ios.md 
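Review bot: The added "Google backup" and "Encryption on storage cards" labels at the top of this hunk appear to carry a non-printing character between `only)` and the closing `**` (the text shows as `only)​**`), which is easy to miss in review, can break the bold markup or page search, and is absent from the other relabelled bullets in the same hunk. Retype the two lines without it, e.g. `- **Google backup (Samsung KNOX Android 15 and earlier only)**: **Block** prevents devices from syncing to Google backup.` and the matching `- **Encryption on storage cards (Samsung KNOX Android 15 and earlier only)**: **Require** enforces that storage cards must be encrypted.`. The rest of the hunk is unaffected.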
@@ -801,6 +801,9 @@ You can also: - When set to **Yes**, be sure the device has a Wi-Fi profile. If you don't assign a Wi-Fi profile, then this setting can prevent devices from connecting to the internet. For example, if this device restrictions profile is assigned before a Wi-Fi profile, then the device might be blocked from connecting to the internet. - If the device can't connect, then unenroll the device, and re-enroll with a Wi-Fi profile. Then, set this setting to **Yes** in a device restrictions profile, and assign the profile to the device. + + > [!NOTE] + > **Require devices to use Wi-Fi networks set up via configuration profiles** does not support Wi-Fi profiles deployed using [custom profiles](custom-settings-ios.md). This feature applies to: - iOS/iPadOS 14.5 and newer diff --git a/memdocs/intune/configuration/device-restrictions-windows-10.md b/memdocs/intune/configuration/device-restrictions-windows-10.md index 10070f19011..21ac048ffc0 100644 --- a/memdocs/intune/configuration/device-restrictions-windows-10.md +++ b/memdocs/intune/configuration/device-restrictions-windows-10.md @@ -1187,6 +1187,8 @@ You can exclude certain files from Microsoft Defender Antivirus scans by modifyi - **File extensions to exclude from scans and real-time protection**: Add one or more file extensions like **jpg** or **txt** to the exclusions list. Any files with these extensions aren't included in any real-time or scheduled scans. - **Processes to exclude from scans and real-time protection**: Add one or more processes of the type **.exe**, **.com**, or **.scr** to the exclusions list. These processes aren't included in any real-time, or scheduled scans. +For more information, see [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) in the Microsoft Defender documentation. + ## Power settings These settings use the [power policy CSP](/windows/client-management/mdm/policy-csp-power), which also lists the supported Windows editions. 
diff --git a/memdocs/intune/configuration/kernel-extensions-overview-macos.md b/memdocs/intune/configuration/kernel-extensions-overview-macos.md index 11b5b8886a4..9ba602f763b 100644 --- a/memdocs/intune/configuration/kernel-extensions-overview-macos.md +++ b/memdocs/intune/configuration/kernel-extensions-overview-macos.md @@ -8,7 +8,7 @@ keywords: macos, kernel extensions, system extensions, microsoft intune, endpoin author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 01/11/2024 +ms.date: 09/11/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: configuration @@ -114,6 +114,11 @@ For more information on kernel extensions, go to [kernel extensions](https://dev ## Create the kernel extension policy +> [!IMPORTANT] +> This macOS extensions template is deprecated in the August 2024 service release (2408). Existing policies continue to work. But, you can't create new policies using this template. +> +> Instead, use the settings catalog to create new policies that configure the System Extension payload. To learn more about the settings catalog, go to [settings catalog](settings-catalog.md). + 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy**. 3. Enter the following properties: diff --git a/memdocs/intune/configuration/kiosk-settings-windows.md b/memdocs/intune/configuration/kiosk-settings-windows.md index ab12dbee5b8..5324b12ffb8 100644 --- a/memdocs/intune/configuration/kiosk-settings-windows.md +++ b/memdocs/intune/configuration/kiosk-settings-windows.md 
@@ -100,7 +100,7 @@ Runs only one app on the device, such as a web browser or Store app. For more information on these options, see [Deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy#supported-configuration-types). - - **Add Kiosk browser**: Select **Kiosk browser settings**. These settings control a web browser app on the kiosk. Be sure you get the [Kiosk browser app](https://businessstore.microsoft.com/store/details/kiosk-browser/9NGB5S5XG2KP) from the Store, add it to Intune as a [Client App](../apps/apps-add.md). Then, assign the app to the kiosk devices. + - **Add Kiosk browser**: Select **Kiosk browser settings**. These settings control a web browser app on the kiosk. Be sure you get the [Kiosk browser app](https://apps.microsoft.com/detail/9ngb5s5xg2kp?) from the Store, add it to Intune as a [Client App](../apps/apps-add.md). Then, assign the app to the kiosk devices. Enter the following settings: diff --git a/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md b/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md index f8dbf6f4974..1105223cf5e 100644 --- a/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md +++ b/memdocs/intune/configuration/oemconfig-managed-home-screen-permissions-android.md @@ -46,7 +46,7 @@ This feature applies to: Supported OEMs include: -- Samsung +- Samsung (devices running OS 13+) - Zebra > [!NOTE] 
@@ -170,7 +170,7 @@ When you use the schema settings in the **Knox Service Plugin** app, the Intune For guidance on configuring the OEM app schema, use the following links: - [Blog - Frontline workers get a better experience from Microsoft and Samsung](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/frontline-workers-get-a-better-experience-from-microsoft-and/ba-p/4078801) - - [Knox Service Plugin - Overview](https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/welcome/) (opens Samsung's web site) + - [Knox Service Plugin - Grant special permissions for an app](https://docs.samsungknox.com/admin/knox-platform-for-enterprise/knox-service-plugin/kbas/kba-1261-grant-special-permissions-for-an-app/) (opens Samsung's web site) When you create the Intune policy, you enter the following info: diff --git a/memdocs/intune/configuration/platform-sso-macos.md b/memdocs/intune/configuration/platform-sso-macos.md index 1c4ce1c4a08..0ded4892380 100644 --- a/memdocs/intune/configuration/platform-sso-macos.md +++ b/memdocs/intune/configuration/platform-sso-macos.md 
@@ -162,6 +162,14 @@ This option: For more information, go to [Microsoft Entra certificate-based authentication on iOS and macOS](/entra/identity/authentication/concept-certificate-based-authentication-mobile-ios). +#### Configure keyvault recovery (optional) + +When using password sync authentication you can enable keyvault recovery to ensure that data can be recovered in the event that a user forgets their password. IT Admins should review Apple's documentation and evaluate whether using Institutional FileVault Recovery Keys is a good option for them. + +- [Manage FileVault with mobile device management](https://support.apple.com/en-ie/guide/deployment/dep0a2cb7686/web) + +- [FileVault MDM payload settings for Apple devices](https://support.apple.com/en-ie/guide/deployment/dep32bf53500/1/web/1.0) +- ## Step 2 - Create the Platform SSO policy in Intune To configure the Platform SSO policy, use the following steps to create an [Intune settings catalog](settings-catalog.md) policy. The Microsoft Enterprise SSO plug-in requires the settings listed. diff --git a/memdocs/intune/copilot/copilot-devices.md b/memdocs/intune/copilot/copilot-devices.md index 21481ca688a..df5f72f2d2d 100644 --- a/memdocs/intune/copilot/copilot-devices.md +++ b/memdocs/intune/copilot/copilot-devices.md @@ -4,8 +4,8 @@ title: Copilot in Intune shows device information and errors description: Microsoft Copilot in Intune can help you get information about your devices, compare devices, and get error information. Use this information to help you manage and troubleshoot device issues. keywords: security copilot, intune, microsoft intune, copilot, device information, device errors, device troubleshooting, analyze error code, compare devices, AI, generative-AI -author: MandiOhlinger -ms.author: mandia +author: Erikre +ms.author: erikre manager: dougeby ms.date: 04/01/2024 ms.topic: how-to 
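Review bot: The added `-` line immediately before `## Step 2 - Create the Platform SSO policy in Intune` is an empty list item and will render as a stray bullet under the two Apple links; it should be a blank line instead. The new heading and first sentence also call the feature "keyvault recovery", while both linked Apple pages and the second sentence are about FileVault recovery keys, so if that is what is meant the heading is better as `#### Configure FileVault recovery (optional)` with the body saying "you can enable FileVault recovery so that data can be recovered if a user forgets their password" (I am inferring the intended term from the links; confirm with the author). The sentence pointing admins to evaluate Institutional FileVault Recovery Keys is the security-relevant part of this section and would be clearer if it stated what the evaluation is for, e.g. that the institutional key is an organization-held key as opposed to a per-device one, only as far as Apple's linked documentation supports it.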
diff --git a/memdocs/intune/copilot/copilot-intune-faq.md b/memdocs/intune/copilot/copilot-intune-faq.md
index ae8ff1703f4..86c00f6728e 100644
--- a/memdocs/intune/copilot/copilot-intune-faq.md
+++ b/memdocs/intune/copilot/copilot-intune-faq.md
@@ -4,8 +4,8 @@ title: Copilot in Intune FAQ
 description: Get answers to common questions when using Copilot in Microsoft Intune.
 keywords: security copilot, intune, microsoft intune, copilot, faq
-author: MandiOhlinger
-ms.author: mandia
+author: Erikre
+ms.author: erikre
 manager: dougeby
 ms.date: 04/01/2024
 ms.topic: how-to
diff --git a/memdocs/intune/copilot/copilot-intune-overview.md b/memdocs/intune/copilot/copilot-intune-overview.md
index 2f4e60be50b..c15da3ceec2 100644
--- a/memdocs/intune/copilot/copilot-intune-overview.md
+++ b/memdocs/intune/copilot/copilot-intune-overview.md
@@ -4,8 +4,8 @@ title: Microsoft Copilot in Intune features overview
 description: Microsoft Copilot in Intune is an AI platform. It can help you create policies, get information about existing policies, and show more details on specific settings, including their impacts on users and devices. You can also use Copilot to troubleshoot device issues.
 keywords: Security Copilot, Intune, Microsoft Intune, AI, Copilot, settings catalog, policies, device details, troubleshooting
-author: MandiOhlinger
-ms.author: mandia
+author: Erikre
+ms.author: erikre
 manager: dougeby
 ms.date: 04/01/2024
 ms.topic: get-started
@@ -164,7 +164,7 @@ For more information about using Copilot with your devices, go to [Use Microsoft ### Query with Copilot in device query -You can use Copilot to help you create KQL queries to run when using device query in Intune. +You can use Copilot to help you create Kusto Query Language (KQL) queries to run when using device query in Intune. > [!NOTE] > To use Device query in your tenant, you must have a license that includes Microsoft Intune Advanced Analytics. For more information, see [Intune add-ons](../fundamentals/intune-add-ons.md#microsoft-intune-advanced-analytics). diff --git a/memdocs/intune/copilot/security-copilot.md b/memdocs/intune/copilot/security-copilot.md index 1f227db1441..5f312d6a034 100644 --- a/memdocs/intune/copilot/security-copilot.md +++ b/memdocs/intune/copilot/security-copilot.md @@ -4,8 +4,8 @@ title: Use Copilot for Security to get device and policy information description: You can use Copilot for Security to get information about your Intune data, including devices, apps, policies, and groups managed in Intune. You can also compare policies, get device specific details, and get target info for policies. keywords: -author: MandiOhlinger -ms.author: mandia +author: Erikre +ms.author: erikre manager: dougeby ms.date: 04/01/2024 ms.topic: concept-article diff --git a/memdocs/intune/developer/app-sdk-android-phase1.md b/memdocs/intune/developer/app-sdk-android-phase1.md index 2b90fbda21d..0204f285ba7 100644 --- a/memdocs/intune/developer/app-sdk-android-phase1.md +++ b/memdocs/intune/developer/app-sdk-android-phase1.md 
@@ -166,8 +166,8 @@ The user is ***not*** required to sign into or even launch the Company Portal ap > [!NOTE] > Ensure that your app is compatible with the [Google Play requirements](https://developer.android.com/google/play/requirements/target-sdk). -The SDK fully supports Android API 28 (Android 9.0) through Android API 34 (Android 14). -In order to target Android API 34 (Android 14), you must use Intune App SDK `v10.0.0` or later. +The SDK fully supports Android API 28 (Android 9.0) through Android API 35 (Android 15). +In order to target Android API 35 (Android 15), you must use Intune App SDK `v11.0.0` or later. APIs 26 through 27 (Android 8.0 - 8.1) are in limited support. The Company Portal app isn't supported below Android API 26 (Android 8.0). diff --git a/memdocs/intune/developer/app-sdk-android-phase3.md b/memdocs/intune/developer/app-sdk-android-phase3.md index 238d78cf475..4f761255e49 100644 --- a/memdocs/intune/developer/app-sdk-android-phase3.md +++ b/memdocs/intune/developer/app-sdk-android-phase3.md @@ -7,7 +7,7 @@ keywords: SDK author: Erikre ms.author: erikre manager: dougeby -ms.date: 11/01/2023 +ms.date: 10/14/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer diff --git a/memdocs/intune/developer/app-sdk-android-phase4.md b/memdocs/intune/developer/app-sdk-android-phase4.md index aabf770f712..abb83cced5e 100644 --- a/memdocs/intune/developer/app-sdk-android-phase4.md +++ b/memdocs/intune/developer/app-sdk-android-phase4.md 
@@ -95,7 +95,7 @@ MAMStrictMode.global().setHandler(handler); If a check fails in a situation where your app is doing nothing incorrect, report it as mentioned above. In the meantime, it may be necessary to disable the check encountering a false positive, at least while waiting for an updated SDK. -The check, which failed will be shown in the error raised by the default handler, or will be passed to a custom handler if set. +The check that failed will be shown in the error raised by the default handler or it will be passed to a custom handler, if set. Although suppressions can be done globally, temporarily disabling per-thread at the specific call site is preferred. The following examples show various ways to disable [MAMStrictCheck.IDENTITY_NO_SUCH_FILE][MAMStrictCheck] (raised if an 
@@ -389,7 +389,7 @@ If the enrollment attempt fails, the account's status may change over time as th | `UNENROLLMENT_SUCCEEDED` | Unenrollment was successful.| | `UNENROLLMENT_FAILED` | The unenrollment request failed. Further details can be found in the device logs. In general, this won't occur as long as the app passes a valid (neither null nor empty) UPN. There's no direct, reliable remediation the app can take. If this value is received when unregistering a valid UPN, report as a bug to the Intune MAM team.| | `PENDING` | The initial enrollment attempt for the account is in progress. The app can block access to corporate data until the enrollment result is known, but isn't required to do so. | -| `COMPANY_PORTAL_REQUIRED` | The account is licensed for Intune, but the app can't be enrolled until the Company Portal app is installed on the device. The Intune App SDK attempts to block access to the app for the given account and direct them to install the Company Portal app. When sending this notification to the app, the Intune App SDK will show a nonblocking UI on top of the current Activity if the Activity is currently visible to the user or the next time `onResume` is called. If the user cancels out this nonblocking UI, the Intune App SDK will show a blocking UI the next time `onCreate` is called for an Activity and the current identity is managed (see below for details on troubleshooting). | +| `COMPANY_PORTAL_REQUIRED` | The account is licensed for Intune, but the app can't be enrolled until the Company Portal app is installed on the device. The Intune App SDK attempts to block access to the app for the given account and directs the user to install the Company Portal app. When sending this notification to the app, the Intune App SDK will show a nonblocking UI on top of the current Activity if the Activity is currently visible to the user or the next time `onResume` is called. 
If the user cancels out this nonblocking UI, the Intune App SDK will show a blocking UI the next time `onCreate` is called for an Activity and the current identity is managed (see below for details on troubleshooting). | ## (Recommended) Logging @@ -678,7 +678,7 @@ If you're unsure if any of these sections apply to your app, revisit [Key Decisi [First Policy Application Test]:#first-policy-application-test [Data Protection Tests]:#data-protection-tests [Diagnostics Information]:#recommended-diagnostics-information -[My app is not receiving or enforcing any policies]:#my-app-is-not-receiving-or-enforcing-any-policies +[My app isn't receiving or enforcing any policies]:#my-app-isnt-receiving-or-enforcing-any-policies [Stage 1: Plan the Integration]:app-sdk-android-phase1.md diff --git a/memdocs/intune/developer/app-sdk-get-started.md b/memdocs/intune/developer/app-sdk-get-started.md index aa084fae543..32d5f711591 100644 --- a/memdocs/intune/developer/app-sdk-get-started.md +++ b/memdocs/intune/developer/app-sdk-get-started.md @@ -7,7 +7,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 11/14/2023 +ms.date: 10/14/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer 
@@ -51,7 +51,7 @@ You _**do not need**_ to register your app. For internal [line-of-business (LOB) You _**must**_ first register your app with Microsoft Intune and agree to the registration terms. IT administrators can then apply an app protection policy to the managed app, which will be listed as an [Partner productivity apps](../apps/apps-supported-intune-apps.md#partner-productivity-apps). -Until registration has been finished and confirmed by the Microsoft Intune team, Intune administrators won't have the option to apply app protection policy to your app's deep link. Microsoft will also add your app to its [Microsoft Intune Partners page](https://www.microsoft.com/cloud-platform/microsoft-intune-apps). There, the app's icon will be displayed to show that it supports Intune app protection policies. +Until registration has been finished and confirmed by the Microsoft Intune team, Intune administrators won't have the option to apply app protection policy to your app's deep link. Microsoft will also add your app to its Microsoft Intune Partners page. There, the app's icon will be displayed to show that it supports Intune app protection policies. ### The registration process To begin the registration process, and if you aren't already working with a Microsoft contact, fill out the [Microsoft Intune App Partner Questionnaire](https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR80SNPjnVA1KsGiZ89UxSdVUMEpZNUFEUzdENENOVEdRMjM5UEpWWjJFVi4u). 
@@ -67,7 +67,7 @@ We'll use the email addresses listed in your questionnaire response to reach out 2. After we receive all necessary information from you, we'll send you the Microsoft Intune App Partner Agreement to sign. This agreement describes the terms that your company must accept before it becomes a Microsoft Intune app partner. -3. You'll be notified when your app is successfully registered with the Microsoft Intune service and when your app is featured on the [Microsoft Intune partners](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) site. +3. You'll be notified when your app is successfully registered with the Microsoft Intune service and when your app is featured on the Microsoft Intune partners site. 4. Finally, your app's deep link will be added to the next monthly Intune Service update. For example, if the registration information is finished in July, the deep link will be supported in mid-August. diff --git a/memdocs/intune/developer/app-sdk-ios-appendix.md b/memdocs/intune/developer/app-sdk-ios-appendix.md index 4970305c5a8..e2c3f845dc3 100644 --- a/memdocs/intune/developer/app-sdk-ios-appendix.md +++ b/memdocs/intune/developer/app-sdk-ios-appendix.md @@ -7,7 +7,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 11/01/2023 +ms.date: 10/14/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer 
@@ -61,16 +61,16 @@ To do this, the application should make use of the `registeredAccounts:` method. ### How often does the SDK retry enrollments? -The SDK will automatically retry all previously failed enrollments on a 24-hour interval. The SDK does this to ensure that if a user's organization enabled MAM after the user signed in to the application, the user will successfully enroll and receive policies. +The SDK automatically retries all previously failed enrollments on a 24-hour interval. The SDK does this to ensure that if a user's organization enabled MAM after the user signed in to the application, the user will successfully enroll and receive policies. -The SDK will stop retrying when it detects that a user has successfully enrolled the application. This is because only one user can enroll an application at a particular time. If the user is unenrolled, the retries will begin again on the same 24-hour interval. +The SDK stops retrying when it detects that a user has successfully enrolled the application. This is because only one user can enroll an application at a particular time. If the user is unenrolled, the retries begin again on the same 24-hour interval. ### Why does the user need to be deregistered? -The SDK will take these actions in the background periodically: +The SDK takes these actions in the background periodically: -* If the application isn't yet enrolled, it will try to enroll all registered accounts every 24 hours. -* If the application is enrolled, the SDK will check for MAM policy updates every 8 hours. +* If the application isn't yet enrolled, it tries to enroll all registered accounts every 24 hours. +* If the application is enrolled, the SDK checks for MAM policy updates every 8 hours. Deregistering a user notifies the SDK that the user will no longer use the application, and the SDK can stop any of the periodic events for that user account. It also triggers an app unenroll and selective wipe if necessary. 
@@ -80,7 +80,7 @@ This method should be called before the user is signed out of the application. ### Are there any other ways that an application can be unenrolled? -Yes, the IT admin can send a selective wipe command to the application. This will deregister and unenroll the user, and it will wipe the user's data. The SDK automatically handles this scenario and sends a notification via the unenroll delegate method. +Yes, the IT admin can send a selective wipe command to the application. This will deregister and unenroll the user, and it wipes the user's data. The SDK automatically handles this scenario and sends a notification via the unenroll delegate method. ### Is there a sample app that demonstrates how to integrate the SDK? diff --git a/memdocs/intune/developer/app-sdk-ios-phase1.md b/memdocs/intune/developer/app-sdk-ios-phase1.md index 6d56f7568bc..b604b982fae 100644 --- a/memdocs/intune/developer/app-sdk-ios-phase1.md +++ b/memdocs/intune/developer/app-sdk-ios-phase1.md @@ -7,7 +7,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 11/01/2023 +ms.date: 10/14/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer diff --git a/memdocs/intune/developer/app-sdk-ios-phase2.md b/memdocs/intune/developer/app-sdk-ios-phase2.md index 66ca3087b1d..0e3fa962ec8 100644 --- a/memdocs/intune/developer/app-sdk-ios-phase2.md +++ b/memdocs/intune/developer/app-sdk-ios-phase2.md @@ -7,7 +7,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 11/01/2023 +ms.date: 10/14/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer diff --git a/memdocs/intune/developer/app-sdk-ios-phase3.md b/memdocs/intune/developer/app-sdk-ios-phase3.md index 99cda664cbb..b8ae1b08e10 100644 --- a/memdocs/intune/developer/app-sdk-ios-phase3.md +++ b/memdocs/intune/developer/app-sdk-ios-phase3.md 
@@ -7,7 +7,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 11/01/2023 +ms.date: 10/14/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer diff --git a/memdocs/intune/developer/mam-tunnel-ios-xamarin-bindings.md b/memdocs/intune/developer/mam-tunnel-ios-xamarin-bindings.md index 94f1b603111..9ddaa6d4b1b 100644 --- a/memdocs/intune/developer/mam-tunnel-ios-xamarin-bindings.md +++ b/memdocs/intune/developer/mam-tunnel-ios-xamarin-bindings.md @@ -4,7 +4,7 @@ description: Use Xamarin Bindings to allow Microsoft Tunnel capabilities for iOS author: oluchic ms.author: brenduns manager: dougeby -ms.date: 09/26/2023 +ms.date: 09/12/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: developer @@ -27,9 +27,15 @@ ms.collection: # Microsoft Tunnel for MAM iOS Xamarin Bindings -> [!NOTE] +> [!IMPORTANT] +> +> Xamarin support ended on May 1, 2024 for all Xamarin SDKs including Xamarin.Forms and Intune App SDK Xamarin Bindings. The information in this article is maintained as a reference for previously created Xamarin Bindings. +> +> Xamarin.Forms has evolved into .NET Multi-platform App UI (MAUI). Existing Xamarin projects should be migrated to .NET MAUI. For more information about upgrading Xamarin projects to .NET, see the [Upgrade from Xamarin to .NET & .NET MAUI](/dotnet/maui/migration/?WT.mc_id=dotnet-35129-website) documentation. > -> The current Xamarin bindings for IOS platform only support apps targeting iOS 15.0 and higher. +> For Intune support on Android and iOS platforms, see [Intune App SDK for .NET MAUI - Android](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.android) and [Microsoft Intune App SDK for MAUI.iOS](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.iOS). +> +> > [!NOTE] 
> @@ -40,6 +46,7 @@ ms.collection: The Microsoft Tunnel iOS SDK Xamarin Bindings facilitate the integration of Microsoft Tunnel for MAM functionality for MAM iOS applications developed with Xamarin. These bindings empower developers by providing a straightforward means to embed tunnel connectivity features directly into their Xamarin-based applications, ensuring seamless and secure connectivity for end users. ## How it works + The Intune MAM Xamarin.iOS bindings are the native MAM Tunnel SDK with a wrapper/bridge to its public APIs. Since Xamarin/.NET apps typically use ADAL or MSAL for .NET as their Microsoft Entra auth library, and the native Intune SDK doesn't know how to call into those libraries for its own enrollment/auth scenarios, the Xamarin bindings depend on the MAM SDK bindings that also contain Objective-C MSAL library, which can share a common token cache with ADAL/MSAL for .NET. These bindings are also available as a NuGet package which developers can pull into their Xamarin.iOS project directly via the Visual Studio UI. diff --git a/memdocs/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll.md b/memdocs/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll.md index f3004c1b6a4..880a8923032 100644 --- a/memdocs/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll.md +++ b/memdocs/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 04/02/2024 +ms.date: 09/24/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
@@ -40,7 +40,10 @@ Set up enrollment in Intune for corporate-owned, user-associated devices built o This article describes how to set up Android (AOSP) device management and enroll AOSP devices for use at work. -## Prerequisites +## Prerequisites + +>[!NOTE] +> Beginning October 1st, AOSP devices must have the Microsoft Intune app, version 24.7.0 or later to sync with the Microsoft Intune service. To enroll and manage AOSP devices, you must have: @@ -59,12 +62,12 @@ Create an enrollment profile to enable enrollment on devices. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Go to **Devices** > **Enrollment**. 3. Select the **Android** tab. -4. Under **Android Open Source Project (AOSP) (Preview)**, choose **Corporate-owned, user-associated devices (Preview)**. +4. Under **Android Open Source Project (AOSP)**, choose **Corporate-owned, user-associated devices**. 5. Select **Create profile**. 6. Enter the basics for your profile: - **Name**: Give the profile a name. Note the name down for later, because you'll need it when you set up the dynamic device group. - **Description**: Enter a description for the profile. This setting is optional, but recommended. - - **Token expiration date**: Select the date the token expires, up to 90 days in the future. + - **Token expiration date**: Select the date the token expires, which can be up to 65 years in the future. - **SSID**: Identifies the network that the device will connect to. > [!NOTE] 
@@ -85,7 +88,7 @@ Create an enrollment profile to enable enrollment on devices. After you create a profile, Intune generates a token that's needed for enrollment. The token appears as a QR code. During device setup, when prompted to, scan the QR code to enroll the device in Intune. To view the token as a QR code, select your enrollment profile from the enrollment profile list. Then select **Token**. -You can also export the enrollment profile JSON file. To create a JSON file, select Export**. +You can also export the enrollment profile JSON file. To create a JSON file, select **Export**. > [!IMPORTANT] >- The QR code will contain any credentials provided in the profile in plain text to allow the device to successfully authenticate with the network. This is required as the user will not be able to join a network from the device. @@ -98,10 +101,10 @@ You can generate a new token to replace one that's nearing its expiration date. 1. In the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. 2. Select the **Android** tab. -3. In the **Android Open Source Project (AOSP) (Preview)** section, choose **Corporate-owned, user-associated devices (Preview)**. +3. In the **Android Open Source Project (AOSP)** section, choose **Corporate-owned, user-associated devices**. 3. Choose the profile that you want to work with. 4. Select **Token** > **Replace token**. -5. Enter the new token expiration date. Tokens must be replaced at least every 90 days. +5. Enter the token's new expiration date, which can be up to 65 years in the future. 6. Select **OK**. ### Revoke a token 
@@ -114,7 +117,7 @@ Revoke a token to immediately expire it and make it unusable. For example, it's 1. In the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. 2. Select the **Android** tab. -3. In the **Android Open Source Project (AOSP) (Preview)** section, choose **Corporate-owned, user-associated devices (Preview)**. +3. In the **Android Open Source Project (AOSP)** section, choose **Corporate-owned, user-associated devices**. 4. Choose the profile that you want to work with. 5. Select **Token** > **Revoke token** > **Yes**. @@ -180,6 +183,7 @@ You can take action on one device at a time. For more information about where to ## Troubleshooting ### View app versions + Find out which version of the Intune app or Microsoft Authenticator app is installed on a device. 1. Go to **Devices** and select the device name. diff --git a/memdocs/intune/enrollment/android-aosp-corporate-owned-userless-enroll.md b/memdocs/intune/enrollment/android-aosp-corporate-owned-userless-enroll.md index e8b7e943aac..2e29e256472 100644 --- a/memdocs/intune/enrollment/android-aosp-corporate-owned-userless-enroll.md +++ b/memdocs/intune/enrollment/android-aosp-corporate-owned-userless-enroll.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 01/23/2024 +ms.date: 09/18/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
@@ -46,9 +46,10 @@ Devices enrolled into Intune with this management mode are automatically set up Devices are configured in [Microsoft Entra shared device mode](/azure/active-directory/develop/msal-shared-devices) during enrollment. Devices enable single sign-on (SSO) between users across [participating apps](/azure/active-directory/develop/msal-android-shared-devices#microsoft-applications-that-support-shared-device-mode). By installing Company Portal, users can also leverage SSO when signing out of [apps that are integrated with the Intune SDK](../apps/apps-supported-intune-apps.md), even apps that don't yet participate with shared device mode. +## Prerequisites - -## Prerequisites +>[!NOTE] +> Beginning October 1st, AOSP devices must have the Microsoft Intune app, version 24.7.0 or later to sync with the Microsoft Intune service. To enroll and manage AOSP devices, you must have: @@ -59,7 +60,7 @@ You must also: * [Set Microsoft Intune as the mobile device management (MDM) authority in your tenant](../fundamentals/mdm-authority-set.md). You only need to do this once, when you first set up Intune for mobile device management. -* Assign valid licenses to all RealWear device users. For more information, see [Microsoft Intune licensing](../fundamentals/licenses.md). +* Assign valid licenses to all specialized device users. For more information, see [Microsoft Intune licensing](../fundamentals/licenses.md) and [Managing specialty devices with Microsoft Intune](../fundamentals/specialty-devices-with-intune.md). ## Create an enrollment profile 
@@ -71,12 +72,12 @@ Create an enrollment profile to enable enrollment on devices. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Go to **Devices** > **Enrollment**. 3. Select the **Android** tab. -4. In the **Android Open Source Project (AOSP) (Preview)** section, choose **Corporate-owned, userless devices (Preview)**. +4. In the **Android Open Source Project (AOSP)** section, choose **Corporate-owned, userless devices**. 5. Select **Create profile**. 6. Enter the basics for your profile: - **Name**: Give the profile a name. Note the name down for later, because you'll need it when you set up the dynamic device group. - **Description**: Enter a description for the profile. This setting is optional, but recommended. - - **Token expiration date**: Select the date the token expires, up to 90 days in the future. + - **Token expiration date**: Select the date the token expires, which can be up to 90 days in the future. - **SSID**: Identifies the network that the device will connect to. > [!NOTE] @@ -97,12 +98,12 @@ Create an enrollment profile to enable enrollment on devices. ### Access enrollment token After you create a profile, Intune generates a token that's needed for enrollment. To access the token: -1. Go to **Corporate-owned, userless devices (Preview)**. +1. Go to **Corporate-owned, userless devices**. 2. From the list, select your enrollment profile. 3. Select **Tokens**. Another way to find the token is: -1. Go to **Corporate-owned, userless devices (Preview)**. +1. Go to **Corporate-owned, userless devices**. 2. Locate your profile in the list, and then select the **More** (**...**) menu that's next to it. 3. Select **View enrollment token**. 
@@ -110,7 +111,7 @@ The token appears as a QR code. During device setup, when prompted to, scan the You can also export the enrollment profile JSON file. To create a JSON file: -1. Go to **Corporate-owned, userless devices (Preview)**. +1. Go to **Corporate-owned, userless devices**. 2. From the list, select your enrollment profile. 3. Select **Token > Export**. @@ -124,10 +125,10 @@ Generate a new token to replace one that's nearing its expiration date. Replacin 1. In the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. 2. Select the **Android** tab. -3. In the **Android Open Source Project (AOSP) (Preview)** section, choose **Corporate-owned, userless devices (Preview)**. +3. In the **Android Open Source Project (AOSP)** section, choose **Corporate-owned, userless devices**. 4. Choose the profile that you want to work with. 5. Select **Token** > **Replace token**. -6. Enter the new token expiration date. Tokens must be replaced at least every 90 days. +6. Enter the token's new expiration date. The token must be replaced at least every 90 days. 7. Select **OK**. ### Revoke token @@ -140,7 +141,7 @@ Revoke a token to immediately expire it and make it unusable. For example, it's 1. In the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. 2. Select the **Android** tab. -3. In the **Android Open Source Project (AOSP) (Preview)** section, choose **Corporate-owned, userless devices (Preview)**. +3. In the **Android Open Source Project (AOSP)** section, choose **Corporate-owned, userless devices**. 4. Choose the profile that you want to work with. 5. Select **Token** > **Revoke token** > **Yes**. diff --git a/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md b/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md index a0578dc8780..d6a511ea3a4 100644 --- a/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md 
+++ b/memdocs/intune/enrollment/android-corporate-owned-work-profile-enroll.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 05/17/2024 +ms.date: 10/28/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -34,7 +34,7 @@ ms.collection: Android Enterprise corporate-owned devices with a work profile are single user devices intended for corporate and personal use. -End users can keep their work and personal data separate and are guaranteed that personal data and applications will remain private. Admins can control some settings and features for the entire device, including: +End users can keep their work and personal data separate and are guaranteed that personal data and applications remain private. Admins can control some settings and features for the entire device, including: - Setting requirements for the device password - Controlling Bluetooth and data roaming @@ -47,7 +47,8 @@ Intune helps you deploy apps and settings to Android Enterprise corporate-owned Devices must meet these requirements to be managed as Android Enterprise corporate-owned work profile devices: - Android OS version 8.0 and above. -- Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS. +- Devices must run a distribution of Android that has Google Mobile Services (GMS) connectivity. Devices must have GMS available and must be able to connect to GMS. + ## Set up Android Enterprise corporate-owned work profile device management 
@@ -92,14 +93,14 @@ You must create an enrollment profile so that users can enroll corporate-owned w 8. Select **Next** to continue to **Scope tags**. -9. Optionally, apply one or more scope tags to limit restriction visibility and management to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md). +9. Optionally, apply one or more scope tags to limit restriction visibility and management to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). 10. Choose **Next** to continue to **Create + review**. 11. Review your choices, and then select **Create** to finish creating the profile. ### Access enrollment token -After you create a profile, Intune generates a token that's needed for enrollment. +After you create a profile, Intune generates the token you need for enrollment. 1. Return to **Devices** > **Enrollment**, and select the Android tab. 
@@ -167,7 +168,7 @@ When you create the enrollment profile in the admin center, you have to select a The default token, *corporate-owned work profile*, enrolls devices into Microsoft Intune as standard Android Enterprise corporate-owned devices with work profiles. This token requires you to complete pre-provisioning steps before you distribute the devices. End users complete the remaining steps on the device when they sign in with their work or school account. -The device staging token, *Corporate-owned work profile, via staging*, enrolls devices into Microsoft Intune in a staging mode so that you or a third party vendor can complete all pre-provisioning steps. End users complete the last step of provisioning by signing into the Microsoft Intune app with their work or school account. Devices are ready to use upon sign-in. Intune supports device staging for Android Enterprise devices running Android 8 or later. +The device staging token, *Corporate-owned work profile, via staging*, enrolls devices into Microsoft Intune in a staging mode so that you or a partner vendor can complete all pre-provisioning steps. End users complete the last step of provisioning by signing into the Microsoft Intune app with their work or school account. Devices are ready to use upon sign-in. Intune supports device staging for Android Enterprise devices running Android 8 or later. For more information, see [Device staging overview](device-staging-overview.md). 
@@ -181,6 +182,12 @@ To remove an app from Android Enterprise corporate-owned work profile devices, y - Delete the Required app deployment. - Create an uninstall deployment for the app. +## Limitations + +The limitations in this section apply to corporate-owned devices with a work profile. + +Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden. The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space. + ## Next steps - [Deploy Android apps](../apps/apps-deploy.md) - [Add Android configuration policies](../configuration/device-profiles.md) diff --git a/memdocs/intune/enrollment/android-dedicated-devices-fully-managed-enroll.md b/memdocs/intune/enrollment/android-dedicated-devices-fully-managed-enroll.md index 9b4cc58982b..2be5a0094cb 100644 --- a/memdocs/intune/enrollment/android-dedicated-devices-fully-managed-enroll.md +++ b/memdocs/intune/enrollment/android-dedicated-devices-fully-managed-enroll.md 
@@ -160,9 +160,12 @@ For corporate-owned work profile (COPE) devices, the NFC enrollment method is on ## Enroll by using a token We recommend this method for new or factory-reset devices, in scenarios where the QR code or NFC method aren't available. It requires the person provisioning the device to type in the enrollment token string (example: `12345`) that they're provided. When you're ready for enrollment, share the token directly with targeted users or post it to your organization's support site for easy retrieval. The token works for all Intune-licensed users and doesn't expire. -This method is supported on corporate-owned devices running Android 8.0 and later. It isn't supported with device enrollment manager accounts. +This method is supported on corporate-owned devices running Android 8.0 and later. It isn't supported on: -You can use this method in conjunction with the Microsoft Intune DPC identifier to set up fully managed devices. The DPC identifier method isn't supported on corporate-owned, personally enabled (COPE) devices running Android 11 and later. +* Corporate-owned, personally enabled (COPE) devices running Android 11 and later. +* Devices enrolled via device enrollment manager accounts. + +You can use this method in conjunction with the Microsoft Intune DPC identifier to set up fully managed devices. 1. Turn on the device. 2. On the **Welcome** screen, select your language. diff --git a/memdocs/intune/enrollment/android-enroll-device-administrator.md b/memdocs/intune/enrollment/android-enroll-device-administrator.md index 6415449397b..c13c4eac4ec 100644 --- a/memdocs/intune/enrollment/android-enroll-device-administrator.md +++ b/memdocs/intune/enrollment/android-enroll-device-administrator.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 04/05/2024 +ms.date: 10/28/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
@@ -34,7 +34,7 @@ ms.collection: [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] -Android device administrator (sometimes referred to *legacy* Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is available with [Android Enterprise](https://www.android.com/enterprise/management/) in [countries where Android Enterprise is available](https://support.google.com/work/android/answer/6270910). In an effort to move to modern, richer, and more secure device management, Google deprecated Android device administrator management in 2020 and Intune will be ending support for device administrator devices with access to Google Mobile Services at the end of 2024. +Android device administrator (sometimes referred to *legacy* Android management and released with Android 2.2) is a way to manage Android devices. However, improved management functionality is available with [Android Enterprise](https://www.android.com/enterprise/management/) in [countries/regions where Android Enterprise is available](https://support.google.com/work/android/answer/6270910). Google deprecated Android device administrator management in 2020. Intune is ending support for device administrator devices with access to Google Mobile Services at the end of 2024. Therefore, we advise against enrolling new devices using the device administrator process described here and we also recommend that you migrate devices off of device administrator management. 
@@ -44,7 +44,7 @@ If you still decide to have users enroll their Android devices with device admin ## Set up device administrator enrollment -1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to **Microsoft Intune**. See [Set the MDM authority](../fundamentals/mdm-authority-set.md) for instructions. You set this item only once, when you are first setting up Intune for mobile device management. +1. To prepare to manage mobile devices, you must set the mobile device management (MDM) authority to **Microsoft Intune**. See [Set the MDM authority](../fundamentals/mdm-authority-set.md) for instructions. You only need to configure this setting in your tenant once. 2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 3. Go to **Devices** > **Enrollment. 4. Select the **Android** tab. 
@@ -52,11 +52,13 @@ If you still decide to have users enroll their Android devices with device admin 6. Select the checkmark next to **Use device administrator to manage devices**. 7. [Tell your users how to enroll their devices](../user-help/enroll-device-android-company-portal.md). -After a user has enrolled, you can begin managing their devices in Intune, including [assigning compliance policies](../protect/compliance-policy-create-android.md), [managing apps](../apps/app-management.md), and more. +After a user enrolls, you can begin managing their devices in Intune, including [assigning compliance policies](../protect/compliance-policy-create-android.md), [managing apps](../apps/app-management.md), and more. -For information about other user tasks, see these articles: -- [Resources about the end-user experience with Microsoft Intune](../fundamentals/intune-planning-guide.md) -- [Using your Android device with Intune](../user-help/why-enroll-android-device.md) +For information about other user tasks, see these articles: + +- [Microsoft Intune planning guide](../fundamentals/intune-planning-guide.md) + +- [Android device enrollment overview ](../user-help/why-enroll-android-device.md) ## Block device administrator enrollment To block Android device administrator devices, or to block only personally owned Android device administrator devices from enrollment, see [Set device type restrictions](enrollment-restrictions-set.md). 
@@ -65,7 +67,24 @@ To block Android device administrator devices, or to block only personally owned [Microsoft Teams certified Android devices](/microsoftteams/devices/teams-ip-phones) should continue being managed with device administrator management until [AOSP user-associated](android-aosp-corporate-owned-user-associated-enroll.md) management becomes available for these devices. -To unenroll a Microsoft Teams certified Android device that's enrolled in Android device administrator, sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/) and deselect the Intune license from the Teams account for the Android device. After you remove an Intune license, there is a 30 day grace period in which the device still functions. The device will have to sign in again after this step to avoid enrolling in Intune under device administrator management again. +To unenroll a Microsoft Teams-certified Android device you manage with Android device administrator, you must: + +1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com/). +1. Deselect the Intune license from the Teams account for the Android device. + +After you remove an Intune license, there's a 30 day grace period, during which the device still functions. The device must sign in again after this step to avoid enrolling in Intune under device administrator management again. + +## Limitations + +The limitations in this section apply to devices managed with device administrator. + +Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden. + + * The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space. 
+ + * Users might try to create a work profile-like experience on their devices by enrolling only the private space, leading to partial device management. Microsoft Intune doesn't provide support for this scenario. To avoid this issue, we recommend using [personal work profile management](android-work-profile-enroll.md) or [corporate-owned work profile management](android-corporate-owned-work-profile-enroll.md) instead of device administrator management. + + * After a user enrolls their personal device, if they attempt to enroll the private space, Intune will initiate the personal work profile enrollment flow. However, in this scenario the enrollment process will fail without any notification. ## Next steps - [Assign compliance policies](../protect/compliance-policy-create-android.md) diff --git a/memdocs/intune/enrollment/android-fully-managed-enroll.md b/memdocs/intune/enrollment/android-fully-managed-enroll.md index 605aae55f8c..6aa7144dc92 100644 --- a/memdocs/intune/enrollment/android-fully-managed-enroll.md +++ b/memdocs/intune/enrollment/android-fully-managed-enroll.md @@ -67,7 +67,7 @@ To create a new enrollment profile: 1. Go to **Devices** > **Enrollment**. 1. Select the **Android** tab. 1. Under **Android Enterprise** > **Enrollment Profiles**, choose **Corporate-owned, fully managed user devices**. -1. Select **Create profile**. +1. Select **Create policy**. 1. Enter the basics for your profile: - **Name**: Give the profile a name. Note the name down for later, because you need it when you set up the dynamic device group. diff --git a/memdocs/intune/enrollment/android-work-profile-enroll.md b/memdocs/intune/enrollment/android-work-profile-enroll.md index a0bcad7f741..a76861d2d56 100644 --- a/memdocs/intune/enrollment/android-work-profile-enroll.md +++ b/memdocs/intune/enrollment/android-work-profile-enroll.md 
@@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 6/28/2024 +ms.date: 10/28/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -33,7 +33,7 @@ ms.collection: # Set up enrollment of Android Enterprise personally owned work profile devices -Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the *Android Enterprise personally owned work profile* management solution. During enrollment, a work profile is created on the device to house work apps and work data. The work profile can be managed by Microsoft Intune policies. Personal apps and data stay separate in another part of the device and remain unaffected by Intune. +Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the *Android Enterprise personally owned work profile* management solution. During enrollment, a work profile is created on the device to house work apps and work data. You can use Microsoft Intune policies to manage the work profile and its contents. Personal apps and data stay separate in another part of the device and remain unaffected by Intune. For more information about Android Enterprise work profile features, see [Work profiles](https://support.google.com/work/android/answer/9563584) (opens Android Enterprise Help). 
@@ -68,7 +68,7 @@ Complete these steps to set up enrollment for Android Enterprise devices in BYOD [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] 10. Select **Next** to continue to **Scope tags**. -11. Optionally, apply one or more scope tags to limit visibility and management of restrictions to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md). +11. Optionally, apply one or more scope tags to limit visibility and management of restrictions to certain admin users in Intune. For more information about how to use scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). 12. Select **Next** to continue to **Assignments**. 13. Assign the restriction to all users, or select specific groups. 14. Select **Next** to continue to **Review + create**. 
@@ -86,7 +86,17 @@ For more information and screenshots of the end user experience, see [Enroll dev ## Data shared with Google -Microsoft Intune shares certain user and device information with Google when Android Enterprise device management is enabled. For more information, see [Data Intune sends to Google](../protect/data-intune-sends-to-google.md). +Microsoft Intune shares certain user and device information with Google when Android Enterprise device management is enabled. For more information, see [Data Intune sends to Google](../protect/data-intune-sends-to-google.md). + +## Limitations + +The limitations in this section apply to personal devices with a work profile. + +Private space is a feature introduced with Android 15 that lets people create a space on their device for sensitive apps and data they want to keep hidden. + + * The private space is considered a personal profile. Microsoft Intune doesn't support mobile device management within the private space or provide technical support for devices that attempt to enroll the private space. + + * If users attempt to enroll the private space after they enroll the device, Intune will initiate the device administrator enrollment process. The second enrollment causes two enrollment records to appear in the Microsoft Intune admin center: one under work profile management and one under device administrator management. Microsoft Intune doesn't provide support for this scenario. ## Next steps - [Deploy Android Enterprise apps](../apps/apps-add-android-for-work.md) diff --git a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md index 621d4f8bf0e..90e0bf05376 100644 --- a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md +++ b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md 
@@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/19/2024 +ms.date: 09/09/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -84,8 +84,6 @@ Deploy the web app version of the Intune Company Portal website so that users ha Apple User Enrollment requires you to create and provide managed Apple IDs to enrolling users. If you enable federated authentication, which consists of linking Apple Business Manager with Microsoft Entra ID, you don't have to create and provide unique Apple IDs to each user. Instead, a device user can sign in to their apps with the same credentials they use for their work account. For more information, see [Intro to federated authentication with Apple Business Manager](https://support.apple.com/guide/apple-business-manager/intro-to-federated-authentication-axmb19317543/1/web/1) in the Apple Business Manager User Guide. ## Step 1: Set up just in time registration and assign Microsoft Authenticator -> [!IMPORTANT] -> This feature is in public preview. For more information, see [Public preview in Microsoft Intune](../fundamentals/public-preview.md). Configure just-in-time registration and assign Microsoft Authenticator as a required app. For steps, see [Set up JIT registration in Intune](set-up-just-in-time-registration.md). Return to this article when you're done so you can continue to the next step. diff --git a/memdocs/intune/enrollment/apple-mdm-push-certificate-get.md b/memdocs/intune/enrollment/apple-mdm-push-certificate-get.md index 1f043d8a346..d71f42a9501 100644 --- a/memdocs/intune/enrollment/apple-mdm-push-certificate-get.md +++ b/memdocs/intune/enrollment/apple-mdm-push-certificate-get.md 
@@ -90,7 +90,7 @@ The Apple MDM push certificate is valid for 365 days. You must renew it annually Renew the MDM push certificate with the same Apple account you used to create it. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Go to **Devices** > **Enrollment**. +2. Go to **Devices** > **Device onboarding** > **Enrollment**. 3. Select the **Apple** tab. 4. Select **Apple MDM Push Certificate**. Your MDM push certificate settings open. 5. Select **Download your CSR** to download and save the request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal. diff --git a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md index cfcc7dae956..812b2fd0bcd 100644 --- a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md +++ b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md 
@@ -181,5 +181,5 @@ Apple School Manager devices managed by Intune must be assigned an enrollment pr You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it's enrolled for management by Intune. Profiles can't be applied to activated devices currently in use until the device is wiped. -## School data sync +## Connect School Data Sync Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. If you have further questions, please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. diff --git a/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md b/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md index 9e3856840f0..2ceb990673d 100644 --- a/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md +++ b/memdocs/intune/enrollment/apple-user-enrollment-with-company-portal.md 
@@ -32,6 +32,9 @@ ms.collection: # Set up user enrollment with Company Portal +>[!NOTE] +> Microsoft Intune doesn't support this enrollment profile type for newly enrolled devices. This article is only applicable to existing devices with this profile type. We recommend [account-driven user enrollment](apple-account-driven-user-enrollment.md) for new enrollments. + Set up user enrollment with Company Portal for iOS/iPadOS personal devices enrolling in Microsoft Intune. This Apple User Enrollment method gives you access to a limited but appropriate set of device management settings and actions, so you can protect work data without affecting the device user's personal data or apps. When the device owner attempts to sign into an app with their work or school account, Intune prompts them to enroll their device and provides instructions for next steps. The device user authenticates and initiates enrollment by signing into the Intune Company Portal app. From there, they're redirected to Safari and the device settings app, where they download and install the enrollment profile. diff --git a/memdocs/intune/enrollment/chrome-enterprise-remote-actions.md b/memdocs/intune/enrollment/chrome-enterprise-remote-actions.md deleted file mode 100644 index f3ac946680b..00000000000 --- a/memdocs/intune/enrollment/chrome-enterprise-remote-actions.md +++ /dev/null 
@@ -1,84 +0,0 @@ ---- -# required metadata - -title: Remote actions for ChromeOS devices | Microsoft Intune -description: Remotely run Microsoft Intune device actions on ChromeOS devices in the Microsoft Intune admin center. -keywords: -author: Lenewsad -ms.author: lanewsad -manager: dougeby -ms.date: 10/26/2022 -ms.topic: how-to -ms.service: microsoft-intune -ms.subservice: protect -ms.localizationpriority: high - -# optional metadata - -#ROBOTS: -#audience: - -ms.reviewer: shsivak -ms.suite: ems -search.appverid: MET150 -#ms.tgt_pltfrm: -ms.custom: intune-azure -ms.collection: -- tier2 -- M365-identity-device-management ---- - -# Remote device actions for ChromeOS - -> [!IMPORTANT] -> This feature is in public preview. For more information, see [Public preview in Microsoft Intune](../fundamentals/public-preview.md). - -Remotely run device actions on ChromeOS devices synced with Microsoft Intune. There are four remote actions supported on ChromeOS devices: - -* Deprovision -* Lost mode, known in Chrome Enterprise as *disabling a device* -* Wipe -* Restart (only for kiosk devices and managed guest session devices) - -To access remote actions, select a device in your **Chrome Enterprise (preview)** list or go to **Devices** > **All devices** and select a device. This article describes the remote actions, and provides information about required permissions and known issues. - -## Prerequisites -[Set up the Chrome Enterprise connector](chrome-enterprise-connector-configure.md) with Microsoft Intune, and enroll devices using the Google Admin console. - -Permission requirements are provided in the sections that follow. - -## Deprovision -Select **Deprovision** to remove Google Admin policies from devices your organization no longer uses. To deprovision a ChromeOS device, you must be assigned a role that has the *Remote tasks: Retire* permission. - -After you deprovision a device, it remains in the Intune admin center and the Google Admin console. 
Then on the admin center **System info** page, the device status changes to **DEPROVISIONED**. The device can't be enrolled again until it's restored to factory settings. For more information about the deprovision action, such as how to select the best reason for deprovisioning, see the [Chrome Enterprise and Education Help documentation](https://support.google.com/chrome/a/answer/3523633?). - -## Lost mode -Select **Lost mode** to prevent people from using a ChromeOS device that's lost or stolen. Devices in lost mode display the contact information and message you configured in the Google Admin console. To deprovision a device, you must be assigned a role that has the following permissions: - -* *Remote tasks: Enable lost mode* -* *Remote tasks: Disable lost mode* - ->[!TIP] -> Chrome Enterprise and the Google Admin console refer to devices in lost mode as *disabled*. For more information about how to disable a device, see the Chrome Enterprise and Education Help documentation. - - ## Wipe - Select **Wipe** to remove data from a device. With this action, you can either: - - * **Remove user profiles only**: This option removes all user account data. Device and enrollment policies remain on the device. - * **Factory reset (powerwash)**: This option fully restores a device to its factory state, removing all personal and work data. Before using this action, [deprovision](chrome-enterprise-remote-actions.md#deprovision) the device. Otherwise, once it connects to Wi-Fi, it will automatically enroll again. - -To wipe a device, you must be assigned a role that has the *Remote tasks: Wipe* permission. For more information about wiping ChromeOS devices, see [Wipe ChromeOS device data](https://support.google.com/chrome/a/answer/1360642) (opens Google Chrome Enterprise Help). - -## Restart -Select **Restart** to restart a device. To restart a device, you must be assigned a role that has the *Remote tasks: Reboot now* permission. 
- ->[!IMPORTANT] -> Device users aren't automatically notified of restarts, and might lose unsaved work if you don't tell them about it ahead of time. - -Restart is only available for kiosk devices and managed guest session devices. The restart will fail on any other type of device. For more information, see [Kiosk apps, managed guest sessions, and smart cards](https://support.google.com/chrome/a/topic/6128720?) (opens Google Chrome Enterprise Help). - -## Bulk device actions -You can issue all of these remote actions as part of a bulk device action. For more information about how to do that, see [Use bulk device actions](../remote-actions/bulk-device-actions.md). - -## Known issues -In some cases, device commands remain in a pending state even if they’ve already completed or failed. diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index dbbce515741..8de4cc4aa20 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md 
@@ -247,7 +247,15 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers are only supported for devices running Windows 10 version 22H2 and later and Windows 11 version 22H2 and later. Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. We're working on expanding corporate identifer support to devices running earlier versions of Windows. +- Windows corporate device identifiers are only supported for devices running: + + - Windows 10 version 22H2 (OS build 19045.4598) or later. + + - Windows 11 version 22H2 (OS build 22621.3374) or later. + + - Windows 11 version 23H2 (OS build 22631.3374) or later. + + Earlier versions can't render the model and manufacturer property. As a result, the property appears in the admin center as **Unknown**. - You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers. diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md index cb73c3cfc12..97e38d865e2 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md 
@@ -1,14 +1,14 @@ --- # required metadata -title: Enroll iOS/iPadOS devices with Apple ADE +title: Set up automated device enrollment (ADE) for iOS/iPadOS titleSuffix: Microsoft Intune -description: Learn how to enroll corporate-owned iOS/iPadOS devices by using Automated Device Enrollment (ADE). +description: Learn how to enroll corporate-owned iOS/iPadOS devices into Microsoft Intune with Apple Automated Device Enrollment (ADE). keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/15/2023 +ms.date: 09/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -30,7 +30,7 @@ ms.collection: - highpri --- -# Set up automated device enrollment in Intune +# Set up automated device enrollment (ADE) for iOS/iPadOS *Applies to iOS/iPadOS* @@ -50,10 +50,19 @@ The following table shows the features and scenarios supported with automated de | Devices are associated with a single user. | ✔️ | | Devices are user-less, such as kiosk or dedicated device. | ✔️ | | Devices are in shared device mode. | ✔️ | -| Devices are personal or BYOD. | ❌

Not recommended. Applications on BYOD or personal devices can be managed using [MAM](../fundamentals/deployment-guide-enrollment-mamwe.md), or [User and Device enrollment](../enrollment/ios-user-enrollment.md). | -| Devices are managed by another MDM provider. | ❌

To be fully managed by Intune, users must unenroll from the current MDM provider, and then enroll in Intune. Or, you can use MAM to manage specifics apps on the device. Since these devices are owned by the organization, we recommend enrolling them in Intune. | +| Devices are personal or bring-your-own (BYOD). | ❌

Not recommended. Applications on BYOD or personal devices can be managed using [MAM](../fundamentals/deployment-guide-enrollment-mamwe.md), or [User and Device enrollment](../enrollment/ios-user-enrollment.md). | +| Devices are managed by another MDM provider. | ❌

If you want to fully manage a device in Intune, users must unenroll from the current MDM provider, and then enroll in Intune. Or, you can use MAM to manage specifics apps on the device. Since these devices are owned by the organization, we recommend enrolling them in Intune. | | You use the device enrollment manager (DEM) account. | ❌

The DEM account isn't supported. | +## Certificates +This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. + +Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running: + +- iOS 16.0 or later + +- iPadOS 16.1 or later + ## Prerequisites Before you create the enrollment profile, you must have: 
@@ -70,9 +79,9 @@ Read through these enrollment requirements and best practices to prepare for a s ### Choose an authentication method -Before you create the enrollment profile, decide how you want users to authenticate on their devices: via the Intune Company Portal app, Setup Assistant (legacy), or Setup Assistant with modern authentication. Using the Company Portal app or Setup Assistant with modern authentication is considered modern authentication and has features like multi-factor authentication. +Before you create the enrollment profile, decide how you want users to authenticate on their devices: via the Intune Company Portal app, Setup Assistant (legacy), or Setup Assistant with modern authentication. Using the Company Portal app or Setup Assistant with modern authentication is considered modern authentication and has features like multifactor authentication. -Intune also supports Just in Time Registration for Setup Assistant with modern authentication, which eliminates the need for the Company Portal app for Microsoft Entra registration and compliance. To use JIT Registration, you'll need to create a device configuration policy *before* you create the Apple enrollment profile and configure Setup Assistant with modern authentication. +Intune also supports just-in-time registration (JIT registration) for Setup Assistant with modern authentication, which eliminates the need for the Company Portal app for Microsoft Entra registration and compliance. To use JIT registration, you have to create a device configuration policy *before* you create the Apple enrollment profile and configure Setup Assistant with modern authentication. Setup Assistant with modern authentication is supported on devices running iOS/iPadOS 13.0 and later. Older iOS/iPadOS devices given this profile will instead use Setup Assistant (legacy) for authentication. 
@@ -102,7 +111,7 @@ Deploying the Intune Company Portal app through Intune is the best way to provid Deploy the app as a required VPP app [with device licensing](../apps/vpp-apps-ios.md#how-are-purchased-apps-licensed). For information about how to sync, assign, and manage a VPP app, see [assign a volume-purchased app](../apps/vpp-apps-ios.md#assign-a-volume-purchased-app). -To enable automatic app updates for Company Portal, go to your app token settings in the admin center and change **Automatic app updates** to **Yes**. See [Upload an Apple VPP or Apple Business Manager location token](../apps/vpp-apps-ios.md#upload-an-apple-vpp-or-apple-business-manager-location-token) for the steps to access your token settings. If you don't enable automatic updates, the device user will need to manually check for them on their own. +To enable automatic app updates for Company Portal, go to your app token settings in the admin center and change **Automatic app updates** to **Yes**. See [Upload an Apple VPP or Apple Business Manager location token](../apps/vpp-apps-ios.md#upload-an-apple-vpp-or-apple-business-manager-location-token) for the steps to access your token settings. If you don't enable automatic updates, the device user must manually check for them on their own. *Device staging* is used to transition a device without user affinity to a device with user affinity. To stage a device, set up VPP deployment as described earlier in this section. Then configure and deploy an [app configuration policy](../apps/app-configuration-policies-use-ios.md#configure-the-company-portal-app-to-support-ios-and-ipados-devices-enrolled-with-automated-device-enrollment). Make sure the policy only targets those ADE devices without user affinity. 
@@ -115,7 +124,7 @@ To enable automatic app updates for Company Portal, go to your app token setting - Maximum Automated Device Enrollment tokens per Intune account: 2,000 - Maximum Automated Device Enrollment devices per token: 200,000 - We recommend that you don't exceed 200,000 devices per token. Otherwise, you might have sync problems. If you have more than 200,000 devices, split the devices into multiple ADE tokens. - - Apple Business Manager and Apple School Manager sync about 3,000 devices over to Intune per minute. We recommend that you hold off manually syncing from the admin center again until enough time has passed for all of the devices to finish syncing (total number of devices/3,000 devices per minute). + - Apple Business Manager and Apple School Manager sync about 3,000 devices over to Intune per minute. We recommend that you hold off manually syncing from the admin center again until enough time passes for all of the devices to finish syncing (total number of devices/3,000 devices per minute). ### Troubleshoot enrollment If you experience sync problems during the enrollment process, you can look for solutions at [Troubleshoot iOS/iPadOS device enrollment problems](/troubleshoot/mem/intune/troubleshoot-ios-enrollment-errors#error-messages). @@ -127,7 +136,7 @@ Before you can enroll iOS/iPadOS devices with ADE, you need an automated device Use [Apple Business Manager (ABM)](https://business.apple.com/) or [Apple School Manager (ASM)](https://school.apple.com/) to create a token and assign devices to Intune for management. > [!NOTE] -> You can use either the ABM portal or the ASM portal to enable ADE. The rest of this article refers to the ABM portal, but the steps are the same for both portals. +> You can use either of the Apple portals to enable ADE. The rest of this article refers to Apple Business Manager, but the steps are the same for Apple School Manager. ### Step 1: Download the Intune public key certificate 
@@ -143,7 +152,7 @@ Use [Apple Business Manager (ABM)](https://business.apple.com/) or [Apple School 2. Select **Download the Intune public key certificate required to create the token**. This step downloads and saves the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple Business Manager portal. - You'll upload this .pem file in Apple Business Manager in [Step 2: Go to the Apple Business Manager portal](#step-2-go-to-the-apple-business-manager-portal) (in this article). + Later, in [Step 2: Go to the Apple Business Manager portal](#step-2-go-to-the-apple-business-manager-portal), you upload this .pem file in Apple Business Manager. 3. Keep this web browser tab and page open. If you close the tab: @@ -167,7 +176,7 @@ Use the Apple Business Manager portal to create and renew your ADE token (MDM se Use the server name to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune service. - - After you save the MDM server, select it, and then download the token (.p7m file). You'll upload this .p7m token in Intune in [Step 4: Upload your token and finish](#step-4-upload-your-token-and-finish) (in this article). + - After you save the MDM server, select it, and then download the token (.p7m file). Later, in [Step 4: Upload your token and finish](#step-4-upload-your-token-and-finish), you upload the .p7m token in Intune. #### Assign devices to the Apple token (MDM server) 
@@ -176,16 +185,17 @@ Use the Apple Business Manager portal to create and renew your ADE token (MDM se ### Step 3: Save the Apple ID -1. In your web browser, go back to the **Add enrollment program token** page in Intune. You should have kept this page open, as noted in [Step 1: Download the Intune public key certificate](#step-1-download-the-intune-public-key-certificate) (in this article). +1. In your web browser, go back to the tab that has the Microsoft Intune **Add enrollment program token** page, where you started in [Step 1: Download the Intune public key certificate](#step-1-download-the-intune-public-key-certificate). 2. In **Apple ID**, enter your ID. This step saves the ID. The ID can be used in the future. :::image type="content" source="./media/device-enrollment-program-enroll-ios/image03.png" alt-text="Sreenshot that shows the Apple ID box on the Basics tab."::: ### Step 4: Upload your token and finish -1. In **Apple token**, browse to the .p7m certificate file, and then select **Open**. +1. In **Apple token**, browse to the .p7m certificate file, and then select **Open**. - You downloaded this .p7m token in [Step 2: Go to the Apple Business Manager portal](#step-2-go-to-the-apple-business-manager-portal). + >[!TIP] + > You downloaded the token in [Step 2: Go to the Apple Business Manager portal](#step-2-go-to-the-apple-business-manager-portal). 2. Select **Next**. 
@@ -253,12 +263,12 @@ Now that you've installed your token, you can create an enrollment profile for a 1. In the **Locked enrollment** list, select **Yes** or **No**. Locked enrollment disables iOS/iPadOS settings that allow the management profile to be removed. If you enable locked enrollment, the button in the Settings app that lets users remove a management profile will be hidden and users won't be able to unenroll their device. If you're setting up devices in Microsoft Entra ID shared mode, select **Yes**. - Locked enrollment works a little differently, at first, on devices not originally purchased through Apple Business Manager but later added to be a part of automated device enrollment: users on these devices will see the remove management button in the Settings app for the first 30 days after activating their device. After that provisional period, the option will be hidden. For more information, see [Prepare devices manually](https://help.apple.com/configurator/mac/2.8/#/cad99bc2a859) (opens Apple Configurator Help docs). + Locked enrollment works a little differently, at first, on devices not originally purchased through Apple Business Manager but later added to be a part of automated device enrollment: users on these devices can see the remove management button in the Settings app for the first 30 days after activating their device. After that provisional period, this option is hidden. For more information, see [Prepare devices manually](https://help.apple.com/configurator/mac/2.8/#/cad99bc2a859) (opens Apple Configurator Help docs). > [!IMPORTANT] > This setting is different from the remove and reset options in the Company Portal app. Regardless of how you configure locked enrollment, the **Remove Device** or **Factory Reset** options in the Company Portal app remain unavailable on devices enrolled through automated device enrollment. Users won't be able to remove the device on the Company Portal website either. 
For more information about the self-service actions available on enrolled devices, see [Self-service actions](../apps/company-portal-app.md#self-service-actions). -1. If you selected **Enroll without User Affinity** and **Supervised** in the previous steps, you need to decide whether to configure the devices to be [Apple Shared iPad for Business devices](https://support.apple.com/guide/mdm/shared-ipad-overview-cad7e2e0cf56/web). Select **Yes** for **Shared iPad** to enable multiple users to sign in to a single device. Users will authenticate by using their Managed Apple IDs and federated authentication accounts or by using a temporary session (like the Guest account). This option requires iOS/iPadOS 13.4 or later. With Shared iPad, all Setup Assistant panes after activation are automatically skipped. +1. If you selected **Enroll without User Affinity** and **Supervised** in the previous steps, you need to decide whether to configure the devices to be [Apple Shared iPad for Business devices](https://support.apple.com/guide/mdm/shared-ipad-overview-cad7e2e0cf56/web). Select **Yes** for **Shared iPad** to enable multiple users to sign in to a single device. Users authenticate by using their Managed Apple IDs and federated authentication accounts or by using a temporary session (like the Guest account). This option requires iOS/iPadOS 13.4 or later. With Shared iPad, all Setup Assistant panes after activation are automatically skipped. > [!NOTE] 
> @@ -274,7 +284,7 @@ Now that you've installed your token, you can create an enrollment profile for a * **Maximum seconds after screen lock before password is required**: Enter the amount of time in seconds. Accepted values include: 0, 60, 300, 900, 3600, and 14400. If the screen lock exceeds this amount of time, a device password will be required to unlock the device. Available for devices in Shared iPad mode running iPadOS 13.0 and later. - * **Maximum seconds of inactivity until user session logs out**: The minimum allowed value for this setting is 30. If there isn't any activity after the defined period, the user session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session won't end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later. + * **Maximum seconds of inactivity until user session logs out**: The minimum allowed value for this setting is 30. If there isn't any activity after the defined period, the user session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session will never end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later. * **Require Shared iPad temporary session only**: Configures the device so that users only see the guest version of the sign-in experience and must sign in as guests. They can't sign in with a Managed Apple ID. Available for devices in Shared iPad mode running iPadOS 14.5 and later. 
@@ -284,7 +294,7 @@ Now that you've installed your token, you can create an enrollment profile for a - Maximum seconds after screen lock before password is required - Maximum seconds of inactivity until user session logs out - * **Maximum seconds of inactivity until temporary session logs out**: The minimum allowed value for this setting is 30. If there isn't any activity after the defined period, the temporary session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session won't end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later. + * **Maximum seconds of inactivity until temporary session logs out**: The minimum allowed value for this setting is 30. If there isn't any activity after the defined period, the temporary session ends and signs the user out. If you leave the entry blank or set it to zero (0), the session will never end due to inactivity. Available for devices in Shared iPad mode running iPadOS 14.5 and later. This setting is available when **Require Shared iPad temporary session only** is set to **Yes**. 
@@ -304,7 +314,10 @@ Now that you've installed your token, you can create an enrollment profile for a 1. For **Await final configuration**, your options are: * **Yes**: Enable a locked experience at the end of Setup Assistant to ensure your most critical device configuration policies are installed on the device. Just before the home screen loads, Setup Assistant pauses and lets Intune check in with the device. The end-user experience locks while users await final configurations. - The amount of time that users are held on the Awaiting final configuration screen varies, and depends on the total number of policies and apps you apply to the device. The more policies and apps assigned to the device, the longer the waiting time. Neither Setup Assistant nor Intune enforce a minimum or maximum time limit during this portion of setup. During product validation, the majority of devices we tested were released and able to access the home screen within fifteen minutes. If you enable this feature and are using a third party to help you provision devices, tell them about the potential for increased provisioning time. Note that only device configuration policies start installing during the awaiting final configuration screen, and applications are not included in this. + The amount of time that users are held on the Awaiting final configuration screen varies, and depends on the total number of policies and apps you apply to the device. The more policies and apps assigned to the device, the longer the waiting time. Setup Assistant and Microsoft Intune do not enforce a minimum or maximum time limit during this portion of setup. During product validation, most devices we tested were released and able to access the home screen within 15 minutes. If you enable this feature and are using someone outside of Microsoft to help you provision devices, tell them about the potential for increased provisioning time. 
+ + >[!NOTE] + > Only device configuration policies start installing during the awaiting final configuration screen, and applications are not included in this. The locked experience works on devices targeted with new and existing enrollment profiles. Supported devices include: * iOS/iPadOS 13+ devices enrolling with Setup Assistant with modern authentication @@ -313,7 +326,7 @@ Now that you've installed your token, you can create an enrollment profile for a This setting is applied once during the out-of-box automated device enrollment experience in Setup Assistant. The device user doesn't experience it again unless they re-enroll their device. **Yes** is the default setting for new enrollment profiles. - * **No**: The device is released to the home screen when Setup Assistant ends, regardless of policy installation status. Device users may be able to access the home screen or change device settings before all policies are installed. **No** is the default setting for existing enrollment profiles. + * **No**: The device is released to the home screen when Setup Assistant ends, regardless of policy installation status. Device users might be able to access the home screen or change device settings before all policies are installed. **No** is the default setting for existing enrollment profiles. The await configuration setting is unavailable in profiles with this combination of configurations: * User affinity: **Enroll without user affinity** (Step 6 in this section) 
@@ -323,7 +336,7 @@ Now that you've installed your token, you can create an enrollment profile for a 1. Under **Apply device name template**, select **Yes** . 2. In the **Device Name Template** box, enter the template you want to use to construct device names. The template can include the device type and serial number. It can't contain more than 63 characters, including the variables. Example: `{{DEVICETYPE}}-{{SERIAL}}` -1. You can activate a cellular data plan. This setting applies to devices running iOS/iPadOS 13.0 and later. Configuring this option will send a command to activate cellular data plans for your eSim-enabled cellular devices. Your carrier must provision activations for your devices before you can activate data plans using this command. To activate cellular data plan, click **Yes** and then enter your carrier’s activation server URL. +1. You can activate a cellular data plan. This setting applies to devices running iOS/iPadOS 13.0 and later. Configuring this option sends a command to activate cellular data plans for your eSim-enabled cellular devices. Your carrier must provision activations for your devices before you can activate data plans using this command. To activate cellular data plan, select **Yes**, and then enter your carrier’s activation server URL. 1. Select **Next**. 
@@ -335,8 +348,8 @@ Now that you've installed your token, you can create an enrollment profile for a | **Department Phone** | Appears when users tap the **Need Help** button during activation. | You can hide Setup Assistant screens on the device during user setup. For a description of all screens, see [Setup Assistant screen reference](#setup-assistant-screen-reference) (in this article). - - If you select **Hide**, the screen won't be displayed during setup. After setting up the device, the user can still go to the **Settings** menu to set up the feature. - - If you select **Show**, the screen will be displayed during setup, but only if there are steps to complete after the restore or after the software update. Users can sometimes skip the screen without taking action. They can then later go to the device's **Settings** menu to set up the feature. + - If you select **Hide**, the screen isn't shown during setup. After setting up the device, the user can still go to the **Settings** menu to set up the feature. + - If you select **Show**, the screen is shown during setup, but only if there are steps to complete after the restore or after the software update. Users can sometimes skip the screen without taking action. They can then later go to the device's **Settings** menu to set up the feature. - With Shared iPad, all Setup Assistant panes after activation are automatically skipped regardless of the configuration. 1. Select **Next**. 
@@ -351,40 +364,46 @@ You can use the enrollment **Name** field to create a dynamic group in Microsoft You can use the profile name to define the [enrollmentProfileName parameter](/azure/active-directory/users-groups-roles/groups-dynamic-membership#rules-for-devices) to assign devices with this enrollment profile. -Prior to device setup, and to ensure quick delivery to devices with user affinity, make sure the enrolling user is a member of a Microsoft Entra user group. +Before device setup, and to ensure quick delivery to devices with user affinity, make sure the enrolling user is a member of a Microsoft Entra user group. If you assign dynamic groups to enrollment profiles, there might be a delay in delivering applications and policies to devices after the enrollment. ### Setup Assistant screen reference -The following table describes the Setup Assistant screens shown during automated device enrollment for iOS/iPadOS. You can show or hide these screens on supported devices during enrollment. +The following table describes the Setup Assistant screens shown during automated device enrollment for iOS/iPadOS. You can show or hide these screens on supported devices during enrollment. For more information about how each Setup Assistant screen affects the user experience, see these Apple resources: + +- [Apple Platform Deployment guide: Manage Setup Assistant for Apple devices](https://support.apple.com/en-mide/guide/deployment/depdeff4a547/web) +- [Apple Developer documentation: ShipKeys](https://developer.apple.com/documentation/devicemanagement/skipkeys) | Setup Assistant screen | What happens when visible | |------------------------------------------|------------------------------------------| -| **Passcode** | Prompt the user for a passcode. Always require a passcode for unsecured devices unless access is controlled in some other way. (For example, a kiosk mode configuration that restricts the device to one app.) For iOS/iPadOS 7.0 and later. 
| -| **Location Services** | Prompt the user for their location. For macOS 10.11 and later, and iOS/iPadOS 7.0 and later. | -| **Restore** | Display the Apps & Data screen. This screen gives users the option to restore or transfer data from iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. | -| **Apple ID** | Give the user the options to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. | -| **Terms and conditions** | Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. | -| **Touch ID and Face ID** | Give the user the option to set up fingerprint or facial identification on their device. For macOS 10.12.4 and later, and iOS/iPadOS 8.1 and later. On iOS/iPadOS 14.5 and later, the Passcode and Touch ID Setup Assistant screens during device setup aren’t working. If you use version 14.5+, then don't configure the Passcode or Touch ID Setup Assistant screens. If you require a passcode on devices, then use a device configuration policy or a compliance policy. After the user enrolls and they receive the policy, they're prompted for a passcode. | -| **Apple Pay** | Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and iOS/iPadOS 7.0 and later. | -| **Zoom** | Give the user to the option to zoom the display when they set up the device. For iOS/iPadOS 8.3 and later. | -| **Siri** | Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later. | -| **Diagnostics Data** | Display the Diagnostics screen. This screen gives the user the option to send diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. | -| **Display Tone** | Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS 9.3.2 and later. | -| **Privacy** | Display the Privacy screen. 
For macOS 10.13.4 and later, and iOS/iPadOS 11.3 and later. | -| **Android Migration** | Give the user the option to migrate data from an Android device. For iOS/iPadOS 9.0 and later.| -| **iMessage & FaceTime** | Give the user the option to set up iMessage and FaceTime. For iOS/iPadOS 9.0 and later. | -| **Onboarding** | Display onboarding informational screens for user education, like Cover Sheet and Multitasking and Control Center. For iOS/iPadOS 11.0 and later. | -| **Screen Time** | Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later. | -| **SIM Setup** | Give the user the option to add a cellular plan. For iOS/iPadOS 12.0 and later. | -| **Software Update** | Display the mandatory software update screen. For iOS/iPadOS 12.0 and later. | -| **Watch Migration** | Give the user the option to migrate data from a watch device. For iOS/iPadOS 11.0 and later.| -| **Appearance** | Display the Appearance screen. For macOS 10.14 and later, and iOS/iPadOS 13.0 and later. | -| **Device to Device Migration** | Give the user the option to transfer data from an old device to this device. The option to transfer data directly from a device isn't available for ADE devices running iOS 13 or later. +| **Passcode** | Shows the passcode and password lock pane to users, and prompts users for a passcode. Always require a passcode for unsecured devices unless access is controlled in some other way (such as through a kiosk mode configuration that restricts the device to one app). This screen is available for iOS/iPadOS 7.0 and later, with some limitations. For more information, see [Limitations](#limitations) in this article. | +| **Location Services** | Shows the location services setup pane, where users can enable location services on their device. For iOS/iPadOS 7.0 and later. | +| **Restore** | Shows the apps and data setup pane. On this screen, users setting up devices can restore or transfer data from iCloud Backup. 
For iOS/iPadOS 7.0 and later. | +| **Apple ID** | Shows the Apple ID setup pane, which gives users to the option to sign in with their Apple ID and use iCloud. For iOS/iPadOS 7.0 and later. | +| **Terms and conditions** | Shows the Apple terms and conditions pane, and requires users to accept them. For iOS/iPadOS 7.0 and later. | +| **Touch ID and Face ID** | Shows the biometric setup pane, which gives users the option to set up fingerprint or facial identification on their devices. For iOS/iPadOS 8.1 and later, with some limitations. For more information, see [Limitations](#limitations) in this article. | +| **Apple Pay** | Shows the Apple Pay setup pane, which gives users the option to set up Apple Pay on their devices. For iOS/iPadOS 7.0 and later. | +| **Zoom** | Shows the zoom setup pane, which gives users the option to configure zoom settings. For iOS/iPadOS 8.3 and later, and deprecated in iOS/iPadOS 17. | +| **Siri** | Shows the Siri setup pane to users. For iOS/iPadOS 7.0 and later. | +| **Diagnostics Data** | Shows the diagnostics pane where users can opt-in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later. | +| **Display Tone** | Shows the display tone setup pane, where users can configure the display's white balance settings. For iOS/iPadOS 9.3.2 and later, and deprecated in iOS/iPadOS 15. | +| **Privacy** | Shows the privacy setup pane to the user. For iOS/iPadOS 11.3 and later. | +| **Android Migration** | Shows a setup pane meant for previous Android users. On this screen, users can migrate data from an Android device. For iOS/iPadOS 9.0 and later.| +| **iMessage & FaceTime** | Shows the setup pane for iMessage and FaceTime. For iOS/iPadOS 9.0 and later. | +| **Onboarding** | Shows onboarding informational screens for user education, such as Cover Sheet and Multitasking and Control Center. For iOS/iPadOS 11.0 and later. | +| **Screen Time** | Shows the Screen Time screen. For iOS/iPadOS 12.0 and later. 
| +| **SIM Setup** | Shows the cellular setup pane, where users can add a cellular plan. For iOS/iPadOS 12.0 and later. | +| **Software Update** | Shows the mandatory software update screen. For iOS/iPadOS 12.0 and later. | +| **Watch Migration** | Shows the Apple Watch migration pane, where users can migrate data from an Apple Watch. For iOS/iPadOS 11.0 and later.| +| **Appearance** | Shows the appearance setup pane. For iOS/iPadOS 13.0 and later. | +| **Device to Device Migration** | Shows the device-to-device migration pane. On this screen, users can transfer data from an old device to their current device. The option to transfer data directly from a device isn't available for devices running iOS 13 or later. | **Restore Completed** | Shows users the Restore Completed screen after a backup and restore is performed during Setup Assistant. | -| **Software Update Completed** | Shows the user all software updates that happen during Setup Assistant.| +| **Software Update Completed** | Shows users all software updates that happen during Setup Assistant.| | **Get Started**| Shows users the Get Started welcome screen. -| **Terms of Address**| Give the user the option to choose how they want to be addressed throughout the system: feminine, masculine, or neutral. This Apple feature is available for select languages. For more information, see [Key Features and Enhancements](https://www.apple.com/ios/ios-16/features/)(opens Apple website). For iOS/iPadOS 16.0 and later. +| **Terms of Address**| Shows the terms of address pane, which gives users the option to choose how they want to be addressed throughout the system: feminine, masculine, or neutral. This Apple feature is available for select languages. For more information, see [Key Features and Enhancements](https://www.apple.com/ios/ios-16/features/)(opens Apple website). For iOS/iPadOS 16.0 and later. +| **Emergency SOS**| Shows the safety setup pane. For iOS/iPadOS 16.0 and later. 
+| **Action button**| Shows the configuration pane for the action button. For iOS/iPadOS 17.0 and later. +| **Intelligence**| Shows the Apple Intelligence setup pane, where users can configure Apple Intelligence features. For iOS/iPadOS 18.0 and later. ## Sync managed devices 
@@ -402,8 +421,8 @@ Now that Intune has permission to manage your devices, you can synchronize Intun - A full sync can run no more than once every seven days. During a full sync, Intune fetches the complete updated list of serial numbers assigned to the Apple MDM server connected to Intune. > [!IMPORTANT] > If a device is deleted from Intune, but remains assigned to the ADE enrollment token in the ASM/ABM portal, it will reappear in Intune on the next full sync. If you don't want the device to reappear in Intune, unassign it from the Apple MDM server in the ABM/ASM portal. - - If a device is released from ABM/ASM, it can take up to 45 days for it to be automatically deleted from the devices page in Intune. You can manually delete released devices from Intune one by one if needed. Released devices will be accurately reported as being Removed from ABM/ASM in Intune until they're automatically deleted within 30-45 days. - - A delta sync is run automatically every 12 hours. You can also trigger a delta sync by selecting the **Sync** button (no more than once every 15 minutes). All sync requests are given 15 minutes to finish. The **Sync** button is disabled until a sync is completed. This sync will refresh existing device status and import new devices assigned to the Apple MDM server. If a delta sync fails for any reason, the next sync will be a full sync to hopefully resolve any issues. + - If a device is released from ABM/ASM, it can take up to 45 days for it to be automatically deleted from the devices page in Intune. You can manually delete released devices from Intune one by one if needed. Released devices are accurately reported as being *removed* from ABM/ASM in Intune until they're automatically deleted within 30-45 days. + - A delta sync is run automatically every 12 hours. You can also trigger a delta sync by selecting the **Sync** button (no more than once every 15 minutes). All sync requests have 15 minutes to finish. 
The **Sync** button becomes inactive until the sync is done. Syncing refreshes the existing device status and imports new devices assigned to the Apple MDM server. If a delta sync fails for any reason, the next sync is a full sync and could resolve any issues. ## Assign an enrollment profile to devices @@ -427,7 +446,7 @@ You can pick a default profile to be applied to all devices that enroll with a s 1. In the admin center, return to **Enrollment program tokens**. 2. Select an enrollment token. 2. Select **Set Default Profile**. -4. Select a profile in the list, and then select **Save**. The profile will be applied to all devices that enroll with the selected enrollment token. +4. Select a profile in the list, and then select **Save**. From here, Intune applies the profile to all devices that enroll with the selected enrollment token. > [!NOTE] > Ensure that **Device Type Restrictions** under **Enrollment Restrictions** does not have the default **All Users** policy set to block the iOS/iPadOS platform. This setting will cause automated enrollment to fail and your device will show as Invalid Profile, regardless of user attestation. To permit enrollment only by company-managed devices, block only personally owned devices, which will permit corporate devices to enroll. Microsoft defines a corporate device as a device that's enrolled via a Device Enrollment Program or a device that's manually entered under **Corporate device identifiers**. 
@@ -436,20 +455,20 @@ You can pick a default profile to be applied to all devices that enroll with a s You enabled management and syncing between Apple and Intune and assigned a profile so your ADE devices can be enrolled. You're now ready to distribute devices to users. Some things to know: -- Devices enrolled with user affinity require that each user be assigned an Intune license. -- Devices enrolled without user affinity typically don't have any associated users. These devices need to have an Intune device license. If devices enrolled without user affinity will be used by an Intune-licensed user, a device license isn't needed. +- To use devices enrolled with user affinity, users must have an Intune license assigned. +- Devices enrolled without user affinity typically don't have any associated users. These devices need to have an Intune device license. If a device without user affinity is used by an Intune-licensed user, a device license isn't needed. To summarize, if a device has a user, the user needs to have an assigned Intune license. If the device doesn't have an Intune-licensed user, the device needs to have an Intune device license. For more information on Intune licensing, see [Microsoft Intune licensing](../fundamentals/licenses.md) and the [Intune planning guide](../fundamentals/intune-planning-guide.md). -- A device that's been activated needs to be wiped before it can enroll properly using ADE in Intune. After it's been wiped but before activating it again, you can apply the enrollment profile. See [Set up an existing iPhone, iPad, or iPod touch](https://support.apple.com/en-us/HT207516) +- A device that is already activated needs to be wiped before it can enroll properly with automated device enrollment. After you wipe it but before activating it again, you can apply the enrollment profile. 
See [Set up an existing iPhone, iPad, or iPod touch](https://support.apple.com/en-us/HT207516) - If you're enrolling with ADE and user affinity, the following error can happen during setup: `The SCEP server returned an invalid response.` - You can resolve this error by trying to download the management again within 15 minutes. If it's been more than 15 minutes, to resolve this error you'll need to factory reset the device. This error occurs because of a 15-minute time limit on SCEP certificates, which is enforced for security. + You can resolve this error by trying to download the management again within 15 minutes. After 15 minutes, you have to factory reset the device to resolve the error. This error occurs because of a 15 minute time limit on SCEP certificates, which is enforced for security. For information on the end-user experience, see [Enroll your iOS/iPadOS device in Intune by using ADE](../user-help/enroll-your-device-dep-ios.md). 
@@ -463,12 +482,11 @@ Complete these steps to re-enroll a device that already went through automated d ## Renew an Automated Device Enrollment token -You'll sometimes need to renew your tokens: +It's important to renew your enrollment program token yearly. The Intune admin center shows the expiration date. -- Renew your ADE token yearly. The Intune admin center shows the expiration date. -- If the Apple ID password changes for the user who set up the token in Apple Business Manager, renew your enrollment program token in Intune and Apple Business Manager. +- If the Apple ID password changes for the user who set up the token in Apple Business Manager, renew your enrollment program token in Intune and Apple Business Manager. - If the user who set up the token in Apple Business Manager leaves the organization, renew your enrollment program token in Intune and Apple Business Manager. -- If you change the Apple ID used to create the ADE token, the change won't affect currently enrolled devices with that token, until they re-enroll. This is unlike the Apple Push Notification Service (APNS) certificate used for the tenant which cannot be changed without requiring all devices to be re-enrolled unless you contact Apple Support to perform the change on the back end. +- When you change the Apple ID used to create the ADE token, the change doesn't affect currently enrolled devices with that token, until they re-enroll. This behavior is unlike the Apple Push Notification Service (APNS) certificate used for the tenant. The APNS certificate can be changed with help from Apple Support. Otherwise, to make changes, all devices must re-enroll. ### Renew your tokens 
@@ -486,7 +504,7 @@ You'll sometimes need to renew your tokens:
 5. Select **Devices** > **Enrollment**.
 6. Choose **Enrollment program tokens**.
 7. Select the token.
-8. Select **Renew token**. Enter the **Apple ID** used to create the original token (if it's not automatically populated):
+8. Select **Renew token**. Enter the **Apple ID** used to create the original token (if it's not already filled-in):
 :::image type="content" source="./media/device-enrollment-program-enroll-ios/renewtoken.png" alt-text="Screenshot that shows the Renew token page." lightbox="./media/device-enrollment-program-enroll-ios/renewtoken.png":::
@@ -494,7 +512,7 @@ You'll sometimes need to renew your tokens:
 10. Select **Next** to go to the **Scope tags** page. Assign scope tags if you want to.
-11. Select **Renew token**. You'll see a confirmation that the token is renewed.
+11. Select **Renew token**. Wait for confirmation that the token renewal is done.
 :::image type="content" source="./media/device-enrollment-program-enroll-ios/confirmation.png" alt-text="Screenshot that shows the confirmation message.":::
@@ -517,5 +535,14 @@ To delete an enrollment profile token:
 1. If there's a default profile or any other enrollment profile, they must all be deleted.
 1. Return to **Enrollment program tokens**. Select the token, and then select **Delete**.
+## Limitations
+
+These Setup Assistant screens don't work correctly on devices running iOS/iPadOS 14.5 and later:
+
+ * Passcode
+ * Touch ID and Face ID
+
+Hide both screens on devices running iOS/iPadOS 14.5 and later. If you want to require passcodes on those devices, create a device configuration policy or a compliance policy with passcode requirements. After the user enrolls and receives the policy, the passcode requirement will kick in.
+
 ## Next steps
-For an overview of what's required of device users, see [ADE end user tasks](../fundamentals/deployment-guide-enrollment-ios-ipados.md#ade-end-user-tasks).
+For an overview of requirements for device users, see [ADE end user tasks](../fundamentals/deployment-guide-enrollment-ios-ipados.md#ade-end-user-tasks).
diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md
index 5262b9ba62e..53e3bcbcc00 100644
--- a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md
+++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md
@@ -1,13 +1,13 @@
 ---
 # required metadata
-title: Enroll macOS devices - Apple Business Manager or Apple School Manager
-description: Prepare Macs purchased through Apple Business Manager and Apple School Manager for Intune enrollment.
+title: Set up automated device enrollment (ADE) for macOS
+description: Learn how to enroll corporate-owned Macs into Microsoft Intune with Apple Automated Device Enrollment (ADE).
 keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 02/19/2024
+ms.date: 09/18/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -27,7 +27,7 @@ ms.collection:
 - M365-identity-device-management
 ---
-# Automatically enroll Macs with Apple Business Manager or Apple School Manager
+# Set up automated device enrollment (ADE) for macOS
 Set up automated device enrollment in Intune for new or wiped Macs purchased through an Apple enrollment program, such as Apple Business Manager or Apple School Manager. With this method, you don't need to have the devices with you to configure them. Intune automatically syncs with Apple to obtain device info from your enrollment program account, and deploys your preconfigured enrollment profiles to Macs over-the-air. Prepared devices can be shipped directly to employees or students. Setup Assistant and device enrollment begin when someone turns on the Mac.
@@ -44,8 +44,14 @@ This article describes how to set up an automated device enrollment profile for
 4. [Assign DEP profile to devices](#assign-an-enrollment-profile-to-devices)
 5. [Distribute devices to users](#end-user-experience-with-managed-devices)
 -->
+## Certificates
+
+This enrollment type supports the Automated Certificate Management Environment (ACME) protocol. When new devices enroll, the management profile from Intune receives an ACME certificate. The ACME protocol provides better protection than the SCEP protocol against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management.
+
+Devices that are already enrolled do not get an ACME certificate unless they re-enroll into Microsoft Intune. ACME is supported on devices running macOS 13.1 and later.
 ## Limitations
+
 Automated device enrollment via Apple Business Manager and Apple School Manager isn't supported with [device enrollment manager accounts](device-enrollment-manager-enroll.md).
 ## Prerequisites
@@ -131,14 +137,14 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev
 1. Select **Next**.
-1. On the **Management Settings** page, configure **User Affinity**. *User affinity* determines whether devices enroll with or without an assigned user. Your options:
+1. On the **Management Settings** page, configure **User Affinity**. *User affinity* determines whether devices enroll with or without an assigned user. Your options:
 * **Enroll without User Affinity**: Enroll devices that aren't associated with a single user. Choose this option for shared devices and devices that don't need to access local user data. The Company Portal app doesn't work on these types of devices.
 * **Enroll with User Affinity**: Enroll devices that are associated with an assigned user. Choose this option for work devices that belong to users, and if you want to require users to have the Company Portal app to install apps. Multifactor authentication (MFA) is available with this option.
 Option 2 requires more configurations. Users must authenticate themselves before enrollment to confirm their identity. Select one of the following authentication methods:
- - **Setup Assistant with modern authentication**: This method requires users to complete all Setup Assistant screens and sign in to the Company Portal app with their Microsoft Entra credentials before they can access resources. After they sign in to Company Portal, the device:
+ - **Setup Assistant with modern authentication**: This method requires users to complete all Setup Assistant screens and sign in to the Company Portal app with their Microsoft Entra credentials before they can access resources. After they sign in to Company Portal, the device:
 - Registers with Microsoft Entra ID.
 - Is added to the user's device record in Microsoft Entra ID.
@@ -174,24 +180,24 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev
 > [!div class="mx-imgBorder"]
 > ![Image of admin center showing new Account settings section in the macOS automated device enrollment profile.](./media/device-enrollment-program-enroll-macos/macos-account-settings-intune.png)
- These settings are supported on devices running macOS 10.11 or later. Keep in mind while you configure the primary account that this account will be an *admin* account after it's created. Having at least one admin account is a Mac setup requirement.
+ These settings are supported on devices running macOS 10.11 or later. Keep in mind while you configure the primary account that this account is going to be an *admin* account. Having at least one admin account is a Mac setup requirement.
 Your options:
 * **Create a local primary account**: Select **Yes** to configure local primary account settings for targeted Macs. Select **Not configured** to skip all account setting configurations.
- * **Prefill account info**: The default configuration, **Not configured**, requires the device user to enter their account username and full name in Setup Assistant. To prefill the account information for them instead, select **Yes**. Then enter the primary account name and full name:
+ * **Prefill account info**: The default configuration, **Not configured**, requires the device user to enter their account username and full name in Setup Assistant. To prefill the account information for them instead, select **Yes**. Then enter the primary account name and full name:
 * **Primary account name**: Enter the username for the account. `{{partialupn}}` is the supported token variable for *account name*.
 * **Primary account full name**: Enter the full name of the account. `{{username}}` is the supported token variable for *full name*.
* **Restrict editing**: The default configuration is set to **Yes** so that device users can't edit the account name and full name configured for them. To allow device users to edit the account name and full name, select **Not configured**. If you're only using Setup Assistant (legacy) to enroll devices running macOS 10.15 and later, you can expect the following end user experience:
- * **Yes**: The account creation screen in Setup Assistant never appears. Instead, the local primary account is automatically created based on the other setting configurations, and the password is automatically populated from the Entra ID authentication screen. The device user can't edit these fields.
- * **Not configured**: The local primary account screen is shown to the end user in Setup Assistant and is populated with the configured account values, and the password from the Entra ID authentication screen. The device user can edit these fields during Setup Assistant.
+ * **Yes**: The account creation screen in Setup Assistant never appears. Instead, the local primary account is automatically created based on the other setting configurations, and the password is automatically populated from the Microsoft Entra authentication screen. The device user can't edit these fields.
+ * **Not configured**: The local primary account screen is shown to the end user in Setup Assistant and is populated with the configured account values, and the password from the Microsoft Entra authentication screen. The device user can edit these fields during Setup Assistant.
 For account settings to work as intended, your enrollment profile must have the following configurations:
 * **User affinity**: Select **Enroll with User affinity**.
 * **Authentication method**: Select **Setup Assistant with modern authentication** or **Setup Assistant (legacy)**.
 * **Await final configuration**: Select **Yes**.
- Local accounts depend on the *await final configuration* feature when they're being created. 
As a result, if you configure any local primary account settings, this setting is always enabled. Even if you don't touch the *await final configuration* setting, it is enabled in the background and applied to the enrollment profile.
+ Local accounts depend on the *await final configuration* feature when they're being created. As a result, if you configure any local primary account settings, this setting is always enabled. Even if you don't touch the *await final configuration* setting, it's enabled in the background and applied to the enrollment profile.
 1. Select **Next**.
@@ -199,36 +205,44 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev
 1. Enter your department information so that users know who to contact for support:
 * **Department Name**: This name appears when device users select **About Configuration** during activation.
 * **Department Phone**: This phone number appears when device users select **Need Help** during activation.
- 2. Select the Setup Assistant screens you want to show or hide during device setup. For a description of all screens, see Setup Assistant screen reference (in this article). Your options:
+ 2. Select the Setup Assistant screens you want to show or hide during device setup. For a description of all screens, [see Setup Assistant screen reference](#setup-assistant-screen-reference) (in this article). Your options:
 * **Hide**: The screen doesn't appear to users during device setup. After device setup, the user can go to their device settings to set up the feature.
 * **Show**: The screen appears to users during device setup. The user can still skip screens that don't require immediate action. After device setup, the user can go to their device settings to set up the feature.
 1. Select **Next**.
 1. Review the summary of changes, and then select **Create** to finish creating the profile.
 ### Setup Assistant screen reference
-The following table describes the Setup Assistant screens shown during automated device enrollment for Macs. You can show or hide these screens on supported devices during enrollment.
+The following table describes the Setup Assistant screens shown during automated device enrollment for Macs. You can show or hide these screens on supported devices during enrollment. 
For more information about how each Setup Assistant screen affects the user experience, see these Apple resources:
+
+- [Apple Platform Deployment guide: Manage Setup Assistant for Apple devices](https://support.apple.com/en-mide/guide/deployment/depdeff4a547/web)
+- [Apple Developer documentation: ShipKeys](https://developer.apple.com/documentation/devicemanagement/skipkeys)
+
 | Setup Assistant screen | What happens when visible |
 |------------------------------------------|------------------------------------------|
-| **Location Services** | Prompt the user for their location. For macOS 10.11 and later and iOS/iPadOS 7.0 and later. |
-| **Restore** | Display the Apps & Data screen. This screen gives the user the option to restore or transfer data from iCloud Backup when they set up the device. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. |
-| **Apple ID** | Give the user the options to sign in with their Apple ID and use iCloud. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. |
-| **Terms and Conditions** | Require the user to accept Apple's terms and conditions. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. |
-| **Touch ID and Face ID** | Give the user the option to set up fingerprint identification for the device. For macOS 10.12.4 and later, and iOS/iPadOS 8.1 and later. |
-| **Apple Pay** | Give the user the option to set up Apple Pay on the device. For macOS 10.12.4 and later, and iOS/iPadOS 7.0 and later. |
-| **Siri** | Give the user the option to set up Siri. For macOS 10.12 and later, and iOS/iPadOS 7.0 and later. |
-| **Diagnostics Data** | Display the Diagnostics screen to the user. This screen gives the user the option to send diagnostic data to Apple. For macOS 10.9 and later, and iOS/iPadOS 7.0 and later. |
-| **Display Tone** | Give the user the option to turn on Display Tone. For macOS 10.13.6 and later, and iOS/iPadOS 9.3.2 and later. |
-| **FileVault** | Display the FileVault 2 encryption screen to the user. 
For macOS 10.10 and later. |
-| **iCloud diagnostics** | Display the iCloud Analytics screen to the user. For macOS 10.12.4 and later. |
-| **Registration** | Display the registration screen. For macOS 10.9 and later. |
-| **iCloud Storage** | Display the iCloud Documents and Desktop screen to the user. For macOS 10.13.4 and later. |
-| **Appearance** | Display the Appearance screen to the user. For macOS 10.14 and later, and iOS/iPadOS 13.0 and later. |
-| **Screen Time** | Display the Screen Time screen. For macOS 10.15 and later, and iOS/iPadOS 12.0 and later. |
-| **Privacy** | Display the Privacy screen to the user. For macOS 10.13.4 and later, and iOS/iPadOS 11.3 and later. |
-| **Accessibility** | Display the Accessibility screen to the user. If this screen is hidden, the user can't use the Voice Over feature. Voice Over is supported on devices that:
- Run macOS 11.
- Are connected to the internet using Ethernet.
- Have the serial number appear in Apple School Manager or Apple Business Manager. |
-| **Auto unlock with Apple Watch**| Give the user an option to use their Apple Watch to unlock their Mac. For macOS 12.0 and later.
-| **Terms of Address**| Give the user the option to choose how they want to be addressed throughout the system: feminine, masculine, or neutral. This Apple feature is available for select languages. For more information, see [Change Language & Region settings on Mac](https://support.apple.com/guide/mac-help/intl163/mac)(opens Apple website). For macOS 13.0 and later.
+| **Location Services** | Shows the location services setup pane, where users can enable location services on their device. For macOS 10.11 and later. |
+| **Restore** | Shows the apps and data setup pane. On this screen, users setting up devices can restore or transfer data from iCloud Backup. For macOS 10.9 and later. |
+| **Apple ID** | Shows the Apple ID setup pane, which gives users to the option to sign in with their Apple ID and use iCloud. For macOS 10.9 and later. |
+| **Terms and conditions** |Shows the Apple terms and conditions pane, and requires users to accept them. For macOS 10.9 and later. |
+| **Touch ID and Face ID** | Shows the biometric setup pane, which gives users the option to set up fingerprint or facial identification on their devices. For macOS 10.12.4 and later. |
+| **Apple Pay** | Shows the Apple Pay setup pane, which gives users the option to set up Apple Pay on their devices. For macOS 10.12.4 and later. |
+| **Siri** | Shows the Siri setup pane to users. For macOS 10.12 and later. |
+| **Diagnostics Data** | Shows the diagnostics pane where users can opt-in to send diagnostic data to Apple. For macOS 10.9 and later. |
+| **Display Tone** |Shows the setup pane for the display tone. This screen gives users the option to turn on true tone display. For macOS 10.13.6 and later. |
+| **FileVault** | Shows the FileVault 2 encryption screen to users. 
For macOS 10.10 and later. |
+| **iCloud Diagnostics** | Shows the iCloud Analytics screen to users. For macOS 10.12.4 and later. |
+| **Registration** | Shows the registration screen to users. For macOS 10.9 and later. |
+| **iCloud Storage** | Shows the iCloud Documents and Desktop screen to the user. For macOS 10.13.4 and later. |
+| **Appearance** | Shows the appearance pane where users can select an appearance mode. For macOS 10.14 and later. |
+| **Screen Time** | Shows the macOS Screen Time setup pane, a feature users can enable to gain insight on screen-time, and app and website activity. For macOS 10.15 and later. |
+| **Privacy** | Shows the privacy setup pane to the user. For macOS 10.13.4 and later. |
+| **Accessibility** | Shows the accessibility setup screen to the user. If this screen is hidden, the user can't use the macOS Voice Over feature. Voice Over is supported on devices that:
- Run macOS 11.
- Are connected to the internet using Ethernet.
- Have a serial number in Apple School Manager or Apple Business Manager. |
+| **Auto unlock with Apple Watch**| Shows the macOS Unlock with Apple Watch pane, where users can configure their Apple Watch to unlock their Mac. For macOS 12.0 and later.
+| **Terms of Address**| Shows the terms of address pane, which gives users the option to choose how they want to be addressed throughout the system: feminine, masculine, or neutral. This Apple feature is available for select languages. For more information, see [Change Language & Region settings on Mac](https://support.apple.com/guide/mac-help/intl163/mac)(opens Apple website). For macOS 13.0 and later.
+| **Wallpaper**| Shows the macOS Sonoma wallpaper setup pane after devices complete a software upgrade. If you hide this screen, devices get the default macOS Sonoma wallpaper. For macOS 14.1 and later.
+| **Lockdown mode**| Shows the lockdown mode setup pane to users who set up an Apple ID. For macOS 14.0 and later.
+| **Intelligence**| Shows the Apple Intelligence setup pane, where users can configure Apple Intelligence features. For macOS 15.0 and later.
+
 ## Sync managed devices
 Syncing refreshes existing device status and imports new devices assigned to the Apple MDM server. To see all associated Apple devices and device info, sync your enrollment program token in the admin center. 
@@ -241,7 +255,7 @@ Syncing refreshes existing device status and imports new devices assigned to the
 ### Sync restrictions
 To comply with Apple's terms for acceptable enrollment program traffic, Microsoft Intune imposes the following restrictions:
- - A *full sync* can run no more than once every seven days. During a full sync, Intune fetches the most recent, updated list of serial numbers assigned to the connected Apple MDM server. If you delete a device from Intune without unassigning it from the MDM server in Apple Business Manager or Apple School Manager, it won't be reimported to Intune until the full sync is run.
+ - A *full sync* can run no more than once every seven days. During a full sync, Intune fetches the most recent, updated list of serial numbers assigned to the connected Apple MDM server. If you delete a device from Intune without unassigning it from the MDM server in Apple Business Manager or Apple School Manager, it won't be reimported to Intune until the full sync runs.
 - If a device is released from either of the Apple enrollment programs, it can take up to 45 days for it to be automatically deleted from the Devices page in Intune. You can manually delete released devices in Intune one-by-one, if needed. Intune reports released devices as being removed from Apple Business Manager or Apple School Manager until they're automatically deleted, which occurs within 30-45 days.
 - A sync is run automatically every 24 hours. You can initiate a sync no more than once every 15 minutes. All sync requests are given 15 minutes to finish. The **Sync** button becomes inactive until syncing is complete. 
@@ -267,13 +281,13 @@ Optionally, you can select a default enrollment profile. The default profile is
 Distribute prepared devices throughout your organization.
-* New or wiped Macs: New or wiped Macs configured in Apple Business Manager or Apple School Manager will automatically enroll in Microsoft Intune during Setup Assistant when someone turns on the device. If you assigned the device to a macOS enrollment profile with user affinity, the device user must sign in to the Company Portal after Setup Assistant is done to finish Microsoft Entra registration and conditional access requirements.
+* New or wiped Macs: New or wiped Macs configured in Apple Business Manager or Apple School Manager automatically enroll in Microsoft Intune during Setup Assistant when someone turns on the device. If you assigned the device to a macOS enrollment profile with user affinity, the device user must sign in to the Company Portal after Setup Assistant is done to finish Microsoft Entra registration and conditional access requirements.
 * Existing Macs: You can enroll devices that already went through Setup Assistant. Complete these steps to enroll corporate-owned Macs running macOS 10.13 and later.
 1. Ensure that:
- * The device has been imported to Apple Business Manager or Apple School Manager.
- * The device has been assigned a macOS enrollment profile in the admin center.
+ * The device is imported to Apple Business Manager or Apple School Manager.
+ * The device is assigned a macOS enrollment profile in the admin center.
 1. Sign in to the device with a local administrator account.
 1. To trigger enrollment, from the **Home** page open **Terminal**, and run the following command:
diff --git a/memdocs/intune/enrollment/device-enrollment-shared-ios.md b/memdocs/intune/enrollment/device-enrollment-shared-ios.md
index ebe08d94289..5da6c93d68b 100644
--- a/memdocs/intune/enrollment/device-enrollment-shared-ios.md
+++ b/memdocs/intune/enrollment/device-enrollment-shared-ios.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 08/17/2021
+ms.date: 09/16/2024
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: enrollment
diff --git a/memdocs/intune/enrollment/device-limit-intune-azure.md b/memdocs/intune/enrollment/device-limit-intune-azure.md
index 76c59e3f8b8..9cd2b033fa1 100644
--- a/memdocs/intune/enrollment/device-limit-intune-azure.md
+++ b/memdocs/intune/enrollment/device-limit-intune-azure.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/04/2024
+ms.date: 10/14/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -58,7 +58,8 @@ Intune device limit restrictions don't apply to devices enrolled via:
 - Co-management with Configuration Manager
 - Automatic enrollment + group policy
 - Automatic enrollment + device enrollment manager
-- Automatic enrollment + bulk device enrollment
+- Automatic enrollment + bulk device enrollment
+- Automatic enrollment initiated by user through desktop (for example, when they [connect a work or school account in the Windows Settings app](https://support.microsoft.com/windows/manage-user-accounts-in-windows-104dc19f-6430-4b49-6a2b-e4dbd1dcdf32))
 - Windows Autopilot
 Devices enrolled via these methods are enrolled automatically or by an Intune admin, not by an employee or student, and are considered shared devices. Instead, you can apply the Microsoft Entra limit, where supported.
diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md
index b2bbd55c30a..93079dc5b66 100644
--- a/memdocs/intune/enrollment/enrollment-restrictions-set.md
+++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md
@@ -153,7 +153,13 @@ Intune also blocks personal devices using these enrollment methods:
 ## Limitations
-* Enrollment restrictions are applied to users. For enrollment scenarios that aren't user-driven, such as Windows Autopilot self-deploying mode and Autopilot for pre-provisioned deployment, bulk enrollment (WCD), Azure Virtual desktop, or userless Apple Automated device enrollment (ADE without user device affinity), Intune enforces the default policy.
+* Enrollment restrictions are applied to enrollments that are user-driven. Intune enforces the default policy in enrollment scenarios that aren't user-driven, such as:
+
+ * Windows Autopilot self-deploying mode and Autopilot for pre-provisioned deployment
+ * Bulk enrollment via Windows Configuration Designer
+ * Userless Apple automated device enrollment (without user-device affinity)
+ * Azure Virtual Desktop
+ * Windows 365
 * Device limit restrictions can't be applied to devices in the following Windows enrollment scenarios, because these scenarios utilize shared device mode:
diff --git a/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md b/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md
index c5701e52ea8..94884a32267 100644
--- a/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md
+++ b/memdocs/intune/enrollment/ios-user-enrollment-supported-actions.md
@@ -36,7 +36,10 @@ This article provides an overview of the Apple User Enrollment features and func
 ## Apple User Enrollment methods
-Microsoft Intune supports account driven Apple User Enrollment and Apple User Enrollment with Company Portal.
+>[!IMPORTANT]
+> Apple user enrollment with Company Portal has been deprecated as an enrollment option, and is no longer available for newly enrolled devices. Microsoft Intune product and technical support remains available to devices that already have the enrollment profile. For new enrollments, we recommend account-driven user enrollment.
+
+Microsoft Intune supports account driven Apple User Enrollment and profile based Apple User Enrollment with Company Portal.
 * Account driven user enrollment: Also referred to as *account-based enrollment*. The device user initiates enrollment by going to the **Settings** app > **VPN & Device Management** and adding their work or school account. After the device user approves device management, the enrollment profile silently installs, and Intune policies are applied.
diff --git a/memdocs/intune/enrollment/move-to-android-mobile-application-management.md b/memdocs/intune/enrollment/move-to-android-mobile-application-management.md
index 9dba817610f..d9ed65a4881 100644
--- a/memdocs/intune/enrollment/move-to-android-mobile-application-management.md
+++ b/memdocs/intune/enrollment/move-to-android-mobile-application-management.md
@@ -70,7 +70,7 @@ The following table lists configurations commonly used with Android device admin
 | --- | --- | --- | --- |
 |Conditional Access | Use [device-based Conditional Access policies](../protect/app-based-conditional-access-intune-create.md). | Use [app-based Conditional Access policies](../protect/app-based-conditional-access-intune-create.md). | Before you unenroll devices, consider updating your device-based Conditional Access policies to include an `or` condition for app-based Conditional Access policies. Otherwise, device users could be in an interim state without MDM or mobile application management enforced. |
 | Prevent copy and paste | **Restrict copy and paste (Knox only)**

Setting available in [Configuration policy > General](../configuration/device-restrictions-android.md#general). | **Restrict cut, copy, and paste between other apps**

Setting available in [App protection policy > Data protection](../apps/app-protection-policy-settings-android.md#data-protection). | |
-| Enforce password | Password settings vary depending on policy type used.

Settings available in [Configuration policy > Password](../configuration/device-restrictions-android.md#password) and [Compliance policy > Password](../protect/compliance-policy-create-android.md#password). | **PIN for app access**

Setting available in [App protection policy > Access requirements](../apps/app-protection-policy-settings-android.md#access-requirements). | |
+| Enforce password | Password settings vary depending on policy type used.

Settings available in [Configuration policy > Password](../configuration/device-restrictions-android.md#password) and [Compliance policy > Device security](../protect/compliance-policy-create-android.md#device-security). | **PIN for app access**

Setting available in [App protection policy > Access requirements](../apps/app-protection-policy-settings-android.md#access-requirements). | |
 | Enforce minimum and maximum OS version | OS version settings vary depending on policy type used.

Settings available in [Compliance policy > Operating system version](../protect/compliance-policy-create-android.md#operating-system-version) and [Enrollment > Device platform restriction](../enrollment/create-device-platform-restrictions.md#create-a-device-platform-restriction). | **Min OS version** and **Max OS version**

Settings available in [App protection policy > Conditional launch](../apps/app-protection-policy-settings-android.md#conditional-launch). | | Block rooted devices| **Rooted devices**

Setting available in [Compliance policy > Device health](../protect/compliance-policy-create-android.md#device-health).| **Jailbroken/rooted devices**

Setting available in [App protection policy > Conditional launch](../apps/app-protection-policy-settings-android.md#conditional-launch). | | Allow specific manufacturers | **Device manufacturers**

Setting available in [Enrollment > Device platform restriction](../enrollment/create-device-platform-restrictions.md#create-a-device-platform-restriction). | **Device manufacturers**

Setting available in [App protection policy > Conditional launch](../apps/app-protection-policy-settings-android.md#conditional-launch). | |
diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md
index 031502c3ec6..cc9bad1e8f0 100644
--- a/memdocs/intune/enrollment/multi-factor-authentication.md
+++ b/memdocs/intune/enrollment/multi-factor-authentication.md
@@ -77,6 +77,9 @@ Complete these steps to enable multi-factor authentication during Microsoft Intu
 | **Microsoft Intune** | Setup Assistant,
Company Portal app | With this option, MFA is required during enrollment and each time the user signs into the Company Portal app or website. The MFA prompts appear on the Company Portal sign-in page. |
 | **Microsoft Intune Enrollment** | Setup Assistant | With this option, MFA is required during device enrollment and appears as a one-time MFA prompt on the Company Portal sign-in page. |
+ > [!NOTE]
+ > The Microsoft Intune Enrollment cloud app isn't created automatically for new tenants. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph.
+
 1. Select the **Grant** category.
 1. Select **Require multifactor authentication** and **Require device to be marked as compliant**.
 1. Under **For multiple controls**, select **Require all the selected controls**.
@@ -90,7 +93,7 @@ Complete these steps to enable multi-factor authentication during Microsoft Intu
 After you apply and deploy this policy, users will see a one-time MFA prompt when they enroll their device.
 > [!NOTE]
-> A second device is required to complete the MFA challenge for these types of corporate-owned devices:
+> A second device or a Temporary Access Pass is required to complete the MFA challenge for these types of corporate-owned devices:
 >
 > - Android Enterprise fully managed devices
 > - Android Enterprise corporate-owned devices with a work profile
diff --git a/memdocs/intune/enrollment/quickstart-setup-auto-enrollment.md b/memdocs/intune/enrollment/quickstart-setup-auto-enrollment.md
index 47701b8017e..b9f4442956c 100644
--- a/memdocs/intune/enrollment/quickstart-setup-auto-enrollment.md
+++ b/memdocs/intune/enrollment/quickstart-setup-auto-enrollment.md
@@ -11,7 +11,7 @@ ms.service: microsoft-intune
 ms.subservice: enrollment
 ms.localizationpriority: high
 ms.topic: quickstart
-ms.date: 5/10/2024
+ms.date: 10/03/2024
 # optional metadata
@@ -50,13 +50,13 @@ If you don't have an Intune subscription, [sign up for a free trial account](../
 - [Create a group](../fundamentals/quickstart-create-group.md).
 - [Have Microsoft Entra ID P1 or P2](/azure/active-directory/active-directory-get-started-premium) or the [Premium trial subscription](https://go.microsoft.com/fwlink/?LinkID=816845). You can activate a free Premium trial subscription during setup.
-To configure automatic MDM enrollment, you must be an [Intune Administrator](/entra/identity/role-based-access-control/permissions-reference#intune-administrator). If you signed up for an Intune Trial subscription at the beginning of this quickstart, your account has [Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) permissions and can complete all procedures in this article.
+To configure automatic MDM enrollment, you must be a [Microsoft Entra Global Administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator). If you signed up for a Microsoft Intune Trial subscription at the beginning of this quickstart, your account has Global Administrator permissions and can complete all procedures in this article.
 ## Set up automatic enrollment
 For this example, you'll configure Microsoft Intune mobile device management (MDM) enrollment settings so that corporate-owned and personal devices automatically enroll in Microsoft Intune. *MDM user scope* enables automatic enrollment for Microsoft Intune device management.
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) go to **Devices** > **Enrollment**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**.
 2. Go to the **Windows** tab. Then select **Automatic Enrollment**.
 > [!IMPORTANT]
diff --git a/memdocs/intune/enrollment/web-based-device-enrollment-ios.md b/memdocs/intune/enrollment/web-based-device-enrollment-ios.md
index 715907e26c7..442dedd32ed 100644
--- a/memdocs/intune/enrollment/web-based-device-enrollment-ios.md
+++ b/memdocs/intune/enrollment/web-based-device-enrollment-ios.md
@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 05/15/2024
+ms.date: 09/23/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -81,14 +81,14 @@ When an employee attempts to sign into a work app on their personal device, the
 Alternatively, you can provide employees and students with a URL that opens the Company Portal website. If you aren't utilizing conditional access, it's important to share the enrollment link with device users so that they know how to initiate enrollment. The link to share is:
- `portal.manage.microsoft.com/conditionalaccess/enrollment`
+ `https://portal.manage.microsoft.com/enrollment/webenrollment/ios`
 This section provides the high-level enrollment steps for device users. We recommend using this information in your organization's device onboarding documentation or for troubleshooting and support.
 >[!IMPORTANT]
 > Safari browser is the only supported browser for this type of enrollment, and is needed to download the management profile and complete enrollment. If a user's default browser is anything other than Safari, they will need to copy the enrollment link and paste it into a Safari browser to initiate enrollment. After they complete enrollment, users can return to their preferred browser.
-1. Open Safari and go to [https://portal.manage.microsoft.com/conditionalaccess/enrollment](https://portal.manage.microsoft.com/conditionalaccess/enrollment). Sign in with your work or school account.
+1. Open Safari and go to [https://portal.manage.microsoft.com/enrollment/webenrollment/ios](https://portal.manage.microsoft.com/enrollment/webenrollment/ios). Sign in with your work or school account.
 2. When prompted to, download the management profile. Wait in Safari while Company Portal downloads the management profile.
 3. Go to your device settings app to view and install the management profile.
 4. Wait until Microsoft Authenticator is installed on the device before signing into a work or school app. The device won't be ready for work use until Authenticator is on the device, which can take a few minutes.
To verify that Authenticator installed, open your device settings and go to **Profile** > **Management Profile** > **Single Sign On Extension**. Authenticator should be listed as the SSO extension.
diff --git a/memdocs/intune/enrollment/windows-enroll.md b/memdocs/intune/enrollment/windows-enroll.md
index e840100b3a4..0c810d8fcb2 100644
--- a/memdocs/intune/enrollment/windows-enroll.md
+++ b/memdocs/intune/enrollment/windows-enroll.md
@@ -59,13 +59,13 @@ This article describes how to enable automatic mobile device management (MDM) en
 You must have:
 - A [Microsoft Entra ID P1 or P2 subscription](/azure/active-directory/active-directory-get-started-premium) or [Premium trial subscription](https://go.microsoft.com/fwlink/?LinkID=816845) for automatic MDM enrollment and custom company branding.
 - A Microsoft Intune subscription.
-- A Microsoft Entra Global Administator or Intune Administrator role. For more information about role-based-access-control (RBAC), see [RBAC with Microsoft Intune](../fundamentals/role-based-access-control.md).
+- A Microsoft Entra Global Administrator role. For more information about role-based-access-control (RBAC), see [RBAC with Microsoft Intune](../fundamentals/role-based-access-control.md).
 [!INCLUDE [AAD-enrollment](../includes/win10-automatic-enrollment-aad.md)]
 ## Support for device users
-The Microsoft Intune user-help docs provide conceptual information, tutorials, and how-to guides for employees and students setting up their devices for work. You can point people directly to the Intune docs, or use these articles as guidance when developing and updating your own device management docs.
+The Microsoft Intune user help docs provide conceptual information, tutorials, and how-to guides for employees and students setting up their devices for work. You can point people directly to the Intune docs, or use these articles as guidance when developing and updating your own device management docs.
 Users on personal devices running Windows 11 or Windows 10 can automatically enroll by adding their work or school account on their device, or by using the Intune Company Portal app. Devices running earlier versions of Windows must enroll using the Intune Company Portal app. For more information, see [Enroll Windows 10/11 devices](../user-help/enroll-windows-10-device.md).
diff --git a/memdocs/intune/fundamentals/account-sign-up.md b/memdocs/intune/fundamentals/account-sign-up.md
index 0acdf36b454..90a6b299baa 100644
--- a/memdocs/intune/fundamentals/account-sign-up.md
+++ b/memdocs/intune/fundamentals/account-sign-up.md
@@ -7,7 +7,7 @@ keywords:
 author: Smritib17
 ms.author: smbhardwaj
 manager: dougeby
-ms.date: 06/20/2024
+ms.date: 10/02/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -43,6 +43,8 @@ If you already have a work or school account, **sign in** with that account and
 >[!WARNING]
 >You can't combine an existing work or school account after you sign up for a new account.
+[!INCLUDE [MFA requirement for admin center](../includes/mfa-console.md)]
+
 ## How to sign up for Intune
 1. Visit the [Intune Sign up page](https://admin.microsoft.com/Signup/Signup.aspx?OfferId=40BE278A-DFD1-470a-9EF7-9F2596EA7FF9&dl=INTUNE_A&ali=1#0%20).
diff --git a/memdocs/intune/fundamentals/android-os-project-supported-devices.md b/memdocs/intune/fundamentals/android-os-project-supported-devices.md
index f91e1890bee..0361383d0a3 100644
--- a/memdocs/intune/fundamentals/android-os-project-supported-devices.md
+++ b/memdocs/intune/fundamentals/android-os-project-supported-devices.md
@@ -7,7 +7,7 @@ keywords:
 author: Smritib17
 ms.author: smbhardwaj
 manager: dougeby
-ms.date: 03/01/2024
+ms.date: 10/15/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -43,6 +43,7 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu
 |**OEM** | **Device** | **Minimum Firmware** | **Type of Device** | **Restrictions** |
 | ------- | -------------------| ------------------- | -------------- | ------------------ |
+| HTC | Vive Focus Vision | 7.0.999.159 | AR/VR Headset | |
 | HTC | HTC Vive Focus 3 | 5.2 - 5.0.999.624 | AR/VR Headset | |
 | HTC | HTC Vive XR Elite | 4.0 - 1.0.999.350 | AR/VR Headset | |
 | Meta | Quest 2 | v49 | AR/VR Headset | [Available in select regions only](https://work.meta.com/help/307276701907179) |
@@ -55,3 +56,5 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu
 | Realwear| Navigator 500 | 1.1 | AR/VR Headset | |
 | Lenovo| ThinkReality VRX | VRX_user_S766001_2310192349_kona | AR/VR Headset | |
 | DigiLens Inc.| DigiLens ARGO | DigiOS 2068 (B1.0001.2068) | AR/VR Headset | |
+| Vuzix | M400 | M-Series Version 3.0.2 | AR/VR Headset | |
+| Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | |
\ No newline at end of file
diff --git a/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md b/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
index f1c0a8d5e7c..9796042f2b2 100644
--- a/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
+++ b/memdocs/intune/fundamentals/cloud-configuration-setup-guide.md
@@ -287,18 +287,9 @@ The script is deployed to devices using in Intune. To add and deploy the script,
 #### Microsoft Store app
-If you previously removed the Microsoft Store app, you can redeploy it using Microsoft Intune. To re-add the Microsoft Store app (or any other apps you want to re-add), add the Microsoft Store app to your private organization app repository. Then, deploy the app to devices using Intune. The Microsoft Store app helps keep apps updated.
+If you previously removed the Microsoft Store app, you can redeploy it using Microsoft Intune. To re-add the Microsoft Store app (or any other apps you want to re-add), add the Microsoft Store app to your private organization app repository. Then, deploy the app to devices using Intune. The Microsoft Store app helps keep apps updated. For information about how to configure access to the Microsoft Store app, see [Manage access to private store](/microsoft-store/manage-access-to-private-store).
-Your private organization app repository can be:
-
-- The Intune Company Portal app or website (preferred)
-
-- Microsoft Store for Business or Microsoft Store for Education
-
- Previously, the Microsoft Store app had a Microsoft Store for Business tab. This tab is removed. If you use Microsoft Store for Business, then to access your private app repository, go to the [Microsoft Store for Business website](https://businessstore.microsoft.com/). For more information, go to [Manage access to private store](/microsoft-store/manage-access-to-private-store).
-
- > [!NOTE]
- > The Microsoft Store for Business and Microsoft Store for Education will be retired. For more information, go to [Microsoft Store for Business and Microsoft Store for Education](/microsoft-store/microsoft-store-for-business-overview).
+Your private organization app repository can be the Intune Company Portal app or website.
 Using Intune, on Windows 10/11 Enterprise and Education devices, you can block end users from installing Microsoft Store apps outside of your organization's private app repository.
diff --git a/memdocs/intune/fundamentals/deployment-guide-enroll.md b/memdocs/intune/fundamentals/deployment-guide-enroll.md
index a4d22eff85b..ef72e3c7235 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enroll.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enroll.md
@@ -141,7 +141,7 @@ The following tabs describe the Intune-supported Android and AOSP enrollment opt
 * [Corporate-owned, userless devices](../enrollment/android-aosp-corporate-owned-userless-enroll.md): Enroll devices that are built from the Android Open Source Project (AOSP) and absent of Google Mobile services as *corporate-owned, userless devices*. These devices don't have a user associated with them and are intended to be shared, like in a library or lab.
 * [Corporate-owned, user associated devices](../enrollment/android-aosp-corporate-owned-user-associated-enroll.md): Enroll devices that are built from AOSP and absent of Google Mobile services as *corporate-owned, user-associated devices*. These devices are associated with a single user and intended to be exclusively for work use.
-* [Zero-touch enrollment](../enrollment/android-dedicated-devices-fully-managed-enroll.md#enroll-by-using-google-zero-touch): We recommend using zero-touch enrollment for bulk enrollments and to simplify enrollment for remote workers. This method lets you prepare corporate-owned devices ahead of time so that they automatically provision and enroll as fully manged devices when users turn them on.
+* [Zero-touch enrollment](../enrollment/android-dedicated-devices-fully-managed-enroll.md#enroll-by-using-google-zero-touch): We recommend using zero-touch enrollment for bulk enrollments and to simplify enrollment for remote workers. This method lets you prepare corporate-owned devices ahead of time so that they automatically provision and enroll as fully managed devices when users turn them on.
 # [User owned](#tab/user-owned-android)
diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md
index 22d19142aa6..f2f4ec2cd4a 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-ios-ipados.md
@@ -214,7 +214,7 @@ When you create an enrollment profile in the [Intune admin center](https://go.mi
 5. If you don't **Install Company Portal app with VPP**, and want to use the Company Portal app, then:
- 1. Users sign in to the Apple app store with their Apple ID (`user@iCloud.com` or `user@gmail.com`). When they sign in, the Company Portal app automatically installs.
+ 1. Users sign in to the Apple App Store with their Apple ID (`user@iCloud.com` or `user@gmail.com`). When they sign in, the Company Portal app automatically installs.
 This extra sign-in step slows the enrollment, especially if users don't sign in immediately.
@@ -222,7 +222,7 @@ When you create an enrollment profile in the [Intune admin center](https://go.mi
 2. Users open the Company Portal app, and sign in with their work or school account (`user@contoso.com`) again. They complete Microsoft Entra registration in the Company Portal app, which fully registers the device with Microsoft Entra ID. At the next check-in, users gain access to corporate resources protected by Conditional Access policies.
-- **Enroll without user affinity**: No actions. Be sure they don't install the Company Portal app from the Apple app store.
+- **Enroll without user affinity**: No actions. Be sure they don't install the Company Portal app from the Apple App Store.
 :::image type=\"content\" source=\"./media/deployment-guide-enrollment-ios-ipados/ade-enroll-without-user-affinity.png\" alt-text=\"In the Intune admin center and Microsoft Intune, enroll iOS/iPadOS devices using automated device enrollment (ADE). Select enroll without user affinity.\":::
@@ -305,7 +305,7 @@ This task list provides an overview. For more specific information, go to [Apple
 - If you choose **Enroll without user affinity**, then you're automatically using **Direct enrollment**. Remember:
 - You're using the settings from an existing macOS enrollment profile.
- - Users can't use apps that require a user, including the Company Portal app. The Company Portal app isn't used, needed, or supported on enrollments without user affinity. Be sure users don't install the Company Portal app from the Apple app store.
+ - Users can't use apps that require a user, including the Company Portal app. The Company Portal app isn't used, needed, or supported on enrollments without user affinity. Be sure users don't install the Company Portal app from the Apple App Store.
 - When the enrollment profile is ready, USB connect the devices to the Mac, and open the **Apple Configurator** app. When the app opens, it detects the USB connected device, and deploys the Intune enrollment profile you created.
@@ -340,7 +340,7 @@ The tasks depend on the option you configured in the enrollment profile.
 2. The Setup Assistant prompts the user for information, including the Apple ID (`user@iCloud.com` or `user@gmail.com`). This step pushes the Intune management profile to the device.
 3. Users install the management profile. The profile checks in with the Intune service, and enrolls the device. The device isn't registered in Microsoft Entra ID.
-- **Enroll without user affinity**: You're using Direct enrollment. No actions. Be sure they don't install the Company Portal app from the Apple app store.
+- **Enroll without user affinity**: You're using Direct enrollment. No actions. Be sure they don't install the Company Portal app from the Apple App Store.
 :::image type=\"content\" source=\"./media/deployment-guide-enrollment-ios-ipados/configurator-enroll-without-user-affinity.png\" alt-text=\"In the Intune admin center and Microsoft Intune, enroll iOS/iPadOS devices using Apple Configurator. Select enroll without user affinity.\":::
@@ -350,9 +350,9 @@ The tasks depend on the option you configured in the enrollment profile.
 These iOS/iPadOS devices are personal or BYOD (bring your own device) devices that can access organization email, apps, and other data. Starting with iOS 13 and newer, this enrollment option targets users or targets devices. It doesn't require resetting the devices.
-When you create the enrollment profile, you're asked to choose **User enrollment with Company Portal**, **Device enrollment with Company Portal**, **Account driven user enrollment**, or **Determine based on user choice**.
+When you create the enrollment profile, you're asked to choose **Device enrollment with Company Portal**, **Account driven user enrollment**, or **Determine based on user choice**.
-For the specific enrollment steps, and its prerequisites, go to [Set up iOS/iPadOS user enrollment](../enrollment/ios-user-enrollment.md) and [Set up iOS/iPadOS device enrollment](../enrollment/ios-device-enrollment.md).
+For the specific enrollment steps, and its prerequisites, go to [Set up account driven user enrollment](../enrollment/apple-account-driven-user-enrollment.md) and [Set up iOS/iPadOS device enrollment](../enrollment/ios-device-enrollment.md).
 ---
 | Feature | Use this enrollment option when |
@@ -371,7 +371,7 @@ For the specific enrollment steps, and its prerequisites, go to [Set up iOS/iPad
 ### User and Device enrollment administrator tasks
-This task list provides an overview. For more specific information, go to [Set up iOS/iPadOS and iPadOS User Enrollment](../enrollment/ios-user-enrollment.md).
+This list provides an overview of the tasks required of administrators.
 - Be sure your devices are [supported](supported-devices-browsers.md).
 - Be sure the [Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md) is added to Intune, and is active. This certificate is required to enroll iOS/iPadOS devices. For more information, go to [Get an Apple MDM push certificate](../enrollment/apple-mdm-push-certificate-get.md).
@@ -387,26 +387,26 @@ This task list provides an overview. For more specific information, go to [Set u
 - **Determine based on user choice**: Gives end users a choice when they enroll. Depending on their selection, **User enrollment** or **Device enrollment** is used.
- - **User enrollment**: Starting with iOS 13 and newer. This option configures a specific set of features and organization apps, like password, per-app VPN, Wi-Fi, and Siri. If you use User enrollment, and to help secure apps and their data, then we recommend also using app protection policies.
+ - **Account driven user enrollment**: Starting with iOS 13 and newer. This option configures a specific set of features and organization apps, like password, per-app VPN, Wi-Fi, and Siri. If you use this method, and to help secure apps and their data, then we recommend also using app protection policies.
- For the complete list of what you can and can't do, go to [Intune actions and options supported with Apple User Enrollment](../enrollment/ios-user-enrollment-supported-actions.md). For the specific user enrollment steps, go to [Set up iOS/iPadOS User Enrollment](../enrollment/ios-user-enrollment.md).
+ For the complete list of what you can and can't do, go to [Overview of Apple User Enrollment in Microsoft Intune](../enrollment/ios-user-enrollment-supported-actions.md).
 > [!NOTE]
 > BYOD can become organization-owned devices. To make these devices corporate, go to [Identify devices as corporate-owned](../enrollment/corporate-identifiers-add.md).
- User enrollment is considered friendlier to end users. But, it might not provide the feature set and security features administrators need. In some scenarios, user enrollment might not be the best option. Consider the following scenarios:
+ Account driven user enrollment is considered friendlier to end users. But, it might not provide the feature set and security features administrators need.
In some scenarios, account driven user enrollment might not be the best option. Consider the following scenarios:
- - Account driven user enrollment creates a work partition on the devices. The features and security you configure in the user enrollment profile only exist in the work partition. They don't exist in the user partition. Users can't factory reset the work partition; administrators can. Users can factory reset the personal partition; administrators can't.
+ - Account driven user enrollment creates a work partition on the devices. The features and security you configure in the user enrollment profile only exist in the work partition. They don't exist in the user partition. Users can't factory reset the work partition; administrators can. Users can factory reset the personal partition; administrators can't.
- - If users primarily use Microsoft apps, or use apps created with the [Intune App SDK](../developer/app-sdk.md), then users should download these apps from the Apple app store. Then, use app protection policies to protect these apps. In this scenario, you don't need user enrollment.
+ - If users primarily use Microsoft apps, or use apps created with the [Intune App SDK](../developer/app-sdk.md), then users should download these apps from the Apple App Store. Then, use app protection policies to protect these apps. In this scenario, you don't need account driven user enrollment.
- - For line of business (LOB) apps, user enrollment might be an option, as it deploys these apps to the work partition. Application management (MAM) doesn't support LOB apps. So if you need LOB apps, then use User Enrollment.
+ - For line of business (LOB) apps, account driven user enrollment might be an option, as it deploys these apps to the work partition. Application management (MAM) doesn't support LOB apps. So if you need LOB apps, then use account driven user enrollment.
- - When devices are enrolled using user enrollment, you can't switch to device enrollment.
With user enrollment, you can't move an app from unmanaged to managed. Users must unenroll from user enrollment, and then re-enroll to device enrollment.
+ - When devices are enrolled using account driven user enrollment, you can't switch to device enrollment. With account driven user enrollment, you can't move an app from unmanaged to managed. Users must unenroll from user enrollment, and then re-enroll to device enrollment.
 - If you install apps before the user enrollment profile is applied, then these apps aren't protected or managed by the user enrollment profile.
- For example, a user downloads the Outlook app from the Apple app store. The app automatically installs to the user partition on the device. The user configures Outlook for their personal email. When users configure their organization email, they're blocked by Conditional Access, and asked to enroll. They enroll, and a user enrollment profile deploys.
+ For example, a user downloads the Outlook app from the Apple App Store. The app automatically installs to the user partition on the device. The user configures Outlook for their personal email. When users configure their organization email, they're blocked by Conditional Access, and asked to enroll. They enroll, and a user enrollment profile deploys.
 Since the Outlook app was installed before the user enrollment profile, the user enrollment profile fails. The Outlook app can't be managed because it's installed and configured in the user partition, not the work partition. Users must manually uninstall the Outlook app.
@@ -414,18 +414,18 @@ This task list provides an overview. For more specific information, go to [Set u
 - Assign the enrollment profile to user groups. Don't assign to device groups.
-### User and Device enrollment end user tasks
+### Device enrollment end user tasks
-Your users must do the following steps. For the specific user experience, go to [enroll the device](../user-help/enroll-your-device-in-intune-ios.md).
+Your users must do the following steps.
-1. Go to the Apple app store, and [install the Intune Company Portal app](../user-help/sign-in-to-the-company-portal.md).
-2. Open the Company Portal app, and sign in with their organization credentials (`user@contoso.com`). After they sign in, your enrollment profile applies to the device.
+1. Go to the Apple App Store, and [install the Intune Company Portal app](../user-help/sign-in-to-the-company-portal.md).
+2. Open the Company Portal app, and sign in with their work or school account (`user@contoso.com`). After they sign in, your enrollment profile applies to the device.
- Users might have to enter more information. For more specific steps, go to [enroll the device](../user-help/enroll-your-device-in-intune-ios.md).
+ Users might have to enter more information. For more specific steps, go to [enroll the device](../user-help/enroll-your-device-in-intune-ios.md).
 Users with enabled app notifications receive a prompt to return to the Company Portal app to complete the required device registration. Users with disabled app notifications aren't alerted to this requirement. If you're utilizing dynamic groups, which rely on device registration to work, it's important that users complete device registration. Plan to communicate these steps to end users. If you're using Conditional Access (CA) policies, no action is required because any CA-protected app users try to sign into will prompt them to return to Company Portal to complete device registration.
-When enrollment completes, Intune automatically installs a profile signing certificate on the device. This certificate is valid for one year. At the year end when the certificate is expiring, Intune renews the certificate. If this renew process fails, then on the device, the **Settings** app > **General** > **VPN & Device management** > **Management Profile** status shows **Not verified**. With this status, end users aren't impacted, and devices continue to check-in with Intune and receive policy updates.
+When enrollment completes, Intune automatically installs a profile signing certificate on the device. This certificate is valid for one year. At the year end when the certificate is expiring, Intune renews the certificate. If renewal fails, then a **Not verified** status appears within the **VPN & Device management** > **Management Profile** settings on the device. With this status, end users aren't impacted, and devices continue to check-in with Intune and receive policy updates.
 [!INCLUDE [users-dont-like-enroll](../includes/users-dont-like-enroll.md)]
@@ -434,6 +434,19 @@ When enrollment completes, Intune automatically installs a profile signing certi
 >
 > [Enroll your iOS/iPadOS device](https://www.youtube.com/watch?v=mJyv6YcHi7c)
+### User enrollment end user tasks
+
+Your users must complete the following steps during account driven user enrollment.
+
+1. Open the Settings app and go to **General** > **VPN & Device Management**.
+2. Sign in to their work or school account.
+4. Follow the onscreen prompts and allow remote management.
+5. Enter the device passcode to set up remote management.
+
+When enrollment completes, Intune automatically installs a profile signing certificate on the device. This certificate is valid for one year. At the year end when the certificate is expiring, Intune renews the certificate. If renewal fails, then a **Not verified** status appears within the **VPN & Device management** > **Management Profile** settings on the device. With this status, end users aren't impacted, and devices continue to check in with Intune and receive policy updates.
+
+For more information about the user experience, go to [Prepare employees for enrollment](../enrollment/apple-account-driven-user-enrollment.md#step-3-prepare-employees-for-enrollment).
+
 ## Related articles
 - [MAM](deployment-guide-enrollment-mamwe.md)
diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment.md b/memdocs/intune/fundamentals/deployment-guide-enrollment.md
index 1924b7bf387..0556bfafa2d 100644
--- a/memdocs/intune/fundamentals/deployment-guide-enrollment.md
+++ b/memdocs/intune/fundamentals/deployment-guide-enrollment.md
@@ -146,7 +146,7 @@ On the platforms that don't require a factory reset, when these devices enroll i
 There's an enrollment guide for every platform. Choose your scenario, and get started:
-- [Application management without enrollment (MAM-WE)](deployment-guide-enrollment-mamwe.md)
+- [Application management without enrollment](deployment-guide-enrollment-mamwe.md)
 - [Android](deployment-guide-enrollment-android.md)
 - [iOS/iPadOS](deployment-guide-enrollment-ios-ipados.md)
 - [Linux](deployment-guide-enrollment-linux.md)
diff --git a/memdocs/intune/fundamentals/deployment-plan-protect-apps.md b/memdocs/intune/fundamentals/deployment-plan-protect-apps.md
index 75252fe7e0f..73427bba58d 100644
--- a/memdocs/intune/fundamentals/deployment-plan-protect-apps.md
+++ b/memdocs/intune/fundamentals/deployment-plan-protect-apps.md
@@ -32,7 +32,7 @@ The next step when deploying Intune is to add and protect apps that access organ
 :::image type="content" source="./media/deployment-plan-protect-apps/deployment-plan-add-apps.png" alt-text="Diagram that shows getting started with Microsoft Intune with step 2, which is adding and protect apps using Microsoft Intune.":::
-Managing applications on devices in your organization is a central part to a secure and productive enterprise ecosystem. You can use Microsoft Intune to manage the apps that your company's workforce uses. By managing apps, you help control which apps your company uses, as well as the configuration and protection of the apps. This functionality is called mobile application management (MAM). MAM in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and personal devices. When it is used with personal devices, only organization-related access and data is managed. This type of app management is called MAM without enrollment (MAM-WE), or from an end-user perspective, bring your own device (BYOD).
+Managing applications on devices in your organization is a central part to a secure and productive enterprise ecosystem. You can use Microsoft Intune to manage the apps that your company's workforce uses. By managing apps, you help control which apps your company uses, as well as the configuration and protection of the apps. This functionality is called mobile application management (MAM). MAM in Intune is designed to protect organization data at the application level, including custom apps and store apps. App management can be used on organization-owned devices and personal devices. When it is used with personal devices, only organization-related access and data is managed. This type of app management is called MAM without enrollment, or from an end-user perspective, bring your own device (BYOD).
 ## MAM configurations
@@ -45,7 +45,7 @@ Microsoft Intune supports two MAM configurations: ### MAM without device management -This configuration allows your organization's apps to be managed by Intune, but doesn't enroll the devices to be managed by Intune. This configuration is commonly referred to as **MAM without device enrollment**, or **MAM-WE**. IT administrators can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune mobile-device management (MDM). +This configuration allows your organization's apps to be managed by Intune, but doesn't enroll the devices to be managed by Intune. This configuration is commonly referred to as **MAM without device enrollment**. IT administrators can manage apps using MAM by using Intune configuration and protection policies on devices not enrolled with Intune mobile-device management (MDM). > [!NOTE] > This configuration includes managing apps with Intune on devices enrolled with third-party enterprise mobility management (EMM) providers. You can use Intune app protection policies independent of any MDM solution. This independence helps you protect your company's data with or without enrolling devices in a device management solution. By implementing app-level policies, you can restrict access to company resources and keep data within the purview of your IT department. diff --git a/memdocs/intune/fundamentals/education-settings-configure-ios.md b/memdocs/intune/fundamentals/education-settings-configure-ios.md index 17020f81d9a..2bd57b06222 100644 --- a/memdocs/intune/fundamentals/education-settings-configure-ios.md +++ b/memdocs/intune/fundamentals/education-settings-configure-ios.md 
@@ -162,7 +162,7 @@ When you're finished configuring certificates, choose **OK**. The profile is created and appears on the profiles list pane. -Assign the profile to student devices in the classroom groups that were created when you synchronized your school data with Microsoft Entra ID (see [How to assign device profiles](../configuration/device-profile-assign.md). +Assign the profile to student devices in the classroom groups that were created when you synchronized your school data with Microsoft Entra ID (see [How to assign device profiles](../configuration/device-profile-assign.md)). ## Next steps diff --git a/memdocs/intune/fundamentals/free-trial-sign-up.md b/memdocs/intune/fundamentals/free-trial-sign-up.md index f9fc5c0bbea..9521ef85f54 100644 --- a/memdocs/intune/fundamentals/free-trial-sign-up.md +++ b/memdocs/intune/fundamentals/free-trial-sign-up.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 05/13/2024 +ms.date: 10/02/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -54,6 +54,8 @@ Trying out Intune is free for 30 days. If you already have a work or school acco > [!IMPORTANT] > You can't combine an existing work or school account after you sign up for a new account. +[!INCLUDE [MFA requirement for admin center](../includes/mfa-console.md)] + To sign up for the Microsoft Intune free trial, follow the steps below: 1. Navigate to the [Intune set up account page](https://go.microsoft.com/fwlink/?linkid=2019088). diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index f7b0db850cb..4e975e33bbc 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md @@ -7,7 +7,7 @@ keywords: author: dougeby ms.author: dougeby manager: dougeby -ms.date: 08/23/2024 +ms.date: 10/29/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
@@ -77,20 +77,13 @@ EPM is available as an [Intune Suite add-on-capability](../fundamentals/intune-a ## App management -### New UI for Intune Company Portal app for Windows +### Additional reporting details for LOB apps on AOSP devices -The UI for the Intune Company Portal app for Windows will be updated. Users will be able to use the same functionality they’re used to with an improved experience for their desktop app. With the updated design, users will see improvements in user experience for the **Home**, **Devices**, and **Downloads & updates** pages. The new design will be more intuitive and will highlights areas where users need to take action. - -For more information, see [New look for Intune Company Portal app for Windows](https://techcommunity.microsoft.com/t5/intune-customer-success/new-look-for-intune-company-portal-app-for-windows/ba-p/4158755). - -### Working Time settings for Microsoft Teams - -Working time settings will allow you to enforce policies that limit access and to mute notifications received during non-working time on Microsoft Teams app. You'll be able to limit access by using App Protection Policies (APP) to block end users from using the iOS/iPadOS or Android Teams app during non-working time. Also, you'll be able to create a non-working time policy to mute notifications from the Teams app to end users during non-working time. +Additional details will be provided for app installation reporting of Line of Business (LOB) apps on Android Open Source Project (AOSP) devices. You will be able to see error codes and detailed error messages for LOB apps. For information about app status details, see [Monitor app information and assignments with Microsoft Intune](../apps/apps-monitor.md). Applies to: -- Android -- iOS/iPadOS +- Android Open Source Project (AOSP) devices ### Added protection for iOS/iPadOS app widgets 
@@ -104,214 +97,112 @@ Applies to: ## Device configuration -### New settings available in the Apple settings catalog - -The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, go to [Create a policy using settings catalog](../configuration/settings-catalog.md). - -There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type. - -#### iOS/iPadOS - -**Declarative Device Management (DDM) > Math Settings**: - -- Calculator - - Basic Mode - - Math Notes Mode - - Scientific Mode - -- System Behavior - - Keyboard Suggestions - - Math Notes - -**Restrictions**: - -- Allow Personalized Handwriting Results -- Allow Video Conferencing Remote Control -- Allow Genmoji -- Allow Image Playground -- Allow Image Wand -- Allow iPhone Mirroring -- Allow Writing Tools - -**Web Content Filter**: - -- Hide Deny List URLs - -#### macOS - -**Declarative Device Management (DDM) > Math Settings**: - -- Calculator - - Basic Mode - - Math Notes Mode - - Programmer Mode - - Scientific Mode - -- System Behavior - - Keyboard Suggestions - - Math Notes - -**Restrictions**: - -- Allow Genmoji -- Allow Image Playground -- Allow iPhone Mirroring -- Allow Writing Tools - -**System Configuration > System Extensions**: +### Device Firmware Configuration Interface (DFCI) support for Samsung devices -- Non Removable From UI System Extensions -- Non Removable System Extensions +We're adding support to use DFCI profiles to manage UEFI (BIOS) settings for Samsung devices that run Windows 10 or Windows 11. Not all Samsung devices running Windows are enabled for DFCI. 
Contact your device vendor or device manufacturer for eligible devices. - -### Device Firmware Configuration Interface (DFCI) supports VAIO devices - -For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type. - -Some VAIO devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices. - -For more information about DFCI profiles, see: +You can manage DFCI profiles from within the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by going to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type. For more information about DFCI profiles, see: - [Configure Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune](../configuration/device-firmware-configuration-interface-windows.md) - [Device Firmware Configuration Interface (DFCI) management with Windows Autopilot](../../autopilot/dfci-management.md) Applies to: -- Windows 10 -- Windows 11 - -### Samsung ended support for multiple Android device administrator (DA) settings - -On Android device administrator managed (DA) devices, Samsung has deprecated many [Samsung Knox APIs](https://docs.samsungknox.com/dev/knox-sdk/api-reference/deprecated-api-methods/) (opens Samsung's web site) configuration settings. 
- -In Intune, this deprecation impacts the following device restrictions settings, compliance settings and trusted certificate profiles: +- Windows -- [Device restriction settings for Android in Microsoft Intune](../configuration/device-restrictions-android.md) -- [View the Android device administrator compliance settings for Microsoft Intune compliance policies](../protect/compliance-policy-create-android.md) -- [Create trusted certificate profiles in Microsoft Intune](../protect/certificates-trusted-root.md#trusted-certificate-profiles-for-android-device-administrator) +### New settings for Windows 24H2 in the Windows settings catalog -In the Intune admin center, when you create or update a profile with these settings, the impacted settings are noted. +The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. You can view these Windows settings in the Microsoft Intune admin center by going to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later for platform** > **Settings catalog** for profile type. -Though the functionality might continue to work, there's no guarantee that it will continue working for any or all Android DA versions supported by Intune. For more information on Samsung support for deprecated APIs, see [What kind of support is offered after an API is deprecated?](https://docs.samsungknox.com/dev/knox-sdk/faqs/general/deprecated-api-support-change.htm) (opens Samsung's web site). 
- -Instead, you can manage Android devices with Intune using one of the following Android Enterprise options: - -- [Set up enrollment of Android Enterprise personally owned work profile devices](../enrollment/android-work-profile-enroll.md) -- [Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile](../enrollment/android-corporate-owned-work-profile-enroll.md) -- [Set up enrollment for Android Enterprise fully managed devices](../enrollment/android-fully-managed-enroll.md) -- [Set up Intune enrollment of Android Enterprise dedicated devices](../enrollment/android-kiosk-enroll.md) -- [App protection policies overview](../apps/app-protection-policy.md) +We're working on the addition of new settings for Window 24H2. Applies to: -- Android device administrator (DA) - -### Consent prompt update for remote log collection +- Windows -End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users will no longer see a common prompt from Intune and will only see a prompt from the application if it has one. +### New settings available in the Apple settings catalog -Applies to: - -- Android -- iOS/iPadOS +The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md). - +We're adding new settings to the Settings Catalog. To view available settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type. 
-## Device enrollment - -### New Setup Assistant screens available for configuration - -New Setup Assistant screens will be available to configure in the Microsoft Intune admin center. You can hide or show these screens during automated device enrollment. - -For macOS: - -- **Wallpaper**: Show or hide the macOS Sonoma wallpaper setup pane that appears after an upgrade on devices running macOS 14 and later. -- **Lockdown mode**: Show or hide the macOS lockdown mode setup pane on devices running macOS 14 and later. -- **Intelligence**: Show or hide the intelligence setup pane on devices running macOS 15 and later. +#### iOS/iPadOS -For iOS/iPadOS: +**Restrictions**: -- **Emergency SOS**: Show or hide the safety (emergency SOS) setup pane on devices running iOS/iPadOS 16 and later. -- **Action button**: Show or hide the action button setup pane on devices running iOS/iPadOS 17 and later. -- **Intelligence**: Show or hide the intelligence setup pane on devices running iOS/iPadOS 18 and later. +- Allow Apps To Be Hidden +- Allow Apps To Be Locked +- Allow Call Recording +- Allow Mail Summary +- Allow RCS Messaging -You can configure these screens in new and existing enrollment policies. +##### macOS -Applies to: +**Declarative Device Management (DDM) > Math Settings**: -- iOS/iPadOS -- macOS +- Calculator + - Input Mode - RPN -### Support ending for Apple User Enrollment with Company Portal +**Restrictions**: -After the release of iOS/iPadOS 18, Apple will no longer support profile-based Apple User Enrollment. As a result, Intune will end support for [user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md) shortly after the release of iOS/iPadOS 18. +- Allow Mail Summary +- Allow Media Sharing Modification -After Intune ends support for user enrollment with Company Portal: +The following settings have been deprecated by Apple and will be marked as deprecated in the Settings Catalog: -- Existing enrolled devices won't be impacted. 
-- Users won't be able to enroll devices if they're targeted with this enrollment profile type. -- Microsoft Intune technical support will be available for existing enrolled devices with this enrollment profile type. Technical support won't be available for new enrollments. +#### macOS -To prepare, use a different management method to enroll devices. We recommend account-driven Apple User Enrollment for similar functionality and an improved user experience. For a simpler enrollment experience, try web- based device enrollment. For more information, see: +**Security > Firewall**: -- [Set up account-driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md) -- [Set up web-based device enrollment for iOS/iPadOS](../enrollment/web-based-device-enrollment-ios.md) +- Enable Logging +- Logging Option -Applies to: + -- iOS/iPadOS + ## Device management -### Intune will support macOS 13.x as the minimum version - -With Apple's release of macOS 15 Sequoia, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 13 (Big Sur) and later. - -For more information on this change, see [Plan for change: Intune is moving to support macOS 13 and later](../fundamentals/whats-new.md#plan-for-change-intune-is-moving-to-support-macos-13-and-higher-later-this-year). +### Store macOS certificates in user keychain -> [!NOTE] -> macOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see [Support statement](https://aka.ms/Intune/macOS/ADE-DE-support). +Soon you'll have the option to store macOS certificates in the user keychain. Currently, Microsoft Intune automatically stores user and device certificates in the *device* keychain. The enhancement will strengthen system security, and will improve the user experience by reducing certificate prompts. 
Applies to: - macOS -### Intune supports iOS/iPadOS 16.x as the minimum version - -Later this year, we expect iOS18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release. +### Device Inventory for Windows -For more information on this change, see [Plan for change: Intune is moving to support iOS/iPadOS 16 and later](../fundamentals/whats-new.md#plan-for-change-intune-is-moving-to-support-iosipados-16-and-later). +Device inventory lets you collect and view additional hardware properties from your managed devices to help you better understand the state of your devices and make business decisions. -> [!NOTE] -> Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see [Support statement for supported versus allowed iOS/iPadOS versions for user-less devices](https://aka.ms/ADE_userless_support). +You'll soon be able to choose what you want to collect from your devices, using the catalog of properties and then view the collected properties in the Resource Explorer view. Applies to: -- iOS/iPadOS +- Windows (Corporate owned devices managed by Intune) ## Device security -### New disk encryption template for Personal Data Encryption - -We’re adding a new template named *Personal Data Encryption* (PDE) to endpoint security BitLocker policy. The new template configures the Windows PDE configuration service provider (CSP) that was introduced in Windows 11 22H2. +### Linux support for Endpoint detection and response exclusion settings -PDE is different than BitLocker. PDE encrypts individual files and content, instead of whole volumes and disks. You can use PDE with other encryption methods, such as BitLocker. 
+We are adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario. -Previously, the [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) was made available through the [Intune settings catalog](../fundamentals/whats-new-archive.md#turn-onoff-personal-data-encryption-on-windows-11-devices-using-the-settings-catalog). +The template will support settings related to global exclusion settings. Applicable to antivirus and EDR engines on the client, the settings can configure exclusions to stop associated real time protection EDR alerts for the excluded items. Exclusions can be defined by the file path, folder, or process explicitly defined by the admin in the policy. Applies to: -- Windows 11 +- Linux -### Defender for Endpoint security settings support in government cloud environments +### New Microsoft Tunnel readiness check for auditd package -Customer tenants in US Government Community Cloud (GCC) High, and Department of Defense (DoD) environments will soon be able to use Intune to manage the Defender security settings on the devices you’ve onboarded to Defender without enrolling those devices with Intune. This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md). +We're updating the [Microsoft Tunnel readiness tool](../protect/microsoft-tunnel-prerequisites.md#run-the-readiness-tool) to detect if the **auditd** package for Linux System Auditing (LSA) is installed on your Linux Server. When this check is in place, the mst-readiness tool will raise a warning if the audit package isn't installed. Auditing isn't a required prerequisite for the Linux Server, but recommended. 
+ +For more information on *auditd* and how to install it on your Microsoft Tunnel server, see [Linux system auditing](../protect/microsoft-tunnel-prerequisites.md#linux-system-auditing). -For more information about the Intune features supported in GCC High and DoD environments, see [Intune US Government service description](../fundamentals/intune-govt-service-description.md). ### Support for Intune Device control policy for devices managed by Microsoft Defender for Endpoint 
@@ -336,8 +227,41 @@ When this change takes effect, devices that are assigned this policy while manag - - +## Monitor and troubleshoot + +### New device actions for single device query + +We're adding the Intune remote device actions to Single device query to help you manage your devices remotely. From the device query interface, you'll be able to run device actions based on query results for faster and more efficient troubleshooting. + +Applies to: + +- Windows + +For more information, see: + +- [Device query in Microsoft Intune](../../analytics/device-query.md) +- [Run remote actions on devices with Microsoft Intune](../remote-actions/device-management.md) + +### Device Query for Multiple Devices + +We're adding Device query for multiple devices. This feature allows you to gain comprehensive insights about your entire fleet of devices using Kusto Query Language (KQL) to query across collected inventory data for your devices. + +Device query for multiple devices will be supported for devices running Windows 10 or later. This feature will be included as part of Advanced Analytics. + +Applies to: + +- Windows + +### ICCID will be inventoried for Android Enterprise Dedicated and Fully Managed + +We're adding the ability to view a device's ICCID number for devices enrolled as Android Enterprise Dedicated or Android Fully Managed. Admins can view ICCID numbers in their device inventory. + +When available, you can find the ICCID number for Android devices by navigating to **Devices** > **Android**. Select a device of interest. In the side panel, under **Monitor** select **Hardware**. The ICCID number will be in the **Network details** group. The ICCID number isn't supported for Android Corporate-Owned Work Profile devices. + +Applies to: + +- Android + diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 628bee2182f..60f00240b75 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md 
+++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 07/11/2024 +ms.date: 09/24/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: fundamentals @@ -48,7 +48,7 @@ To manage devices behind firewalls and proxy servers, you must enable communicat - For some tasks, Intune requires unauthenticated proxy server access to manage.microsoft.com, *.azureedge.net, and graph.microsoft.com. > [!NOTE] - > SSL traffic inspection is not supported for 'manage.microsoft.com', 'dm.microsoft.com', or the [Device Health Attestation (DHA) endpoints listed in the compliance section](#migrating-device-health-attestation-compliance-policies-to-microsoft-azure-attestation). + > SSL traffic inspection is not supported for '\*.manage.microsoft.com', '\*.dm.microsoft.com', or the [Device Health Attestation (DHA) endpoints listed in the compliance section](#migrating-device-health-attestation-compliance-policies-to-microsoft-azure-attestation). You can modify proxy server settings on individual client computers. You can also use Group Policy settings to change settings for all client computers located behind a specified proxy server. 
@@ -97,7 +97,7 @@ The data columns shown in the tables are: ID |Desc |Category |ER |Addresses |Ports -- |---------------------------------------------------------------- |---------------------|--- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------| -163 | Endpoint Manager client and host service| Allow
Required | False | `*.manage.microsoft.com`
`manage.microsoft.com`
`EnterpriseEnrollment.manage.microsoft.com`
`104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.71.199.64/28, 13.73.244.48/28, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28,13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 20.49.93.160/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29` | **TCP:** 80, 443| +163 | Intune client and host service| Allow
Required | False | `*.manage.microsoft.com`
`manage.microsoft.com`
`EnterpriseEnrollment.manage.microsoft.com`
`104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.71.199.64/28, 13.73.244.48/28, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28,13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 20.49.93.160/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29` | **TCP:** 80, 443| 172 | MDM Delivery Optimization | Default
Required | False | `*.do.dsp.mp.microsoft.com`
`*.dl.delivery.mp.microsoft.com`
| **TCP:** 80, 443| 170 | MEM - Win32Apps| Default
Required | False | `swda01-mscdn.manage.microsoft.com`
`swda02-mscdn.manage.microsoft.com`
`swdb01-mscdn.manage.microsoft.com`
`swdb02-mscdn.manage.microsoft.com`
`swdc01-mscdn.manage.microsoft.com`
`swdc02-mscdn.manage.microsoft.com`
`swdd01-mscdn.manage.microsoft.com`
`swdd02-mscdn.manage.microsoft.com`
`swdin01-mscdn.manage.microsoft.com`
`swdin02-mscdn.manage.microsoft.com` | **TCP:** 443| 97 | Consumer Outlook.com, OneDrive, Device authentication and Microsoft account | Default
Required | False | `account.live.com`
`login.live.com`
|**TCP:** 443 | @@ -105,7 +105,6 @@ ID |Desc |Category |ER |Addresses |Ports 189 | Dependency - Feature Deployment| Default
Required | False |`config.edge.skype.com`
| **TCP:** 443| - ### Autopilot dependencies ID |Desc |Category |ER |Addresses |Ports| @@ -318,9 +317,6 @@ Managed Windows devices using the Microsoft Store – either to acquire, install - licensing.mp.microsoft.com - storeedgefd.dsx.mp.microsoft.com -**Proxy configuration** -- [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-microsoft-store-for-business) - **Windows Update Agent:** For details, see the following resources: diff --git a/memdocs/intune/fundamentals/intune-govt-service-description.md b/memdocs/intune/fundamentals/intune-govt-service-description.md index eb9bc28b8b8..1db705490c7 100644 --- a/memdocs/intune/fundamentals/intune-govt-service-description.md +++ b/memdocs/intune/fundamentals/intune-govt-service-description.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 08/01/2024 +ms.date: 09/19/2024 ms.topic: article ms.service: microsoft-intune ms.suite: ems @@ -73,11 +73,12 @@ The following features are available and supported in Microsoft GCC High and/or | --- | --- | | Standard MDM features | ✅

You can use app policies, device configuration profiles, compliance policies, and more. | | Mobile Threat Defense (MTD) | ✅

Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices with MTD vendors that **also support** the GCC High environment can be used. When you sign in to a GCC High tenant, you see the connectors that are available in these environments. | +| Microsoft Defender for Endpoint security settings management (public preview)| ✅

On devices onboarded to Defender but not enrolled in Intune, you can use Intune endpoint security policies to manage Defender security settings. For more information on this feature, go to [Defender for Endpoint security settings management](../protect/mde-security-integration.md). | | Platform support | ✅

You can use the same operating systems - Android, AOSP, iOS/iPadOS, Linux, macOS, and Windows.

- **Android (AOSP)**: There are some device restrictions. For more information, go to [Supported operating systems and browsers in Intune - AOSP](supported-devices-browsers.md#android).
- **Linux**: Generally available (GA) in February 2024.| | Remote Help | ✅

Remote Help is supported in GCC on Android, macOS, and Windows devices. It's not supported in GCC High or DoD.

For more information on this feature, go to [Remote Help in Microsoft Intune](../fundamentals/remote-help.md). | | Windows Autopilot device preparation | ✅

Some features are available now, such as user-driven deployments, and some are still [in the planning phase](#in-the-planning-phase). For more information on the recent changes to Windows Autopilot device preparation, go to [Blog: Windows deployment with the next generation of Windows Autopilot](https://techcommunity.microsoft.com/t5/microsoft-intune-blog/windows-deployment-with-the-next-generation-of-windows-autopilot/ba-p/4148169).

To get started with Windows Autopilot device preparation, go to [Windows Autopilot Device Preparation overview](/autopilot/device-preparation/overview). | | Log Analytics | ✅

You can send Intune log data to Azure Storage, Event Hubs, or Log Analytics.

For more information on this feature, go to [Send log data to storage, event hubs, or log analytics from Intune](review-logs-using-azure-monitor.md). | -| Microsoft Intune Plan 2
and Microsoft Intune Suite | For more information on these plans, go to [Use Intune Suite add-on capabilities](intune-add-ons.md).

The following Plan 2 features support the GCC High and DoD environements:
- [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md)
- [Firmware-over-the-air update](../protect/fota-updates-android.md)
- [Specialty devices management](../fundamentals/specialty-devices-with-intune.md)

The following Microsoft Intune Suite features support the GCC High and DoD environements:
- [Endpoint Privilege Management](../protect/epm-overview.md)
- [Advanced Analytics](../../analytics/advanced-endpoint-analytics.md) - With this release, GCC High and DoD support for Advanced Endpoint Analytics not include the [*Device query*](../../analytics/device-query.md) functionality.| +| Microsoft Intune Plan 2
and Microsoft Intune Suite | For more information on these plans, go to [Use Intune Suite add-on capabilities](intune-add-ons.md).

The following Plan 2 features support the GCC High and DoD environments:
- [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md)
- [Firmware-over-the-air update](../protect/fota-updates-android.md)
- [Specialty devices management](../fundamentals/specialty-devices-with-intune.md)

The following Microsoft Intune Suite features support the GCC High and DoD environments:
- [Endpoint Privilege Management](../protect/epm-overview.md)
- [Advanced Analytics](../../analytics/advanced-endpoint-analytics.md)
### In the planning phase
diff --git a/memdocs/intune/fundamentals/intune-planning-guide.md b/memdocs/intune/fundamentals/intune-planning-guide.md
index 82caaf3feb0..2d39a8ba885 100644
--- a/memdocs/intune/fundamentals/intune-planning-guide.md
+++ b/memdocs/intune/fundamentals/intune-planning-guide.md
@@ -623,7 +623,7 @@ Validate the end-user experience with success metrics in your deployment plan. S
- Tools and resources
- Q & A
-The community-based [Intune forum](https://social.technet.microsoft.com/Forums/home) and [end-user documentation](/intune-user-help/use-managed-devices-to-get-work-done) are also great resources.
+The community-based [Intune forum](https://social.technet.microsoft.com/Forums/home) and [end-user documentation](/mem/intune/user-help/use-managed-devices-to-get-work-done) are also great resources.
## Related articles
diff --git a/memdocs/intune/fundamentals/intune-scale-guidelines.md b/memdocs/intune/fundamentals/intune-scale-guidelines.md
index a6072d64e44..88d50b1ff9b 100644
--- a/memdocs/intune/fundamentals/intune-scale-guidelines.md
+++ b/memdocs/intune/fundamentals/intune-scale-guidelines.md
@@ -224,7 +224,7 @@ For more information, go to [How many tokens can I upload.](../apps/vpp-apps-ios
- Local admins can create Win32 apps as needed within the cross-platform, line-of-business app and web-link limit. For more information, go to [Win32 app management](../apps/apps-win32-app-management.md).
> [!NOTE]
- > [Microsoft Store for Business](/microsoft-store/microsoft-store-for-business-overview) is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
+ > Microsoft Store for Business is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
#### Android
diff --git a/memdocs/intune/fundamentals/manage-apps.md b/memdocs/intune/fundamentals/manage-apps.md
index f5bcbfb2ed9..beb5c63fd50 100644
--- a/memdocs/intune/fundamentals/manage-apps.md
+++ b/memdocs/intune/fundamentals/manage-apps.md
@@ -125,7 +125,7 @@ The app features in the Intune admin center make it easier to deploy these diffe
- [Win32 app management](../apps/apps-win32-app-management.md)
> [!NOTE]
- > [Microsoft Store for Business](/microsoft-store/microsoft-store-for-business-overview) is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
+ > Microsoft Store for Business is being retired. Starting with Windows 11, you have a new option for your private volume-licensed apps. For more information, go to [Private app repository in Windows 11](/windows/application-management/private-app-repository-mdm-company-portal-windows-11) and [Update to Microsoft Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077).
## Configure apps before they're installed
diff --git a/memdocs/intune/fundamentals/mdm-authority-set.md b/memdocs/intune/fundamentals/mdm-authority-set.md
index 51abd15fb1d..b3d4f12a43f 100644
--- a/memdocs/intune/fundamentals/mdm-authority-set.md
+++ b/memdocs/intune/fundamentals/mdm-authority-set.md
@@ -8,7 +8,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 09/27/2023
+ms.date: 09/24/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -50,12 +50,6 @@ Possible configurations are:
## Set MDM authority to Intune
-For tenants using the 1911 service release and later, the MDM authority is automatically set to Intune.
-
-For tenants using the 1911 service release and later, if you activated Basic Mobility and Security, follow the steps in this section.
-
-For pre-1911 service release tenants, if you haven't yet set the MDM authority, follow the steps in this section.
-
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select the orange banner to open the **Mobile Device Management Authority** setting. The orange banner is only displayed if you haven't yet set the MDM authority.
2. Under **Mobile Device Management Authority**, choose your MDM authority from the following options:
@@ -114,7 +108,7 @@ To enable coexistence, you must add Intune as the MDM authority for your environ
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) with Microsoft Entra Global or Intune service administrator rights.
2. Navigate to **Devices**.
-3. The **Add MDM Authority blade** displays.
+3. The **Add MDM Authority blade** banner is displayed.
4. To switch the MDM authority from *Office 365* to *Intune* and enable coexistence, select **Intune MDM Authority** > **Add**.
:::image type="content" alt-text="Screenshot of Add MDM Authority screen." source="./media/mdm-authority-set/add-mdm-authority.png" lightbox="./media/mdm-authority-set/add-mdm-authority.png":::
diff --git a/memdocs/intune/fundamentals/media/mdm-authority-set/add-mdm-authority.png b/memdocs/intune/fundamentals/media/mdm-authority-set/add-mdm-authority.png
index 382c3caaaa1..e794b42fa8c 100644
Binary files a/memdocs/intune/fundamentals/media/mdm-authority-set/add-mdm-authority.png and b/memdocs/intune/fundamentals/media/mdm-authority-set/add-mdm-authority.png differ
diff --git a/memdocs/intune/fundamentals/remote-help-macos.md b/memdocs/intune/fundamentals/remote-help-macos.md
index 2be06f0425f..1965687d518 100644
--- a/memdocs/intune/fundamentals/remote-help-macos.md
+++ b/memdocs/intune/fundamentals/remote-help-macos.md
@@ -91,6 +91,7 @@ General prerequisites for Remote Help are listed here [Prerequisites for Remote
- macOS 12 (Monterey)
- macOS 13 (Ventura)
- macOS 14 (Sonoma)
+- macOS 15 (Sequoia)
### Remote Help Web App supported browsers
diff --git a/memdocs/intune/fundamentals/remote-help-windows.md b/memdocs/intune/fundamentals/remote-help-windows.md
index 91589e8b70d..568e10cd49a 100644
--- a/memdocs/intune/fundamentals/remote-help-windows.md
+++ b/memdocs/intune/fundamentals/remote-help-windows.md
@@ -186,8 +186,7 @@ As a sharer, when you've requested help and both you and the helper are ready to
During assistance, helpers that have the *Elevation* permission can enter local admin permissions on your shared device. *Elevation* allows the helper to run executable programs or take similar actions when you lack sufficient permissions.
-5. After the issues are resolved, or at any time during the session, both the sharer and helper can end the session. To end the session, select **Leave** in the upper right corner of the Remote Help app. When a helper performs elevated actions on a user's device, at the end of the session the sharer is automatically signed out of their device. If a helper performs elevated actions on a user's device and the sharer ends the session, a warning message appears for the helper. The message warns that if the helper continues, they'll be logged off.
-
+5. After the issues are resolved, or at any time during the session, both the sharer and helper can end the session. To end the session, select **Leave** in the upper right corner of the Remote Help app.
#### Request help on an unenrolled device
The device might not need to be enrolled to Intune if your administrator allows you to get help on unenrolled devices. If your device is unenrolled and you're trying to receive help, be prepared to enter a security code that you'll get from the individual who is assisting you. You'll enter the code in your Remote Help instance to establish a connection to the helper's instance of Remote Help.
@@ -236,7 +235,7 @@ As a helper, after receiving a request from a user who wants assistance by using
During assistance, helpers that have the *Elevation* permission can enter local admin permissions on your shared device. *Elevation* allows the helper to run executable programs or take similar actions when you lack sufficient permissions.
-5. After the issues are resolved, or at any time during the session, both the sharer and helper can end the session. To end the session, select **Leave** in the upper right corner of the Remote Help app. When a helper performs elevated actions on a user's device, at the end of the session the sharer is automatically signed out of their device. If a helper performs elevated actions on a user's device and the sharer ends the session, a warning message appears for the helper. The message warns that if the helper continues, they'll be logged off.
+5. After the issues are resolved, or at any time during the session, both the sharer and helper can end the session. To end the session, select **Leave** in the upper right corner of the Remote Help app. If a helper performs elevated actions on a user's device and the sharer ends the session, at the end of the session the sharer is automatically signed out.
#### Provide help on an unenrolled device
@@ -392,7 +391,7 @@ Microsoft Edge WebView2 is required to use Remote Help. If you get an error mess
## Known Issues
For remotely starting a session on the user's device, notifications that are sent to the sharer's device when a helper launches a Remote Help session fails if the Microsoft Intune Management Service isn't running.
-After the user's device is restarted, there's a delay for the service to start. You can either manually wait for the service to start (30-60 seconds after restart), or manually start the service through services.msc.
+After the user's device is restarted, there's a delay for the service to start. You can either manually wait for the service to start (30 minutes after restart), or manually start the service through services.msc.
For newly enrolled devices, there's a 1 hour delay before the user's device begins receiving notifications when a helper initiates a session.
## What's New for Remote Help
diff --git a/memdocs/intune/fundamentals/remote-help.md b/memdocs/intune/fundamentals/remote-help.md
index d1ebb1bf7bb..988ed027dc7 100644
--- a/memdocs/intune/fundamentals/remote-help.md
+++ b/memdocs/intune/fundamentals/remote-help.md
@@ -93,7 +93,7 @@ Limitations:
- Windows 10/11 on ARM64 devices
- Windows 365
- Samsung and Zebra devices enrolled as Android Enterprise dedicated devices
- - macOS 12, 13, 14
+ - macOS 12, 13, 14, and 15
Remote Help isn't supported on GCC High or DoD (U.S. Department of Defense) tenants. For more information, go to [Microsoft Intune for US Government GCC High and DoD service description](intune-govt-service-description.md).
@@ -109,7 +109,7 @@ This feature applies to:
- Windows 10 on ARM64 devices
- Windows 365
- Android Enterprise Dedicated (Samsung and Zebra devices)
-- macOS 12, 13 and 14
+- macOS 12, 13, 14, and 15
## Data and privacy
diff --git a/memdocs/intune/fundamentals/reports-export-graph-apis.md b/memdocs/intune/fundamentals/reports-export-graph-apis.md
index e35848b24c0..9ed9d074408 100644
--- a/memdocs/intune/fundamentals/reports-export-graph-apis.md
+++ b/memdocs/intune/fundamentals/reports-export-graph-apis.md
@@ -7,7 +7,7 @@ keywords:
author: Erikre
ms.author: erikre
manager: dougeby
-ms.date: 03/28/2024
+ms.date: 09/20/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -109,7 +109,7 @@ You can then use the `id` field to query the status of the export with a GET req
For example: ```https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs('Devices_05e62361-783b-4cec-b635-0aed0ecf14a3')``` or ```https://graph.microsoft.com/beta/deviceManagement/reports/exportJobs/Devices_05e62361-783b-4cec-b635-0aed0ecf14a3```
-You will need to continue calling this URL until you get a response with a `status: completed` attribute. It will look like the following example:
+You'll need to continue calling this URL until you get a response with a `status: completed` attribute. It looks like the following example:
```http
{
@@ -144,8 +144,8 @@ You can then directly download the compressed CSV from the `url` field.
There are five main parameters you can submit in your request body to define the export request:
- `reportName`: Required. This parameter is the name of the report you want to specify.
-- `filter`: Not required for most reports. Note that the filter parameter is a string.
-- `select`: Not required. Specify which columns from the report you want. Only valid column names relevant to the report you are calling will be accepted.
+- `filter`: Not required for most reports. The filter parameter is a string.
+- `select`: Not required. Specify which columns from the report you want. Only valid column names relevant to the report you're calling will be accepted.
- `format`: Not required. By default, the data is output in `csv` format. Specify `json` to output the file in JSON format.
- `localizationType`: This parameter controls localization behavior for the report. Possible values are `LocalizedValuesAsAdditionalColumn` and `ReplaceLocalizableValues`.
@@ -155,9 +155,9 @@ The `localizationType` parameter controls localization behavior for the report.
### LocalizedValuesAsAdditionalColumn report value
-This value for the `localizationType` parameter is the default value. It will be inserted automatically if the `localizationType` parameter is not specified. This value specifies that Intune provides two columns for each localizable column.
-- *enum value*: The *enum value* column contains either a raw string, or a set of numbers that don't change, regardless of locale. This column will be under the original column name (see example).
-- *localized string value*: This column will be the original column name with _loc appended. It will contain string values that are human readable, and locale conditional (see example).
+This value for the `localizationType` parameter is the default value. It is inserted automatically if the `localizationType` parameter isn't specified. This value specifies that Intune provides two columns for each localizable column.
+- *enum value*: The *enum value* column contains either a raw string, or a set of numbers that don't change, regardless of locale. This column is under the original column name (see example).
+- *localized string value*: This column is the original column name with _loc appended. It contains string values that are human readable, and locale conditional (see example).
#### Example
@@ -173,7 +173,7 @@ This value for the `localizationType` parameter is the default value. It will be
### ReplaceLocalizableValues report value
-ReplaceLocalizableValues report value will only return one column per localized attribute. This column will contain the original column name with the localized values.
+ReplaceLocalizableValues report value will only return one column per localized attribute. This column contains the original column name with the localized values.
#### Example
@@ -191,6 +191,14 @@ For columns without localized values, only a single column with the true column
> [!IMPORTANT]
> The `localizationType` parameter is relevant for any export experience hosted by Intune's reporting infrastructure with a few exceptions. The`Devices` and `DevicesWithInventory` report types will not honor the `localizationType` parameter due to legacy compatibility requirements.
+## API throttling conditions
+
+To ensure that the `exportJobs` API doesn't have too many concurrent requests, which would impact the API's response rate, the below throttling limits are applied.
+
+- **The APIs will support up to 100 requests per tenant per minute**: This support covers all users and apps in a tenant. Any additional requests initiated by either users or apps in the tenant within the same minute will be throttled.
+ - If the APIs are initiated by a user, up to 8 requests will be allowed by the same user within a minute. Subsequent requests by the same user within the same minute will be throttled.
+ - If the APIs are initiated by an app, then up to 48 requests will be allowed by the same app within a minute. Subsequent requests by the same app within the same minute will be throttled.
+
## Next steps
- [Microsoft Graph documentation](/graph/)
diff --git a/memdocs/intune/fundamentals/reports-export-graph-available-reports.md b/memdocs/intune/fundamentals/reports-export-graph-available-reports.md
index 36153a1962c..965a1d0e6f1 100644
--- a/memdocs/intune/fundamentals/reports-export-graph-available-reports.md
+++ b/memdocs/intune/fundamentals/reports-export-graph-available-reports.md
@@ -860,6 +860,7 @@ The following table contains the possible output when calling the `AppInvAggrega
| ApplicationShortVersion |
| ApplicationVersion |
| DeviceCount |
+| Platform |
There are no filters for this report.
@@ -884,7 +885,19 @@ The following table contains the possible output when calling the `AppInvRawData
| EmailAddress |
| UserName |
-There are no filters for this report.
+You can filter the `AppInvRawData` report using the `eq` comparison operator on the following properties:
+- ApplicationName
+- ApplicationPublisher
+- ApplicationShortVersion
+- ApplicationVersion
+- DeviceId
+- DeviceName
+- OSDescription
+- OSVersion
+- Platform
+- UserId
+- EmailAddress
+- UserName
## ChromeOSDevices report
diff --git a/memdocs/intune/fundamentals/role-based-access-control.md b/memdocs/intune/fundamentals/role-based-access-control.md
index 00b49d14ee7..b5bef210f22 100644
--- a/memdocs/intune/fundamentals/role-based-access-control.md
+++ b/memdocs/intune/fundamentals/role-based-access-control.md
@@ -38,6 +38,7 @@ To create, edit, or assign roles, your account must have one of the following pe
- **Global Administrator**
- **Intune Service Administrator** (also known as **Intune Administrator**)
+- An Intune role with Role permissions
## Roles
@@ -76,6 +77,9 @@ You can create your own roles with custom permissions. For more information abou
### Microsoft Entra roles with Intune access
+Microsoft recommends following the principle of least-permissions by only assigning the minimum required permissions for an administrator to perform their duties. Global Administrator and Intune Service Administrator
+are [privileged roles](/entra/identity/role-based-access-control/privileged-roles-permissions) and assignment should be limited.
+
| Microsoft Entra role | All Intune data | Intune audit data |
| --- | :---: | :---: |
| Global Administrator | Read/write | Read/write |
@@ -101,13 +105,13 @@ A role assignment defines:
- what resources they can see
- what resources they can change.
-You can assign both custom and built-in roles to your users. To be assigned an Intune role, the user must have an Intune license.
+You can assign both custom and built-in roles to your users who are administrators in Intune. To be assigned an Intune role, the user must have an Intune license.
To see a role assignment, choose **Intune** > **Tenant administration** > **Roles** > **All roles** > choose a role > **Assignments** > choose an assignment. On the **Properties** page, you can edit:
- **Basics**: The assignments name and description.
- **Members**: All users in the listed Azure security groups have permission to manage the users/devices that are listed in Scope (Groups).
- **Scope (Groups)**: Scope Groups are Microsoft Entra security groups of users or devices or both for which administrators in that role assignment are limited to performing operations on. For example, deployment of a policy or application to a user or remotely locking a device. All users and devices in these Microsoft Entra security groups can be managed by the users in Members.
-- **[Scope (Tags)](scope-tags.md)**: Users in Members can see the resources that have the same scope tags.
+- **[Scope Tags](scope-tags.md)**: Users in Members can see the resources that have the same scope tags.
> [!NOTE]
> Scope Tags are freeform text values that an administrator defines and then adds to a Role Assignment. The scope tag added on a role controls visibility of the role itself, while the scope tag added in role assignment limits the visibility of Intune objects (such as policies and apps) or devices to only administrators in that role assignment because the role assignment contains one or more matching scope tags.
diff --git a/memdocs/intune/fundamentals/supported-devices-browsers.md b/memdocs/intune/fundamentals/supported-devices-browsers.md
index c577ba0e12c..54103b3fec7 100644
--- a/memdocs/intune/fundamentals/supported-devices-browsers.md
+++ b/memdocs/intune/fundamentals/supported-devices-browsers.md
@@ -7,7 +7,7 @@ keywords:
author: Smritib17
ms.author: smbhardwaj
manager: dougeby
-ms.date: 04/24/2024
+ms.date: 10/10/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
diff --git a/memdocs/intune/fundamentals/whats-new-app-ui.md b/memdocs/intune/fundamentals/whats-new-app-ui.md
index 737faffcf03..537631104c6 100644
--- a/memdocs/intune/fundamentals/whats-new-app-ui.md
+++ b/memdocs/intune/fundamentals/whats-new-app-ui.md
@@ -640,30 +640,12 @@ If users have used their work or school account to sign in to other Microsoft ap
The Managed Browser is receiving updated icons for both the Android and iOS versions of the app. The new icon will contain the updated Intune badge to make it more consistent with other apps in Enterprise Mobility + Security (EM+S).
-Before
- > [!div class="mx-imgBorder"]
- > ![Screenshot of the previous version of the Managed Browser app icon.](/intune/media/cp_manbro_before_042017.png)
-
-
-After
- > [!div class="mx-imgBorder"]
- > ![Screenshot of the new version of the Managed Browser app icon.](/intune/media/cp_manbro_before_042017.png)
-
-
The Company Portal is also receiving updated icons for the Android, iOS, and Windows versions of the app to improve consistency with other apps in EM+S. These icons will be gradually released across platforms from April to late May.
### Sign in progress indicator in Android Company Portal
An update to the Android Company Portal app shows a sign-in progress indicator when the user launches or resumes the app. The indicator progresses through new statuses, beginning with "Connecting...", then "Signing in...", then "Checking for security requirements..." before allowing the user to access the app.
-**Before**
- > [!div class="mx-imgBorder"]
- > ![The Company Portal app for Android sign-in screen that shows a partially filled loading bar with the phrase 'Connecting' underneath it.](/intune/media/cp_android_connecting_042017.png)
-
- **After**
- > [!div class="mx-imgBorder"]
- > ![The Company Portal app for Android sign-in screen that shows a partially filled loading bar with the phrase 'Connecting' underneath it.](/intune/media/cp_android_connecting_042017.png)
-
### Improved app install status for the Windows 10 Company Portal app
The Windows 10 Company Portal app now provides an install progress bar on the app details page. This is supported for modern apps on devices running the Windows 10 Anniversary Update and up.
@@ -688,8 +670,6 @@ Beginning in March, the Company Portal app for Android will follow [material des
* __Navigation__: All Apps shows a tabbed view of __Featured__, __All__ and __Categories__ for easier navigation. __Contact IT__ has been streamlined for improved readability.
- > [!div class="mx-imgBorder"]
- > ![Screenshot of Company Portal app for Android showing an updated version of the Contact IT tab. The tab shows available contact information for IT, including phone number, email address, IT website, and IT contact information.](/intune/media/cp_android_contactit_after.png)
## January 2017
diff --git a/memdocs/intune/fundamentals/whats-new-archive.md b/memdocs/intune/fundamentals/whats-new-archive.md
index 6a7cadaf7c9..b4b41c64ea9 100644
--- a/memdocs/intune/fundamentals/whats-new-archive.md
+++ b/memdocs/intune/fundamentals/whats-new-archive.md
@@ -7,7 +7,7 @@ keywords:
author: dougeby
ms.author: dougeby
manager: dougeby
-ms.date: 06/14/2024
+ms.date: 09/25/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
@@ -37,6 +37,368 @@ ms.collection: Maintain ~2 years of archived content --> +## Week of April 15, 2024 + +### Intune apps + +#### Newly available protected app for Intune + +The following protected app is now available for Microsoft Intune: + +- Atom Edge by Arlanto Apps + +For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). + +## Week of April 1, 2024 + +### Device management + +#### Copilot in Intune is available in the Intune admin center (public preview) + +Copilot in Intune is integrated in the Intune admin center, and can help you get information quickly. You can use Copilot in Intune for the following tasks: + +✅ **Copilot can help you manage your settings and policies** + +- **Copilot tooltip on settings**: When you add settings to a policy or review settings in an existing policy, there's a new Copilot tooltip. When you select the tooltip, you get AI generated guidance based on Microsoft content and recommendations. You can see what each setting does, how the setting works, any recommended values, if the setting is configured in another policy, and more. + +- **Policy summarizer**: On existing policies, you get a Copilot summary of the policy. The summary describes what the policy does, the users and groups assigned to the policy, and the settings in the policy. This feature can help you understand the impact of a policy and its settings on your users and devices. + +✅ **Copilot shows device details and can help troubleshoot** + +- **All about a device**: On a device, you can use Copilot to get key information about the device, including its properties, configuration, and status information. + +- **Device compare**: Use Copilot to compare the hardware properties and device configurations of two devices. This feature helps you determine what's different between two devices with similar configurations, especially when troubleshooting. 
+ +- **Error code analyzer**: Use Copilot in the device view to analyze an error code. This feature helps you understand what the error means and provides a potential resolution. + +✅ **Intune capabilities in Copilot for Security** + +Intune has capabilities available in the Copilot for Security portal. SOC Analysts and IT admins can use these capabilities to get more information on policies, devices, group membership, and more. On a single device, you can get more specific information that's unique to Intune, like compliance status, device type, and more. + +You can also ask Copilot to tell you about a user's devices and get a quick summary of critical information. For example, the output shows links to the user's devices in Intune, device ID, enrollment date, last check-in date, and compliance status. If you're an IT admin and reviewing a user, then this data provides a quick summary. + +As a SOC analyst that's investigating a suspicious or potentially compromised user or device, information like enrollment date and last check-in can help you make informed decisions. + +For more information on these features, see: + +- [Microsoft Copilot in Intune](../copilot/copilot-intune-overview.md) +- [Access your Microsoft Intune data in Copilot for Security](../copilot/security-copilot.md) + +Applies to: + +- Android +- iOS/iPadOS +- macOS +- Windows + +#### GCC customers can use Remote Help for Windows and Android devices + +The [Microsoft Intune Suite](intune-add-ons.md) includes advanced endpoint management and security features, including Remote Help. + +On Windows and enrolled Android Enterprise dedicated devices, you can use remote help on US Government GCC environments. 
+ +For more information on these features, see: + +- [Microsoft Intune for US Government GCC service description](intune-govt-service-description.md) +- [Use Remote Help with Microsoft Intune](remote-help.md) + +Applies to: + +- Windows 10/11 +- Windows 10/11 on ARM64 devices +- Windows 365 +- Samsung and Zebra devices enrolled as Android Enterprise dedicated devices + +### Device configuration + +#### New BIOS device configuration profile for OEMs + +There's a new **BIOS configuration and other settings** device configuration policy for OEMs. Admins can use this new policy to enable or disable different BIOS features that secure device. In the Intune device configuration policy, you add the BIOS configuration file, deploy a Win32 app, and then assign the policy to your devices. + +For example, admins can use the [Dell Command tool](https://www.dell.com/support/kbdoc/000108963/how-to-use-and-troubleshoot-dell-command-update-to-update-all-drivers-bios-and-firmware-for-your-system) (opens Dell's website) to create the BIOS configuration file. Then, they add this file to the new Intune policy. + +For more information on this feature, see [Use BIOS configuration profiles on Windows devices in Microsoft Intune](../configuration/bios-configuration.md). + +Applies to + +- Windows 10 and later + +## Week of March 25, 2024 (Service release 2403) + +### Microsoft Intune Suite + +#### New elevation type for Endpoint Privilege Management + +Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../fundamentals/intune-add-ons.md). + +A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. 
Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis. + +With support approved elevations, users can request approval to elevate an application that isn't explicitly allowed for elevation by automatic or user approved rules. This takes the form of an elevation request that must be reviewed by an Intune administrator who can approve or deny the elevation request. + +When the request is approved, users are notified that the application can now be run as elevated, and they have 24 hours from the time of approval to do so before the elevation approval expires. + +Applies to: + +- Windows 10 +- Windows 11 + +For more information on this new capability, see [Support approved elevation requests](../protect/epm-support-approved.md). + +### App management + +#### Extended capabilities for Managed Google Play apps on personally owned Android devices with a work profile + +There are new capabilities extended to work profile devices. The following capabilities were previously available only on corporate-owned devices: + +- **Available apps for device groups**: You can use Intune to make apps available for device groups through the Managed Google Play store. Previously, apps could only be made available to user groups. + +- **Update priority setting**: You can use Intune to configure the app update priority on devices with a work profile. To learn more about this setting, see [Update a Managed Google Play app](../apps/apps-add-android-for-work.md#update-a-managed-google-play-app). + +- **Required apps display as available in Managed Google Play**: You can use Intune to make required apps available for users through the Managed Google Play store. Apps that are part of existing policies now display as available. + +These new capabilities will follow a phased rollout over multiple months. 
+ +Applies to: + +- Android Enterprise personally owned devices with a work profile + +### Device configuration + +#### New settings available in the Apple settings catalog + +The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md). + +There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type. + +##### iOS/iPadOS + +**Declarative Device Management (DDM) > Passcode**: + +- Maximum Passcode Age In Days +- Minimum Complex Characters +- Require Alphanumeric Passcode + +**Restrictions**: + +- Allow Marketplace App Installation + +##### macOS + +**Declarative Device Management (DDM) > Passcode**: + +- Change At Next Auth +- Custom Regex +- Failed Attempts Reset In Minutes +- Maximum Passcode Age In Days +- Minimum Complex Characters +- Require Alphanumeric Passcode + +**Full Disk Encryption > FileVault**: + +- Recovery Key Rotation In Months + +#### New settings available in the Windows settings catalog + +The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. + +There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Settings catalog** for profile type. 
+ +- **Delivery optimization**: + + - **DO Disallow Cache Server Downloads On VPN** - This setting blocks downloads from Microsoft Connected Cache servers when the device connects using VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected using VPN. + + - **DO Set Hours To Limit Background Download Bandwidth** - This setting specifies the maximum background download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + + - **DO Set Hours To Limit Foreground Download Bandwidth** - This setting specifies the maximum foreground download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. + + - **DO Vpn Keywords** - This policy allows you to set one or more keywords used to recognize VPN connections. + +- **Messaging**: + + - **Allow Message Sync** - This policy setting allows the backup and restore of cellular text messages to Microsoft's cloud services. 
+ +- **Microsoft Defender Antivirus**: + + - **Specify the maximum depth to scan archive files** + - **Specify the maximum size of archive files to be scanned** + +For more information on these settings, see: + +- [Policy CSP - DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) +- [Policy CSP - Messaging](/windows/client-management/mdm/policy-csp-messaging#allowmessagesync) +- [Policy CSP - ADMX_MicrosoftDefenderAntivirus](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus) + +Applies to: + +- Windows 10 and later + +#### New archive file scan settings added to Antivirus policy for Windows devices + +We added the following two settings to the *Microsoft Defender Antivirus* profile for [endpoint security Antivirus policy](../protect/endpoint-security-antivirus-policy.md#antivirus-profiles) that apply to Windows 10 and Windows 11 devices: + +- [Specify the maximum depth to scan archive files](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan_archivemaxdepth) - This setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. +- [Specify the maximum size of archive files to be scanned](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan_archivemaxsize) - This setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that are scanned. The value represents file size in kilobytes (KB). + +With Antivirus policy, you can manage these settings on devices enrolled by Intune and on devices managed through the [Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario. 
+ +Both settings are also available in the [settings catalog](../configuration/settings-catalog.md) at **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Settings catalog** for profile type > **Defender**. + +Applies to: + +- Windows 10 +- Windows 11 + +#### Updates to assignment filters + +You can use [Intune assignment filters](filters.md) to assign a policy based on rules you create. + +Now, you can: + +- Use managed app assignment filters for Window MAM app protection policies and app configuration policies. +- Filter your existing assignment filters by **Platform**, and by the **Managed apps** or **Managed devices** filter type. When you have many filters, this feature makes it easier to find specific filters you created. + +For more information on these features, see: + +- [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](filters.md) +- [Data protection for Windows MAM](../apps/protect-mam-windows.md) + +This feature applies to: + +- **Managed devices** on the following platforms: + + - Android device administrator + - Android Enterprise + - Android (AOSP) + - iOS/iPadOS + - macOS + - Windows 10/11 + +- **Managed apps** on the following platforms: + + - Android + - iOS/iPadOS + - Windows + +### Device management + +#### New compliance setting lets you verify device integrity using hardware-backed security features + +A new compliance setting called **Check strong integrity using hardware-backed security features** lets you verify device integrity using hardware-backed key attestation. If you configure this setting, strong integrity attestation is added to Google Play's integrity verdict evaluation. Devices must meet device integrity to remain compliant. Microsoft Intune marks devices that don't support this type of integrity check as noncompliant. 
+ +This setting is available in profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile, under **Device Health** > **Google Play Protect**. It only becomes available when the Play integrity verdict policy in your profile is set to **Check basic integrity** or **Check basic integrity & device integrity**. + +Applies to: + +- Android Enterprise + +For more information, see [Device compliance - Google Play Protect](../protect/compliance-policy-create-android-for-work.md#google-play-protect). + +#### New compliance settings for Android work profile, personal devices + +Now you can add compliance requirements for work profile passwords without impacting device passwords. All new Microsoft Intune settings are available in compliance profiles for Android Enterprise personally owned work profiles under **System Security** > **Work Profile Security**, and include: + +- Require a password to unlock work profile +- Number of days until password expires +- Number of previous passwords to prevent reuse +- Maximum minutes of inactivity before password is required +- Password complexity +- Required password type +- Minimum password length + +If a work profile password fails to meet requirements, Company Portal marks the device as noncompliant. Intune compliance settings take precedence over the respective settings in an Intune device configuration profile. For example, the password complexity in your compliance profile is set to *medium*. The password complexity in a device configuration profile is set to *high*. Intune prioritizes and enforces the compliance policy. + +Applies to: + +- Android Enterprise personally owned devices with a work profile + +For more information, see [Compliance settings - Android Enterprise](../protect/compliance-policy-create-android-for-work.md#personally-owned-work-profile). 
+ +#### Windows quality updates support for expediting non-security updates + +Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings. + +Applies to: + +- Windows 11 devices + +For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../protect/windows-10-expedite-updates.md#create-and-assign-an-expedited-quality-update). + +#### Introducing a remote action to pause the config refresh enforcement interval + +In the Windows Settings Catalog, you can configure **Configuration Refresh**. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune. The device will replay and re-enforce settings based on previously received policy to minimize the chance for configuration drift. + +To support this feature, a remote action is added to allow a pause in action. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, settings are enforced again. + +The remote action **Pause configuration refresh** can be accessed from the device summary page. + +For more information, see: + +- [Remote actions](../remote-actions/device-management.md) +- [Pause Config Refresh Remote action](../remote-actions/pause-config-refresh.md) + +### Device security + +#### Updated security baseline for Windows version 23H2 + +You can now deploy the Intune security baseline for Windows version 23H2. 
This new baseline is based on the **version 23H2** of the Group Policy security baseline found in the [Security Compliance Toolkit and Baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) from the Microsoft Download Center, and includes only the settings that are applicable to devices managed through Intune. Use of this updated baseline can help you maintain best-practice configurations for your Windows devices. + +This baseline uses the unified settings platform seen in the Settings Catalog. It features an improved user interface and reporting experience, consistency and accuracy improvements related to setting tattooing, and can support assignment filters for profiles. + +Use of [Intune security baselines](../protect/security-baselines.md) can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations, which you can modify to meet the requirements of your organization. + +Applies to: + +- Windows 10 +- Windows 11 + +To view the new baselines included settings with their default configurations, see, [Windows MDM security baseline version 23H2](../protect/security-baseline-settings-mdm-all.md?pivots=mdm-23h2). + +#### Use a rootless implementation of Podman to host Microsoft Tunnel + +When prerequisites are met, you can use a rootless Podman container to host a Microsoft Tunnel server. This capability is available when you use [Podman for Red Hat Enterprise Linux (RHEL)](../protect/microsoft-tunnel-prerequisites.md#linux-server) version 8.8 or later, to host Microsoft Tunnel. + +When using a rootless Podman container, the mstunnel services run under a non-privileged service user. This implementation can help limit impact from a container escape. To use a rootless Podman container, you must start the tunnel installation script using a modified command line. 
+ +For more information about this Microsoft Tunnel install option, see [Use a rootless Podman container](../protect/microsoft-tunnel-configure.md#use-a-rootless-podman-container). + +#### Improvements for Intune deployments of Microsoft Defender for Endpoint + +We improved and simplified the experience, workflow, and report details for onboarding devices to Microsoft Defender when using Intune's endpoint detection and response (EDR) policy. These changes apply for Windows devices managed by Intune and by the tenant-attach scenario. These improvements include: + +- Changes to the EDR node, dashboards, and reports to improve the visibility of your Defender EDR deployment numbers. See [About the endpoint detection and response node](../protect/endpoint-security-edr-policy.md#about-the-endpoint-detection-and-response-node). + +- A new tenant-wide option to deploy a preconfigured EDR policy that streamlines the deployment of Defender for Endpoint to applicable Windows devices. See [Use a preconfigured EDR policy](../protect/endpoint-security-edr-policy.md#use-a-preconfigured-edr-policy). + +- Changes to Intune's the Overview page of the endpoint security node. These changes provide a consolidated view of reports for the device signals from Defender for Endpoint on your managed devices. See [Use a preconfigured EDR policy](../protect/endpoint-security-edr-policy.md#use-a-preconfigured-edr-policy). + +These changes apply to the Endpoint security and endpoint detection and response nodes of the admin center, and the following device platforms: + +- Windows 10 +- Windows 11 + +#### Windows quality updates support expediting non-security updates + +Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings. 
+ +Applies to: + +- Windows 11 devices + +For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../protect/windows-10-expedite-updates.md#create-and-assign-an-expedited-quality-update). + +### Intune apps + +#### Newly available protected apps for Intune + +The following protected apps are now available for Microsoft Intune: + +- Cerby by Cerby, Inc. +- OfficeMail Go by 9Folders, Inc. +- DealCloud by Intapp, Inc. +- Intapp 2.0 by Intapp, Inc. + +For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). + ## Week of March 3, 2024 ### Device enrollment @@ -4150,7 +4512,7 @@ Applies to: - Windows 10/11 > [!NOTE] -> ASR polices don't support merge functionality for *ASR Only Per Rule Exclusions* and a policy conflict can result when multiple polices that configure *ASR Only Per Rule Exclusions* for the same device conflict. To avoid conflicts, combine the configurations for *ASR Only Per Rule Exclusions* into a single ASR policy. We are investigating adding policy merge for *ASR Only Per Rule Exclusions* in a future update. +> ASR policies don't support merge functionality for *ASR Only Per Rule Exclusions* and a policy conflict can result when multiple policies that configure *ASR Only Per Rule Exclusions* for the same device conflict. To avoid conflicts, combine the configurations for *ASR Only Per Rule Exclusions* into a single ASR policy. We are investigating adding policy merge for *ASR Only Per Rule Exclusions* in a future update. #### Grant apps permission to silently use certificates on Android Enterprise devices You can now configure silent use of certificates by apps on Android Enterprise devices that enrolled as **Fully Managed, Dedicated, and Corporate-Owned work Profile**. 
@@ -4195,7 +4557,7 @@ As of October 12, 2022, the name Microsoft Endpoint Manager will no longer be us For more information, see [Intune documentation]( ../../index.yml). #### Grace period status visible in Windows Company Portal -Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see [Configure compliance policies with actions for noncompliance](../protect/actions-for-noncompliance.md#available-actions-for-noncompliance) and [Check access from Device details page](../user-help/check-device-access-windows-cpapp.md#check-access-from-device-details-page). +Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see [Configure compliance policies with actions for noncompliance](../protect/actions-for-noncompliance.md#available-actions-for-noncompliance) and [Check access from Device details page](../user-help/check-device-access-windows-cpapp.md). #### Linux device management available in Microsoft Intune Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. Intune admins don't need to do anything to enable Linux enrollment in the Microsoft Intune admin center. 
Linux users can [enroll supported Linux devices](../user-help/enroll-device-linux.md) on their own and use the Microsoft Edge browser to access corporate resources online. 
@@ -4457,7 +4819,7 @@ You can now use Intune role-based access control (RBAC) when interacting with te ### App management #### Android strong biometric change detection -The Android **Fingerprint instead of PIN for access** setting in Intune, which allows the end-user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN, is being modified. This change allows you to require end-users to set strong biometrics. And, if a change in strong biometrics is detected, you can require end-users to confirm their app protection policy (APP) PIN. You can find Android app protection polices in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Apps** > **App protection policies** > **Create policy** > **Android**. For more information, see [Android app protection policy settings in Microsoft Intune](../apps/app-protection-policy-settings-android.md#access-requirements). +The Android **Fingerprint instead of PIN for access** setting in Intune, which allows the end-user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN, is being modified. This change allows you to require end-users to set strong biometrics. And, if a change in strong biometrics is detected, you can require end-users to confirm their app protection policy (APP) PIN. You can find Android app protection policies in [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Apps** > **App protection policies** > **Create policy** > **Android**. For more information, see [Android app protection policy settings in Microsoft Intune](../apps/app-protection-policy-settings-android.md#access-requirements). 
#### Noncompliance details available for Android (AOSP) in Microsoft Intune app Android (AOSP) users can view noncompliance reasons in the Microsoft Intune app. These details describe why a device is marked noncompliant. This information is available on the Device details page for devices enrolled as user-associated Android (AOSP) devices. diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 35146ce5580..3791d16f6de 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 08/23/2024 +ms.date: 10/19/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -54,8 +54,8 @@ You can also read: > > For new information about Windows Autopilot solutions, see: > -> - [Windows Autopilot device preparation: What's new](/autopilot/device-preparation/whats-new). -> - [Windows Autopilot: What's new](/autopilot/whats-new). +> - [Windows Autopilot device preparation: What's new](/autopilot/device-preparation/whats-new) +> - [Windows Autopilot: What's new](/autopilot/whats-new) You can use RSS to be notified when this page is updated. For more information, see [How to use the docs](../../use-docs.md#notifications). 
@@ -76,6 +76,342 @@ You can use RSS to be notified when this page is updated. For more information, --> +## Week of October 14, 2024 (Service release 2410) + +### App management + +#### Updates to app configuration policies for Android Enterprise devices + +App configuration policies for Android Enterprise devices now support overriding the following permissions: + +- Access background location +- Bluetooth (connect) + +For more information about app configuration policies for Android Enterprise devices, see [Add app configuration policies for managed Android Enterprise devices](../apps/app-configuration-policies-use-android.md). + +Applies to: + +- Android Enterprise devices + +### Device configuration + +#### Windows Autopilot device preparation support in Intune operated by 21Vianet in China + +Intune now supports *Windows Autopilot device preparation* policy for [Intune operated by 21Vianet in China](../fundamentals/china.md) cloud. Customers with tenants located in China can now use *Windows Autopilot device preparation* with Intune to provision devices. 
+
+For information about this Autopilot support, see the following in the Autopilot documentation:
+
+- Overview: [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/overview)
+- Tutorial: [Windows Autopilot device preparation scenarios](/autopilot/device-preparation/tutorial/scenarios)
+
+### Device management
+
+#### Minimum OS version for Android devices is Android 10 and later for user-based management methods
+
+Beginning in October 2024, Android 10 and later is the minimum Android OS version that is supported for user-based management methods, which includes:
+
+- Android Enterprise personally-owned work profile
+- Android Enterprise corporate owned work profile
+- Android Enterprise fully managed
+- Android Open Source Project (AOSP) user-based
+- Android device administrator
+- App protection policies (APP)
+- App configuration policies (ACP) for managed apps
+
+For enrolled devices on unsupported OS versions (Android 9 and lower)
+
+- Intune technical support is not provided.
+- Intune won't make changes to address bugs or issues.
+- New and existing features aren't guaranteed to work.
+
+While Intune doesn't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
+
+Userless methods of Android device management (Dedicated and AOSP userless) and Microsoft Teams certified Android devices are not affected by this change.
+
+#### Collection of additional device inventory details
+
+Intune now collects additional files and registry keys to assist in troubleshooting the Device Hardware Inventory feature.
+
+Applies to:
+
+- Windows
+
+## Week of October 7, 2024
+
+### App management
+
+#### New UI for Intune Company Portal app for Windows
+
+The UI for the Intune Company Portal app for Windows is updated. Users now see an improved experience for their desktop app without changing the functionality they've used in the past.
Specific UI improvements are focused on the **Home**, **Devices**, and **Downloads & updates** pages. The new design is more intuitive and highlights areas where users need to take action.
+
+For more information, see [New look for Intune Company Portal app for Windows](https://techcommunity.microsoft.com/t5/intune-customer-success/new-look-for-intune-company-portal-app-for-windows/ba-p/4158755). For end user details, see [Install and share apps on your device](../user-help/install-apps-cpapp-windows.md).
+
+### Device security
+
+#### New strong mapping requirements for SCEP certificates authenticating with KDC
+
+The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that a Simple Certificate Enrollment Protocol (SCEP) certificate's subject alternative name (SAN) must have a security identifier (SID) extension that maps to the user or device SID in Active Directory. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working.
+
+To meet requirements, modify or create a SCEP certificate profile in Microsoft Intune. Then add a `URI` attribute and the `OnPremisesSecurityIdentifier` variable to the SAN. After you do that, Microsoft Intune appends a tag with the SID extension to the SAN and issues new certificates to targeted users and devices. If the user or device has a SID on premises that's been synced to Microsoft Entra ID, the certificate shows the SID. If they don't have a SID, a new certificate is issued without the SID.
+
+For more information and steps, see [Update certificate connector: Strong mapping requirements for KB5014754](../protect/certificates-profile-scep.md).
+
+Applies to:
+
+- Windows 10/11, iOS/iPadOS, and macOS user certificates
+- Windows 10/11 device certificates
+
+This requirement isn't applicable to device certificates used with Microsoft Entra joined users or devices, because the SID attribute is an on-premises identifier.
+
+#### Defender for Endpoint security settings support in government cloud environments (public preview)
+
+In public preview, customer tenants in US Government Community (GCC) High, and Department of Defense (DoD) environments can now use Intune to manage the Defender security settings on the devices that onboarded to Defender without enrolling those devices with Intune. This capability is known as [Defender for Endpoint security settings management](../protect/mde-security-integration.md).
+
+For more information about the Intune features supported in GCC High and DoD environments, see [Intune US Government service description](../fundamentals/intune-govt-service-description.md).
+
+## Week of September 30, 2024
+
+### Device security
+
+#### Updates to PKCS certificate issuance process in Microsoft Intune Certificate Connector, version 6.2406.0.1001
+
+We've updated the process for Public Key Cryptography Standards (PKCS) certificate issuance in Microsoft Intune to support the security identifiers (SID) information requirements described in [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). As part of this update, an OID attribute containing the user or device SID is added to the certificate. This change is available with the Certificate Connector for Microsoft Intune, version 6.2406.0.1001, and applies to users and devices synced from Active Directory on-premises to Microsoft Entra ID.
+
+The SID update is available for user certificates across all platforms, and for device certificates specifically on Microsoft Entra hybrid joined Windows devices.
+
+For more information, see:
+
+- [What's new for the certificate connector](../protect/certificate-connector-overview.md#september-19-2024)
+
+- [Apply PFX changes to certificate](../protect/certificates-pfx-configure.md)
+
+## Week of September 23, 2024 (Service release 2409)
+
+### App management
+
+#### Working Time settings for app protection policies
+
+Working time settings allow you to enforce policies that limit access to apps and mute message notifications received from apps during non-working time. The limit access setting is now available for the Microsoft Teams and Microsoft Edge apps. You can limit access by using App Protection Policies (APP) to block or warn end users from using the iOS/iPadOS or Android Teams and Microsoft Edge apps during non-working time by setting the **Non-working time** conditional launch setting. Also, you can create a non-working time policy to mute notifications from the Teams app to end users during non-working time.
+
+Applies to:
+
+- Android
+- iOS/iPadOS
+
+#### Streamlined app creation experience for apps from Enterprise App Catalog
+
+We've streamlined the way apps from Enterprise App Catalog are added to Intune. We now provide a direct app link rather than duplicating the app binaries and metadata. App contents now download from a `*.manage.microsoft.com` subdomain. This update helps to improve the latency when adding an app to Intune. When you add an app from Enterprise App Catalog, it syncs immediately and is ready for additional action from within Intune.
+
+#### Update Enterprise App Catalog apps
+
+Enterprise App Management is enhanced to allow you to update an **Enterprise App Catalog** app. This capability guides you through a wizard that allows you to add a new application and use supersedence to update the previous application.
+
+For more information, see [Guided update supersedence for Enterprise App Management](../apps/apps-eam-supersedence.md).
+
+### Device configuration
+
+#### Samsung ended support for multiple Android device administrator (DA) settings
+
+On Android device administrator managed (DA) devices, Samsung has deprecated many [Samsung Knox APIs](https://docs.samsungknox.com/dev/knox-sdk/api-reference/deprecated-api-methods/) (opens Samsung's web site) configuration settings.
+
+In Intune, this deprecation impacts the following device restrictions settings, compliance settings, and trusted certificate profiles:
+
+- [Device restriction settings for Android in Microsoft Intune](../configuration/device-restrictions-android.md)
+- [View the Android device administrator compliance settings for Microsoft Intune compliance policies](../protect/compliance-policy-create-android.md)
+- [Create trusted certificate profiles in Microsoft Intune](../protect/certificates-trusted-root.md#trusted-certificate-profiles-for-android-device-administrator)
+
+In the Intune admin center, when you create or update a profile with these settings, the impacted settings are noted.
+
+Though the functionality might continue to work, there's no guarantee that it will continue working for any or all Android DA versions supported by Intune. For more information on Samsung support for deprecated APIs, see [What kind of support is offered after an API is deprecated?](https://docs.samsungknox.com/dev/knox-sdk/faqs/general/deprecated-api-support-change.htm) (opens Samsung's web site).
+
+Instead, you can manage Android devices with Intune using one of the following Android Enterprise options:
+
+- [Set up enrollment of Android Enterprise personally owned work profile devices](../enrollment/android-work-profile-enroll.md)
+- [Set up Intune enrollment of Android Enterprise corporate-owned devices with work profile](../enrollment/android-corporate-owned-work-profile-enroll.md)
+- [Set up enrollment for Android Enterprise fully managed devices](../enrollment/android-fully-managed-enroll.md)
+- [Set up Intune enrollment of Android Enterprise dedicated devices](../enrollment/android-kiosk-enroll.md)
+- [App protection policies overview](../apps/app-protection-policy.md)
+
+Applies to:
+
+- Android device administrator (DA)
+
+#### Device Firmware Configuration Interface (DFCI) supports VAIO devices
+
+For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type.
+
+Some VAIO devices running Windows 10/11 are enabled for DFCI. Contact your device vendor or device manufacturer for eligible devices.
+
+For more information about DFCI profiles, see:
+
+- [Configure Device Firmware Configuration Interface (DFCI) profiles on Windows devices in Microsoft Intune](../configuration/device-firmware-configuration-interface-windows.md)
+- [Device Firmware Configuration Interface (DFCI) management with Windows Autopilot](../../autopilot/dfci-management.md)
+
+Applies to:
+
+- Windows 10
+- Windows 11
+
+#### New settings available in the Apple settings catalog
+
+The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place.
For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md). + +There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type. + +##### iOS/iPadOS + +**Declarative Device Management (DDM) > Math Settings**: + +- Calculator + - Basic Mode + - Math Notes Mode + - Scientific Mode + +- System Behavior + - Keyboard Suggestions + - Math Notes + +**Web Content Filter**: + +- Hide Deny List URLs + +##### macOS + +**Declarative Device Management (DDM) > Math Settings**: + +- Calculator + - Basic Mode + - Math Notes Mode + - Programmer Mode + - Scientific Mode + +- System Behavior + - Keyboard Suggestions + - Math Notes + +**System Configuration > System Extensions**: + +- Non Removable From UI System Extensions +- Non Removable System Extensions + +#### Consent prompt update for remote log collection + +End users might see a different consent experience for remote log collection after the Android APP SDK 10.4.0 and iOS APP SDK 19.6.0 updates. End users no longer see a common prompt from Intune and only see a prompt from the application, if it has one. + +Adoption of this change is per-application and is subject to each applications release schedule. + +Applies to: + +- Android +- iOS/iPadOS + +### Device enrollment + +#### New Setup Assistant screens available for configuration for ADE + +New Setup Assistant screens are available to configure in the Microsoft Intune admin center. You can hide or show these screens during automated device enrollment (ADE). + +For macOS: + +- **Wallpaper**: Show or hide the macOS Sonoma wallpaper setup pane that appears after an upgrade on devices running macOS 14.1 and later. 
+- **Lockdown mode**: Show or hide the lockdown mode setup pane on devices running macOS 14.1 and later.
+- **Intelligence**: Show or hide the Apple Intelligence setup pane on devices running macOS 15 and later.
+
+For iOS/iPadOS:
+
+- **Emergency SOS**: Show or hide the safety setup pane on devices running iOS/iPadOS 16 and later.
+- **Action button**: Show or hide the setup pane for the action button on devices running iOS/iPadOS 17 and later.
+- **Intelligence**: Show or hide the Apple Intelligence setup pane on devices running iOS/iPadOS 18 and later.
+
+You can configure these screens in new and existing enrollment policies. For more information and additional resources, see:
+
+- [Set up Apple automated device enrollment for iOS/iPadOS](../enrollment/device-enrollment-program-enroll-ios.md)
+- [Set up Apple automated device enrollment for Macs](../enrollment/device-enrollment-program-enroll-macos.md)
+
+#### Extended expiration date for corporate-owned, user-associated AOSP enrollment tokens
+
+Now when you create an enrollment token for Android Open Source Project (AOSP) corporate-owned, user-associated devices, you can select an expiration date that's up to 65 years into the future, an improvement over the previous 90 day expiration date. You can also modify the expiration date of existing enrollment tokens for Android Open Source Project (AOSP) corporate-owned, user-associated devices.
+
+### Device security
+
+#### New disk encryption template for Personal Data Encryption
+
+You can now use the new *Personal Data Encryption* (PDE) template that is available through endpoint security [*disk encryption* policy](../protect/encrypt-devices.md). This new template configures the Windows [PDE configuration service provider](/windows/client-management/mdm/personaldataencryption-csp) (CSP), which was introduced in Windows 11 22H2. The PDE CSP is also available through the settings catalog.
+
+PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
+
+Applies to:
+
+- Windows 11 version 22h2 or later
+
+For more information about PDE, including prerequisites, related requirements, and recommendations, see the following articles in the Windows security documentation:
+
+- [PDE overview](/windows/security/operating-system-security/data-protection/personal-data-encryption/)
+- [Configure PDE](/windows/security/operating-system-security/data-protection/personal-data-encryption/configure)
+- [PDE frequently asked questions (FAQ)](/windows/security/operating-system-security/data-protection/personal-data-encryption/faq)
+
+### Intune Apps
+
+#### Newly available protected app for Intune
+
+The following protected app is now available for Microsoft Intune:
+
+- Notate for Intune by Shafer Systems, LLC
+
+For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
+
+## Week of September 9, 2024
+
+### App management
+
+#### Managed Home Screen user experience update
+
+All Android devices automatically migrate to the updated Managed Home Screen (MHS) user experience. For more information, see [Updates to the Managed Home Screen experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-managed-home-screen-experience/bc-p/3997842).
+
+### Device enrollment
+
+#### Support has ended for Apple profile-based user enrollment with Company Portal
+
+Apple supports two types of manual enrollment methods for users and devices in bring-your-own-device (BYOD) scenarios: *profile-based enrollment* and *account-driven enrollment*.
Apple has ended support for profile-based user enrollment, known in Intune as *user enrollment with Company Portal*. This method was their privacy-focused BYOD enrollment flow that used managed Apple IDs. As a result of this change, Intune has ended support for [profile-based user enrollment with Company Portal](../enrollment/apple-user-enrollment-with-company-portal.md). Users can no longer enroll devices targeted with this enrollment profile type. This change doesn't affect devices that are already enrolled with this profile type, so you can continue to manage them in the admin center and receive Microsoft Intune technical support. Less than 1% of Apple devices across all Intune tenants are currently enrolled this way, so this change doesn't affect most enrolled devices.
+
+There's no change to profile-based device enrollment with Company Portal, the default enrollment method for BYOD scenarios. Devices enrolled via Apple automated device enrollment also remain unaffected.
+
+We recommend account-driven user enrollment as a replacement method for devices. For more information about your BYOD enrollment options in Intune, see:
+
+- [Account-driven user enrollment](../enrollment/apple-account-driven-user-enrollment.md)
+- [Web-based device enrollment](../enrollment/web-based-device-enrollment-ios.md)
+- [Device enrollment with Company Portal](../enrollment/ios-device-enrollment.md#app-or-web-based-enrollment) (default enrollment method for BYOD scenarios)
+
+For more information about the device enrollment types supported by Apple, see [Intro to Apple device enrollment types](https://support.apple.com/en-mide/guide/deployment/dep08f54fcf6/web) in the Apple Platform Deployment guide.
+
+### Device management
+
+#### Intune now supports iOS/iPadOS 16.x as the minimum version
+
+Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple.
Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require iOS/iPadOS 16 and higher shortly after the iOS/iPadOS 18 release. + +For more information on this change, see [Plan for change: Intune is moving to support iOS/iPadOS 16 and later](whats-new.md#plan-for-change-intune-is-moving-to-support-iosipados-16-and-later). + +> [!NOTE] +> Userless iOS and iPadOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see [Support statement for supported versus allowed iOS/iPadOS versions for user-less devices](https://aka.ms/ADE_userless_support). + +Applies to: + +- iOS/iPadOS + +#### Intune now supports macOS 13.x as the minimum version + +With Apple's release of macOS 15 Sequoia, Microsoft Intune, the Company Portal app, and the Intune MDM agent will now require macOS 13 (Ventura) and later. + +For more information on this change, see [Plan for change: Intune is moving to support macOS 13 and later](whats-new.md#plan-for-change-intune-is-moving-to-support-macos-13-and-higher-later-this-year) + +> [!NOTE] +> macOS devices enrolled through Automated Device Enrollment (ADE) have a slightly nuanced support statement due to their shared usage. For more information, see [Support statement](https://aka.ms/Intune/macOS/ADE-DE-support). + +Applies to: + +- macOS + ## Week of August 19, 2024 (Service release 2408) ### Microsoft Intune Suite 
@@ -118,7 +454,7 @@ For related information, see: #### Updates to the Discovered Apps report -The **Discovered Apps** report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we are including it as a column in the **Discovered Apps** report. +The **Discovered Apps** report, which provides a list of detected apps that are on Intune enrolled devices for your tenant, now provides publisher data for Win32 apps, in addition to Store apps. Rather than providing publisher information only in the exported report data, we're including it as a column in the **Discovered Apps** report. For more information, see [Intune Discovered apps](../apps/app-discovered-apps.md#monitor-discovered-apps-with-intune). @@ -166,6 +502,13 @@ There are new settings in the Apple Settings Catalog. To see these settings, in **Restrictions**: - Allow ESIM Outgoing Transfers +- Allow Genmoji +- Allow Image Playground +- Allow Image Wand +- Allow iPhone Mirroring +- Allow Personalized Handwriting Results +- Allow Video Conferencing Remote Control +- Allow Writing Tools ##### macOS @@ -218,6 +561,13 @@ There are new settings in the Apple Settings Catalog. To see these settings, in - Enable - Enable Rollback +**Restrictions**: + +- Allow Genmoji +- Allow Image Playground +- Allow iPhone Mirroring +- Allow Writing Tools + **System Policy > System Policy Control**: - Enable XProtect Malware Upload 
@@ -246,7 +596,7 @@ For more information, see [Connect Intune account to Managed Google Play account ### Device management -#### 21 Vianet support for Mobile Threat Defense connectors +#### 21Vianet support for Mobile Threat Defense connectors Intune operated by 21Vianet now supports Mobile Threat Defense (MTD) connectors for Android and iOS/iPadOS devices for MTD vendors that also have support in that environment. When an MTD partner is supported and you sign in to a 21Vianet tenant, the supported connectors are available. @@ -360,7 +710,7 @@ For more information, see: ### Microsoft Intune Suite -#### Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 is available for GCC High and DoD +#### Endpoint Privilege Management, Advanced Analytics, and Intune Plan 2 are available for GCC High and DoD We are excited to announce that the following capabilities from the Microsoft Intune Suite are now supported in U.S. Government Community Cloud (GCC) High and U.S. Department of Defense (DoD) environments. 
@@ -383,17 +733,18 @@ For more information, see: ### Device enrollment #### ACME protocol support for iOS/iPadOS and macOS enrollment + As we prepare to support managed device attestation in Intune, we are starting a phased rollout of an infrastructure change for new enrollments that includes support for the *Automated Certificate Management Environment (ACME) protocol*. Now when new Apple devices enroll, the management profile from Intune receives an ACME certificate instead of a SCEP certificate. ACME provides better protection than SCEP against unauthorized certificate issuance through robust validation mechanisms and automated processes, which helps reduce errors in certificate management. -Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies. +Existing OS and hardware eligible devices do not get the ACME certificate unless they re-enroll. There is no change to the end user's enrollment experience, and no changes to the Microsoft Intune admin center. This change only impacts enrollment certificates and has no impact on any device configuration policies. -ACME is supported for Apple Device Enrollment and Apple Configurator enrollment methods. Eligible OS versions include: +ACME is supported for Apple Device Enrollment, Apple Configurator enrollment, and Automated device enrollment (ADE) methods. Eligible OS versions include: - iOS 16.0 or later - iPadOS 16.1 or later - macOS 13.1 or later -## Week of July 22, 2024 (Service release 2407) +## Week of July 22, 2024 (Service release 2407) ### Microsoft Intune Suite 
@@ -467,7 +818,7 @@ In an Intune device restrictions configuration policy, you can configure the **A The available options are updated to **Allow**, **Block**, and **Not configured**. -There is no impact to existing profiles using this setting. +There's no impact to existing profiles using this setting. For more information on this setting and the values you can currently configure, see [Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune](../configuration/device-restrictions-android-for-work.md). @@ -611,7 +962,7 @@ The following protected apps are now available for Microsoft Intune: - HCSS Field: Time, cost, safety (iOS) by Heavy Construction Systems Specialists, Inc. - Synchrotab for Intune (iOS) by Synchrotab, LLC -For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). +For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). ## Week of July 15, 2024 
@@ -621,9 +972,7 @@ For more information about protected apps, see [Microsoft Intune protected apps] We've added a new category and setting to the Device Control profile for the *Windows 10, Windows 11, and Windows Server* platform of Intune [Attack surface reduction policy](../protect/endpoint-security-asr-policy.md). -The new setting is **Allow Storage Card**, and found in the new **System** category of the profile. This setting is also available from the Intune [settings catalog](../configuration/settings-catalog.md). - -for the Windows devices. +The new setting is **Allow Storage Card**, and found in the new **System** category of the profile. This setting is also available from the Intune [settings catalog](../configuration/settings-catalog.md) for the Windows devices. This setting controls whether the user is allowed to use the storage card for device storage, and can prevent programmatic access to the storage card. For more information on this new setting, see [AllowStorageCard](/windows/client-management/mdm/policy-csp-system?branch=main&branchFallbackFrom=pr-en-us-15655&WT.mc_id=Portal-fx#allowstoragecard) in the Windows documentation. 
@@ -662,18 +1011,18 @@ You can now configure Managed Home Screen (MHS) to enable a virtual app-switcher We've made changes to the device registration process for Apple devices enrolling with Intune Company Portal. Previously, Microsoft Entra device registration occurred during enrollment. With this change, registration occurs after enrollment. -Existing enrolled devices are not affected by this change. For new user or device enrollments that utilize Company Portal, users must return to Company Portal to complete registration: +Existing enrolled devices aren't affected by this change. For new user or device enrollments that utilize Company Portal, users must return to Company Portal to complete registration: -- For iOS users: Users with notifications enabled will be prompted to return to the Company Portal app for iOS. If they disable notifications, they won't be alerted, but still need to return to Company Portal to complete registration. +- For iOS users: Users with notifications enabled are prompted to return to the Company Portal app for iOS. If they disable notifications, they aren't alerted, but still need to return to Company Portal to complete registration. -- For macOS devices: The Company Portal app for macOS will detect the installation of the management profile and automatically register the device, unless the user closes the app. If they close the app, they must reopen it to complete registration. +- For macOS devices: The Company Portal app for macOS detects the installation of the management profile and automatically register the device, unless the user closes the app. If they close the app, they must reopen it to complete registration. -If you're using dynamic groups, which rely on device registration to work, it's important for users to complete device registration. Update your user guidance and admin documentation as needed. If you're using Conditional Access (CA) policies, no action is required. 
When users attempt to sign in to a CA-protected app, they will be prompted to return to Company Portal to complete registration. +If you're using dynamic groups, which rely on device registration to work, it's important for users to complete device registration. Update your user guidance and admin documentation as needed. If you're using Conditional Access (CA) policies, no action is required. When users attempt to sign in to a CA-protected app, they are prompted to return to Company Portal to complete registration. -These changes are currently rolling out and will be made available to all Microsoft Intune tenants by the end of July. There's no change to the Company Portal user interface. For more information about device enrollment for Apple devices, see: +These changes are currently rolling out and will be made available to all Microsoft Intune tenants by the end of July. There's no change to the Company Portal user interface. For more information about device enrollment for Apple devices, see: - [Enrollment guide: Enroll macOS devices in Microsoft Intune](../fundamentals/deployment-guide-enrollment-macos.md#device-enrollment-end-user-tasks) -- [Enrollment guide: Enroll iOS and iPadOS devices in Microsoft Intune](../fundamentals/deployment-guide-enrollment-ios-ipados.md#user-and-device-enrollment-end-user-tasks) +- [Enrollment guide: Enroll iOS and iPadOS devices in Microsoft Intune](../fundamentals/deployment-guide-enrollment-ios-ipados.md) ## Week of June 24, 2024 
@@ -681,7 +1030,7 @@ These changes are currently rolling out and will be made available to all Micros #### Add corporate device identifiers for Windows -Microsoft Intune now supports corporate device identifiers for devices running Windows 11, version 22H2 and later so that you can identify corporate machines ahead of enrollment. When a device that matches the model, manufacturer, and serial number criteria enrolls, Microsoft Intune will mark it as a corporate device and enable the appropriate management capabilities. For more information, see [Add corporate identifiers](../enrollment/corporate-identifiers-add.md). +Microsoft Intune now supports corporate device identifiers for devices running Windows 11, version 22H2 and later so that you can identify corporate machines ahead of enrollment. When a device that matches the model, manufacturer, and serial number criteria enrolls, Microsoft Intune marks it as a corporate device and enable the appropriate management capabilities. For more information, see [Add corporate identifiers](../enrollment/corporate-identifiers-add.md). ## Week of June 17, 2024 (Service release 2406) @@ -793,7 +1142,7 @@ For more information, see [Create device platform restrictions](../enrollment/cr ### Updates to replace Wandera with Jamf is complete in the Intune admin center -We've completed rebranding in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now *Jamf*, and changes to the minimum required platforms to use the Jamf connector: +We've completed a rebrand in the Microsoft Intune admin center to support replacing Wandera with Jamf. This includes updates to the name of the Mobile Threat Defense connector, which is now *Jamf*, and changes to the minimum required platforms to use the Jamf connector: - Android 11 and later - iOS / iPadOS 15.6 and later 
@@ -857,7 +1206,7 @@ Each new permission supports the following rights for the related policy:
 - Update
 - View Reports
-Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the *Security baselines* permission. If you use custom roles with the *Security baselines* permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the *Security baseline* permission. This auto-assignment ensures your admins continue to have the same permissions they have today.
+Each time we add a new granular permission for an endpoint security policy to Intune, those same rights are removed from the *Security baselines* permission. If you use custom roles with the *Security baselines* permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the *Security baseline* permission. This autoassignment ensures your admins continue to have the same permissions they have today.
 For more information about current RBAC permissions and built-in roles, see:
@@ -875,7 +1224,7 @@ For more information about current RBAC permissions and built-in roles, see:
 #### New enrollment time grouping feature for devices
-Enrollment time grouping is a new, faster way to group devices during enrollment. When it's configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies.
+Enrollment time grouping is a new, faster way to group devices during enrollment. When configured, Intune adds devices to the appropriate group without requiring inventory discovery and dynamic membership evaluations. To set up enrollment time grouping, you must configure a static Microsoft Entra security group in each enrollment profile. After a device enrolls, Intune adds it to the static security group and delivers assigned apps and policies.
 This feature is available for Windows 11 devices enrolling via Windows Autopilot device preparation.
 For more information, see [Enrollment time grouping in Microsoft Intune](../enrollment/enrollment-time-grouping.md).
@@ -962,7 +1311,7 @@ When frontline workers receive the devices, all they have to do is connect to Wi
 End users can now view the BitLocker Recovery Key for enrolled Windows devices from the Company Portal website. This capability can reduce helpdesk calls in the event the end user gets locked out of their corporate machines. End users can access the recovery key for an enrolled device by signing into the Company Portal website and selecting **Show recovery key**. This experience is similar to the MyAccount website, which also allows end users to see recovery keys.
-You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Entra ID toggle **Restrict non-admin users from recovering the BitLocker key(s) for their owned device**.
+You can prevent end users within your organization from accessing BitLocker recovery keys by configuring the Microsoft Entra toggle **Restrict non-admin users from recovering the BitLocker key(s) for their owned device**.
 For more information, see:
@@ -985,9 +1334,9 @@ Applies to:
 #### Optional Feature updates
-Feature updates can now be made available to end users as **Optional** updates, with the introduction of **Optional** Feature updates. End users will see the update in the **Windows Update** settings page in the same way that it's shown for consumer devices.
+Feature updates can now be made available to end users as **Optional** updates, with the introduction of **Optional** Feature updates. End users see the update in the **Windows Update** settings page in the same way that it's shown for consumer devices.
-End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a **Required** update to devices that do not yet have it installed.
+End users can easily opt in to try out the next Feature update and provide feedback. When it's time to roll out the feature as a **Required** update, then admins can change the setting on the policy, and update the rollout settings so that the update is deployed as a **Required** update to devices that don't yet have it installed.
 For more information on Optional Feature updates, see [Feature updates for Windows 10 and later policy in Intune](..//protect/windows-10-feature-updates.md#create-and-assign-feature-updates-for-windows-10-and-later-policy).
@@ -1059,9 +1408,9 @@ For related information, see [Change the Portal settings](../fundamentals/tutori
 #### Updates to the Managed Home Screen experience
-We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app has been redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience.
+We recently released and improved the Managed Home Screen experience, which is now Generally Available. The app is redesigned to improve the core workflows throughout the application. The updated design offers a more usable and supportable experience.
-With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience will automatically be enabled for all devices.
+With the release, we stop investing in previous Managed Home Screen workflows. New features and fixes for Managed Home Screen are only added to the new experience. During August 2024, the new experience is automatically enabled for all devices.
 For more information, see [Configure the Microsoft Managed Home Screen app for Android Enterprise](../apps/app-configuration-managed-home-screen-app.md) and [Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune](../configuration/device-restrictions-android-for-work.md).
@@ -1203,368 +1552,6 @@ Applies to: - macOS 12, 13 and 14 -## Week of April 15, 2024 - -### Intune apps - -#### Newly available protected app for Intune - -The following protected app is now available for Microsoft Intune: - -- Atom Edge by Arlanto Apps - -For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md). - -## Week of April 1, 2024 - -### Device management - -#### Copilot in Intune is available in the Intune admin center (public preview) - -Copilot in Intune is integrated in the Intune admin center, and can help you get information quickly. You can use Copilot in Intune for the following tasks: - -✅ **Copilot can help you manage your settings and policies** - -- **Copilot tooltip on settings**: When you add settings to a policy or review settings in an existing policy, there's a new Copilot tooltip. When you select the tooltip, you get AI generated guidance based on Microsoft content and recommendations. You can see what each setting does, how the setting works, any recommended values, if the setting is configured in another policy, and more. - -- **Policy summarizer**: On existing policies, you get a Copilot summary of the policy. The summary describes what the policy does, the users and groups assigned to the policy, and the settings in the policy. This feature can help you understand the impact of a policy and its settings on your users and devices. - -✅ **Copilot shows device details and can help troubleshoot** - -- **All about a device**: On a device, you can use Copilot to get key information about the device, including its properties, configuration, and status information. - -- **Device compare**: Use Copilot to compare the hardware properties and device configurations of two devices. This feature helps you determine what's different between two devices with similar configurations, especially when troubleshooting. 
- -- **Error code analyzer**: Use Copilot in the device view to analyze an error code. This feature helps you understand what the error means and provides a potential resolution. - -✅ **Intune capabilities in Copilot for Security** - -Intune has capabilities available in the Copilot for Security portal. SOC Analysts and IT admins can use these capabilities to get more information on policies, devices, group membership, and more. On a single device, you can get more specific information that's unique to Intune, like compliance status, device type, and more. - -You can also ask Copilot to tell you about a user's devices and get a quick summary of critical information. For example, the output shows links to the user's devices in Intune, device ID, enrollment date, last check-in date, and compliance status. If you're an IT admin and reviewing a user, then this data provides a quick summary. - -As a SOC analyst that's investigating a suspicious or potentially compromised user or device, information like enrollment date and last check-in can help you make informed decisions. - -For more information on these features, see: - -- [Microsoft Copilot in Intune](../copilot/copilot-intune-overview.md) -- [Access your Microsoft Intune data in Copilot for Security](../copilot/security-copilot.md) - -Applies to: - -- Android -- iOS/iPadOS -- macOS -- Windows - -#### GCC customers can use Remote Help for Windows and Android devices - -The [Microsoft Intune Suite](intune-add-ons.md) includes advanced endpoint management and security features, including Remote Help. - -On Windows and enrolled Android Enterprise dedicated devices, you can use remote help on US Government GCC environments. 
- -For more information on these features, see: - -- [Microsoft Intune for US Government GCC service description](intune-govt-service-description.md) -- [Use Remote Help with Microsoft Intune](remote-help.md) - -Applies to: - -- Windows 10/11 -- Windows 10/11 on ARM64 devices -- Windows 365 -- Samsung and Zebra devices enrolled as Android Enterprise dedicated devices - -### Device configuration - -#### New BIOS device configuration profile for OEMs - -There's a new **BIOS configuration and other settings** device configuration policy for OEMs. Admins can use this new policy to enable or disable different BIOS features that secure device. In the Intune device configuration policy, you add the BIOS configuration file, deploy a Win32 app, and then assign the policy to your devices. - -For example, admins can use the [Dell Command tool](https://www.dell.com/support/kbdoc/000108963/how-to-use-and-troubleshoot-dell-command-update-to-update-all-drivers-bios-and-firmware-for-your-system) (opens Dell's website) to create the BIOS configuration file. Then, they add this file to the new Intune policy. - -For more information on this feature, see [Use BIOS configuration profiles on Windows devices in Microsoft Intune](../configuration/bios-configuration.md). - -Applies to - -- Windows 10 and later - -## Week of March 25, 2024 (Service release 2403) - -### Microsoft Intune Suite - -#### New elevation type for Endpoint Privilege Management - -Endpoint Privilege Management has a new file elevation type, **support approved**. Endpoint Privilege Management is a feature component of the Microsoft Intune Suite and is also available as a standalone [Intune add-on](../fundamentals/intune-add-ons.md). - -A support-approved elevation gives you a third option for both the default elevation response and the elevation type for each rule. 
Unlike automatic or user confirmed, a support-approved elevation request requires Intune administrators to manage which files can run as elevated on a case-by-case basis. - -With support approved elevations, users can request approval to elevate an application that isn't explicitly allowed for elevation by automatic or user approved rules. This takes the form of an elevation request that must be reviewed by an Intune administrator who can approve or deny the elevation request. - -When the request is approved, users are notified that the application can now be run as elevated, and they have 24 hours from the time of approval to do so before the elevation approval expires. - -Applies to: - -- Windows 10 -- Windows 11 - -For more information on this new capability, see [Support approved elevation requests](../protect/epm-support-approved.md). - -### App management - -#### Extended capabilities for Managed Google Play apps on personally owned Android devices with a work profile - -There are new capabilities extended to work profile devices. The following capabilities were previously available only on corporate-owned devices: - -- **Available apps for device groups**: You can use Intune to make apps available for device groups through the Managed Google Play store. Previously, apps could only be made available to user groups. - -- **Update priority setting**: You can use Intune to configure the app update priority on devices with a work profile. To learn more about this setting, see [Update a Managed Google Play app](../apps/apps-add-android-for-work.md#update-a-managed-google-play-app). - -- **Required apps display as available in Managed Google Play**: You can use Intune to make required apps available for users through the Managed Google Play store. Apps that are part of existing policies now display as available. - -These new capabilities will follow a phased rollout over multiple months. 
- -Applies to: - -- Android Enterprise personally owned devices with a work profile - -### Device configuration - -#### New settings available in the Apple settings catalog - -The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md). - -There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **iOS/iPadOS** or **macOS** for platform > **Settings catalog** for profile type. - -##### iOS/iPadOS - -**Declarative Device Management (DDM) > Passcode**: - -- Maximum Passcode Age In Days -- Minimum Complex Characters -- Require Alphanumeric Passcode - -**Restrictions**: - -- Allow Marketplace App Installation - -##### macOS - -**Declarative Device Management (DDM) > Passcode**: - -- Change At Next Auth -- Custom Regex -- Failed Attempts Reset In Minutes -- Maximum Passcode Age In Days -- Minimum Complex Characters -- Require Alphanumeric Passcode - -**Full Disk Encryption > FileVault**: - -- Recovery Key Rotation In Months - -#### New settings available in the Windows settings catalog - -The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. - -There are new settings in the Settings Catalog. To see these settings, in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Settings catalog** for profile type. 
- -- **Delivery optimization**: - - - **DO Disallow Cache Server Downloads On VPN** - This setting blocks downloads from Microsoft Connected Cache servers when the device connects using VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected using VPN. - - - **DO Set Hours To Limit Background Download Bandwidth** - This setting specifies the maximum background download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - - - **DO Set Hours To Limit Foreground Download Bandwidth** - This setting specifies the maximum foreground download bandwidth. Delivery Optimization uses this bandwidth during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - - - **DO Vpn Keywords** - This policy allows you to set one or more keywords used to recognize VPN connections. - -- **Messaging**: - - - **Allow Message Sync** - This policy setting allows the backup and restore of cellular text messages to Microsoft's cloud services. 
- -- **Microsoft Defender Antivirus**: - - - **Specify the maximum depth to scan archive files** - - **Specify the maximum size of archive files to be scanned** - -For more information on these settings, see: - -- [Policy CSP - DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) -- [Policy CSP - Messaging](/windows/client-management/mdm/policy-csp-messaging#allowmessagesync) -- [Policy CSP - ADMX_MicrosoftDefenderAntivirus](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus) - -Applies to: - -- Windows 10 and later - -#### New archive file scan settings added to Antivirus policy for Windows devices - -We added the following two settings to the *Microsoft Defender Antivirus* profile for [endpoint security Antivirus policy](../protect/endpoint-security-antivirus-policy.md#antivirus-profiles) that apply to Windows 10 and Windows 11 devices: - -- [Specify the maximum depth to scan archive files](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan_archivemaxdepth) - This setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. -- [Specify the maximum size of archive files to be scanned](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan_archivemaxsize) - This setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that are scanned. The value represents file size in kilobytes (KB). - -With Antivirus policy, you can manage these settings on devices enrolled by Intune and on devices managed through the [Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario. 
- -Both settings are also available in the [settings catalog](../configuration/settings-catalog.md) at **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later** for platform > **Settings catalog** for profile type > **Defender**. - -Applies to: - -- Windows 10 -- Windows 11 - -#### Updates to assignment filters - -You can use [Intune assignment filters](filters.md) to assign a policy based on rules you create. - -Now, you can: - -- Use managed app assignment filters for Window MAM app protection policies and app configuration policies. -- Filter your existing assignment filters by **Platform**, and by the **Managed apps** or **Managed devices** filter type. When you have many filters, this feature makes it easier to find specific filters you created. - -For more information on these features, see: - -- [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](filters.md) -- [Data protection for Windows MAM](../apps/protect-mam-windows.md) - -This feature applies to: - -- **Managed devices** on the following platforms: - - - Android device administrator - - Android Enterprise - - Android (AOSP) - - iOS/iPadOS - - macOS - - Windows 10/11 - -- **Managed apps** on the following platforms: - - - Android - - iOS/iPadOS - - Windows - -### Device management - -#### New compliance setting lets you verify device integrity using hardware-backed security features - -A new compliance setting called **Check strong integrity using hardware-backed security features** lets you verify device integrity using hardware-backed key attestation. If you configure this setting, strong integrity attestation is added to Google Play's integrity verdict evaluation. Devices must meet device integrity to remain compliant. Microsoft Intune marks devices that don't support this type of integrity check as noncompliant. 
- -This setting is available in profiles for Android Enterprise fully managed, dedicated, and corporate-owned work profile, under **Device Health** > **Google Play Protect**. It only becomes available when the Play integrity verdict policy in your profile is set to **Check basic integrity** or **Check basic integrity & device integrity**. - -Applies to: - -- Android Enterprise - -For more information, see [Device compliance - Google Play Protect](../protect/compliance-policy-create-android-for-work.md#google-play-protect). - -#### New compliance settings for Android work profile, personal devices - -Now you can add compliance requirements for work profile passwords without impacting device passwords. All new Microsoft Intune settings are available in compliance profiles for Android Enterprise personally owned work profiles under **System Security** > **Work Profile Security**, and include: - -- Require a password to unlock work profile -- Number of days until password expires -- Number of previous passwords to prevent reuse -- Maximum minutes of inactivity before password is required -- Password complexity -- Required password type -- Minimum password length - -If a work profile password fails to meet requirements, Company Portal marks the device as noncompliant. Intune compliance settings take precedence over the respective settings in an Intune device configuration profile. For example, the password complexity in your compliance profile is set to *medium*. The password complexity in a device configuration profile is set to *high*. Intune prioritizes and enforces the compliance policy. - -Applies to: - -- Android Enterprise personally owned devices with a work profile - -For more information, see [Compliance settings - Android Enterprise](../protect/compliance-policy-create-android-for-work.md#personally-owned-work-profile). 
- -#### Windows quality updates support for expediting non-security updates - -Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings. - -Applies to: - -- Windows 11 devices - -For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../protect/windows-10-expedite-updates.md#create-and-assign-an-expedited-quality-update). - -#### Introducing a remote action to pause the config refresh enforcement interval - -In the Windows Settings Catalog, you can configure **Configuration Refresh**. This feature lets you set a cadence for Windows devices to reapply previously received policy settings, without requiring devices to check in to Intune. The device will replay and re-enforce settings based on previously received policy to minimize the chance for configuration drift. - -To support this feature, a remote action is added to allow a pause in action. If an admin needs to make changes or run remediation on a device for troubleshooting or maintenance, they can issue a pause from Intune for a specified period. When the period expires, settings are enforced again. - -The remote action **Pause configuration refresh** can be accessed from the device summary page. - -For more information, see: - -- [Remote actions](../remote-actions/device-management.md) -- [Pause Config Refresh Remote action](../remote-actions/pause-config-refresh.md) - -### Device security - -#### Updated security baseline for Windows version 23H2 - -You can now deploy the Intune security baseline for Windows version 23H2. 
This new baseline is based on the **version 23H2** of the Group Policy security baseline found in the [Security Compliance Toolkit and Baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) from the Microsoft Download Center, and includes only the settings that are applicable to devices managed through Intune. Use of this updated baseline can help you maintain best-practice configurations for your Windows devices. - -This baseline uses the unified settings platform seen in the Settings Catalog. It features an improved user interface and reporting experience, consistency and accuracy improvements related to setting tattooing, and can support assignment filters for profiles. - -Use of [Intune security baselines](../protect/security-baselines.md) can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. As with all baselines, the default baseline represents the recommended configurations, which you can modify to meet the requirements of your organization. - -Applies to: - -- Windows 10 -- Windows 11 - -To view the new baselines included settings with their default configurations, see, [Windows MDM security baseline version 23H2](../protect/security-baseline-settings-mdm-all.md?pivots=mdm-23h2). - -#### Use a rootless implementation of Podman to host Microsoft Tunnel - -When prerequisites are met, you can use a rootless Podman container to host a Microsoft Tunnel server. This capability is available when you use [Podman for Red Hat Enterprise Linux (RHEL)](../protect/microsoft-tunnel-prerequisites.md#linux-server) version 8.8 or later, to host Microsoft Tunnel. - -When using a rootless Podman container, the mstunnel services run under a non-privileged service user. This implementation can help limit impact from a container escape. To use a rootless Podman container, you must start the tunnel installation script using a modified command line. 
- -For more information about this Microsoft Tunnel install option, see [Use a rootless Podman container](../protect/microsoft-tunnel-configure.md#use-a-rootless-podman-container). - -#### Improvements for Intune deployments of Microsoft Defender for Endpoint - -We improved and simplified the experience, workflow, and report details for onboarding devices to Microsoft Defender when using Intune's endpoint detection and response (EDR) policy. These changes apply for Windows devices managed by Intune and by the tenant-attach scenario. These improvements include: - -- Changes to the EDR node, dashboards, and reports to improve the visibility of your Defender EDR deployment numbers. See [About the endpoint detection and response node](../protect/endpoint-security-edr-policy.md#about-the-endpoint-detection-and-response-node). - -- A new tenant-wide option to deploy a preconfigured EDR policy that streamlines the deployment of Defender for Endpoint to applicable Windows devices. See [Use a preconfigured EDR policy](../protect/endpoint-security-edr-policy.md#use-a-preconfigured-edr-policy). - -- Changes to Intune's the Overview page of the endpoint security node. These changes provide a consolidated view of reports for the device signals from Defender for Endpoint on your managed devices. See [Use a preconfigured EDR policy](../protect/endpoint-security-edr-policy.md#use-a-preconfigured-edr-policy). - -These changes apply to the Endpoint security and endpoint detection and response nodes of the admin center, and the following device platforms: - -- Windows 10 -- Windows 11 - -#### Windows quality updates support expediting non-security updates - -Windows quality updates now support expediting non-security updates for those times when a quality fix needs to be deployed faster than the normal quality update settings. 
-
-Applies to:
-
-- Windows 11 devices
-
-For more information about installing an expedited update, see [Expedite Windows quality updates in Microsoft Intune](../protect/windows-10-expedite-updates.md#create-and-assign-an-expedited-quality-update).
-
-### Intune apps
-
-#### Newly available protected apps for Intune
-
-The following protected apps are now available for Microsoft Intune:
-
-- Cerby by Cerby, Inc.
-- OfficeMail Go by 9Folders, Inc.
-- DealCloud by Intapp, Inc.
-- Intapp 2.0 by Intapp, Inc.
-
-For more information about protected apps, see [Microsoft Intune protected apps](../apps/apps-supported-intune-apps.md).
-
 ## What's new archive
diff --git a/memdocs/intune/includes/android-supported-os.md b/memdocs/intune/includes/android-supported-os.md
index a8f1701f022..5384b63e40c 100644
--- a/memdocs/intune/includes/android-supported-os.md
+++ b/memdocs/intune/includes/android-supported-os.md
@@ -4,11 +4,11 @@ ms.author: erikje
 ms.service: microsoft-intune
 ms.subservice: fundamentals
 ms.topic: include
-ms.date: 02/01/2022
+ms.date: 10/10/2024
 ms.localizationpriority: high
 ---
 > [!NOTE]
-> Intune requires Android 8.x or higher for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies. This requirement does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.
+> This requirement does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.
 >
 > For Intune app protection policies and app configuration delivered through Managed apps app configuration policies, Intune requires Android 9.0 or higher.
\ No newline at end of file
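Review bot: The new `+> This requirement does not apply to [Microsoft Teams Android devices]…` line keeps the back-reference "This requirement" while the same hunk deletes the only sentence that stated it (the Android 8.x minimum for device enrollment and managed-device app configuration), so on its own the note no longer says what Teams devices are exempt from. Since this is an include (`ms.topic: include`), the minimum-version statement has presumably moved to the articles that pull it in, but a reader who lands on the rendered include, or on a consuming article that places other text before it, cannot recover the antecedent. Suggest naming the exemption explicitly, e.g. `> The minimum Android version requirement for device enrollment does not apply to [Microsoft Teams Android devices](https://www.microsoft.com/microsoft-teams/across-devices/devices?rtc=2) as these devices will continue to be supported.`, or restating whatever version the consuming article now gives.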
diff --git a/memdocs/intune/includes/app-protection-framework-level1.md b/memdocs/intune/includes/app-protection-framework-level1.md
index fbb834b6b77..c45f6c059cf 100644
--- a/memdocs/intune/includes/app-protection-framework-level1.md
+++ b/memdocs/intune/includes/app-protection-framework-level1.md
@@ -59,7 +59,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
 | Setting | Setting description | Value / Action | Platform | Notes |
 |--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | App conditions | Max PIN attempts | 5 / Reset PIN | iOS/iPadOS, Android | |
-| App conditions | Offline grace period | 1440 / Block access (minutes) | iOS/iPadOS, Android, Windows | |
+| App conditions | Offline grace period | 10080 / Block access (minutes) | iOS/iPadOS, Android, Windows | |
 | App conditions | Offline grace period | 90 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
 | Device conditions | Jailbroken/rooted devices | N/A / Block access | iOS/iPadOS, Android | |
 | Device conditions | SafetyNet device attestation | Basic integrity and certified devices / Block access | Android |

This setting configures Google Play’s device integrity check on end-user devices. Basic integrity validates the integrity of the device. Rooted devices, emulators, virtual devices, and devices with signs of tampering fail basic integrity.

Basic integrity and certified devices validates the compatibility of the device with Google's services. Only unmodified devices that have been certified by Google can pass this check.

|
diff --git a/memdocs/intune/includes/app-protection-framework-level2.md b/memdocs/intune/includes/app-protection-framework-level2.md
index 85bf9eb0df5..4bf218ae1d3 100644
--- a/memdocs/intune/includes/app-protection-framework-level2.md
+++ b/memdocs/intune/includes/app-protection-framework-level2.md
@@ -45,7 +45,7 @@ Level 2 is the data protection configuration recommended as a standard for devic
 | Device conditions | Required SafetyNet evaluation type | Hardware-backed key | Android | Hardware backed attestation enhances the existing Google's Play Integrity service check by applying a new evaluation type called [Hardware Backed](https://developer.android.com/training/safetynet/attestation#evaluation-types), providing a more robust root detection in response to newer types of rooting tools and methods that can't always be reliably detected by a software only solution.
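Review bot: The `+| App conditions | Offline grace period | 10080 / Block access (minutes) |` row raises the level 1 block-access window from 1440 minutes (one day) to 10080 (seven days) while the Notes cell for that row stays empty, so nothing on the page says why the lowest recommended level now tolerates a week offline before conditional launch blocks access. Admins who templated their policies from the previous value get no signal here that the guidance loosened rather than tightened; a short Notes entry giving the rationale (for example that the unchanged `90 / Wipe data (days)` row still bounds how long data persists offline) would make the change reviewable. The level 2 hunk in the same commit changes its wipe row to `30 / Wipe data (days)` for all three platforms, so it may also be worth stating in this table that the 90-day wipe is the level 1 floor that level 2 tightens.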

As its name implies, hardware backed attestation uses a hardware-based component, which shipped with devices installed with Android 8.1 and later. Devices that were upgraded from an older version of Android to Android 8.1 are unlikely to have the hardware-based components necessary for hardware backed attestation. While this setting should be widely supported starting with devices that shipped with Android 8.1, Microsoft strongly recommends testing devices individually before enabling this policy setting broadly.

|
 | Device conditions | Require device lock | Medium/Block Access | Android | This setting ensures that Android devices have a device password that meets the minimum password requirements. |
 | Device conditions | Samsung Knox device attestation | Block Access | Android | Microsoft recommends configuring the **Samsung Knox device attestation** setting to **Block access** to ensure the user account is blocked from access if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device.

This setting applies to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](/mem/intune/fundamentals/filters).|
-| App conditions | Offline grace period | 21 / Wipe data (days) | Windows | |
+| App conditions | Offline grace period | 30 / Wipe data (days) | iOS/iPadOS, Android, Windows | |
 > [!NOTE]
-> Windows conditional launch settings are labeled as **Health Checks**.
\ No newline at end of file
+> Windows conditional launch settings are labeled as **Health Checks**.
diff --git a/memdocs/intune/includes/app-protection-framework-level3.md b/memdocs/intune/includes/app-protection-framework-level3.md
index b4d565cb69a..ed0dc76c4bb 100644
--- a/memdocs/intune/includes/app-protection-framework-level3.md
+++ b/memdocs/intune/includes/app-protection-framework-level3.md
@@ -53,4 +53,5 @@ Level 3 is the data protection configuration recommended as a standard for organ
 | Device conditions | Max OS version | *Format: Major.Minor.Build
Example: 15.0* / Block access | iOS/iPadOS | Microsoft recommends configuring the maximum iOS/iPadOS major version to ensure beta or unsupported versions of the operating system aren't used. See [Apple security updates](https://support.apple.com/en-us/HT201222) for Apple's latest recommendations |
 | Device conditions | Max OS version | *Format: Major.Minor
Example: 22631.* / Block access | Windows | Microsoft recommends configuring the maximum Windows major version to ensure beta or unsupported versions of the operating system aren't used. |
 | Device conditions | Samsung Knox device attestation | Wipe data | Android | Microsoft recommends configuring the **Samsung Knox device attestation** setting to **Wipe data** to ensure the org data is removed if the device doesn't meet Samsung's Knox hardware-based verification of device health. This setting verifies all Intune MAM client responses to the Intune service were sent from a healthy device.

This setting will apply to all devices targeted. To apply this setting only to Samsung devices, you can use "Managed apps" assignment filters. For more information on assignment filters, see [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](/mem/intune/fundamentals/filters).|
+| App conditions | Offline grace period | 30 / Block access (days) | iOS/iPadOS, Android, Windows | |
diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md
index 8623c80e37b..ef1daca0e81 100644
--- a/memdocs/intune/includes/intune-notices.md
+++ b/memdocs/intune/includes/intune-notices.md
@@ -12,6 +12,33 @@ ms.custom: include file
 These notices provide important information that can help you prepare for future Intune changes and features.
+### Take Action: Update to the latest Intune App SDK for iOS and Intune App Wrapping Tool for iOS
+
+To support the upcoming release of iOS/iPadOS 18.1, update to the latest versions of the Intune App SDK and the Intune App Wrapping Tool to ensure applications stay secure and run smoothly. **Important:** If you don't update to the latest versions, some app protection policies may not apply to your app in certain scenarios. Review the following GitHub announcements for more details on the specific impact:
+
+- SDK for iOS: [Update recommended prior to iOS 18.1 general availability - microsoftconnect/ms-intune-app-sdk-ios - Discussion #477](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/discussions/477)
+- Wrapper for iOS: [Update recommended prior to iOS 18.1 general availability - microsoftconnect/intune-app-wrapping-tool-ios - Discussion #125](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/discussions/125)
+
+As a best practice, always update your iOS apps to the latest App SDK or App Wrapping Tool to ensure that your app continues to run smoothly.
+
+#### How does this affect you or your users?
+
+If you have applications using the Intune App SDK or Intune App Wrapping Tool, you'll need to update to the latest version to support iOS 18.1.
+
+#### How can you prepare?
+
+For apps running on iOS 18.1, you must update to the new version of the Intune App SDK for iOS
+
+- For apps built with XCode 15 use v19.7.1 - [Release 19.7.1 - microsoftconnect/ms-intune-app-sdk-ios - GitHub](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/19.7.1)
+- For apps built with XCode 16 use v20.1.2 - [Release 20.1.2 - microsoftconnect/ms-intune-app-sdk-ios - GitHub](https://github.com/microsoftconnect/ms-intune-app-sdk-ios/releases/tag/20.1.2)
+
+For apps running on iOS 18.1, you must update to the new version of the Intune App Wrapping Tool for iOS
+
+- For apps built with XCode 15 use v19.7.1 - [Release 19.7.1 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/releases/tag/19.7.1)
+- For apps built with XCode 16 use v20.1.2 - [Release 20.1.2 - microsoftconnect/intune-app-wrapping-tool-ios - GitHub](https://github.com/microsoftconnect/intune-app-wrapping-tool-ios/releases/tag/20.1.2)
+
+Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.1. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to **Apps** > **Monitor** > **App protection status**, then review “Platform version” and “iOS SDK version”.
+
 ### Take Action: Enable multifactor authentication for your tenant before October 15, 2024
 Starting on or after October 15, 2024, to further increase security, Microsoft will require admins to use multi-factor authentication (MFA) when signing into the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. To take advantage of the extra layer of protection MFA offers, we recommend enabling MFA as soon as possible. To learn more, review [Planning for mandatory multifactor authentication for Azure and admin portals](https://aka.ms/mfaforazure).
@@ -33,13 +60,13 @@ For more information, refer to: [Planning for mandatory multifactor authenticati
 ### Plan for Change: Intune is moving to support iOS/iPadOS 16 and later
-Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require [iOS 16/iPadOS 16 and higher](../fundamentals/supported-devices-browsers.md) shortly after the iOS/iPadOS 18 release.
+Later this year, we expect iOS 18 and iPadOS 18 to be released by Apple. Microsoft Intune, including the Intune Company Portal and Intune app protection policies (APP, also known as MAM), will require [iOS 16/iPadOS 16 and higher](../fundamentals/supported-devices-browsers.md) shortly after the iOS/iPadOS 18 release.
 #### How does this affect you or your users?
-If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).
+If you're managing iOS/iPadOS devices, you might have devices that won't be able to upgrade to the minimum supported version (iOS 16/iPadOS 16).
-Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.
+Given that Microsoft 365 mobile apps are supported on iOS 16/iPadOS 16 and higher, this may not affect you. You've likely already upgraded your OS or devices.
 To check which devices support iOS 16 or iPadOS 16 (if applicable), see the following Apple documentation:
@@ -51,7 +78,7 @@ To check which devices support iOS 16 or iPadOS 16 (if applicable), see the foll
 #### How can you prepare?
-Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to **Devices** > **All devices** and filter by OS. For devices with app protection policies, go to **Apps** > **Monitor** > **App protection status** and use the *Platform* and *Platform version* columns to filter.
+Check your Intune reporting to see what devices or users might be affected. For devices with mobile device management (MDM), go to **Devices** > **All devices** and filter by OS. For devices with app protection policies, go to **Apps** > **Monitor** > **App protection status** and use the *Platform* and *Platform version* columns to filter.
 To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see [Manage operating system versions with Intune](../fundamentals/manage-os-versions.md).
@@ -70,69 +97,20 @@ This change only affects you if you currently manage, or plan to manage, macOS d
 Check your Intune reporting to see what devices or users might be affected. Go to **Devices** > **All devices** and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version.
-### Plan for Change: Update to Intune endpoint for Remote Help
-
-Starting on May 30, 2024, or soon after, to improve the experience for Remote Help on Windows, Web, and macOS, we're updating the primary network endpoint for Remote Help from https://remoteassistance.support.services.microsoft.com to https://remotehelp.microsoft.com.
-
-#### How does this affect you or your users?
-
-If you're using Remote Help and you have firewall rules that don't permit the new endpoint https://remotehelp.microsoft.com, admins and users may experience connectivity issues or disruptions with Remote Help.
-
-Additionally, the Remote Help app on Windows will need to be updated to the newest version. No action is needed for the Remote Help app for macOS and the Remote Help Web app.
-
-#### How can you prepare?
-
-Update your firewall rules to include the new Remote Help endpoint: https://remotehelp.microsoft.com. For Remote Help on Windows, users will need to update to the [newest version (5.1.124.0)](../fundamentals/remote-help-windows.md#march-13-2024). Most users have opted in for automatic updates and will be updated automatically without any action from the user. To learn more, review [Install and update Remote Help for Windows](../fundamentals/remote-help-windows.md#install-and-update-remote-help).
-
-#### Additional information:
-
-- [Remote Help on Windows with Microsoft Intune](../fundamentals/remote-help-windows.md)
-- [Network endpoints for Microsoft Intune | Microsoft Learn](../fundamentals/intune-endpoints.md#remote-help)
-
-### Update to the latest Company Portal for Android, Intune App SDK for iOS, and Intune App Wrapper for iOS
-
-Starting **June 1, 2024**, we're making updates to improve the Intune mobile application management (MAM) service. This update will require iOS wrapped apps, iOS SDK integrated apps, and the Company Portal for Android to be updated to the latest versions to ensure applications stay secure and run smoothly.
-
-> [!IMPORTANT]
-> If you don't update to the latest versions, users will be blocked from launching your app.
->
-> Ahead of this change, for Microsoft apps that need to be updated, when a user opens the app, they'll receive a blocking message to update the app.
-
-Note that the way Android updates, once one Microsoft application with the updated SDK is on the device and the Company Portal is updated to the latest version, Android apps will update. So, this message is focused on iOS SDK/app wrapper updates. We recommend always updating your Android and iOS apps to the latest SDK or app wrapper to ensure that your app continues to run smoothly.
-
-#### How does this affect you or your users?
-If your users haven't updated to the latest Microsoft or third-party app protection supported apps, they'll be blocked from launching their apps. If you have iOS line-of-business (LOB) applications that are using the Intune wrapper or Intune SDK, you must be on Wrapper/SDK version 17.7.0 or later to avoid your users being blocked.
-
-#### How can you prepare?
-Plan to make the changes below before **June 1, 2024**:
-
-* Any of your iOS line-of-business (LOB) apps using older versions of the Intune SDK or wrapper must be updated to v17.7.0 or later.
- * For apps using the Intune iOS SDK, use [Release 19.2.0 · msintuneappsdk/ms-intune-app-sdk-ios (github.com)](https://github.com/msintuneappsdk/ms-intune-app-sdk-ios/releases/tag/19.2.0)
- * For apps using the Intune iOS wrapper, use [Release 19.2.0 · msintuneappsdk/intune-app-wrapping-tool-ios (github.com)](https://github.com/msintuneappsdk/intune-app-wrapping-tool-ios/releases/tag/19.2.0)
-* For tenants with policies targeted to iOS apps:
- * Notify your users that they need to upgrade to the latest version of the Microsoft apps. You can find the latest version of the apps in the [App store](https://www.apple.com/app-store/). For example, you can find the latest version of Microsoft Teams [here](https://apps.apple.com/app/microsoft-teams/id1113153706) and Microsoft Outlook [here](https://apps.apple.com/app/microsoft-outlook/id951937596).
- * Additionally, you have the option to enable the following [conditional launch](../apps/app-protection-policy-settings-ios.md#conditional-launch) settings:
- * The **Min OS version** setting to warn users using iOS 15 or older so that they can download the latest apps.
- * The **Min SDK version** setting to block users if the app is using Intune SDK for iOS older than 17.7.0.
- * The **Min app version** setting to warn users on older Microsoft apps. Note that this setting must be in a policy targeted to only the targeted app.
-* For tenants with policies targeted to Android apps:
- * Notify your users that they need to upgrade to the latest version (v5.0.6198.0) of the [Company Portal](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) app.
- * Additionally, you have the option to enable the following [conditional launch](../apps/app-protection-policy-settings-ios.md#conditional-launch) device condition setting:
- * The **Min Company Portal version** setting to warn users using a Company Portal app version older than 5.0.6198.0.
-
 ### Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024
+
 With the [end of support for Xamarin Bindings](https://dotnet.microsoft.com/platform/support/policy/xamarin), Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on **May 1, 2024**.
 #### How does this affect you or your users?
-If you you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.
+If you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI.
 #### How can you prepare?
-Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:
+Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps:
 - [Xamarin Support Policy | .NET](https://dotnet.microsoft.com/platform/support/policy/xamarin)
-- [Upgrade from Xamarin to .NET | Microsoft Lear](/dotnet/maui/migration/?view=net-maui-8.0)
+- [Upgrade from Xamarin to .NET | Microsoft Lear](/dotnet/maui/migration/?view=net-maui-8.0&preserve-view=true)
 - [Microsoft Intune App SDK for .NET MAUI – Android | NuGet Gallery](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.android)
 - [Microsoft Intune App SDK for .NET MAUI – iOS | NuGet Gallery](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.iOS)
@@ -156,6 +134,7 @@ For detailed step-by-step instructions visit [powershell-intune-samples/Updating
 ### Intune moving to support Android 10 and later for user-based management methods in October 2024
 In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes:
+
 - Android Enterprise personally-owned work profile
 - Android Enterprise corporate owned work profile
 - Android Enterprise fully managed
@@ -175,7 +154,7 @@ For user-based management methods (as listed above), Android devices running And
 - Intune technical support won't be provided.
 - Intune won't make changes to address bugs or issues.
-- New and existing features aren't guaranteed to work.
+- New and existing features aren't guaranteed to work.
 While Intune won't prevent enrollment or management of devices on unsupported Android OS versions, functionality isn't guaranteed, and use isn't recommended.
@@ -192,7 +171,7 @@ For more information, review: [Manage operating system versions with Microsoft I
 ### Plan for Change: Web based device enrollment will become default method for iOS/iPadOS device enrollment
 Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for *new* tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment.
-
+
 > [!NOTE]
 > For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md).
@@ -209,34 +188,6 @@ Update your documentation and user guidance as needed. If you currently use devi
 - [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md)
 - [Set up web based device enrollment for iOS](../enrollment/web-based-device-enrollment-ios.md)
-### Wrapped iOS apps and iOS apps using the Intune App SDK will require Azure AD app registration
-
-We're making updates to improve the security of the Intune mobile application management (MAM) service. This update will require iOS wrapped apps and SDK integrated apps to be [registered with Microsoft Entra ID](/entra/identity-platform/quickstart-register-app) (formerly Azure Active Directory (Azure AD)) by March 31, 2024 to continue receiving MAM policy.
-
-#### How does this affect you or your users?
-
-If you have wrapped apps or SDK integrated apps that aren't registered with Azure AD, these apps will be unable to connect to the MAM service to receive policy and your users won't be able to access apps that aren't registered.
-
-#### How can you prepare?
-
-Prior to this change, you will need to register the apps with Azure AD. See below for detailed instructions.
-
-1. Register your apps with Azure AD by following these instructions: [Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
-1. Add the custom redirect URL to your app settings as documented [here](https://github.com/AzureAD/microsoft-authentication-library-for-objc#configuring-msal).
-1. Give your app access to the Intune MAM service, for instructions see [here](../developer/app-sdk-get-started.md#give-your-app-access-to-the-intune-mobile-app-management-service).
-1. Once the above changes are completed, configure your apps for Microsoft Authentication Library (MSAL):
- 1. 
For wrapped apps: Add the Azure AD application client ID into the command-line parameters with the Intune App Wrapping Tool as outlined in the documentation: [Wrap iOS apps with the Intune App Wrapping Tool | Microsoft Learn](../developer/app-wrapper-prepare-ios.md#command-line-parameters) -ac and -ar are required parameters. Each app will need a unique set of these parameters. -aa is only required for single tenant applications.
- 1. For SDK integrated apps see, [Microsoft Intune App SDK for iOS developer guide | Microsoft Learn](../developer/app-sdk-ios-phase2.md#configure-msal-settings-for-the-intune-app-sdk). ADALClientId and ADALRedirectUri/ADALRedirectScheme are now required parameters. ADALAuthority is only required for single tenant applications.
-1. Deploy the app.
-1. To validate the above steps:
- 1. Target "com.microsoft.intune.mam.IntuneMAMOnly.RequireAADRegistration" application configuration policy and set it to Enabled - [Configuration policies for Intune App SDK managed apps - Microsoft Intune | Microsoft Learn](../apps/app-configuration-policies-managed-app.md)
- 1. Target App Protection Policy to the application. Enable the ['Work or school account credentials for access' policy](../apps/app-protection-policy-settings-ios.md#access-requirements) and set 'Recheck the access requirements after (minutes of inactivity)' setting to a low number like 1.
-1. Then launch the application on a device and verify if the sign-in (which should be required every minute on app launch) happens successfully with the configured parameters.
-1. Note that if you only do step #6 and #7 before doing the other steps, you might be blocked on application launch. You will also notice the same behavior if some of the parameters are incorrect.
-1. Once you’ve completed the validation steps, you can undo the changes made in step #6.
-> [!NOTE]
-> Intune will soon require an Azure AD device registration for iOS devices using MAM.
If you have Conditional Access policies enabled, your devices should already be registered, and you won't notice any change. For more information see, [Microsoft Entra registered devices - Microsoft Entra | Microsoft Learn](/entra/identity/devices/concept-device-registration).
-
 ### Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance
 We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024.
@@ -248,30 +199,25 @@ Note that customers in some environments cannot be transitioned initially, for m
 If you're using Jamf Pro’s Conditional Access integration for macOS devices, follow Jamf’s documented guidelines to migrate your devices to Device Compliance integration: [Migrating from macOS Conditional Access to macOS Device Compliance – Jamf Pro Documentation](https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Conditional_Access.html#ariaid-title6). After the Device Compliance integration is complete, some users might see a one-time prompt to enter their Microsoft credentials.
-
+
 #### How can you prepare?
 If applicable, follow the instructions provided by Jamf to migrate your macOS devices. If you need help, contact Jamf Customer Success. For more information and the latest updates, read the blog post: [Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-transitioning-jamf-macos-devices-from-conditional/ba-p/3913059).
-### Update to the latest Intune App SDK and Intune App Wrapper for iOS to support iOS/iPadOS 17
-
-To support the upcoming release of iOS/iPadOS 17, update to the latest versions of the Intune App SDK and the App Wrapping Tool for iOS to ensure applications stay secure and run smoothly. Additionally, for organizations using the Conditional Access grant “Require app protection policy”, users should update their apps to the latest version prior to upgrading to iOS 17. You can learn more by reading the blog: [Update Intune App SDK, Wrapper, and iOS apps using MAM policies to support iOS/iPadOS 17](https://techcommunity.microsoft.com/t5/intune-customer-success/update-intune-app-sdk-wrapper-and-ios-apps-using-mam-policies-to/ba-p/3926732).
-
 ### Plan for Change: Intune ending support for Android device administrator on devices with GMS access in December 2024
 [Google has deprecated](https://blog.google/products/android-enterprise/da-migration/) Android device administrator management, continues to remove management capabilities, and no longer provides fixes or improvements. Due to these changes, Intune will be ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) beginning **December 31, 2024**. Until that time, we support device administrator management on devices running Android 14 and earlier. For more details, read the blog: [Microsoft Intune ending support for Android device administrator on devices with GMS access](https://aka.ms/Intune-Android-DA-blog).
 #### How does this affect you or your users?
-After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:
+After Intune ends support for Android device administrator, devices with access to GMS will be impacted in the following ways:
-1. Users won't be able to enroll devices with Android device administrator.
-2. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
-3. Intune technical support will no longer support these devices.
+1. Intune won't make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions.
+2. Intune technical support will no longer support these devices.
 #### How can you prepare?
-Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected.
Go to **Devices** > **All devices** and filter the OS column to **Android (device administrator)** to see the list of devices.
+Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to **Devices** > **All devices** and filter the OS column to **Android (device administrator)** to see the list of devices. Read the blog, [Microsoft Intune ending support for Android device administrator on devices with GMS access](https://aka.ms/Intune-Android-DA-blog), for our recommended alternative Android device management methods and information about the impact to devices without access to GMS.
@@ -313,27 +259,3 @@ If you have enabled WIP policies, you should turn off or disable these policies.
 ### How can you prepare?
 We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog [Support tip: End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support) for more details and options for removing WIP from your devices.
-
-### Plan for change: Intune is ending Company Portal support for unsupported versions of Windows
-
-Intune follows the Windows 10 lifecycle for supported Windows 10 versions. We're now removing support for the associated Windows 10 Company Portals for Windows versions that are out of the Modern Support policy.
-
-#### How does this affect you or your users?
-
-Because Microsoft no longer supports these operating systems, this change might not affect you. You've likely already upgraded your OS or devices. This change only affects you if you're still managing unsupported Windows 10 versions.
-
-Windows and Company Portal versions that this change affects include:
-
-- Windows 10 version 1507, Company Portal version 10.1.721.0
-- Windows 10 version 1511, Company Portal version 10.1.1731.0
-- Windows 10 version 1607, Company Portal version 10.3.5601.0
-- Windows 10 version 1703, Company Portal version 10.3.5601.0
-- Windows 10 version 1709, any Company Portal version
-
-We won't uninstall these Company Portal versions, but we will remove them from the Microsoft Store and stop testing our service releases with them.
-
-If you continue to use an unsupported version of Windows 10, your users won't get the latest security updates, new features, bug fixes, latency improvements, accessibility improvements, and performance investments. You won't be able to co-manage users by using System Center Configuration Manager and Intune.
-
-#### How can you prepare?
-
-In the Microsoft Intune admin center, use the [discovered apps](../apps/app-discovered-apps.md) feature to find apps with these versions. On a user's device, the Company Portal version is shown on the **Settings** page of the Company Portal. Update to a supported Windows and Company Portal version.
diff --git a/memdocs/intune/includes/mdm-supported-devices.md b/memdocs/intune/includes/mdm-supported-devices.md
index 9e124761d4a..f0e4df39afe 100644
--- a/memdocs/intune/includes/mdm-supported-devices.md
+++ b/memdocs/intune/includes/mdm-supported-devices.md
@@ -4,7 +4,7 @@ ms.author: erikje
 ms.service: microsoft-intune
 ms.subservice: fundamentals
 ms.topic: include
-ms.date: 04/24/2024
+ms.date: 10/10/2024
 ms.localizationpriority: high
 ---
@@ -12,26 +12,27 @@ ms.localizationpriority: high - **User assigned devices** - devices enrolled with user affinity using Automated Device Enrollment or personally enrolled devices. - iOS/iPadOS 15.x and later - - macOS 12.0 and later + - macOS 13.0 and later - **User-less devices** - devices enrolled without user affinity using Automated Device Enrollment or Apple Configurator. - Supported: - - iOS/iPadOS 15.x and later - - macOS 12.0 and later + - iOS/iPadOS 16.x and later + - macOS 13.0 and later - Allowed to enroll: - - iOS/iPadOS 12.x and later + - iOS/iPadOS 13.x and later - macOS 10.14 and later > [!NOTE] > **Supported** versions include devices running the three most recent operating system versions. These devices can enroll and take advantage of all Intune functionality that is applicable, and all new eligible features will work on these devices. > -> **Allowed** versions includes devices running a non-supported version (within three versions of the supported versions). These devices can enroll and take advantage of Intune's eligible features but there is no guarantee that they will work as expected. +> **Allowed** versions includes devices running a non-supported version (within three versions of the supported versions). These devices can enroll and take advantage of Intune's eligible features but there is no guarantee that they will work as expected. > > Intune requires iOS 15.x or later for app protection policies and app configuration. 
### Android -- Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+)) -- Android enterprise: [requirements](https://support.google.com/work/android/topic/9428066) +- For user-based management methods: Android 10.0 and later +- For userless management methods: Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+)) +- Android enterprise - Android open source project device: [See here for the list of supported devices](../fundamentals/android-os-project-supported-devices.md) [!INCLUDE [android-supported-os](android-supported-os.md)] diff --git a/memdocs/intune/includes/mfa-console.md b/memdocs/intune/includes/mfa-console.md new file mode 100644 index 00000000000..2f07f60742e --- /dev/null +++ b/memdocs/intune/includes/mfa-console.md 
@@ -0,0 +1,28 @@
+---
+title: include file
+description: include file
+author: brenduns
+ms.service: microsoft-intune
+ms.topic: include
+ms.date: 10/02/2024
+ms.author: dougeby
+ms.custom: include file
+ms.collection:
+- tier2
+- M365-identity-device-management
+---
+
+> [!IMPORTANT]
+>
+> On October 15, 2024, Microsoft begins enforcement of the Azure sign-in requirement to use multi-factor authentication (MFA). When enforced, MFA must be used by all users who sign-in to Intune admin center regardless of any roles they have or don’t have. The MFA requirements also apply to services that are accessed through the admin center, like Windows 365 Cloud PC, and to use of the Microsoft Azure portal and Microsoft Entra admin center. MFA requirements don’t apply to end users who access applications, websites, or services hosted on Azure where those users don’t sign-in to the admin center.
+>
+> The requirement to sign-in using MFA applies to all Intune subscriptions, including Plan 1 subscriptions with or without add-ons, and free trial subscriptions. The prerequisites and process required to configure MFA depend on the MFA method you choose to use for your tenant. Shortly after MFA is enabled for a tenant, subsequent sign-in attemps will require the user to complete setup for using the configured MFA solution.
+>
+> To learn more about the MFA requirement, see [Planning for mandatory multifactor authentication for Azure and admin portals](/entra/identity/authentication/concept-mandatory-multifactor-authentication) in the Entra documentation.
+>
+> In the Entra planning article you’ll also find guidance and resources to help you [Prepare for multifactor authentication](/entra/identity/authentication/concept-mandatory-multifactor-authentication#prepare-for-multifactor-authentication), including methods to configure MFA including but not limited to:
+>
+> - Conditional Access policies
+> - The *MFA Wizard for Microsoft Entra ID* from the Microsoft 365 admin center
+> - Entra ID *security defaults*
+>
\ No newline at end of file
diff --git a/memdocs/intune/industry/education/introduction-intune-education.md b/memdocs/intune/industry/education/introduction-intune-education.md
index 569e04c66b6..1dd15dbdea8 100644
--- a/memdocs/intune/industry/education/introduction-intune-education.md
+++ b/memdocs/intune/industry/education/introduction-intune-education.md
@@ -51,7 +51,7 @@ For more information about Intune for Education, see [Overview of Intune for Edu
 
 ## Next steps
 
-* Ensure your organization meets [Microsoft Intune technical requirements and capabilities](/intune/supported-devices-browsers).
+* Ensure your organization meets [Microsoft Intune technical requirements and capabilities](/mem/intune/fundamentals/supported-devices-browsers).
 * Try Microsoft Intune [with a 90 day free trial](https://signup.microsoft.com/Signup?OfferId=5eec053c-cc40-4cd5-a06a-ea8d75cf2686&ali=1).
 * Sign in to [Intune for Education](https://intuneeducation.portal.azure.com) with your admin account.
 * [Learn about express configuration](/intune-education/what-is-express-configuration) to get started in Intune for Education.
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
new file mode 100644
index 00000000000..471b12382f2
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-ai.md
@@ -0,0 +1,52 @@
+---
+title: Common Education iPads Apple Intelligence configuration
+description: Learn about common iPads Apple Intelligence configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# Apple Intelligence
+
+This article summarizes restrictions for Apple Intelligence introduced in iPadOS 18.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Restrictions payload](https://developer.apple.com/documentation/devicemanagement/restrictions)
+- [iPadOS 18](https://www.apple.com/ipados/ipados-18)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Restrictions | **:::no-loc text="Allow Genmoji":::** | False | Prohibits creating new Genmoji. | [:::no-loc text="allowGenmoji":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Image Playground":::** | False | Prohibits the use of image generation. | [:::no-loc text="allowImagePlayground":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Image Wand":::** | False | Prohibits the use of Image Wand. 
| [:::no-loc text="allowImageWand":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Personalized Handwriting Results":::** | False | | [:::no-loc text="allowPersonalizedHandwritingResults":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Writing Tool":::** | False | Disables Apple Intelligence writing tools. | [:::no-loc text="allowWritingTools":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Appple Intelligence**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - Apple 
Intelligence","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowgenmoji","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowgenmoji_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowimageplayground","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowimageplayground_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowimagewand","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowimagewand_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpersonalizedhandwritingresults","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpersonalizedhandwritingresults_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowwritingtools","choiceSettingValue":{"@odata.type":"#mi
crosoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowwritingtools_false","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
new file mode 100644
index 00000000000..15dde916548
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md
@@ -0,0 +1,145 @@
+---
+title: Common Education iPads restrictions configuration
+description: Learn about common iPads restrictions configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# Common Education iPad device restrictions
+
+This article summarizes the configurations that are most commonly used for student and teacher iPads in educational organizations.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS, and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Configure and secure devices with Microsoft Intune](/mem/intune/industry/education/tutorial-school-deployment/configure-device-settings)
+- [Review MDM payloads for Apple devices](https://support.apple.com/guide/deployment/review-mdm-payloads-dep5370d089/web)
+- [MDM payload list for iPhone and iPad devices](https://support.apple.com/guide/deployment/payload-list-for-iphone-and-ipad-depdca795ebd/1/web/1.0)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## General restrictions
+
+### [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Restrictions | **:::no-loc text="Allow Activity Continuation":::** | False | | [:::no-loc text="allowActivityContinuation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Adding Game Center Friends":::** | False | | [:::no-loc text="allowAddingGameCenterFriends":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow AirDrop":::** | False | | [:::no-loc text="allowAirDrop":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow App Cellular Data Modification":::** | False | | [:::no-loc text="allowAppCellularDataModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow App Installation":::** | False | Disables the App Store, and the system removes its icon from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. | [:::no-loc text="allowAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Apple Personalized Advertising":::** | False | | [:::no-loc text="allowApplePersonalizedAdvertising":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Assistant":::** | False | Disables Siri. 
| [:::no-loc text="allowAssistant":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Assistant User Generated Content":::** | False | | [:::no-loc text="allowAssistantUserGeneratedContent":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Assistant While Locked":::** | False | | [:::no-loc text="allowAssistantWhileLocked":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Auto Unlock":::** | False | | [:::no-loc text="allowAutoUnlock":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Bookstore Erotica":::** | False | | [:::no-loc text="allowBookstoreErotica":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cellular Plan Modification":::** | False | | [:::no-loc text="allowCellularPlanModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Chat":::** | False | Disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. | [:::no-loc text="allowChat":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Backup":::** | False | Disables backing up the device to iCloud as it can't be restricted to Managed Apple ID only. | [:::no-loc text="allowCloudBackup":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Document Sync":::** | False | Disables document and key-value syncing to iCloud. 
| [:::no-loc text="allowCloudDocumentSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Keychain Sync":::** | False | Disables iCloud keychain synchronization. | [:::no-loc text="allowCloudKeychainSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Photo Library":::** | False | Disables iCloud Photo Library. The system removes any photos from local storage that aren't fully downloaded from iCloud Photo Library to the device. | [:::no-loc text="allowCloudPhotoLibrary":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Cloud Private Relay":::** | False | Disables iCloud Private Relay. | [:::no-loc text="allowCloudPrivateRelay":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Device Name Modification":::** | False | Prevents the user from changing the device name. Intune Remote Action can override this restriction. | [:::no-loc text="allowDeviceNameModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enabling Restrictions":::** | False | Disables the Enable Restrictions option in the Restrictions UI in Settings. | [:::no-loc text="allowEnablingRestrictions":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enterprise App Trust":::** | False | Removes the Trust Enterprise Developer button in *Settings > General > Profiles & Device Management*, which prevents provisioning apps by universal provisioning profiles. 
| [:::no-loc text="allowEnterpriseAppTrust":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow ESIM Modification":::** | False | | [:::no-loc text="allowESIMModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Explicit Content":::** | False | | [:::no-loc text="allowExplicitContent":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Files Network Drive Access":::** | False | | [:::no-loc text="allowFilesNetworkDriveAccess":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Files USB Drive Access":::** | False | | [:::no-loc text="allowFilesUSBDriveAccess":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Find My Friends":::** | False | | [:::no-loc text="allowFindMyFriends":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Find My Friends Modification":::** | False | | [:::no-loc text="allowFindMyFriendsModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Game Center":::** | False | | [:::no-loc text="allowGameCenter":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow In App Purchases":::** | False | | [:::no-loc text="allowInAppPurchases":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow iPhone Widgets On Mac":::** | False | | [:::no-loc text="allowiPhoneWidgetsOnMac":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow iTunes":::** | False | | 
[:::no-loc text="allowiTunes":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Lock Screen Control Center":::** | False | | [:::no-loc text="allowLockScreenControlCenter":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Lock Screen Notifications View":::** | False | | [:::no-loc text="allowLockScreenNotificationsView":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Lock Screen Today View":::** | False | | [:::no-loc text="allowLockScreenTodayView":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Managed Apps Cloud Sync":::** | False | Prevents managed apps from using iCloud sync. | [:::no-loc text="allowManagedAppsCloudSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Marketplace App Installation":::** | False | Prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps.

 **Note:** For select markets. | [:::no-loc text="allowMarketplaceAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Multiplayer Gaming":::** | False | | [:::no-loc text="allowMultiplayerGaming":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Music Service":::** | False | | [:::no-loc text="allowMusicService":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow News":::** | False | | [:::no-loc text="allowNews":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Notifications Modification":::** | False | | [:::no-loc text="allowNotificationsModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Paired Watch":::** | False | | [:::no-loc text="allowPairedWatch":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Passbook While Locked":::** | False | Hides Passbook notifications from the lock screen. | [:::no-loc text="allowPassbookWhileLocked":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Password Proximity Requests":::** | False | Disables requesting passwords from nearby devices. 
| [:::no-loc text="allowPasswordProximityRequests":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Password Sharing":::** | False | | [:::no-loc text="allowPasswordSharing":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Personal Hotspot Modification":::** | False | | [:::no-loc text="allowPersonalHotspotModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Podcasts":::** | False | | [:::no-loc text="allowPodcasts":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Proximity Setup To New Device":::** | False | | [:::no-loc text="allowProximitySetupToNewDevice":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Radio Service":::** | False | | [:::no-loc text="allowRadioService":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Shared Stream":::** | False | Disables Shared Photo Stream. | [:::no-loc text="allowSharedStream":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Spotlight Internet Results":::** | False | Disables Spotlight Internet search results in Siri Suggestions. | [:::no-loc text="allowSpotlightInternetResults":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow System App Removal":::** | False | | [:::no-loc text="allowSystemAppRemoval":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow UI App Installation":::** | False | Disables the App Store, and the systems removes its icon from the Home screen. 
However, users can continue to use host apps such as iTunes or Configurator to install or update their apps. | [:::no-loc text="allowUIAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow UI Configuration Profile Installation":::** | False | Prohibits the user from installing configuration profiles and certificates interactively. | [:::no-loc text="allowUIConfigurationProfileInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow VPN Creation":::** | False | | [:::no-loc text="allowVPNCreation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Wallpaper Modification":::** | False | | [:::no-loc text="allowWallpaperModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Web Distribution App Installation":::** | False | Prevents installation of apps directly from the web.

 **Note:** For select markets. | [:::no-loc text="allowWebDistributionAppInstallation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force Assistant Profanity Filter":::** | True | Forces the use of the profanity filter assistant. | [:::no-loc text="forceAssistantProfanityFilter":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force Limit Ad Tracking":::** | True | Disables app tracking and the Allow Apps to Request to Track setting. | [:::no-loc text="forceLimitAdTracking":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force WiFi Power On":::** | True | | [:::no-loc text="forceWiFiPowerOn":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Safari Force Fraud Warning":::** | True | | [:::no-loc text="safariForceFraudWarning":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Web Content Filter | **:::no-loc text="Auto Filter Enabled":::** | True | Enables automatic filtering.

 **Note:** iPadOS's built-in filter checks for adult content and doesn't cover categories that are educationally inappropriate. A separate filtering solution is recommended. | [:::no-loc text="AutoFilterEnabled":::](https://developer.apple.com/documentation/devicemanagement/webcontentfilter) |
+
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Device restrictions**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - Device restrictions","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowactivitycontinuation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowactivitycontinuation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowaddinggamecenterfriends","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowaddinggamecenterfriends_false","children":[]}},{"@odata.type":"#microsoft.graph.devic
eManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowairdrop","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowairdrop_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowappcellulardatamodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowappcellulardatamodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowapplepersonalizedadvertising","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowapplepersonalizedadvertising_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowassistant","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowassistant_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowassistantusergeneratedcontent","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationa
ccess_allowassistantusergeneratedcontent_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowassistantwhilelocked","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowassistantwhilelocked_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowautounlock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowautounlock_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowbookstoreerotica","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowbookstoreerotica_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcellularplanmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcellularplanmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowchat","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowchat_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudbackup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConf
igurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudbackup_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowclouddocumentsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowclouddocumentsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudkeychainsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudkeychainsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudphotolibrary","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudphotolibrary_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowcloudprivaterelay","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowcloudprivaterelay_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowdevicenamemodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowdevicenamemodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenablingrestr
ictions","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenablingrestrictions_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenterpriseapptrust","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenterpriseapptrust_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowesimmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowesimmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowexplicitcontent","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowexplicitcontent_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfilesnetworkdriveaccess","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfilesnetworkdriveaccess_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfilesusbdriveaccess","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfilesusbdriveaccess_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurati
onChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfindmydevice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfindmydevice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfindmyfriends","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfindmyfriends_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfindmyfriendsmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfindmyfriendsmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowgamecenter","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowgamecenter_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowinapppurchases","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowinapppurchases_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowiphonewidgetsonmac","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowiphonewidgetsonmac_false","children":[]}},{"@o
data.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowitunes","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowitunes_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowlockscreencontrolcenter","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowlockscreencontrolcenter_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowlockscreennotificationsview","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowlockscreennotificationsview_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowlockscreentodayview","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowlockscreentodayview_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmanagedappscloudsync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmanagedappscloudsync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmarketplaceappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationCh
oiceSettingValue","value":"com.apple.applicationaccess_allowmarketplaceappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmultiplayergaming","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmultiplayergaming_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowmusicservice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowmusicservice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allownews","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allownews_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allownotificationsmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allownotificationsmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpairedwatch","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpairedwatch_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpassbookwhilelocked","choiceSettingValue":{"@odata.
type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpassbookwhilelocked_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordproximityrequests","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasswordproximityrequests_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordsharing","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasswordsharing_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpersonalhotspotmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpersonalhotspotmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpodcasts","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpodcasts_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowproximitysetuptonewdevice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowproximitysetuptonewdevice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstanc
e","settingDefinitionId":"com.apple.applicationaccess_allowradioservice","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowradioservice_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowsharedstream","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowsharedstream_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowspotlightinternetresults","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowspotlightinternetresults_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowsystemappremoval","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowsystemappremoval_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuiappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowuiappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuiconfigurationprofileinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowuiconfigurationprofileinstallation_fal
se","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowvpncreation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowvpncreation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowwallpapermodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowwallpapermodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowwebdistributionappinstallation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowwebdistributionappinstallation_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceassistantprofanityfilter","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceassistantprofanityfilter_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forcelimitadtracking","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcelimitadtracking_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forcewifipoweron","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManage
mentConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcewifipoweron_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_safariforcefraudwarning","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_safariforcefraudwarning_true","children":[]}}]}]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.webcontent-filter_com.apple.webcontent-filter","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.webcontent-filter_autofilterenabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.webcontent-filter_autofilterenabled_true","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
+
+## Settings that require additional consideration
+
+> [!CAUTION]
+> Enable these settings with caution after carefully evaluating their effect on your environment.
+
+### [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Managed Settings > MDM Options | **:::no-loc text="Activation Lock Allowed While Supervised":::** | False | Does not register a supervised device with Activation Lock. | [:::no-loc text="activationLockAllowedWhileSupervised":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/mdmoptions/mdmoptions) |
+| Restrictions | **:::no-loc text="Allow App Removal":::** | False | Disables removal of apps from an iOS device.

**Note:** Could result in devices running out of disk space. | [:::no-loc text="allowAppRemoval":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Erase Content And Settings":::** | False | Without an ability to locally reset the device it complicates device recovery. | [:::no-loc text="allowEraseContentAndSettings":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Unpaired External Boot To Recovery":::** | False | Does not allow devices to be booted into recovery by an unpaired device. | [:::no-loc text="allowUnpairedExternalBootToRecovery":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Untrusted TLS Prompt":::** | False | Websites with untrusted certificates will not be displayed. If you use a DNS filtering solution or need to accept certificate changes due to SSL inspection, distribute the root CA certificate of the changed certificate from MDM. | [:::no-loc text="allowUntrustedTLSPrompt":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Video Conferencing":::** | False | Hides the FaceTime app.

**Note:** Disabling may prevent screen sharing in some remote assistant apps used by IT Helpdesk. | [:::no-loc text="allowVideoConferencing":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Force WiFi To Allowed Networks Only":::** | True | Limits the device to only join Wi-Fi networks set up through a configuration profile.

**Note:** Could potentially leave the device in an unmanageable state if unable to connect to allowed networks. | [:::no-loc text="forceWiFiToAllowedNetworksOnly":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+
+### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Device restrictions (require additional consideration)**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - Device restrictions (require additional consideration)","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"settings_item_mdmoptions","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"settings_item_mdmoptions_mdmoptions","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"settings_item_mdmoptions_mdmoptions_activationlockallowedwhilesupervised","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"settings_item_mdmoptions_mdmoptions_activationlockallowedwhilesupervised_false","children":[]}}]}]}]}]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingC
ollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowappremoval","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowappremoval_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowerasecontentandsettings","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowerasecontentandsettings_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowunpairedexternalboottorecovery","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowunpairedexternalboottorecovery_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowuntrustedtlsprompt","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowuntrustedtlsprompt_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowvideoconferencing","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowvideoconferencing_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefiniti
onId":"com.apple.applicationaccess_forcewifitoallowednetworksonly","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcewifitoallowednetworksonly_true","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
new file mode 100644
index 00000000000..8d5c79bbd0a
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-nouser.md
@@ -0,0 +1,57 @@
+---
+title: Common Education iPads with no user affinity configuration
+description: Learn about common iPads with no user affinity configuration used by Education organizations in Intune.
+ms.date: 10/16/2024
+ms.topic: tutorial
+author: yegor-a
+ms.author: egorabr
+ms.manager: dougeby
+no-loc: [Microsoft, Apple]
+ms.collection:
+- graph-interactive
+---
+
+# iPads with no user affinity
+
+iPads used in earlier grades are commonly enrolled with no user affinity to simplify the user experience for younger students and to allow sharing of devices. For more information, please refer to [Enroll devices with Automated Device Enrollment](/mem/intune/industry/education/tutorial-school-deployment/enroll-ios-ade).
+
+These iPads generally have additional restrictions that are not suitable for 1:1 devices.
+
+To learn more, see:
+
+- [Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices](/mem/intune/configuration/settings-catalog)
+- [Restrictions payload](https://developer.apple.com/documentation/devicemanagement/restrictions)
+
+> [!TIP]
+> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy.
+
+## [**Settings**](#tab/settings)
+
+| **Category** | **Property** | **Value** | **Notes** | **Payload property** |
+|---|---|:---:|---|---|
+| Restrictions | **:::no-loc text="Allow Account Modification":::** | False | Disables modification of accounts such as Apple IDs and Internet-based accounts such as Mail, Contacts, and Calendar. | [:::no-loc text="allowAccountModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Bookstore":::** | False | Removes the Book Store tab from the Books app. 
| [:::no-loc text="allowBookstore":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enterprise Book Backup":::** | False | Disables backup of Enterprise books. | [:::no-loc text="allowEnterpriseBookBackup":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Enterprise Book Metadata Sync":::** | False | Disables sync of Enterprise books, notes, and highlights. | [:::no-loc text="allowEnterpriseBookMetadataSync":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Fingerprint For Unlock":::** | False | Prevents Touch ID or Face ID from unlocking a device. | [:::no-loc text="allowFingerprintForUnlock":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Fingerprint Modification":::** | False | Prevents the user from modifying Touch ID or Face ID. | [:::no-loc text="allowFingerprintModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Passcode Modification":::** | False | Prevents adding, changing, or removing the passcode. | [:::no-loc text="allowPasscodeModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Allow Password Auto Fill":::** | False | | [:::no-loc text="allowPasswordAutoFill":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+| Restrictions | **:::no-loc text="Safari Allow Autofill":::** | False | Disables Safari AutoFill for passwords, contact info, and credit cards and also prevents using the Keychain for AutoFill. 
| [:::no-loc text="safariAllowAutoFill":::](https://developer.apple.com/documentation/devicemanagement/restrictions) |
+
+## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph)
+
+[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)]
+
+This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - No user affinity**.
+
+```msgraph-interactive
+POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
+Content-Type: application/json
+
+{"name":"_MSLearn_Example_CommonEDU - iPads - No user affinity","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowaccountmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowaccountmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowbookstore","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowbookstore_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenterprisebookbackup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoi
ceSettingValue","value":"com.apple.applicationaccess_allowenterprisebookbackup_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowenterprisebookmetadatasync","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowenterprisebookmetadatasync_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfingerprintforunlock","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfingerprintforunlock_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowfingerprintmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowfingerprintmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasscodemodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasscodemodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowpasswordautofill","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowpasswordautofill_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicatio
naccess_safariallowautofill","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_safariallowautofill_false","children":[]}}]}]}}]}
+```
+
+[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)]
+
+---
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
new file mode 100644
index 00000000000..dff086ba432
--- /dev/null
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-ipads-optional.md
@@ -0,0 +1,60 @@ +--- +title: Common Education iPads optional configuration +description: Learn about common iPads optional configuration used by Education organizations in Intune. +ms.date: 10/16/2024 +ms.topic: tutorial +author: yegor-a +ms.author: egorabr +ms.manager: dougeby +no-loc: [Microsoft, Apple] +ms.collection: +- graph-interactive +--- + +# Optional restrictions + +Optional policies, while relatively common, are provided for more situational use cases. + +To learn more, see: + +- [Use the settings catalog to configure settings on Windows, iOS/iPadOS and macOS devices](/mem/intune/configuration/settings-catalog) +- [Restrictions payload](https://developer.apple.com/documentation/devicemanagement/restrictions) + +> [!TIP] +> When creating a settings catalog profile in the Microsoft Intune admin center, you can copy a policy name from this article and paste it into the settings picker search field to find the desired policy. + +## [**Settings**](#tab/settings) + +| **Category** | **Property** | **Value** | **Notes** | **Payload property** | +|---|---|:---:|---|---| +| Managed Settings > Bluetooth | **:::no-loc text="Enabled":::** | True | Enable the Bluetooth setting. | [:::no-loc text="Enabled":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/bluetooth) | +| Restrictions | **:::no-loc text="Force Automatic Date And Time":::** | True | Enables the Set Automatically feature in Date & Time and the user can't disable it.

**Note:**

| [:::no-loc text="forceAutomaticDateAndTime":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Managed Settings > Time Zone | **:::no-loc text="Time Zone":::** | **Example**:
America/Los_Angeles
Asia/Tokyo
Australia/Brisbane

See complete list in [:::no-loc text="IANA time zone database":::](https://data.iana.org/time-zones/tzdb/zone.tab). | If the **forceAutomaticDateAndTime** restriction is set in Restrictions, this setting fails with an error. Otherwise, setting this value disables automatic time zone logic. The user is still able to change the time zone; for example, by turning automatic date and time back on. The intention is to allow setting the time zone when automatic determination isn't available, such as when Location Services are off. | [:::no-loc text="TimeZone":::](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings/timezone) | +| Restrictions | **:::no-loc text="Allow Bluetooth Modification":::** | False | Prevents modification of Bluetooth settings. | [:::no-loc text="allowBluetoothModification":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Allow USB Restricted Mode":::** | True | Allows iOS devices to always connect to USB accessories while locked. If the system has Lockdown mode enabled, it ignores this value. | [:::no-loc text="allowUSBRestrictedMode":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Blocked App Bundle IDs":::** | **Example:**
com.apple.facetime
com.apple.findmy
com.apple.Home
com.apple.MobileStore
com.apple.MobileSMS
com.apple.Music
com.apple.podcasts
com.apple.stocks
com.apple.tv
com.apple.store.Jolly
com.apple.supportapp | Prevents showing or launching apps with bundle IDs in the array. | [:::no-loc text="blockedAppBundleIDs":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Enforced Software Update Delay":::** | 30 | How many days to delay a software update on the device. | [:::no-loc text="enforcedSoftwareUpdateDelay":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Force Classroom Automatically Join Classes":::** | True | Automatically gives permission to the teacher's requests without prompting the student. | [:::no-loc text="forceClassroomAutomaticallyJoinClasses":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Force Classroom Request Permission To Leave Classes":::** | True | A student enrolled in an unmanaged course through Classroom needs to request permission from the teacher to leave the course. | [:::no-loc text="forceClassroomRequestPermissionToLeaveClasses":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Force Classroom Unprompted App And Device Lock":::** | True | Allows the teacher to lock apps or the device without prompting the student. | [:::no-loc text="forceClassroomUnpromptedAppAndDeviceLock":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Force Classroom Unprompted Screen Observation":::** | True | If true and ScreenObservationPermissionModificationAllowed is also true in the [Education](https://developer.apple.com/documentation/devicemanagement/educationconfiguration) payload, a student enrolled in a managed course through the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. 
| [:::no-loc text="forceClassroomUnpromptedScreenObservation":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| Restrictions | **:::no-loc text="Force Preserve ESIM On Erase":::** | True | Preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option.

**Note:** Doesn't preserve eSIM if Find My initiates erasing the device. | [:::no-loc text="forcePreserveESIMOnErase":::](https://developer.apple.com/documentation/devicemanagement/restrictions) | +| System Configuration > Lock Screen Message | **:::no-loc text="Asset Tag Information":::** | {{devicename}} | Displayed in the login window and Lock screen. | [:::no-loc text="AssetTagInformation":::](https://developer.apple.com/documentation/devicemanagement/lockscreenmessage) | +| System Configuration > Lock Screen Message | **:::no-loc text="Lock Screen Footnote":::** | **Example**:
School of Fine Art | The footnote displayed in the login window and Lock screen. | [:::no-loc text="LockScreenFootnote":::](https://developer.apple.com/documentation/devicemanagement/lockscreenmessage) | + +## [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph) + +[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)] + +This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - iPads - Optional**. + +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies +Content-Type: application/json + +{"name":"_MSLearn_Example_CommonEDU - iPads - Optional","description":"","platforms":"iOS","technologies":"mdm,appleRemoteManagement","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"settings_item_bluetooth","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"settings_item_bluetooth_enabled","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"settings_item_bluetooth_enabled_true","children":[]}}]}]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"settings_item_timezone","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"settings_item_timezone_timezone","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"America/Los_Angeles"}}]}]}},{"@odata.type":"#microsoft
.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_com.apple.applicationaccess","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowbluetoothmodification","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowbluetoothmodification_false","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_allowusbrestrictedmode","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_allowusbrestrictedmode_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance","settingDefinitionId":"com.apple.applicationaccess_blockedappbundleids","simpleSettingCollectionValue":[{"value":"com.apple.facetime","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.findmy","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.Home","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.MobileStore","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.MobileSMS","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.Music","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.podcasts","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.stocks","@odata.type":
"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.tv","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.store.Jolly","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"},{"value":"com.apple.supportapp","@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue"}]},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.applicationaccess_enforcedsoftwareupdatedelay","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationIntegerSettingValue","value":30}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceautomaticdateandtime","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceautomaticdateandtime_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceclassroomautomaticallyjoinclasses","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceclassroomautomaticallyjoinclasses_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceclassroomrequestpermissiontoleaveclasses","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceclassroomrequestpermissiontoleaveclasses_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceclassroomunpromptedappanddevicelock","choiceSettingVa
lue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceclassroomunpromptedappanddevicelock_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forceclassroomunpromptedscreenobservation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forceclassroomunpromptedscreenobservation_true","children":[]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"com.apple.applicationaccess_forcepreserveesimonerase","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"com.apple.applicationaccess_forcepreserveesimonerase_true","children":[]}}]}]}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance","settingDefinitionId":"com.apple.shareddeviceconfiguration_com.apple.shareddeviceconfiguration","groupSettingCollectionValue":[{"children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.shareddeviceconfiguration_assettaginformation","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"{{devicename}}"}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"com.apple.shareddeviceconfiguration_lockscreenfootnote","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"MSLearn_Example_CommonEDU"}}]}]}}]} +``` + +[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)] + +--- 
diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md
index 8a94691e1ee..c89e98535ec 100644
--- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-overview.md
@@ -7,17 +7,32 @@ ms.topic: tutorial author: yegor-a ms.author: egorabr ms.manager: dougeby -no-loc: [Microsoft, Windows, Autopatch, Autopilot, Edge] +no-loc: [Microsoft, Windows, Autopatch, Autopilot, Edge, Apple] --- # Common Education configuration overview Intune is a powerful tool that can help Education organizations manage their devices and data efficiently. However, configuring the right settings can be a time-consuming task, especially for those new to the platform. To help accelerate the process, we have assembled common configurations based on customer engagements into this reference document. These settings can help ensure the security and compliance of your devices and data, while maximizing the user experience for your students and staff. Whether you're setting up a new tenant or need a quick reference guide, this document is a valuable resource for any Education organization looking to optimize their use of Intune. +## Guiding Principles and Methodology + +The recommended settings in this document are built from real-world customer configurations, reflecting how Education organizations are currently using Microsoft Intune to manage their Windows and iPadOS devices. The goal is to provide policies that prevent unintentional use, maintain consistency across devices, and ensure that devices are used solely for educational purposes. At the same time, these settings optimize the overall device experience for students. + +Key areas of focus include: + +- **Disabling AI capabilities**: Keep students focused by preventing distractions and the inappropriate use of OS AI features. +- **Update experience**: Ensure that devices are secure and up to date, while minimizing disruptions during class time. +- **Disabling changes to settings**: Maintain consistent device configurations and prevent tampering by locking critical settings. 
+- **Browsing experience**: Protect student privacy and data by ensuring a safe browsing environment, free from distractions and potential security risks. + +These policies are commonly used but not mandatory. Schools can tailor their configurations based on their specific needs, and optional policies are provided for more situational use cases. + > [!CAUTION] -> Adding these settings to your existing Intune tenant and assigning them to devices could potentially cause conflicts with your existing Intune policies. For more information, see [Compliance and device configuration policies that conflict](/mem/intune/configuration/device-profile-troubleshoot#conflicts). +> Adding these settings to your existing Intune tenant and assigning them to devices could potentially cause conflicts with your existing Intune policies. For more information, see [Compliance and device configuration policies that conflict](/mem/intune/configuration/device-profile-troubleshoot#conflicts) and [Avoiding policy conflicts](manage-avoid-policy-conflicts.md). + +## Intune policies for Windows in Education -## Configuration sections +### Configuration sections - [Device restrictions](/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions) - [Windows Update](/mem/intune/industry/education/tutorial-school-deployment/common-config-windows-update) 
@@ -29,3 +44,10 @@ Intune is a powerful tool that can help Education organizations manage their dev - [Windows privacy](/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-windows-privacy) - [Start menu customization](/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-start-menu) - [OneDrive Known Folder Move](/mem/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove) + +## Intune policies for iPads in Education + +- [Device restrictions](common-config-ipads-device-restrictions.md) +- [Apple Intelligence](common-config-ipads-ai.md) +- [iPads with no user affinity](common-config-ipads-nouser.md) +- [Optional restrictions](common-config-ipads-optional.md) diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md index 8360b845364..e2d4bc91e1f 100644 --- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md +++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-device-restrictions.md @@ -9,7 +9,7 @@ ms.manager: dougeby no-loc: [Microsoft, Windows, Autopatch, Autopilot] --- -# Device restrictions +# Common Education device restrictions There are many device restriction settings and configuration options you have available. This article summarizes the configurations that are most commonly used for student and teacher devices. diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md index 9247927bf69..6fa6279abfa 100644 --- a/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md 
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/enroll-autopilot.md @@ -161,7 +161,7 @@ With the devices joined to Microsoft Entra tenant and managed by Intune, you can [MSFT-1]: https://partner.microsoft.com/ -[INT-1]: /intune/network-bandwidth-use +[INT-1]: /mem/intune/fundamentals/network-bandwidth-use [M365-1]: https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2 diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md b/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md index 144c273b266..38ef96e2fad 100644 --- a/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md +++ b/memdocs/intune/industry/education/tutorial-school-deployment/manage-surface-devices.md @@ -42,6 +42,6 @@ To access and use the Surface Management Portal: -[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows +[INT-1]: /mem/intune/configuration/device-firmware-configuration-interface-windows-settings [MEM-1]: /mem/autopilot/dfci-management [SURF-1]: /surface/surface-manage-dfci-guide diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md b/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md index 563087d1819..5348436a922 100644 --- a/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md +++ b/memdocs/intune/industry/education/tutorial-school-deployment/set-up-microsoft-entra-id.md 
@@ -22,7 +22,7 @@ For more information, see [Create your Office 365 tenant][M365-1]. ### Explore the Microsoft 365 admin center -The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the [Microsoft 365 admin center](https://admin.microsoft.com), sign in with the same global administrator account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). +The **Microsoft 365 admin center** is the hub for all administrative consoles for the Microsoft 365 cloud. To access the [Microsoft 365 admin center](https://admin.microsoft.com), sign in with the same account when you [created the Microsoft 365 tenant](#create-a-microsoft-365-tenant). From the Microsoft 365 admin center, you can access different administrative dashboards: Microsoft Entra ID, Microsoft Intune, Intune for Education, and others: diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md index 43d387ca76d..1b5618f4fb0 100644 --- a/memdocs/intune/protect/advanced-threat-protection-configure.md +++ b/memdocs/intune/protect/advanced-threat-protection-configure.md 
@@ -39,7 +39,7 @@ Use the information and procedures in this article to configure integration of M - **Use Intune policy to onboard devices with Microsoft Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. - **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports a devices risk level. Devices that exceed the allowed risk level are identified as noncompliant. - **Use a conditional access policy** to block users from accessing corporate resources from devices that are noncompliant. -- **Use** [**app protection policies**](../protect/mtd-app-protection-policy.md) for Android and iOS/iPadOS, to set device risk levels. App protection polices work with both enrolled and unenrolled devices. +- **Use** [**app protection policies**](../protect/mtd-app-protection-policy.md) for Android and iOS/iPadOS, to set device risk levels. App protection policies work with both enrolled and unenrolled devices. In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [MDE Security Configuration Management](../protect/mde-security-integration.md). diff --git a/memdocs/intune/protect/advanced-threat-protection-monitor.md b/memdocs/intune/protect/advanced-threat-protection-monitor.md index 3b87acbf0a8..a358be52bc0 100644 --- a/memdocs/intune/protect/advanced-threat-protection-monitor.md +++ b/memdocs/intune/protect/advanced-threat-protection-monitor.md 
@@ -1,13 +1,13 @@ --- # required metadata -title: Monitor integration of Microsoft Defender for Endpoint in Microsoft Intune +title: Monitor Microsoft Defender for Endpoint with Microsoft Intune description: Monitor Microsoft Defender for Endpoint with Intune, including device compliance and onboarding status. keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 11/29/2023 +ms.date: 10/10/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -39,7 +39,7 @@ Monitor the state of devices that have the Microsoft Defender for Endpoint compl 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** > **Compliance**. On the **Monitor** tab, select **Noncompliant devices**. +2. Select **Devices** > **Compliance**. On the **Monitor** tab, select **Noncompliant devices**. 3. Find your Microsoft Defender for Endpoint policy in the list, and see which devices are compliant or noncompliant. 
@@ -47,8 +47,11 @@ For more information about reports, see [Intune reports](../fundamentals/reports ## View onboarding status -To view the onboarding status of your Intune-managed devices, go to **Endpoint security** > **Microsoft Defender for Endpoint**. At the bottom of this page is a visualization report for **Devices onboarded onto Microsoft Defender for Endpoint**, which displays the count of devices that report status from the Defender for Endpoint sensor. +To view the onboarding status of your Intune-managed devices: -## Next steps +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Select **Endpoint security** > **Overview**. As part of the default *Summary* is a visualization report for **Windows devices onboarded onto Microsoft Defender for Endpoint**, which displays the count of devices that report status from the Defender for Endpoint sensor. + +## Related content [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](../protect/advanced-threat-protection.md) diff --git a/memdocs/intune/protect/advanced-threat-protection.md b/memdocs/intune/protect/advanced-threat-protection.md index e1985409485..8b4d8a00323 100644 --- a/memdocs/intune/protect/advanced-threat-protection.md +++ b/memdocs/intune/protect/advanced-threat-protection.md 
@@ -75,7 +75,7 @@ For devices that run Android, you can use Intune policy to modify the configurat **Subscriptions**: To use Microsoft Defender for Endpoint with Intune, you must have the following subscriptions: -- **Microsoft Defender for Endpoint** - This subscription provides you access to the Microsoft Defender Security Center ([Microsoft Defender XDR](https://go.microsoft.com/fwlink/p/?linkid=2077139)). +- **Microsoft Defender for Endpoint** - This subscription provides you access to the Microsoft [Defender Security Center](https://go.microsoft.com/fwlink/p/?linkid=2077139). For Defender for Endpoint licensing options, see **Licensing requirements** in [Minimum requirements for Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) and [How to set up a Microsoft 365 E5 Trial Subscription](/microsoft-365/security/defender/setup-m365deval#enable-microsoft-365-trial-subscription). diff --git a/memdocs/intune/protect/antivirus-microsoft-defender-settings-macos.md b/memdocs/intune/protect/antivirus-microsoft-defender-settings-macos.md index 2051c0c780e..db7d6fd54d0 100644 --- a/memdocs/intune/protect/antivirus-microsoft-defender-settings-macos.md +++ b/memdocs/intune/protect/antivirus-microsoft-defender-settings-macos.md @@ -5,7 +5,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 11/10/2023 +ms.date: 09/12/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect @@ -70,11 +70,6 @@ For details about these settings, see the settings entry in [Set preferences for - *Enabled* - *Disabled* -- **Enforcement level** - - *Passive* (*default*) - - *Real time* - - *On Demand* - - **Scan history size** - *Not configured* (*default*) - *Configured* - When configured, specify a number of entries to keep in scan history. 
@@ -128,6 +123,11 @@ For details about these settings, see the settings entry in [Set preferences for - *True* - *Not configured* +- **Enforcement level** + - *Passive* (*default*) + - *Real time* + - *On Demand* + ## Network protection - **Enforcement level** diff --git a/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach.md b/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach.md index 5bfa400a857..e89cf6b120d 100644 --- a/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach.md +++ b/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 01/11/2024 +ms.date: 09/17/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -31,7 +31,7 @@ ms.reviewer: mattcall # Settings for Microsoft Defender Antivirus policy for tenant attached devices in Microsoft Intune -View the Microsoft Defender Antivirus settings you can manage with the **Microsoft Defender Antivirus Policy (ConfigMgr)** profile from Intune. The profile is available when you configure Intune [Endpoint security Antivirus policy](../protect/endpoint-security-antivirus-policy.md), and the policy deploys to devices you manage with Configuration Manager when you've configured the [tenant attach](../protect/tenant-attach-intune.md) scenario. +View the Microsoft Defender Antivirus settings you can manage with the **Microsoft Defender Antivirus Policy (ConfigMgr)** profile from Intune. The profile is available when you configure Intune [Endpoint security Antivirus policy](../protect/endpoint-security-antivirus-policy.md), and the policy deploys to devices you manage with Configuration Manager when you've configured the [tenant attach](../protect/tenant-attach-intune.md) scenario. (Path in the Microsoft Intune admin center: *Endpoint security* > *Antivirus* > *+ Create Policy* > Platform = *Windows (ConfigMgr)* > Profile = *Microsoft Defender Antivirus*.) ## Cloud protection @@ -60,6 +60,12 @@ View the Microsoft Defender Antivirus settings you can manage with the **Microso ## Microsoft Defender Antivirus Exclusions +> [!WARNING] +> **Defining exclusions lowers the protection offered by Microsoft Defender Antivirus**. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious. +> +> For more information, see [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) in the Microsoft Defender documentation. + + For each setting in this group, you can expand the setting, select **Add**, and then specify a value for the exclusion. - **Defender Processes To Exclude** 
@@ -281,7 +287,7 @@ Learn more - **Time of day to run a scheduled scan** - **Not Configured** (*default*) -- **Check For Signature Updates Before Running Scan** +- **Check For Signature Updates Before Running Scan (Device)** - **Not Configured** (*default*) - **No** - **Yes** @@ -303,9 +309,9 @@ Learn more Specify the interval from zero to 24 (in hours) that is used to check for signatures. A value of zero results in no check for new signatures. A value of 2 will check every two hours, and so on. -- **Signature Update Fallback Order (Device)** + - **Signature Update Fallback Order (Device)** -- **Signature Update File Shares Sources (Device)** + - **Signature Update File Shares Sources (Device)** - **Security Intelligence Location (Device)** @@ -316,13 +322,7 @@ Learn more - **Not allowed** Prevents users from accessing UI. - **Allowed** Lets users access UI. -- **Show notifications messages on the client computer when the user needs to run a full scan, update security intelligence, or run Windows Defender Offline** - - **Not Configured** (*default*) - - **Yes** - - **No** - -- **Disable the client user interface** +- **Allow users to view the full History results** - **Not Configured** (*default*) - **Yes** - - **No** - + - **No** \ No newline at end of file diff --git a/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows.md b/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows.md index 837d41028b3..50a9ebdba2f 100644 --- a/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows.md +++ b/memdocs/intune/protect/antivirus-microsoft-defender-settings-windows.md 
@@ -68,6 +68,11 @@ View details about the [endpoint security](../protect/endpoint-security-policy.m
 
 ## Microsoft Defender Antivirus Exclusions
 
+> [!WARNING]
+> **Defining exclusions lowers the protection offered by Microsoft Defender Antivirus**. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious.
+>
+> For more information, see [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) in the Microsoft Defender documentation.
+
 The following settings are available in the Microsoft Defender Antivirus profile:
 
 - **Defender local admin merge**
diff --git a/memdocs/intune/protect/blackberry-mobile-threat-defense-connector.md b/memdocs/intune/protect/blackberry-mobile-threat-defense-connector.md
index af6b80a3db0..fc99019d54f 100644
--- a/memdocs/intune/protect/blackberry-mobile-threat-defense-connector.md
+++ b/memdocs/intune/protect/blackberry-mobile-threat-defense-connector.md
@@ -8,7 +8,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 01/23/2024
+ms.date: 10/14/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -33,7 +33,7 @@ ms.collection: # Use BlackBerry Protect Mobile with Intune -Control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by BlackBerry Protect Mobile (powered by Cylance AI), a mobile threat defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices running the BlackBerry Protect Mobile app. +You can control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by BlackBerry Protect Mobile (powered by Cylance AI), a mobile threat defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices running the BlackBerry Protect Mobile app. You can configure Conditional Access policies based on a BlackBerry Protect risk assessment, enabled through Intune device compliance policies for enrolled devices. You can set up your policies to allow or block noncompliant devices from accessing corporate resources based on detected threats. For unenrolled devices, you can use app protection policies to enforce a block or selective wipe based on detected threats. 
@@ -55,7 +55,7 @@ For more information about how to integrate BlackBerry UES with Microsoft Intune ## How do Intune and the BlackBerry MTD connector help protect your company resources? -The CylancePROTECT app for Android and iOS/iPadOS captures file system, network stack, device, and application telemetry where available, then sends the telemetry data to the Cylance AI Protection cloud service to assess the device's risk for mobile threats. +For Android and iOS/iPadOS, the CylancePROTECT app captures file system, network stack, device, and application telemetry where available, then sends the data to the Cylance AI Protection cloud service to assess the device's risk for mobile threats. - **Support for enrolled devices** - Intune device compliance policy includes a rule for MTD, which can use risk assessment information from CylancePROTECT (BlackBerry). When the MTD rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources, such as Exchange Online and SharePoint Online. Users also receive guidance from the BlackBerry Protect app installed on their devices to resolve the issue and regain access to corporate resources. To support using BlackBerry Protect with enrolled devices: - [Add MTD apps to devices](../protect/mtd-apps-ios-app-configuration-policy-add-assign.md) diff --git a/memdocs/intune/protect/certificate-authority-add-scep-overview.md b/memdocs/intune/protect/certificate-authority-add-scep-overview.md index 0e3ba545384..6f46a3c1400 100644 --- a/memdocs/intune/protect/certificate-authority-add-scep-overview.md +++ b/memdocs/intune/protect/certificate-authority-add-scep-overview.md @@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 07/24/2024 +ms.date: 10/15/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -27,9 +27,7 @@ ms.collection:
 - sub-certificates
 ---
 
-# Add partner certification authority in Intune using SCEP
-
-[!INCLUDE [azure_portal](../includes/strong-mapping-cert.md)]
+# Add partner certification authority in Intune using SCEP
 
 Use third-party certification authorities (CA) with Intune. Third-party CAs can provision mobile devices with new or renewed certificates by using the Simple Certificate Enrollment Protocol (SCEP), and can support Windows, iOS/iPadOS, Android, and macOS devices.
 
@@ -139,6 +137,7 @@ After you unenroll or wipe the device, the certificates are removed from the dev
 
 The following third-party certification authorities support Intune:
 
+- [AWS Private Certificate Authority](https://docs.aws.amazon.com/privateca/latest/userguide/connector-for-scep-getting-started.html)
 - [Cogito Group](https://cogitogroup.net/scep)
 - [DigiCert](https://knowledge.digicert.com/tutorials/microsoft-intune.html)
 - [EasyScep](https://docs.just-software.com/EasyScep/)
diff --git a/memdocs/intune/protect/certificate-connector-install.md b/memdocs/intune/protect/certificate-connector-install.md
index 36af0abe06d..eaaf83d2db9 100644
--- a/memdocs/intune/protect/certificate-connector-install.md
+++ b/memdocs/intune/protect/certificate-connector-install.md
@@ -1,13 +1,13 @@
 ---
 # required metadata
 
-title: Install the Certificate Connector for Microsoft Intune - Azure | Microsoft Docs
+title: Install the Certificate Connector for Microsoft Intune
 description: Learn how to install and configure the unified Certificate Connector for Microsoft Intune, which supports SCEP, PKCS, imported PKCS, and certificate revocation.
 keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 09/11/2023
+ms.date: 10/09/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -33,7 +33,7 @@ ms.collection:
 
 # Install the Certificate Connector for Microsoft Intune
 
-To support your use of certificates with Intune, you can install the Certificate Connector for Microsoft Intune on any Windows Server that meets the [connector prerequisites](../protect/certificate-connector-prerequisites.md). The following sections will help you install and then configure the connector. This article also explains how to modify a previously installed connector, and how to remove the connector from a server.
+To support your use of certificates with Intune, you can install the Certificate Connector for Microsoft Intune on any Windows Server that meets the [connector prerequisites](../protect/certificate-connector-prerequisites.md). The following sections help you install and then configure the connector. This article also explains how to modify a previously installed connector, and how to remove the connector from a server.
 
 ## Download and install the connector software
 
@@ -47,11 +47,11 @@ To support your use of certificates with Intune, you can install the Certificate
 
 4. Sign in to the Windows Server that will host the certificate connector and confirm that the [prerequisites for the certificate connector](../protect/certificate-connector-prerequisites.md) are installed.
 
- If you’ll use SCEP with a Microsoft Certification Authority (CA), confirm that the Network Device Enrollment Service (NDES) role is installed.
+ To use the Simple Certificate Enrollment Protocol (SCEP) with a Microsoft Certification Authority (CA), confirm that the Network Device Enrollment Service (NDES) role is installed.
 
 5. Use an account with admin permissions to the server to run the installer (**IntuneCertificateConnector.exe**). The installer also installs the policy module for NDES. The policy module runs as an application in IIS.
 
- > [!NOTE]
+ > [!NOTE]
 > When **IntuneCertificateConnector.exe** runs to install a new connector or an existing connector auto upgrades while the Windows Event Viewer is open, the installation process logs a message similar to the following with an Event ID 1000 from the source *Microsoft-Intune-CertificateConnectors cannot be found*:
 >
 > - Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
@@ -73,13 +73,13 @@ After a connector installs, you can run the installation program again to uninst
 
 ## Configure the certificate connector
 
-To configure the certificate connector, you use the **Certificate Connector for Microsoft Intune** wizard. The configuration can start automatically when you choose *Configure Now* at the end of a certificate connector install, or manually by opening an elevated command prompt and running **C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe**. An example is provided below. The command must be run as an administrator.
+To configure the certificate connector, you use the **Certificate Connector for Microsoft Intune** wizard. The configuration can start automatically when you choose *Configure Now* at the end of a certificate connector install, or manually by opening an elevated command prompt and running **C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe**. An example follows. The command must be run as an administrator.
 
 ``` command
 C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe
 ```
 
-Each time **Certificate Connector for Microsoft Intune** starts on a server you’ll see the following *Welcome* page:
+Each time **Certificate Connector for Microsoft Intune** starts on a server you should see the following *Welcome* page:
 
 :::image type="content" source="./media/certificate-connector-install/begin-connector-configuration.png" alt-text="Welcome page of the Certificate Connector for Microsoft Intune wizard.":::
 
@@ -92,11 +92,11 @@ Use the following procedure to both configure a new connector and modify a previ
 
 2. On *Features*, select the checkbox for each connector feature you want to install on this server, and then select **Next**. Options include:
 
- - **SCEP**: Select this option to enable certificate delivery to devices from a Microsoft Active Directory Certification Authority using the SCEP protocol. Devices that submit a certificate request will generate a private/public key pair and submit only the public key as part of that request.
+ - **SCEP**: Select this option to enable certificate delivery to devices from a Microsoft Active Directory Certification Authority using the SCEP protocol. Devices that submit a certificate request generate a private/public key pair and submit only the public key as part of that request.
 
- - **PKCS**: Select this option to enable certificate delivery to devices from a Microsoft Active Directory Certification Authority in PKCS #12 format. Ensure you’ve set up all the necessary prerequisites.
+ - **PKCS**: Select this option to enable certificate delivery to devices from a Microsoft Active Directory Certification Authority in PKCS #12 format. Ensure you set up all the necessary prerequisites.
 
- - **PKCS imported certificates**: Select this option to enable certificate delivery to devices for pfx certificates that you've imported to Intune. Ensure you’ve set up all the necessary prerequisites.
+ - **PKCS imported certificates**: Select this option to enable certificate delivery to devices for pfx certificates that you import to Intune. Ensure you set up all the necessary prerequisites.
 
 - **Certificate revocation**: Select this option to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority.
 
@@ -108,12 +108,13 @@ Use the following procedure to both configure a new connector and modify a previ - **Domain user account** – Use any domain user account that is an administrator on the Windows Server. 4. On the *Proxy* page, add details for your proxy server if you require a proxy for internet access. For example, `http://proxy.contoso.com`. - > [!IMPORTANT] + + > [!IMPORTANT] > Be sure to include the HTTP or HTTPS prefix. This is a change from the proxy configuration for previous versions of the connector. 5. On the *Prerequisites* page, the wizard runs several checks on the server before the configuration can begin. Review and resolve any errors or warnings before you continue. -6. On the *Microsoft Entra sign-in* page, select the environment that hosts your Microsoft Entra ID, and then select **Sign In**. You’ll then be asked to authenticate your access. An Intune license is required for the account that you sign in with which can be either a Global Administrator or an Intune Administrator. +6. On the *Microsoft Entra sign-in* page (which appears as *Azure AD Sign-In*), select the environment that hosts your Microsoft Entra ID, and then select **Sign In**. Then when prompted, authenticate your access. An Intune license is required for the account that you sign in with which can be either a Global Administrator or an Intune Administrator. Unless you use a government cloud, use the default of **Public Commercial Cloud** for *Environment*. 
@@ -132,8 +133,8 @@ Use the following procedure to both configure a new connector and modify a previ After the configuration completes successfully and the wizard closes, the Certificate Connector for Microsoft Intune is now ready for use. > [!TIP] -> It might be helpful to rename the connector to reference the server the connector is installed on. -> +> It might be helpful to rename the connector to reference the server the connector is installed on. +> > To rename the connector, in the Microsoft Intune admin center, select **Tenant administration** > **Connectors and tokens** > **Certificate connectors**. Select the connector you want to rename. In **Name**, enter the name you want to use, and then select **save**. ## Modify the connector configuration @@ -143,9 +144,9 @@ After you configure a Certificate Connector for Microsoft Intune on a server, yo ## Remove the connector To uninstall the Certificate Connector for Microsoft Intune from a Windows Server, on the server run **IntuneCertificateConnector.exe**, which is the same [software you use to install the connector](#download-and-install-the-connector-software). When run on a server that has the connector installed, the only available option is to remove the current connector installation. -## Next steps -Deploy: +## Related content + - [SCEP certificate profiles](../protect/certificates-profile-scep.md) - [PKCS certificates](../protect/certificates-pfx-configure.md) - [Imported PKCS certificates](../protect/certificates-imported-pfx-configure.md) diff --git a/memdocs/intune/protect/certificate-connector-overview.md b/memdocs/intune/protect/certificate-connector-overview.md index 8b55c76fb6e..de6c93665b1 100644 --- a/memdocs/intune/protect/certificate-connector-overview.md +++ b/memdocs/intune/protect/certificate-connector-overview.md 
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 02/14/2023
+ms.date: 09/19/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -166,7 +166,7 @@ All events have one of the following IDs:
 
 ### Task Categories
 
-All events are tagged with a Task Category to aid in filtering. Task categories contain but aren't limited to the following list:
+All events are tagged with a Task Category to aid in filtering. Task categories contain but aren't limited to the following list:
 
 **PKCS**
 
@@ -388,6 +388,16 @@ New updates for the connector can take a week or more to become available for ea
 
 > [!IMPORTANT]
 > Starting April 2022, certificate connectors earlier than version **6.2101.13.0** will be deprecated and will show a status of *Error*. Starting August 2022, these connector versions **won't** be able to revoke certificates. Starting September 2022, these connector versions **won't** be able to issue certificates. This includes both the [PFX Certificate Connector for Microsoft Intune](../protect/certificate-connectors.md#pfx-certificate-connector-release-history) and [Microsoft Intune Connector](../protect/certificate-connectors.md#microsoft-intune-connector-release-history), which on July 29, 2021 were replaced by the *Certificate Connector for Microsoft Intune* (as detailed in this article).
+
+### September 19, 2024
+
+Version **6.2406.0.1001** - Changes in this release:
+
+- Changes to support KB5014754 requirements
+- Improved PKCS import-pipeline logging
+- Bug fixes
+- Security improvements
+
 ### February 15, 2023
 
 Version **6.2301.1.0** - Changes in this release:
diff --git a/memdocs/intune/protect/certificate-connector-prerequisites.md b/memdocs/intune/protect/certificate-connector-prerequisites.md
index 67f89444f54..64d0fcc94a6 100644
--- a/memdocs/intune/protect/certificate-connector-prerequisites.md
+++ b/memdocs/intune/protect/certificate-connector-prerequisites.md
@@ -1,14 +1,14 @@
 ---
 # required metadata
 
-title: Prerequisites for use of the Certificate Connector for Microsoft Intune - Azure | Microsoft Docs
+title: Prerequisites for the Certificate Connector for Microsoft Intune
 description: Review the software and network prerequisites for use of the Certificate Connector for Microsoft Intune.
 keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 09/11/2023
-ms.topic: how-to
+ms.date: 10/09/2024
+ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
 ms.localizationpriority: high
@@ -33,21 +33,22 @@ ms.collection: # Prerequisites for the Certificate Connector for Microsoft Intune -Before you install and configure the Certificate Connector for Microsoft Intune, review the prerequisites and infrastructure requirements, which can vary depending on the features you’ll configure a connector instance to support. +Review the prerequisites and infrastructure requirements for the Certificate Connector for Microsoft Intune. Some prerequisites and infrastructure requirements can vary depending on the features you configure a connector instance to support. ## General prerequisites Requirements for the computer where you install the connector software: - Windows Server 2012 R2 or later. + > [!NOTE] > The Server installation must include the Desktop Experience and support use of a browser. For more information, see [Install Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience) in the Windows Server 2016 documentation. - .NET 4.7.2 -- Transport Layer Security (TLS) 1.2. For more information, see [Enable support for TLS 1.2 in your environment](/troubleshoot/azure/active-directory/enable-support-tls-environment) in the Microsoft Entra documentation. +- Transport Layer Security (TLS) 1.2. For more information, see [Enable support for TLS 1.2 in your environment](/troubleshoot/azure/active-directory/enable-support-tls-environment) in the Microsoft Entra documentation. -- The server must meet the same network requirements as managed devices. See [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), and [Intune network configuration requirements and bandwidth](../fundamentals/network-bandwidth-use.md) +- The server must meet the same network requirements as managed devices. See [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), and [Intune network configuration requirements and bandwidth](../fundamentals/network-bandwidth-use.md). 
- To support automatic updates of the connector software, the server must have access to the **Azure update service**: - Port: **443** @@ -57,9 +58,9 @@ Requirements for the computer where you install the connector software: ## PKCS -Requirements for PKCS certificate templates: +Requirements for private and public key pair (PKCS) certificate templates: -- Certificate templates you’ll use for PKCS requests must be configured with permissions that allow the certificate connector service account to enroll the certificate. +- Certificate templates that you use for PKCS requests must be configured with permissions that allow the certificate connector service account to enroll the certificate. - The certificate templates must be added to the Certification Authority (CA). > [!NOTE] @@ -68,9 +69,9 @@ Requirements for PKCS certificate templates: ## PKCS imported certificates -To support PKCS imported certificates, the server that hosts the connector requires additional configurations, such as configuring a Key storage provider access to allow the Connector Service User to retrieve keys. +To support PKCS imported certificates, the server that hosts the connector requires additional configurations, such as configuring a Key storage provider access to allow the Connector Service User to retrieve keys. -For information about support for PKCS imported certificates, see [Configure and use imported PKCS certificates with Intune](../protect/certificates-imported-pfx-configure.md) +For information about support for PKCS imported certificates, see [Configure and use imported PKCS certificates with Intune](../protect/certificates-imported-pfx-configure.md). ## Revocation Prerequisites 
@@ -78,12 +79,12 @@ For information about support for PKCS imported certificates, see [Configure and
 
 ## SCEP
 
-The Windows Server that hosts the connector must meet the following prerequisites that are in addition to the general prerequisites:
+To support Simple Certificate Enrollment Protocol (SCEP) certificates, the Windows Server that hosts the connector must meet the following prerequisites in addition to the [general prerequisites](#general-prerequisites):
 
 - IIS 7 or higher
-- Network Device Enrollment Service (NDES) service, which is part of the Active Directory Certification Services role. The connector isn't supported on the same server as your issuing Certification Authority (CA). For more information,see [Configure infrastructure to support SCEP with Intune](../protect/certificates-scep-configure.md)
+- Network Device Enrollment Service (NDES) service, which is part of the Active Directory Certification Services role. The connector isn't supported on the same server as your issuing Certification Authority (CA). For more information, see [Configure infrastructure to support SCEP with Intune](../protect/certificates-scep-configure.md).
 
-On the Windows Server, configure select the following Server Roles and Features:
+On the Windows Server, select to add the following Server Roles and Features:
 
 - **Server Roles**:
 - Active Directory Certificate Services
@@ -97,7 +98,7 @@ On the Windows Server, configure select the following Server Roles and Features: - HTTP Activation - **AD CS > Role Services**: - - Network Device Enrollment Service - For the connector SCEP when you use a Microsoft CA, [install and configure](../protect/certificates-scep-configure.md#set-up-ndes) the **Network Device Enrollment Service** (NDES) server role. When you configure NDES, you’ll need to assign a user account for use by the [NDES application pool](#ndes-application-pool-user). NDES also has its own requirements. + - Network Device Enrollment Service - For the connector SCEP when you use a Microsoft CA, [install, and configure](../protect/certificates-scep-configure.md#set-up-ndes) the **Network Device Enrollment Service** (NDES) server role. When you configure NDES, you need to assign a user account for use by the [NDES application pool](#ndes-application-pool-user). NDES also has its own requirements. - **Web Server Role (IIS) > Role Services**: - Security @@ -117,7 +118,7 @@ On the Windows Server, configure select the following Server Roles and Features: Requirements for SCEP certificate templates: -- Certificate templates you’ll use for SCEP requests must be configured with permissions that allow the Certificate Connector service account to auto enroll the certificate. +- Certificate templates you use for SCEP requests must be configured with permissions that allow the Certificate Connector service account to auto enroll the certificate. - The certificate templates must be added to the CA. ## Accounts 
@@ -136,7 +137,7 @@ The connector service account must have the following permissions:
 
 - [**Logon as Service**](/system-center/scsm/enable-service-log-on-sm?view=sc-sm-2019&preserve-view=true)
 - **Issue and Manage Certificates** permissions on the Certification Authority (required only for revocation scenarios).
-- **Read** and **Enroll** permissions on any certificate template that you’ll use to issue certificates.
+- **Read** and **Enroll** permissions on any certificate template that you use to issue certificates.
 - Permissions to the **Key Storage Provider** (KSP) that’s used by PFX Import. See [Import PFX Certificates to Intune](../protect/certificates-imported-pfx-configure.md#import-pfx-certificates).
 
 The following options are supported for use as the certificate connector service account:
@@ -148,18 +149,16 @@ For more information, see [Install the Certificate Connector for Microsoft Intun
 
 ### NDES application pool user
 
-To use SCEP with a Microsoft CA, you’ll need to add NDES to the server that hosts the connector before installing the connector. When you configure NDES, you’ll need to specify an account for use as the application pool user, which can also be referred to as the NDES service account. This account can be a local or domain user account and must have the following permissions:
+To use SCEP with a Microsoft CA, you need to add NDES to the server that hosts the connector before installing the connector. When you configure NDES, you need to specify an account for use as the application pool user, which can also be referred to as the NDES service account. This account can be a local or domain user account and must have the following permissions:
 
-- **Read** and **Enroll** permissions on each SCEP certificate template you’ll use to issue certificates.
+- **Read** and **Enroll** permissions on each SCEP certificate template you use to issue certificates.
 - Member of the **IIS_IUSRS** group.
 
 For guidance on configuring the NDES server role for the Certificate Connector for Microsoft Intune, see [Set up NDES](../protect/certificates-scep-configure.md#set-up-ndes) in **Configure infrastructure to support SCEP with Intune**.
 
-
-
 ### Microsoft Entra user
 
-When configuring the connector, you'll need to use a user account that: is either a Global Admin or Intune Admin and has an Intune license assigned.
+When configuring the connector, you need to use a user account that: is either a Global Admin or Intune Admin and has an Intune license assigned.
 
 ## Next steps
 
diff --git a/memdocs/intune/protect/certificates-configure.md b/memdocs/intune/protect/certificates-configure.md
index 2b3a24ce2ad..cda2beba9d0 100644
--- a/memdocs/intune/protect/certificates-configure.md
+++ b/memdocs/intune/protect/certificates-configure.md
@@ -1,13 +1,13 @@
 ---
 # required metadata
 
-title: Learn about the types of certificate that are supported by Microsoft Intune
+title: Types of certificate that are supported by Microsoft Intune
 description: Learn about Microsoft Intune's support for Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography Standards (PKCS) certificates.
 keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 08/21/2023
+ms.date: 10/04/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -58,7 +58,8 @@ To provision a user or device with a specific type of certificate, Intune uses a
 
 In addition to the three certificate types and provisioning methods, you need a trusted root certificate from a trusted Certification Authority (CA). The CA can be an on-premises Microsoft Certification Authority, or a [third-party Certification Authority](certificate-authority-add-scep-overview.md). The trusted root certificate establishes a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued. To deploy this certificate, you use the *trusted certificate* profile, and deploy it to the same devices and users that receive the certificate profiles for SCEP, PKCS, and imported PKCS.
 
-> [!TIP]
+> [!TIP]
+>
 > Intune also supports use of [Derived credentials](derived-credentials.md) for environments that require use of smartcards.
 
 ### What’s required to use certificates
@@ -120,11 +121,13 @@ When you use a Microsoft Certification Authority (CA):
 
 When you use a third-party (non-Microsoft) Certification Authority (CA):
 
-- To use SCEP certificate profiles:
+- SCEP certificate profiles don't require use of the Microsoft Intune Certificate Connector. Instead, the third-party CA handles the certificate issuance and management directly. To use SCEP certificate profiles without the Intune Certificate Connector:
 - Configure integration with a third-party CA from [one of our supported partners](certificate-authority-add-scep-overview.md#third-party-certification-authority-partners). Setup includes following the instructions from the third-party CA to complete integration of their CA with Intune.
 - [Create an application in Microsoft Entra ID](certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration) that delegates rights to Intune to do SCEP certificate challenge validation.
+
+ For more information, see [Set up third-party CA integration](../protect/certificate-authority-add-scep-overview.md#set-up-third-party-ca-integration)
 
-- PKCS imported certificates require you to [Install the Certificate Connector for Microsoft Intune](certificate-connector-install.md).
+- PKCS imported certificates require use of the Microsoft Intune Certificate Connector. See [Install the Certificate Connector for Microsoft Intune](certificate-connector-install.md).
 
 - Deploy certificates by using the following mechanisms:
 - [Trusted certificate profiles](certificates-trusted-root.md#create-trusted-certificate-profiles) to deploy the Trusted Root CA certificate from your root or intermediate (issuing) CA to devices
@@ -152,10 +155,9 @@ When you use a third-party (non-Microsoft) Certification Authority (CA):
 
 [!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)]
 
+[!INCLUDE [android-device-administrator-support](../includes/android-device-administrator-support.md)]
 
- [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
-
-## Next steps
+## Related content
 
 More resources:
 
diff --git a/memdocs/intune/protect/certificates-digicert-configure.md b/memdocs/intune/protect/certificates-digicert-configure.md
index c4dcae6e38a..a0d29c11d14 100644
--- a/memdocs/intune/protect/certificates-digicert-configure.md
+++ b/memdocs/intune/protect/certificates-digicert-configure.md
@@ -6,7 +6,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/14/2022
+ms.date: 10/09/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -30,39 +30,41 @@ ms.collection:
 - certificates
 - sub-certificates
 ---
+
 # Set up the Certificate Connector for Microsoft Intune to support the DigiCert PKI Platform
-You can use the *Certificate Connector for Microsoft Intune* to issue PKCS certificates from DigiCert PKI Platform to Intune-managed devices. The certificate connector works with either a DigiCert certification authority (CA) only, or with both a DigiCert CA and a Microsoft CA.
+You can use the *Certificate Connector for Microsoft Intune* to issue Public Key Cryptography Standards (PKCS) certificates from DigiCert PKI Platform to Intune-managed devices. The certificate connector works with either a DigiCert certification authority (CA) only, or with both a DigiCert CA and a Microsoft CA.
 > [!TIP]
 > DigiCert acquired Symantec's Website Security and related PKI Solutions business. For more information about this change, see the [Symantec technical support article](https://support.symantec.com/en_US/article.INFO4722.html).
 If you already use the Certificate Connector for Microsoft Intune to issue certificates from a Microsoft CA by using PKCS or Simple Certificate Enrollment Protocol (SCEP), you can use that same connector to configure and issue PKCS certificates from a DigiCert CA. After you complete the configuration to support the DigiCert CA, the connector can issue the following certificates:
-* PKCS certificates from a Microsoft CA
-* PKCS certificates from a DigiCert CA
-* Endpoint Protection certificates from a Microsoft CA
+- PKCS certificates from a Microsoft CA
+- PKCS certificates from a DigiCert CA
+- Endpoint Protection certificates from a Microsoft CA
-If you don't have the connector installed but plan to use it for both a Microsoft CA and a DigiCert CA, complete the connector configuration for the Microsoft CA first. Then, return to this article to configure it to also support DigiCert.
For more information about certificate profiles and the connector, see [Configure a certificate profile for your devices in Microsoft Intune](certificates-configure.md).
+If you don't have the connector installed but plan to use it for both a Microsoft CA and a DigiCert CA, complete the connector configuration for the Microsoft CA first. Then, return to this article to configure it to also support DigiCert. For more information about certificate profiles and the connector, see [Configure a certificate profile for your devices in Microsoft Intune](certificates-configure.md).
-If you'll use the connector with only the DigiCert CA, you can use the instructions in this article to install and then configure the connector.
+To use the connector with only the DigiCert CA, use the instructions in this article to install and then configure the connector.
 ## Prerequisites
-You'll need the following to support use of a DigiCert CA:
+The following are requirements to support use of a DigiCert CA:
 - **An active subscription at the DigiCert CA** - The subscription is required to get a registration authority (RA) certificate from the DigiCert CA.
 - **Certificate Connector for Microsoft Intune** - You'll be instructed to install and configure the certificate connector later in this article. To help you plan for the connectors prerequesites in advance, see the following articles:
+- **Certificate Connector for Microsoft Intune** - Later in this article there are instructions for installing and configuring the certificate connector. To help you plan for the connectors prerequisites in advance, see the following articles:
- - Overview of the [Certificate Connector for Microsoft Intune](certificate-connector-overview.md).
- - [Prerequisites](certificate-connector-prerequisites.md).
- - [Installation and configuration](certificate-connector-install.md).
+ - Overview of the [Certificate Connector for Microsoft Intune](certificate-connector-overview.md)
+ - [Prerequisites](certificate-connector-prerequisites.md)
+ - [Installation and configuration](certificate-connector-install.md)
 ## Install the DigiCert RA certificate
 1. Save the following code snippet as in a file named **certreq.ini** and update it as required (for example: *Subject name in CN format*).
- ```
+ ```ini
+
 [Version]
 Signature="$Windows NT$"
@@ -84,7 +86,7 @@ You'll need the following to support use of a DigiCert CA:
 KeyUsage = 0xa0
 [EnhancedKeyUsageExtension]
- OID=1.3.6.1.5.5.7.3.2 ; Client Authentication // Uncomment if you need a mutual TLS authentication
+ OID=1.3.6.1.5.5.7.3.2 ; Client Authentication // Uncomment if you need a mutual TLS authentication
 ;-----------------------------------------------
 ```
@@ -148,11 +150,11 @@ You'll need the following to support use of a DigiCert CA:
 f. Use the procedure from step 5 to import the private key certificate into the **Local Computer-Personal** store.
- g. Record a copy the RA certificate thumbprint without any spaces. The following is an example of the thumbprint:
+ g. Record a copy the RA certificate thumbprint without any spaces. For example:
 `RA Cert Thumbprint: "EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5"`
-
- Later, after you install the Certificate Connector for Microsoft Intune, you'll use this value to update three .config files for the connector.
+
+ Later, you'll use this value to update three .config files for the Certificate Connector for Microsoft Intune, after installing the connector.
 > [!NOTE]
 > For assistance in getting the RA certificate from the DigiCert CA, contact [DigiCert customer support](mailto:enterprise-pkisupport@digicert.com).
@@ -168,15 +170,15 @@ You'll need the following to support use of a DigiCert CA:
 1. On the server where the connector installed, go to *%ProgramFiles%\Microsoft Intune\PFXCertificateConnector\ConnectorSvc*. (By default, the Certificate Connector for Microsoft Intune installs to %ProgramFiles%\Microsoft Intune\PFXCertificateConnector.)
- 2. Use a simple text editor like Notepad.exe to update the *RACertThumbprint* key value in the following three files. Replace the value in the files with the value you copied during step **6.g.** of the procedure in the [preceding section](#install-the-digicert-ra-certificate):
+ 2. Use a text editor like Notepad.exe to update the *RACertThumbprint* key value in the following three files. Replace the value in the files with the value you copied during step **6.g.** of the procedure in the [preceding section](#install-the-digicert-ra-certificate):
 - Microsoft.Intune.ConnectorsPkiCreate.exe.config
 - Microsoft.Intune.ConnectorsPkiRevoke.exe.config
 - Microsoft.Intune.ConnectorsPkiCreateLegacy.exe.config
- For example, locate the entry in each file that is similar to ``, and replace `EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5` with the new *RA Cert Thumbprint* value.
+ For example, locate the entry in each file that is similar to ``, and replace `EA7A4E0CD1A4F81CF0740527C31A57F6020C17C5` with the new *RA Cert Thumbprint* value.
- 3. Run **services.msc** and stop and then restart the following three services:
+ 3. Run **services.msc** and stop and then restart the following three services:
 - PFX Revoke Certificate Connector for Microsoft Intune (PkiRevokeConnectorSvc)
 - PFX Create Certificate Connector for Microsoft Intune (PkiCreateConnectorSvc)
@@ -184,7 +186,7 @@ You'll need the following to support use of a DigiCert CA:
 ## Create a trusted certificate profile
-The PKCS certificates you'll deploy for Intune managed devices must be chained with a trusted root certificate. To establish this chain, create an Intune trusted certificate profile with the root certificate from the DigiCert CA, and deploy both the trusted certificate profile and the PKCS certificate profile to the same groups.
+The PKCS certificates you deploy for Intune managed devices must be chained with a trusted root certificate. To establish this chain, create an Intune trusted certificate profile with the root certificate from the DigiCert CA, and deploy both the trusted certificate profile and the PKCS certificate profile to the same groups.
 1. Get a trusted root certificate from the DigiCert CA:
@@ -198,9 +200,9 @@ The PKCS certificates you'll deploy for Intune managed devices must be chained w
 2. Create a trusted certificate profile in the Microsoft Intune admin center. For detailed guidance, see [To create a trusted certificate profile](../protect/certificates-trusted-root.md#to-create-a-trusted-certificate-profile). Be sure to assign this profile to devices that will receive certificates. To assign the profile to groups, see [Assign device profiles](../configuration/device-profile-assign.md).
- After you create the profile, it appears in the list of profiles in the **Device configuration – Profiles** pane, with a profile type of **Trusted certificate**.
+ After you create the profile, it appears in the list of profiles in the **Device configuration – Profiles** pane, with a profile type of **Trusted certificate**.
-## Get the certificate profile OID
+## Get the certificate profile OID
 The certificate profile OID is associated with a certificate profile template in the DigiCert CA. To create a PKCS certificate profile in Intune, the certificate template name must be in the form of a certificate profile OID that is associated with a certificate template in the DigiCert CA.
@@ -236,9 +238,9 @@ The certificate profile OID is associated with a certificate profile template in
 |PKCS certificate parameter | Value | Description |
 | --- | --- | --- |
- | Certificate authority | pki-ws.symauth.com | This value must be the DigiCert CA base service FQDN without trailing slashes. If you aren't sure whether this is the correct base service FQDN for your DigiCert CA subscription, contact DigiCert customer support.

*With the change from Symantec to DigiCert, this URL remains unchanged*.

If this FQDN is incorrect, the certificate connector won't issue PKCS certificates from the DigiCert CA.|
- | Certificate authority name | Symantec | This value must be the string **Symantec**.

If there's any change to this value, the certificate connector won't issue PKCS certificates from the DigiCert CA.|
- | Certificate template name | Certificate profile OID from the DigiCert CA. For example: **2.16.840.1.113733.1.16.1.2.3.1.1.61904612**| This value must be a certificate profile OID [obtained in the previous section](#get-the-certificate-profile-oid) from the DigiCert CA certificate profile template.

If the certificate connector can't find a certificate template associated with this certificate profile OID in the DigiCert CA, it won't issue PKCS certificates from the DigiCert CA.|
+ | Certificate authority | pki-ws.symauth.com | This value must be the DigiCert CA base service FQDN without trailing slashes. If you aren't sure whether this is the correct base service FQDN for your DigiCert CA subscription, contact DigiCert customer support.

*With the change from Symantec to DigiCert, this URL remains unchanged*.

If this FQDN is incorrect, the certificate connector doesn't issue PKCS certificates from the DigiCert CA.|
+ | Certificate authority name | Symantec | This value must be the string **Symantec**.

If there's any change to this value, the certificate connector doesn't issue PKCS certificates from the DigiCert CA.|
+ | Certificate template name | Certificate profile OID from the DigiCert CA. For example: **2.16.840.1.113733.1.16.1.2.3.1.1.61904612**| This value must be a certificate profile OID [obtained in the previous section](#get-the-certificate-profile-oid) from the DigiCert CA certificate profile template.

If the certificate connector can't find a certificate template associated with this certificate profile OID in the DigiCert CA, it doesn't issue PKCS certificates from the DigiCert CA.|
 ![Selections for CA and certificate template](./media/certificates-digicert-configure/certificates-digicert-pkcs-example.png)
@@ -247,21 +249,21 @@ The certificate profile OID is associated with a certificate profile template in
 7. Complete the configuration of the profile to meet your business needs, and then select **Create** to save the profile.
-8. On the *Overview* page of the new profile, select **Assignments** and configure an appropriate group that will receive this profile. At least one user or device must be part of the assigned group.
+8. On the *Overview* page of the new profile, select **Assignments** and configure an appropriate group to receive this profile. At least one user or device must be part of the assigned group.
-After you complete the previous steps, Certificate Connector for Microsoft Intune will issue PKCS certificates from the DigiCert CA to Intune-managed devices in the assigned group. These certificates will be available in the **Personal** store of the **Current User** certificate store on the Intune-managed device.
+After you complete the previous steps, Certificate Connector for Microsoft Intune will issue PKCS certificates from the DigiCert CA to Intune-managed devices in the assigned group. These certificates are available in the **Personal** store of the **Current User** certificate store on the Intune-managed device.
 ### Supported attributes for the PKCS certificate profile
 |Attribute | Intune supported formats | DigiCert Cloud CA supported formats | result |
 | --- | --- | --- | --- |
-| Subject name |Intune supports the subject name in following three formats only:

1. Common name
2. Common name that includes email
3. Common name as email

For example:

`CN = IWUser0

E = IWUser0@samplendes.onmicrosoft.com` | The DigiCert CA supports more attributes. If you want to select more attributes, they must be defined with fixed values in the DigiCert certificate profile template.| We use common name or email from the PKCS certificate request.

Any mismatch in attribute selection between the Intune certificate profile and the DigiCert certificate profile template results in no certificates issued from the DigiCert CA.|
-| SAN | Intune supports only the following SAN field values:

**AltNameTypeEmail**
**AltNameTypeUpn**
**AltNameTypeOtherName** (encoded value) | The DigiCert Cloud CA also supports these parameters. If you want to select more attributes, they must be defined with fixed values in the DigiCert certificate profile template.

**AltNameTypeEmail**: If this type isn't found in the SAN, the certificate connector uses the value from **AltNameTypeUpn**. If **AltNameTypeUpn** is also not found in the SAN, then the certificate connector uses the value from the subject name if it's in email format. If the type is still not found, the certificate connector fails to issue the certificates.

Example: `RFC822 Name=IWUser0@ndesvenkatb.onmicrosoft.com`

**AltNameTypeUpn**: If this type is not found in the SAN, the certificate connector uses the value from **AltNameTypeEmail**. If **AltNameTypeEmail** is also not found in the SAN, then the certificate connector uses the value from subject name if it's in email format. If the type is still not found, the certificate connector fails to issue the certificates.

Example: `Other Name: Principal Name=IWUser0@ndesvenkatb.onmicrosoft.com`

**AltNameTypeOtherName**: If this type isn't found in the SAN, the certificate connector fails to issue the certificates.

Example: `Other Name: DS Object Guid=04 12 b8 ba 65 41 f2 d4 07 41 a9 f7 47 08 f3 e4 28 5c ef 2c`

The value of this field is supported only in encoded format (hexadecimal value) by the DigiCert CA. For any value in this field, the certificate connector converts it to base64 encoding before it submits the certificate request. *Certificate Connector for Microsoft Intune doesn't validate whether this value is already encoded or not.* | None |
+| Subject name |Intune supports the subject name in following three formats only:

1. Common name
2. Common name that includes email
3. Common name as email

For example:

`CN = IWUser0

E = IWUser0@samplendes.onmicrosoft.com` | The DigiCert CA supports more attributes. If you want to select more attributes, they must be defined with fixed values in the DigiCert certificate profile template.| We use common name or email from the PKCS certificate request.

Any mismatch in attribute selection between the Intune certificate profile and the DigiCert certificate profile template results in no certificates issued from the DigiCert CA.|
+| SAN | Intune supports only the following SAN field values:

**AltNameTypeEmail**
**AltNameTypeUpn**
**AltNameTypeOtherName** (encoded value) | The DigiCert Cloud CA also supports these parameters. If you want to select more attributes, they must be defined with fixed values in the DigiCert certificate profile template.

**AltNameTypeEmail**: If this type isn't found in the SAN, the certificate connector uses the value from **AltNameTypeUpn**. If **AltNameTypeUpn** is also not found in the SAN, then the certificate connector uses the value from the subject name if it's in email format. If the type is still not found, the certificate connector fails to issue the certificates.

Example: `RFC822 Name=IWUser0@ndesvenkatb.onmicrosoft.com`

**AltNameTypeUpn**: If this type isn't found in the SAN, the certificate connector uses the value from **AltNameTypeEmail**. If **AltNameTypeEmail** is also not found in the SAN, then the certificate connector uses the value from subject name if it's in email format. If the type is still not found, the certificate connector fails to issue the certificates.

Example: `Other Name: Principal Name=IWUser0@ndesvenkatb.onmicrosoft.com`

**AltNameTypeOtherName**: If this type isn't found in the SAN, the certificate connector fails to issue the certificates.

Example: `Other Name: DS Object Guid=04 12 b8 ba 65 41 f2 d4 07 41 a9 f7 47 08 f3 e4 28 5c ef 2c`

The value of this field is supported only in encoded format (hexadecimal value) by the DigiCert CA. For any value in this field, the certificate connector converts it to base64 encoding before it submits the certificate request. *Certificate Connector for Microsoft Intune doesn't validate whether this value is already encoded or not.* | None |
 ## Troubleshooting
-Logs for the Certificate Connector for Microsoft Intune are available as Event logs on the server where the connector is installed. These logs provide details about the connectors operation, and can be used to identify problems with the certificate connector and operations. For more information, see [Logging](../protect/certificate-connector-overview.md#logging).
+Logs for the Certificate Connector for Microsoft Intune are available as Event logs on the server where the connector is installed. These logs provide details about the connectors operation, and can be used to identify problems with the certificate connector and operations. For more information, see [Logging](../protect/certificate-connector-overview.md#logging).
-## Next steps
+## Related content
 Use the information in this article with the information in [What are Microsoft Intune device profiles?](../configuration/device-profiles.md) to manage your organization's devices and the certificates on them.
diff --git a/memdocs/intune/protect/certificates-pfx-configure.md b/memdocs/intune/protect/certificates-pfx-configure.md
index b36525f9c69..06c5940cecb 100644
--- a/memdocs/intune/protect/certificates-pfx-configure.md
+++ b/memdocs/intune/protect/certificates-pfx-configure.md
@@ -5,7 +5,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 08/23/2023
+ms.date: 10/01/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -32,7 +32,14 @@ ms.collection:
 ---
 # Configure and use PKCS certificates with Intune
-Microsoft Intune supports the use of private and public key pair (PKCS) certificates. This article reviews what's required to use PKCS certificates with Intune, including the export of a PKCS certificate then adding it to an Intune device configuration profile.
+**Applies to**L
+- Android
+- iOS/iPadOS
+- macOS
+- Windows 10/11
+
+
+Microsoft Intune supports the use of private and public key pair (PKCS) certificates. This article reviews the requirements for PKCS certificates with Intune, including the export of a PKCS certificate then adding it to an Intune device configuration profile.
 Microsoft Intune includes built-in settings to use PKCS certificates for access and authentication to your organizations resources. Certificates authenticate and secure access to your corporate resources like a VPN or a WiFi network. You deploy these settings to devices using device configuration profiles in Intune.
@@ -43,46 +50,94 @@ For information about using imported PKCS certificates, see [Imported PFX Certif
 ## Requirements
-To use PKCS certificates with Intune, you'll need the following infrastructure:
+To use PKCS certificates with Intune, you need the following infrastructure:
-- **Active Directory domain**:
- All servers listed in this section must be joined to your Active Directory domain.
+- Active Directory domain: All servers listed in this section must be joined to your Active Directory domain.
- For more information about installing and configuring Active Directory Domain Services (AD DS), see [AD DS Design and Planning](/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning).
+ For more information about installing and configuring Active Directory Domain Services (AD DS), see [AD DS Design and Planning](/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning).
-- **Certification Authority**:
- An Enterprise Certification Authority (CA).
+- Certification Authority: An Enterprise Certification Authority (CA).
- For information on installing and configuring Active Directory Certificate Services (AD CS), see [Active Directory Certificate Services Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772393(v=ws.10)).
+ For information on installing and configuring Active Directory Certificate Services (AD CS), see [Active Directory Certificate Services Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772393(v=ws.10)).
 > [!WARNING]
 > Intune requires you to run AD CS with an Enterprise Certification Authority (CA), not a Standalone CA.
-- **A client**:
- To connect to the Enterprise CA.
+- A client: To connect to the Enterprise CA.
+
+- Root certificate: An exported copy of your root certificate from your Enterprise CA.
+
+- Certificate Connector for Microsoft Intune: For information about the certificate connector, see:
+
+ - Overview of the [Certificate Connector for Microsoft Intune](certificate-connector-overview.md)
+ - [Prerequisites](certificate-connector-prerequisites.md)
+ - [Installation and configuration](certificate-connector-install.md)
+
+## Update certificate connector: Strong mapping requirements for KB5014754
+
+The Key Distribution Center (KDC) requires a strong mapping format in PKCS certificates deployed by Microsoft Intune and used for certificate-based authentication. The mapping must have a security identifier (SID) extension that maps to the user or device SID. If a certificate doesn't meet the new strong mapping criteria set by the full enforcement mode date, authentication will be denied. For more information about the requirements, see [KB5014754: Certificate-based authentication changes on Windows domain controllers ](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16).
+
+In the Microsoft Intune Certificate Connector, version 6.2406.0.1001, we released an update that adds the object identifier attribute containing the user or device SID to the certificate, effectively satisfying the strong mapping requirements. This update applies to users and devices synced from an on-premises Active Directory to Microsoft Entra ID, and is available across all platforms, with some differences:
+
+ * Strong mapping changes apply to *user certificates* for all OS platforms.
+
+ * Strong mapping changes apply to *device certificates* for Microsoft Entra hybrid-joined Windows devices.
+
+ To ensure that certficate-based authentication continues working, you must take the following actions:
+
+- Update the Microsoft Intune Certificate Connector to version 6.2406.0.1001.
For information about the latest version and how to update the certificate connector, see [Certificate connector for Microsoft Intune](certificate-connector-overview.md).
-- **Root certificate**:
- An exported copy of your root certificate from your Enterprise CA.
+- Make changes to registry key information on the Windows server that hosts the certificate connector.
-- **Certificate Connector for Microsoft Intune**:
+Complete the following procedure to modify the registry keys and apply the strong mapping changes to certificates. These changes apply to new PKCS certificates and PKCS certificates that are being renewed.
- For information about the certificate connector, see:
+>[!TIP]
+> This procedure requires you to modify the registry in Windows. For more information, see the following resources on Microsoft Support:
+> - [How to back up and restore the registry in Windows - Microsoft Support](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692)
+> - [How to add, modify, or delete registry subkeys and values by using a .reg file - Microsoft Support](https://support.microsoft.com/topic/how-to-add-modify-or-delete-registry-subkeys-and-values-by-using-a-reg-file-9c7f37cf-a5e9-e1cd-c4fa-2a26218a1a23)
- - Overview of the [Certificate Connector for Microsoft Intune](certificate-connector-overview.md).
- - [Prerequisites](certificate-connector-prerequisites.md).
- - [Installation and configuration](certificate-connector-install.md).
+1. In the Windows registry, change the value for `[HKLM\Software\Microsoft\MicrosoftIntune\PFXCertificateConnector](DWORD)EnableSidSecurityExtension` to **1**.
+
+1. Restart the certificate connector service.
+ 1. Go to **Start** > **Run**.
+ 2. Open **services.msc**.
+ 3. Restart these services:
+ - **PFX Create Legacy Connector for Microsoft Intune**
+
+ - **PFX Create Certificate Connector for Microsoft Intune**
+
+1.
Changes begin applying to all new certificates, and to certificates being renewed. To verify that authentication works, we recommend testing all places where certificate-based authentication could be used, including:
+ - Apps
+ - Intune-integrated certification authorities
+ - NAC solutions
+ - Networking infrastructure
+
+ To roll back changes:
+
+ 1. Restore the original registry settings.
+
+ 1. Restart these services:
+
+ - **PFX Create Legacy Connector for Microsoft Intune**
+
+ - **PFX Create Certificate Connector for Microsoft Intune**
+
+ 1. Create a new PKCS certificate profile for affected devices, to reissue certificates without the SID attribute.
+
+ > [!TIP]
+ > If you use a Digicert CA, you must create a certificate template for users with an SID and another template for users without an SID. For more information, see the [DigiCert PKI Platform 8.24.1 release notes](https://knowledge.digicert.com/general-information/release-notes-pki).
 ## Export the root certificate from the Enterprise CA
 To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate. The following steps explain how to get the required certificate from your Enterprise CA.
-**Use a command line**:
+Use a command line to complete these steps:
-1. Log in to the Root Certification Authority server with Administrator Account.
+1. Sign in to the Root Certification Authority server with Administrator Account.
-2. Go to **Start** > **Run**, and then enter **Cmd** to open command prompt.
+2. Go to **Start** > **Run**, and then enter **Cmd** to open a command prompt.
-3. Specify **certutil -ca.cert ca_name.cer** to export the Root certificate as a file named *ca_name.cer*.
+3. Enter **certutil -ca.cert ca_name.cer** to export the root certificate as a file named *ca_name.cer*.
 ## Configure certificate templates on the CA
@@ -91,7 +146,7 @@ To authenticate a device with VPN, WiFi, or other resources, a device needs a ro
 3. Find the **User** certificate template, right-click it, and choose **Duplicate Template** to open **Properties of New Template**.
 > [!NOTE]
- > For S/MIME email signing and encryption scenarios, many administrators use separate certificates for signing and encryption. If you're using Microsoft Active Directory Certificate Services, you can use the **Exchange Signature Only** template for S/MIME email signing certificates, and the **Exchange User** template for S/MIME encryption certificates. If you're using a 3rd-party certification authority, it's suggested to review their guidance to set up signing and encryption templates.
+ > For S/MIME email signing and encryption scenarios, many administrators use separate certificates for signing and encryption. If you're using Microsoft Active Directory Certificate Services, you can use the Exchange Signature Only template for S/MIME email signing certificates, and the Exchange User template for S/MIME encryption certificates. If you're using a non-Microsoft certification authority, we recommend reviewing their guidance to set up signing and encryption templates.
 4. On the **Compatibility** tab:
@@ -100,50 +155,55 @@ To authenticate a device with VPN, WiFi, or other resources, a device needs a ro 5. On the **General** tab: - - set **Template display name** to something meaningful to you. - - Uncheck **Publish certificate in Active Directory**. + - Set **Template display name** to something meaningful to you. + - Deselect **Publish certificate in Active Directory**. > [!WARNING] - > **Template name** by default is the same as **Template display name** with *no spaces*. Note the template name, you need it later. + > **Template name** by default is the same as **Template display name** with *no spaces*. Note the template name, because you need it later. -8. In **Request Handling**, select **Allow private key to be exported**. +8. In **Request Handling**, select **Allow private key to be exported**. > [!NOTE] > > Unlike SCEP, with PKCS the certificate private key is generated on the server where the certificate connector is installed and not on the device. The certificate template must allow the private key to be exported so that the connector can export the PFX certificate and send it to the device. > - > When the certificates install on the device itself, the private key is marked as not exportable. + > After the certificates install on the device, the private key is marked as not exportable. -9. In **Cryptography**, confirm that the **Minimum key size** is set to 2048. +9. In **Cryptography**, confirm that the **Minimum key size** is set to 2048. - Windows and Android devices support use of 4096-bit key size with a PKCS certificate profile. To use this key size, specify 4096 as the *Minimum key size*. + Windows and Android devices support the use of 4096-bit key size with a PKCS certificate profile. To use this key size, adjust the value to 4096. > [!NOTE] > - > For Windows devices, 4096-bit key storage is supported only in the *Software Key Storage Provider* (KSP). 
The following do not support storing keys of this size: + > For Windows devices, 4096-bit key storage is supported only in the Software Key Storage Provider (KSP). The following features do not support storage for keys of this size: > - > - The hardware TPM (Trusted Platform Module). As a workaround you can use the Software KSP for key storage. - > - Windows Hello for Business. There is no workaround for Windows Hello for Business at this time. + > - The hardware TPM (Trusted Platform Module): As a workaround you can use the Software KSP for key storage. + > - Windows Hello for Business: There is no workaround for Windows Hello for Business at this time. -10. In **Subject Name**, choose **Supply in the request**. -11. In **Extensions**, confirm that you see Encrypting File System, Secure Email, and Client Authentication under **Application Policies**. +10. In **Subject Name**, choose **Supply in the request**. +11. In **Extensions**, under **Application Policies**, confirm that you see **Encrypting File System**, **Secure Email**, and **Client Authentication**. > [!IMPORTANT] - > For iOS/iPadOS certificate templates, go to the **Extensions** tab, update **Key Usage**, and confirm that **Signature is proof of origin** isn't selected. + > For iOS/iPadOS certificate templates, go to the **Extensions** tab, update **Key Usage**, and then deselect **Signature is proof of origin**. -12. In **Security**: - 1. (Required): Add the Computer Account for the server where you install the Certificate Connector for Microsoft Intune. Allow this account **Read** and **Enroll** permissions. - 1. (Optional but recommended): Remove the Domain Users group from the list of groups or user names allowed permissions on this template by selecting the **Domain Users** group and select *Remove*. Review the other entries in *Groups or user names* for permissions and applicability to your environment. +12. In **Security**: + 1. 
Add the computer account for the server where you install the Certificate Connector for Microsoft Intune. Allow this account **Read** and **Enroll** permissions. + 1. (Optional but recommended) Remove the domain users group from the list of groups or user names allowed permissions on this template. To remove the group: + 1. Select the **Domain Users** group. + 1. Select **Remove**. + 1. Review the other entries under **Groups or user names** to confirm permissions and applicability to your environment. -13. Select **Apply** > **OK** to save the certificate template. Close the **Certificate Templates Console**. -14. In the **Certification Authority** console, right-click **Certificate Templates** > **New** > **Certificate Template to Issue**. Choose the template that you created in the previous steps. Select **OK**. -15. For the server to manage certificates for enrolled devices and users, use the following steps: +13. Select **Apply** > **OK** to save the certificate template. Close the Certificate Templates Console. +14. In the **Certification Authority** console, right-click **Certificate Templates**. +14. Select **New** > **Certificate Template to Issue**. +15. Choose the template that you created in the previous steps. Select **OK**. +16. Permit the server to manage certificates for enrolled devices and users: - 1. Right-click the Certification Authority, choose **Properties**. - 2. On the security tab, add the Computer account of the server where you run the connector. - 3. Grant **Issue and Manage Certificates** and **Request Certificates** Allow permissions to the computer account. + 1. Right-click the Certification Authority, and then choose **Properties**. + 2. On the security tab, add the computer account of the server where you run the connector. + 3. Grant **Issue and Manage Certificates** and **Request Certificates** permissions to the computer account. -16. Sign out of the Enterprise CA. +16. Sign out of the Enterprise CA. 
## Download, install, and configure the Certificate Connector for Microsoft Intune @@ -156,7 +216,7 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft 2. Select and go to **Devices** > **Manage devices** > **Configuration** > **Create**. 3. Enter the following properties: - - **Platform**: Choose the platform of the devices that will receive this profile. + - **Platform**: Choose the platform of the devices receiving this profile. - Android device administrator - Android Enterprise: - Fully Managed @@ -185,9 +245,15 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft 8. Select **Next**. -9. In **Assignments**, select the user or device group(s) that will be assigned the profile. For more granularity, see [Create filters in Microsoft Intune](https://go.microsoft.com/fwlink/?linkid=2150376) and apply them by selecting *Edit filter*. +9. In **Assignments**, select the user or device groups you want to include in the assignment. These groups receive the profile after you deploy it. For more granularity, see [Create filters in Microsoft Intune](https://go.microsoft.com/fwlink/?linkid=2150376) and apply them by selecting *Edit filter*. + + Plan to deploy this certificate profile to the same groups that receive: - Plan to deploy this certificate profile to the same groups that receive the PKCS certificate profile, and that receive a configuration profile like a Wi-Fi profile that makes use of the certificate. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). + - The PKCS certificate profile and + + - A configuration profile, such as a Wi-Fi profile that makes use of the certificate. + + For more information about assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). Select **Next**. 
@@ -238,10 +304,10 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft |Setting | Platform | Details | |------------|------------|------------| |**Renewal threshold (%)** |
  • All |Recommended is 20% | - |**Certificate validity period** |
    • All |If you didn't change the certificate template, this option may be set to one year.

      Use a validity period of five days or up to 24 months. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. | + |**Certificate validity period** |
      • All |If you didn't change the certificate template, this option might be set to one year.

        Use a validity period of five days or up to 24 months. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. | |**Key storage provider (KSP)** |
        • Windows 10/11 |For Windows, select where to store the keys on the device. | |**Certification authority** |
          • All |Displays the internal fully qualified domain name (FQDN) of your Enterprise CA. | - |**Certification authority name** |
            • All |Lists the name of your Enterprise CA, such as "Contoso Certification Authority". | + |**Certification authority name** |
              • All |Lists the name of your Enterprise CA, such as "Contoso Certification Authority." | |**Certificate template name** |
                • All |Lists the name of your certificate template. | |**Certificate type** |
                  • Android Enterprise (*Corporate-Owned and Personally-Owned Work Profile*)
                  • iOS
                  • macOS
                  • Windows 10/11 |Select a type:
                    • **User** certificates can contain both user and device attributes in the subject and subject alternative name (SAN) of the certificate.
                    • **Device** certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.

                      This selection affects the Subject name format. | |**Subject name format** |
                      • All |For details on how to configure the subject name format, see [Subject name format](#subject-name-format) later in this article.

                        For the following platforms, the Subject name format is determined by the certificate type:
                        • Android Enterprise (*Work Profile*)
                        • iOS
                        • macOS
                        • Windows 10/11

                        | 
@@ -255,15 +321,21 @@ For guidance, see [Install and configure the Certificate Connector for Microsoft In **Apps**, configure **Certificate access** to manage how certificate access is granted to applications. Choose from: - **Require user approval for apps** *(default)* – Users must approve use of a certificate by all applications. - - **Grant silently for specific apps (require user approval for other apps)** – With this option, select **Add apps**, and then select one or more apps that will silently use the certificate without user interaction. + - **Grant silently for specific apps (require user approval for other apps)** – With this option, select **Add apps**. Then select all apps that should silently use the certificate without user interaction. 9. Select **Next**. -10. In **Assignments**, select the user or groups that will receive your profile. Plan to deploy this certificate profile to the same groups that receive the trusted certificate profile, and that receive a configuration profile like a Wi-Fi profile that makes use of the certificate. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). +10. In **Assignments**, select the users and groups you want to include in the assignment. Users and groups receive the profile after you deploy it. Plan to deploy this certificate profile to the same groups that receive: - Select **Next**. + - The trusted certificate profile and -11. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. + - A configuration profile, such as a Wi-Fi profile that makes use of the certificate. + + For more information about assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). + +11. Select **Next**. + +12. In **Review + create**, review your settings. 
When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. ### Subject name format @@ -319,14 +391,14 @@ Platforms: By using a combination of one or many of these variables and static text strings, you can create a custom subject name format, such as: **CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US** - That example includes a subject name format that uses the CN and E variables, and strings for Organizational Unit, Organization, Location, State, and Country values. [CertStrToName function](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) describes this function, and its supported strings. + That example includes a subject name format that uses the CN and E variables, and strings for organizational unit, organization, location, state, and country/region values. [CertStrToName function](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) describes this function, and its supported strings. User attributes aren't supported for devices that don’t have user associations, such as devices that are enrolled as Android Enterprise dedicated. For example, a profile that uses *CN={{UserPrincipalName}}* in the subject or SAN can't get the user principal name when there isn't a user on the device. - **Device certificate type** Format options for the Subject name format include the following variables: - **{{AAD_Device_ID}}** - - **{{DeviceId}}** - This is the Intune device ID + - **{{DeviceId}}** - The Intune device ID - **{{Device_Serial}}** - **{{Device_IMEI}}** - **{{SerialNumber}}** 
@@ -344,7 +416,7 @@ Platforms: > > - When you specify a variable, enclose the variable name in curly brackets { } as seen in the example, to avoid an error. > - Device properties used in the *subject* or *SAN* of a device certificate, like **IMEI**, **SerialNumber**, and **FullyQualifiedDomainName**, are properties that could be spoofed by a person with access to the device. - > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. + > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. ## Next steps diff --git a/memdocs/intune/protect/certificates-profile-scep.md b/memdocs/intune/protect/certificates-profile-scep.md index 90c914b2917..c44baf140eb 100644 --- a/memdocs/intune/protect/certificates-profile-scep.md +++ b/memdocs/intune/protect/certificates-profile-scep.md @@ -5,7 +5,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/23/2023 +ms.date: 10/15/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -29,9 +29,7 @@ ms.collection: - sub-certificates --- -# Create and assign SCEP certificate profiles in Intune - -[!INCLUDE [azure_portal](../includes/strong-mapping-cert.md)] +# Create and assign SCEP certificate profiles in Intune After you [configure your infrastructure](certificates-scep-configure.md) to support Simple Certificate Enrollment Protocol (SCEP) certificates, you can create and then assign SCEP certificate profiles to users and devices in Intune. 
@@ -48,8 +46,38 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio > For more information about this limitation, see [Trusted certificate profiles for Android device administrator](../protect/certificates-trusted-root.md#trusted-certificate-profiles-for-android-device-administrator). [!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)] + > [!TIP] -> *SCEP certificate* profiles are supported for [Windows Enterprise multi-session remote desktops](../fundamentals/azure-virtual-desktop-multi-session.md). +> *SCEP certificate* profiles are supported for [Windows Enterprise multi-session remote desktops](../fundamentals/azure-virtual-desktop-multi-session.md). + +## Update certificate connector: Strong mapping requirements for KB5014754 + +**Applies to**: + +- Windows 10 +- Windows 11 +- iOS +- macOS + +The Key Distribution Center (KDC) requires user or device objects to be strongly mapped to Active Directory for certificate-based authentication. This means that the certificate's subject alternative name (SAN) must contain a security identifier (SID) extension that maps to the user or device SID in Active Directory. When a user or device authenticates with a certificate in Active Directory, the KDC checks for the SID to verify that the certificate is mapped and issued to the correct user or device. The mapping requirement protects against certificate spoofing and ensures that certificate-based authentication against the KDC continues working. + +Strong mapping is required for all certificates deployed by Microsoft Intune and used for certificate-based authentication against KDC. The strong mapping solution is applicable to user certificates across all platforms. For device certificates, it only applies to Microsoft Entra hybrid-joined Windows devices. 
If certificates in these scenarios don't meet the strong mapping requirements by the full enforcement mode date, authentication will be denied. + +To implement the strong mapping solution for SCEP certificates delivered via Intune, you must add the `OnpremisesSecurityIdentifier` variable to the SAN in the SCEP profile. + + > [!div class="mx-imgBorder"] + > ![Screenshot of the SCEP certificate profile create flow highlighting the Configuration settings label.](./media/certificates-profile-scep/scep-configuration-settings.png) + +This variable must be part of the URI attribute. You can create a new SCEP profile or edit an existing one to add the URI attribute. + + > [!div class="mx-imgBorder"] + > ![Screenshot of the SCEP certificate profile highlighting the Subject alternative name section and completed URI and Value fields.](./media/certificates-profile-scep/scep-san-add.png) + +After you add the URI attribute and value to the certificate profile, Microsoft Intune appends the SAN attribute with the tag and the resolved SID. Example formatting: `tag:microsoft.com,2022-09-14:sid:` At this point, the certificate profile meets the strong mapping requirements. + +To ensure your SCEP profile meets strong mapping requirements, create a SCEP certificate profile in the Microsoft Intune admin center, or modify an existing profile with the new SAN attribute and value. As a prerequisite, users and devices must be synced from Active Directory to Microsoft Entra ID. For more information, see [How objects and credentials are synchronized in a Microsoft Entra Domain Services managed domain](/entra/identity/domain-services/synchronization). + +For more information about the KDC's requirements and enforcement date for strong mapping, see [KB5014754: Certificate-based authentication changes on Windows domain controllers ](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16). 
## Create a SCEP certificate profile @@ -73,8 +101,8 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio 1. Under Monitoring, certificate reporting isn't available for **Device Owner** SCEP certificate profiles. 1. You can't use Intune to revoke certificates that were provisioned by SCEP certificate profiles for **Device Owners**. You can manage revocation through an external process or directly with the certification authority. - 1. SCEP certificate profiles are supported for Wi-Fi network configuration. VPN configuration profile support is not available. A future update may include support for VPN configuration profiles. - 1. The following 3 variables are not available for use on Android (AOSP) SCEP certificate profiles. Support for these variables will come in a future update. + 1. SCEP certificate profiles are supported for Wi-Fi network configuration. VPN configuration profile support isn't available. A future update might include support for VPN configuration profiles. + 1. The following variables aren't available for use on Android (AOSP) SCEP certificate profiles. Support for these variables will come in a future update. - onPremisesSamAccountName - OnPrem_Distinguished_Name - Department @@ -100,7 +128,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio *(Applies to: Android, Android Enterprise, Android (AOSP), iOS/iPadOS, macOS, Windows 8.1, and Windows 10/11)* - Select a type depending on how you'll use the certificate profile: + Select a type, depending on how you plan to use the certificate profile: - **User**: *User* certificates can contain both user and device attributes in the subject and SAN of the certificate. 
@@ -176,7 +204,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio That example includes a subject name format that uses the CN and E variables, and strings for Organizational Unit, Organization, Location, State, and Country values. [CertStrToName function](/windows/win32/api/wincrypt/nf-wincrypt-certstrtonamea) describes this function, and its supported strings. - User attributes are not supported for devices that don’t have user associations, such as devices that are enrolled as Android Enterprise dedicated. For example, a profile that uses *CN={{UserPrincipalName}}* in the subject or SAN won’t be able to get the user principal name when there is no user on the device. + User attributes aren't supported for devices that don’t have user associations, such as devices that are enrolled as Android Enterprise dedicated. For example, a profile that uses *CN={{UserPrincipalName}}* in the subject or SAN won’t be able to get the user principal name when there's no user on the device. - **Device certificate type** @@ -193,6 +221,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio - **{{DeviceName}}** - **{{FullyQualifiedDomainName}}** *(Only applicable for Windows and domain-joined devices)* - **{{MEID}}** + You can specify these variables and static text in the textbox. For example, the common name for a device named *Device1* can be added as **CN={{DeviceName}}Device1**. 
@@ -203,7 +232,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the subject name of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. - **Subject alternative name**: - Select how Intune automatically creates the subject alternative name (SAN) in the certificate request. You can specify multiple subject alternative names. For each one, you may select from four SAN attributes and enter a text value for that attribute. The text value can contain variables and static text for the attribute. + Configure the subject alternative name (SAN) in the certificate request. You can enter more than one subject alternative name. The text value can contain variables and static text for the attribute. > [!NOTE] > The following Android Enterprise profiles don’t support use of the {{UserName}} variable for the SAN: @@ -211,14 +240,14 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio > - Fully Managed, Dedicated, and Corporate-Owned Work Profile - Select from the available SAN attributes: + Select from the available SAN attributes: - **Email address** - **User principal name (UPN)** - **DNS** - **Uniform Resource Identifier (URI)** - Variables available for the SAN value depend on the Certificate type you selected; either **User** or **Device**. + The type of certificate you choose determines the SAN variable. > [!NOTE] > Beginning with Android 12, Android no longer supports use of the following hardware identifiers for *personally owned work profile* devices: 
@@ -229,29 +258,33 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio > > Intune certificate profiles for personally owned work profile devices that rely on these variables in the subject name or SAN will fail to provision a certificate on devices that run Android 12 or later at the time the device enrolled with Intune. Devices that enrolled prior to upgrade to Android 12 can still receive certificates so long as Intune previously obtained the devices hardware identifiers. > - >For more information about this and other changes introduced with Android 12, see the [Android Day Zero Support for Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/android-12-day-zero-support-with-microsoft-endpoint-manager/ba-p/2621665) blog post. + >For more information about this and other changes introduced with Android 12, see the [Android Day Zero Support for Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/android-12-day-zero-support-with-microsoft-endpoint-manager/ba-p/2621665) blog post. - **User certificate type** - With the *User* certificate type, you can use any of the user or device certificate variables described above in the Subject Name section. + With the *user* certificate type, you can use any of the user or device certificate variables described above in the Subject Name section. + + For example, user certificate types can include the user principal name (UPN) in the subject alternative name. If a client certificate is used to authenticate to a Network Policy Server, set the subject alternative name to the UPN. - For example, user certificate types can include the user principal name (UPN) in the subject alternative name. If a client certificate is used to authenticate to a Network Policy Server, set the subject alternative name to the UPN. 
+ Microsoft Intune also supports *OnPremisesSecurityIdentifier*, a variable that's compliant with the Key Distribution Center's (KDC) strong mapping requirements for certificate-based authentication. You should add the variable to user certificates that authenticate with the KDC. You can add the variable, formatted as **{{OnPremisesSecurityIdentifier}}**, to new and existing profiles in the Microsoft Intune admin center. This variable is supported in user certificates for macOS, iOS, and Windows 10/11, and only works with the URI attribute. - **Device certificate type** - With the *Device* certificate type, you can use any of the variables described in the *Device certificate type* section for Subject Name. + With the *device* certificate type, you can use any of the variables described in the *Device certificate type* section for Subject Name. - To specify a value for an attribute, include the variable name with curly brackets, followed by the text for that variable. For example, a value for the DNS attribute can be added **{{AzureADDeviceId}}.domain.com** where *.domain.com* is the text. For a user named *User1* an Email address might appear as {{FullyQualifiedDomainName}}User1@Contoso.com. + To specify a value for an attribute, include the variable name with curly brackets, followed by the text for that variable. For example, a value for the DNS attribute can be added **{{AzureADDeviceId}}.domain.com** where *.domain.com* is the text. For a user named *User1* an Email address might appear as {{FullyQualifiedDomainName}}User1@Contoso.com. + + By using a combination of one or many of these variables and static text strings, you can create a custom subject alternative name format, such as **{{UserName}}-Home**. + + Microsoft Intune also supports *OnPremisesSecurityIdentifier*, a variable that's compliant with the Key Distribution Center's (KDC) strong mapping requirements for certificate-based authentication. 
You should add the variable to device certificates that authenticate with the KDC. You can add the variable, formatted as **{{OnPremisesSecurityIdentifier}}**, to new and existing profiles in the Microsoft Intune admin center. This variable is supported in device certificates for Microsoft Entra hybrid joined devices, and only works with the URI attribute. - By using a combination of one or many of these variables and static text strings, you can create a custom subject alternative name format, such as: - - **{{UserName}}-Home** > [!IMPORTANT] > > - When using a device certificate variable, enclose the variable name in double curly brackets {{ }}. > - Don't use curly brackets **{ }**, pipe symbols **|**, and semicolons **;**, in the text that follows the variable. > - Device properties used in the *subject* or *SAN* of a device certificate, like **IMEI**, **SerialNumber**, and **FullyQualifiedDomainName**, are properties that could be spoofed by a person with access to the device. - > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the SAN of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. + > - A device must support all variables specified in a certificate profile for that profile to install on that device. For example, if **{{IMEI}}** is used in the SAN of a SCEP profile and is assigned to a device that doesn't have an IMEI number, the profile fails to install. - **Certificate validity period**: 
@@ -261,7 +294,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio For example, if the certificate validity period in the certificate template is two years, you can enter a value of one year, but not a value of five years. The value must also be lower than the remaining validity period of the issuing CA's certificate. - Plan to use a validity period of five days or greater. When the validity period is less than five days, there is a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. + Plan to use a validity period of five days or greater. When the validity period is less than five days, there's a high likelihood of the certificate entering a near-expiry or expired state, which can cause the MDM agent on devices to reject the certificate before it’s installed. - **Key storage provider (KSP)**: @@ -330,7 +363,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio Enter one or more URLs for the NDES Servers that issue certificates via SCEP. For example, enter something like `https://ndes.contoso.com/certsrv/mscep/mscep.dll`. - To allow devices on the internet to get certificates, you must specify the NDES URL external to your corporate network. + To allow devices on the internet to get certificates, you must specify the NDES URL external to your corporate network. The URL can be HTTP or HTTPS. However, to support the following devices, the SCEP Server URL must use HTTPS: - Android device administrator - Android Enterprise device owner 
@@ -381,7 +414,7 @@ When your subject name includes one of the special characters, use one of the fo - Encapsulate the CN value that contains the special character with quotes. - Remove the special character from the CN value. -**For example**, you have a Subject Name that appears as *Test user (TestCompany, LLC)*. A CSR that includes a CN that has the comma between *TestCompany* and *LLC* presents a problem. The problem can be avoided by placing quotes around the entire CN, or by removing of the comma from between *TestCompany* and *LLC*: +**For example**, you have a Subject Name that appears as *Test user (TestCompany, LLC)*. A CSR that includes a CN that has the comma between *TestCompany* and *LLC* presents a problem. The problem can be avoided by placing quotes around the entire CN, or by removing of the comma from between *TestCompany* and *LLC*: - **Add quotes**: *CN="Test User (TestCompany, LLC)",OU=UserAccounts,DC=corp,DC=contoso,DC=com* - **Remove the comma**: *CN=Test User (TestCompany LLC),OU=UserAccounts,DC=corp,DC=contoso,DC=com* diff --git a/memdocs/intune/protect/certificates-trusted-root.md b/memdocs/intune/protect/certificates-trusted-root.md index 93ee5b1de9f..b87b0792deb 100644 --- a/memdocs/intune/protect/certificates-trusted-root.md +++ b/memdocs/intune/protect/certificates-trusted-root.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 09/11/2023 +ms.date: 09/23/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -42,19 +42,19 @@ You deploy the trusted certificate profile to the same devices and users that re
 ## Export the trusted root CA certificate
-To use PKCS, SCEP, and PKCS imported certificates, devices must trust your root Certification Authority. To establish trust, export the Trusted Root CA certificate, and any intermediate or issuing Certification Authority certificates, as a public certificate (.cer). You can get these certificates from the issuing CA, or from any device that trusts your issuing CA.
+To use PKCS, SCEP, and PKCS imported certificates, devices must trust your root Certification Authority. To establish trust, export the Trusted Root CA certificate, and any intermediate or issuing Certification Authority certificates, as a public certificate (`.cer`). You can get these certificates from the issuing CA, or from any device that trusts your issuing CA.
-To export the certificate, refer to the documentation for your Certification Authority. You'll need to export the public certificate as a DER-encoded .cer file. Don't export the private key, a .pfx file.
+To export the certificate, refer to the documentation for your Certification Authority. You need to export the public certificate as a DER-encoded `.cer` file. Don't export the private key, a `.pfx` file.
-You'll use this .cer file when you [create trusted certificate profiles](#create-trusted-certificate-profiles) to deploy that certificate to your devices.
+You use this `.cer` file when you [create trusted certificate profiles](#create-trusted-certificate-profiles) to deploy that certificate to your devices.
 ## Create trusted certificate profiles
-Create and deploy a trusted certificate profile before you create a SCEP, PKCS, or PKCS imported certificate profile. Deploying a trusted certificate profile to the same groups that receive the other certificate profile types ensures that each device can recognize the legitimacy of your CA. This includes profiles like those for VPN, Wi-Fi, and email.
+Before you create a SCEP, PKCS, or PKCS imported certificate profile, create and deploy a trusted certificate profile. Deploy the trusted certificate profile to the same groups that receive the other certificate profile types. This step makes sure that each device can recognize the legitimacy of your CA, including profiles VPN, Wi-Fi, and email profiles.
-SCEP certificate profiles directly reference a trusted certificate profile. PKCS certificate profiles don't directly reference the trusted certificate profile but do directly reference the server that hosts your CA. PKCS imported certificate profiles don't directly reference the trusted certificate profile but can use it on the device. Deploying a trusted certificate profile to devices ensures this trust is established. When a device doesn't trust the root CA, the SCEP or PKCS certificate profile policy will fail.
+SCEP certificate profiles directly reference a trusted certificate profile. PKCS certificate profiles don't directly reference the trusted certificate profile but do directly reference the server that hosts your CA. PKCS imported certificate profiles don't directly reference the trusted certificate profile but can use it on the device. Deploying a trusted certificate profile to devices ensures this trust is established. When a device doesn't trust the root CA, the SCEP or PKCS certificate profile policy fails.
-Create a separate trusted certificate profile for each device platform you want to support, just as you'll do for SCEP, PKCS, and PKCS imported certificate profiles.
+Create a separate trusted certificate profile for each device platform you want to support, just as you do for SCEP, PKCS, and PKCS imported certificate profiles.
 > [!IMPORTANT]
 > Trusted root profiles that you create for the platform *Windows 10 and later*, display in the Microsoft Intune admin center as profiles for the platform *Windows 8.1 and later*.
@@ -66,19 +66,22 @@ Create a separate trusted certificate profile for each device platform you want
 ### Trusted certificate profiles for Android device administrator
- [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
+[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)]
-Beginning with Android 11, you can no longer use a trusted certificate profile to deploy a trusted root certificate to devices that are enrolled as *Android device administrator*. This limitation doesn't apply to Samsung Knox.
+This feature applies to:
+
+- Android 10 and earlier on non-KNOX devices
+- Android 12 and earlier on Samsung KNOX devices
 Because SCEP certificate profiles require both the trusted root certificate be installed on a device, and must reference a trusted certificate profile that in turn references that certificate, use the following steps to work around this limitation:
 1. Manually provision the device with the trusted root certificate. For sample guidance, see the following section.
-2. Deploy to the device, a trusted root certificate profile that references the trusted root certificate that you’ve installed on the device.
+2. Deploy to the device, a trusted root certificate profile that references the trusted root certificate that you installed on the device.
 3. Deploy a SCEP certificate profile to the device that references the trusted root certificate profile.
-This issue isn’t limited to SCEP certificate profiles. Therefore, plan to manually install the trusted root certificate on applicable devices should your use of PKCS certificate profiles, or PKCS Imported certificate profiles require it.
+This issue isn't limited to SCEP certificate profiles. Therefore, plan to manually install the trusted root certificate on applicable devices should your use of PKCS certificate profiles, or PKCS Imported certificate profiles require it.
Learn more about [changes in support for Android device administrator](https://techcommunity.microsoft.com/t5/intune-customer-success/decreasing-support-for-android-device-administrator/ba-p/1441935) from techcommunity.microsoft.com. 
@@ -86,15 +89,15 @@ Learn more about [changes in support for Android device administrator](https://t The following guidance can help you manually provision devices with a trusted root certificate. -1. Download or transfer the trusted root certificate to the Android device. For example, you might use email to distribute the certificate to device users, or have users download it from a secure location. After the certificate is on the device, it must be opened, named, and saved. Saving the certificate adds it to the User certificate store on the device. +1. Download or transfer the trusted root certificate to the Android device. For example, you might use email to distribute the certificate to device users, or have users download it from a secure location. After the certificate is on the device, it must be opened, named, and saved. Saving the certificate adds it to the User certificate store on the device. 1. To open the certificate on the device, a user must locate and tap (open) the certificate. For example, after sending the certificate by email, a device user can tap on or open the certificate attachment. 2. When the certificate opens, the user must provide their PIN or otherwise authenticate to the device before they can manage the certificate. -2. After authentication, the certificate opens and must be named before it can be saved to the Users certificate store. The certificate name must match the certificate name that’s specified in the Trusted Root Certificate profile that will be sent to the device. -After naming the certificate, it can be saved. +2. After authentication, the certificate opens and must be named before it can be saved to the Users certificate store. The certificate name must match the certificate name that's in the Trusted Root Certificate profile that is sent to the device. +After you name the certificate, it can be saved. -3. After being saved the certificate is ready for use. 
A user can confirm the certificate is in the correct location on the device: +3. After being saved, the certificate is ready for use. A user can confirm the certificate is in the correct location on the device: 1. Open **Settings** > **Security** > **Trusted credentials**. The actual path to *Trusted credentials* can vary by device. 2. Open the **User** tab and locate the certificate. 3. If present in the list of User certificates, the certificate is installed correctly. @@ -112,7 +115,7 @@ After naming the certificate, it can be saved. ![Navigate to Intune and create a new profile for a trusted certificate](./media/certificates-trusted-root/certificates-configure-profile-new.png) 3. Enter the following properties: - - **Platform**: Choose the platform of the devices that will receive this profile. + - **Platform**: Choose the platform of the devices that should receive this profile. - **Profile**: Depending on your chosen platform, select **Trusted certificate** or select **Templates** > **Trusted certificate**. [!INCLUDE [windows-phone-81-windows-10-mobile-support](../includes/windows-phone-81-windows-10-mobile-support.md)] @@ -125,7 +128,7 @@ After naming the certificate, it can be saved. 6. Select **Next**. -7. In **Configuration settings**, specify the .cer file for the trusted Root CA Certificate you previously exported. +7. In **Configuration settings**, specify the `.cer` file for the trusted Root CA Certificate you previously exported. For Windows 8.1 and Windows 10/11 devices only, select the **Destination Store** for the trusted certificate from: 
@@ -138,7 +141,7 @@ After naming the certificate, it can be saved.
 8. Select **Next**.
-9. In **Assignments**, select the user or groups that will receive your profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
+9. In **Assignments**, select the user or groups that should receive your profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md).
 Select **Next**.
diff --git a/memdocs/intune/protect/compliance-policy-create-android-for-work.md b/memdocs/intune/protect/compliance-policy-create-android-for-work.md
index b26d0e1a056..db02bedb17d 100644
--- a/memdocs/intune/protect/compliance-policy-create-android-for-work.md
+++ b/memdocs/intune/protect/compliance-policy-create-android-for-work.md
@@ -42,9 +42,9 @@ This feature applies to:
 As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see [get started with device compliance](device-compliance-get-started.md).
 > [!IMPORTANT]
-> Android compliance policies should only be targeted at groups of devices, not users. Compliance policies will be evaluated against the device and will appropriately reflect the compliance state in Intune. To allow users on dedicated devices to sign-in to resources protected by Conditional Access policies, consider using Android Enterprise dedicated devices with [*Microsoft Entra shared device mode*](../enrollment/android-kiosk-enroll.md).
+> It's important to target compliance policies for dedicated devices at groups of devices, not users. Compliance policies will be evaluated against the device and will appropriately reflect the compliance state in Intune. To allow users on dedicated devices to sign in to resources protected by Conditional Access policies, consider using Android Enterprise dedicated devices with [*Microsoft Entra shared device mode*](../enrollment/android-kiosk-enroll.md). In scenarios with fully managed devices, or personal and corporate-owned work profiles, you can target compliance policies at groups of users or devices.
 >
-> On Android Enterprise dedicated devices that are enrolled without Microsoft Entra shared device mode, users of the device will be unable to sign into resources protected by Conditional Access policies, even if the device is compliant in Intune. To learn more about shared device mode, see [*Overview of shared device mode*](/azure/active-directory/develop/msal-shared-devices) in the Microsoft Entra documentation.
+> Users on dedicated devices enrolled without Microsoft Entra shared device mode can't sign into resources protected by Conditional Access policies, even if the device is compliant in Intune.
To learn more about shared device mode, see [*Overview of shared device mode*](/azure/active-directory/develop/msal-shared-devices) in the Microsoft Entra documentation.
diff --git a/memdocs/intune/protect/compliance-policy-create-android.md b/memdocs/intune/protect/compliance-policy-create-android.md
index b5b180caa71..6391a5acd98 100644
--- a/memdocs/intune/protect/compliance-policy-create-android.md
+++ b/memdocs/intune/protect/compliance-policy-create-android.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 09/25/2023
+ms.date: 09/23/2024
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -67,22 +67,22 @@ As an Intune administrator, use these compliance settings to help protect your o *Device administrator* capabilities are superseded by Android Enterprise. - **Not configured** (*default*) - - **Block** - Blocking device administrator will guide users to move to Android Enterprise Personally-Owned and Corporate-Owned Work Profile management to regain access. + - **Block** - Blocking device administrator guides users to move to Android Enterprise Personally Owned and Corporate Owned Work Profile management to regain access. - **Rooted devices** Prevent rooted devices from having corporate access. (This compliance check is supported for Android 4.0 and above.) - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Block** - Mark rooted devices as not compliant. - **Require the device to be at or under the Device Threat Level** Use this setting to take the risk assessment from a connected Mobile Threat Defense service as a condition for compliance. - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. - - **Secured** - This option is the most secure, as the device can't have any threats. If the device is detected with any level of threats, it's evaluated as noncompliant. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. + - **Secured** - This option is the most secure, as the device can't have any threats. If the device is detected with any level of threats, the device is evaluated as noncompliant. - **Low** - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status. - - **Medium** - The device is evaluated as compliant if existing threats on the device are low or medium level. 
If the device is detected to have high-level threats, it's determined to be noncompliant. - - **High** - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes. + - **Medium** - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, the device is determined to be noncompliant. + - **High** - This option is the least secure, and allows all threat levels. It can be useful if you're using this solution only for reporting purposes. ### Google Play Protect @@ -92,17 +92,17 @@ As an Intune administrator, use these compliance settings to help protect your o - **Google Play Services is configured** Google Play services allows security updates, and is a base-level dependency for many security features on certified-Google devices. - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Require** - Require that the Google Play services app is installed and enabled. - **Up-to-date security provider** - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Require** - Require that an up-to-date security provider can protect a device from known vulnerabilities. - **Threat scan on apps** - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Require** - Require that the Android **Verify Apps** feature is enabled. > [!NOTE] 
@@ -111,7 +111,7 @@ As an Intune administrator, use these compliance settings to help protect your o - **Play integrity verdict** Enter the level of Google's [Play Integrity](https://developer.android.com/google/play/integrity) that must be met. Your options: - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Check basic integrity** - **Check basic integrity & device integrity** @@ -123,7 +123,7 @@ As an Intune administrator, use these compliance settings to help protect your o ### Operating System Version - **Minimum OS version** - When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources. + When a device doesn't meet the minimum OS version requirement, the devices is reported as noncompliant. A link with information about how to upgrade is shown. The end user can choose to upgrade their device, and then get access to company resources. *By default, no version is configured*. @@ -137,9 +137,9 @@ As an Intune administrator, use these compliance settings to help protect your o ### Encryption - **Require encryption of data storage on device** - *Supported on Android 4.0 and later, or KNOX 4.0 and later.* + *Supported on Android 11 and earlier, or Samsung KNOX Android 14 and earlier*. - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Require** - Encrypt data storage on your devices. Devices are encrypted when you choose the **Require a password to unlock mobile devices** setting. ### Device Security 
@@ -147,7 +147,7 @@ As an Intune administrator, use these compliance settings to help protect your o - **Block apps from unknown sources** *Supported on Android 4.0 to Android 7.x. Not supported by Android 8.0 and later* - - **Not configured** (*default*) - this setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - this setting isn't evaluated for compliance or noncompliance. - **Block** - Block devices with **Security > Unknown Sources** enabled sources (*supported on Android 4.0 through Android 7.x. Not supported on Android 8.0 and later.*). To side-load apps, unknown sources must be allowed. If you're not side-loading Android apps, then set this feature to **Block** to enable this compliance policy. @@ -156,7 +156,7 @@ As an Intune administrator, use these compliance settings to help protect your o > Side-loading applications require that the **Block apps from unknown sources** setting is enabled. Enforce this compliance policy only if you're not side-loading Android apps on devices. - **Company portal app runtime integrity** - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Require** - Choose *Require* to confirm the Company Portal app meets all the following requirements: - Has the default runtime environment installed @@ -166,7 +166,7 @@ As an Intune administrator, use these compliance settings to help protect your o - **Block USB debugging on device** *(Supported on Android 4.2 or later)* - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. + - **Not configured** (*default*) - This setting isn't evaluated for compliance or noncompliance. - **Block** - Prevent devices from using the USB debugging feature. - **Minimum security patch level** 
@@ -177,19 +177,11 @@ As an Intune administrator, use these compliance settings to help protect your o *By default, no date is configured*. - **Restricted apps** - Enter the **App name** and **App bundle ID** for apps that should be restricted, and then select **Add**. A device with at least one restricted app installed is marked as non-compliant. + Enter the **App name** and **App bundle ID** for apps that should be restricted, and then select **Add**. A device with at least one restricted app installed is marked as noncompliant. To get the bundle ID of an app added to Intune, [you can use the Intune admin center](../apps/get-app-bundle-id-intune-admin-center.md). -### Password - -The available settings for passwords vary by the version of Android on the device. - -#### All Android devices - -*The following settings are supported on Android 4.0 or later, and Knox 4.0 and later.* - -- **Maximum minutes of inactivity before password is required** +- **Maximum minutes of inactivity before password is required (Samsung KNOX Android 12 and earlier)​** This setting specifies the length of time without user input after which the mobile device screen is locked. Options range from *1 Minute* to *8 Hours*. The recommended value is *15 Minutes*. - **Not configured** *(default)* 
@@ -198,7 +190,11 @@ The available settings for passwords vary by the version of Android on the devic This setting specifies whether to require users to enter a password before access is granted to information on their mobile devices. Recommended value: *Require* (This compliance check is supported for devices with OS versions Android 4.0 and above, or KNOX 4.0 and above.) - - **Not configured** *(default)* + - **Not configured** *(default)* - This setting isn't evaluated for compliance or noncompliance. + - **Require** - Users must enter a password before they can access their device. When set to **require**, also configure: + + - **Password complexity** + - **Required password type** #### Android 10 and later @@ -222,19 +218,11 @@ The available settings for passwords vary by the version of Android on the devic - Alphabetic, with a minimum length of 6. - Alphanumeric, with a minimum length of 6. -#### Android 9 and earlier or Samsung Knox - -*The following settings are supported on Android 9.0 and earlier, and any version of Samsung Knox.* - -- **Require a password to unlock mobile devices** - This setting specifies whether to require users to enter a password before access is granted to information on their mobile devices. Recommended value: Require +#### Android 9 and earlier, or Samsung Knox Android 15 and earlier - - **Not configured** (*default*) - This setting isn't evaluated for compliance or non-compliance. - - **Require** - Users must enter a password before they can access their device. - - When set to *Require*, the following setting can be configured: +*The following settings are supported on Android 9.0 and earlier, and any Android OS version 15 and earlier.* - **Required password type** +- **Required password type** Choose if a password should include only numeric characters, or a mix of numerals and other characters. - **Device Default** - To evaluate password compliance, be sure to select a password strength other than **Device default**. 
@@ -251,7 +239,7 @@ The available settings for passwords vary by the version of Android on the devic Enter the minimum number of digits or characters that the user's password must have. - **Maximum minutes of inactivity before password is required** - Enter the idle time before the user must reenter their password. When you choose **Not configured** (default), this setting isn't evaluated for compliance or non-compliance. + Enter the idle time before the user must reenter their password. When you choose **Not configured** (default), this setting isn't evaluated for compliance or noncompliance. - **Number of days until password expires** Select the number of days before the password expires and the user must create a new password. diff --git a/memdocs/intune/protect/conditional-access-exchange-create.md b/memdocs/intune/protect/conditional-access-exchange-create.md index 4bb3f36e327..b8fed4d7100 100644 --- a/memdocs/intune/protect/conditional-access-exchange-create.md +++ b/memdocs/intune/protect/conditional-access-exchange-create.md 
@@ -94,13 +94,13 @@ Before you can configure Conditional Access, verify the following configurations
 5. Select **Android enterprise** in **Platform**, select **Email** in **Profile type**.
- 6. Configure the [email profile settings](/intune/configuration/email-settings-android-enterprise#android-enterprise).
+ 6. Configure the [email profile settings](/mem/intune/configuration/email-settings-android-enterprise#android-enterprise).
 7. When you're done, select **OK** > **Create** to save your changes.
- 8. After you create the email profile, [assign it to groups](/intune/device-profile-assign).
+ 8. After you create the email profile, [assign it to groups](/mem/intune/configuration/device-profile-assign).
- 9. Set up [device-based conditional access](/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access).
+ 9. Set up [device-based conditional access](/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access).
 > [!NOTE]
 > Microsoft Outlook for Android and iOS/iPadOS is not supported via the Exchange on-premises connector. If you want to leverage Microsoft Entra Conditional Access policies and Intune App Protection Policies with Outlook for iOS/iPadOS and Android for your on-premises mailboxes, please see [Using hybrid Modern Authentication with Outlook for iOS/iPadOS and Android](/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth).
@@ -176,4 +176,4 @@ Before you can use the following procedure to set up Exchange on-premises access
 Next, create a compliance policy and assign it to the users for Intune to evaluate their mobile devices, See [Get started with device compliance](device-compliance-get-started.md).
-[Troubleshooting Intune on-premises Exchange connector in Microsoft Intune](https://support.microsoft.com/help/4471887)
+[Troubleshooting Intune on-premises Exchange connector in Microsoft Intune](/troubleshoot/mem/intune/device-protection/troubleshoot-exchange-connector)
diff --git a/memdocs/intune/protect/create-conditional-access-intune.md b/memdocs/intune/protect/create-conditional-access-intune.md
index 3a8a1136801..bf7f35120d7 100644
--- a/memdocs/intune/protect/create-conditional-access-intune.md
+++ b/memdocs/intune/protect/create-conditional-access-intune.md
@@ -119,4 +119,4 @@ To take advantage of device compliance status, configure Conditional Access poli
 ## Next steps
 - [App-based Conditional Access with Intune](app-based-conditional-access-intune.md)
-- [Troubleshooting Intune Conditional Access](https://support.microsoft.com/help/4456106)
+- [Troubleshooting Intune Conditional Access](/troubleshoot/mem/intune/device-protection/troubleshoot-conditional-access)
diff --git a/memdocs/intune/protect/derived-credentials.md b/memdocs/intune/protect/derived-credentials.md
index 09774fae6e3..bbcb6d33ddc 100644
--- a/memdocs/intune/protect/derived-credentials.md
+++ b/memdocs/intune/protect/derived-credentials.md
@@ -120,7 +120,7 @@ Depending on the issuer you choose, you might need staff to be available at the
 For example, you might use conditional access to block access to email for noncompliant devices. If you rely on email notifications to inform the user to start the derived credential enrollment process, your users might not receive those instructions until they're compliant with policy.
-Similarly, some derived credential request workflows require the use of the device camera to scan an on-screen QR code. This code links that device to the authentication request that occurred against the derived credential issuer with the user's smart card credentials. If device configuration polices block camera use, the user can't complete the derived credential enrollment request.
+Similarly, some derived credential request workflows require the use of the device camera to scan an on-screen QR code. This code links that device to the authentication request that occurred against the derived credential issuer with the user's smart card credentials. If device configuration policies block camera use, the user can't complete the derived credential enrollment request.
 **General information**:
@@ -141,7 +141,7 @@ The following are key considerations for each supported partner. Become familiar
 Review the platform-specific user workflow for the devices you'll use with derived credentials.
-- [iOS and iPadOS](/intune-user-help/enroll-ios-device-disa-purebred)
+- [iOS and iPadOS](/mem/intune/user-help/enroll-ios-device-disa-purebred)
 - [Android Enterprise](../user-help/enroll-android-device-disa-purebred.md) - *Corporate-Owned Work Profile* or *Fully managed devices*
 **Key requirements include**:
@@ -167,7 +167,7 @@ For information getting and configuring the DISA Purebred app, see [Deploy the D
 Review the platform-specific user workflow for the devices you'll use with derived credentials.
-- [iOS and iPadOS](/intune-user-help/enroll-ios-device-entrust-datacard)
+- [iOS and iPadOS](/mem/intune/user-help/enroll-ios-device-entrust-datacard)
 - [Android Enterprise](../user-help/enroll-android-device-entrust-datacard.md)- *Corporate-Owned Work Profile* or *Fully managed devices*
 **Key requirements include**:
@@ -191,7 +191,7 @@ Review the platform-specific user workflow for the devices you'll use with deriv
 Review the platform-specific user workflow for the devices you'll use with derived credentials.
-- [iOS and iPadOS](/intune-user-help/enroll-ios-device-intercede)
+- [iOS and iPadOS](/mem/intune/user-help/enroll-ios-device-intercede)
 - [Android Enterprise](../user-help/enroll-android-device-intercede.md) - *Corporate-Owned Work Profile* or *Fully managed devices*
 **Key requirements include**:
@@ -320,7 +320,7 @@ Use derived credentials for certificate-based authentication to web sites and ap
 **For Android Enterprise**:
- - For *Platform*. select **Android Enterprise**, and then for *Profile type*, under *Fully Managed, Dedicated, and Corporate-Owned Work Profile*, select Derived credential**. Select **Create** to continue.
+ - For *Platform*. select **Android Enterprise**, and then for *Profile type*, under *Fully Managed, Dedicated, and Corporate-Owned Work Profile*, select **Derived credential**. Select **Create** to continue.
 - For *Name*, enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is **Derived credential for Android Enterprise devices profile**.
 - For *Description*, enter a description that gives an overview of the setting, and any other important details.
 - On the *Apps* page, configure **Certificate access** to manage how certificate access is granted to applications. Choose from:
@@ -390,4 +390,4 @@ After you delete an issuer and then add a new one, device users must request a n
 ## Next steps
-[Create device configuration profiles](../configuration/device-profile-create.md).
\ No newline at end of file
+[Create device configuration profiles](../configuration/device-profile-create.md)
diff --git a/memdocs/intune/protect/device-protect.md b/memdocs/intune/protect/device-protect.md
index 144fc42c2ce..f1363a8f6ad 100644
--- a/memdocs/intune/protect/device-protect.md
+++ b/memdocs/intune/protect/device-protect.md
@@ -75,8 +75,8 @@ Following are a few of the security settings and tasks you can manage through av - Android *firmware* updates: - [Firmware Over-the-Air (FOTA)](../protect/fota-updates-android.md) - Supported by some OEMs, you can use FOTA to remotely update firmware of devices. - [Zebra LifeGuard Over-the-Air (LG OTA)](../protect/zebra-lifeguard-ota-integration.md) - Manage firmware updates for supported Zebra devices through the Intune admin center. - - [iOS](../protect/software-updates-ios.md) - Manage device operating system versions, and when devices check for and install updates. - - [macOS](../protect/software-updates-macos.md) - Manage software updates for macOS devices that enrolled as supervised devices. + - [iOS](/mem/intune/protect/managed-software-updates-ios-macos) - Manage device operating system versions, and when devices check for and install updates. + - [macOS](/mem/intune/protect/managed-software-updates-ios-macos) - Manage software updates for macOS devices that enrolled as supervised devices. - [Windows](../protect/windows-update-for-business-configure.md)- To manage the Windows Update experience for devices, you can configure when devices scan or install updates, hold a set of your managed devices at specific feature versions, and more. - **Security baselines** – Deploy [security baselines](../protect/security-baselines.md) to establish a core security posture on your Windows devices. Security baselines are preconfigured groups of Windows settings that come recommended by the relevant product teams. You can use baselines as provided or edit instances of them to meet your security goals for targeted groups of devices. 
@@ -115,7 +115,7 @@ Following are examples of actions you can run that help secure devices and data: **Devices managed by Intune**: - BitLocker key rotation (Windows only) -- Disable Activation Lock (iOS only) +- Disable Activation Lock (Apple devices only, see how to [turn off Activation Lock using Apple Business Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-turn-off-activation-lock-in-apple-business-manager/ba-p/4204553)) - Full or Quick scan (Windows only) - Remote lock - Retire (which removes your organization's data from the device while leaving personal data intact) diff --git a/memdocs/intune/protect/encrypt-devices-filevault.md b/memdocs/intune/protect/encrypt-devices-filevault.md index 1d0b5bb4cc8..21766c3a71b 100644 --- a/memdocs/intune/protect/encrypt-devices-filevault.md +++ b/memdocs/intune/protect/encrypt-devices-filevault.md @@ -1,24 +1,24 @@ --- # required metadata -title: Encrypt macOS devices with FileVault disk encryption with Intune +title: Encrypt macOS FileVault disk encryption with Intune policy titleSuffix: Microsoft Intune -description: Use Microsoft Intune encryption policy to encrypt macOS devices with FileVault, and manage recovery keys for encrypted macOS devices from within the Microsoft Intune admin center. +description: Use Microsoft Intune policy to configure FileVault on macOS devices, and use the admin center to manage their recovery keys. keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 06/21/2024 +ms.date: 10/25/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect ms.localizationpriority: high -ms.assetid: +ms.assetid: # optional metadata #audience: -ms.reviewer: annovich; aanavath +ms.reviewer: beflamm; aanavath ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
@@ -30,7 +30,7 @@ ms.collection: --- -# Use FileVault disk encryption for macOS with Intune +# Use FileVault disk encryption for macOS with Intune Use Microsoft Intune to configure and manage macOS FileVault disk encryption. FileVault is a whole-disk encryption program that is included with macOS. With Intune you can deploy policies that configure FileVault, and then manage recovery keys on devices that run **macOS 10.13 or later**. 
@@ -66,62 +66,18 @@ You can add this permission and right to your own [custom RBAC roles](../fundame - Help Desk Operator - Endpoint Security Administrator -## Create device configuration policy for FileVault - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**. - -3. On the **Create a profile** page, set the following options, and then select **Create**: - - **Platform**: macOS - - **Profile type**: Templates - - **Template name**: Endpoint protection - - :::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Select the Endpoint protection profile."::: - -4. On the **Basics** page, enter the following properties: - - - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform. - - - **Description**: Enter a description for the policy. This setting is optional, but recommended. - -5. On the **Configuration settings** page, select **FileVault** to expand the available settings: - - :::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="FileVault settings."::: - -6. Configure the following settings: - - - For *Enable FileVault*, select **Yes**. - - - For *Recovery key type*, select **Personal key**. - - - For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically. 
- - For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed. - - Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**. - -7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile. - - Select **Next** to continue. - -8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles. -Select **Next**. - -9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. - ## Create endpoint security policy for FileVault 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Endpoint security** > **Disk encryption** > **Create Policy**. -1. On the **Basics** page, enter the following properties, and then choose **Next**. -- **Platform**: macOS -- **Profile**: FileVault +3. On the **Basics** page, enter the following properties, and then choose **Next**. + - **Platform**: macOS + - **Profile**: FileVault ![Select the FileVault profile](./media/encrypt-devices-filevault/select-macos-filevault-es.png) - + 4. On the **Configuration settings** page: 1. Set *Enable FileVault* to **Yes**. 2. For *Recovery key type*, only **Personal Recovery Key** is supported. 
@@ -172,7 +128,7 @@ Select **Next**. 7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile. Select **Next** to continue. -8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**. +8. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**. 9. On the **Review + create** page, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. 
@@ -187,16 +143,61 @@ For devices that run macOS 14 and later, your settings catalog policy can also e - When *Await final Configuration* set to *Yes* for a device, you can then add the following Full Disk Encryption setting for FileVault in your settings catalog profile - FileVault > **Force Enable in Setup Assistant** – Set to **Enabled**. - + The following image shows the settings catalog profile configured with the core settings to enable FileVault and use the Setup Assistant to enforce encryption. In this example, the Location setting uses the simple name of our domain, *Contoso*: - - > [!IMPORTANT] > The **Defer** setting must be configured to **Enabled** to successfully enable FileVault in Setup Assistant for devices running macOS 14.4. - + :::image type="content" source="./media/encrypt-devices-filevault/filevault-setup-assistant-configuration.png" alt-text="Screenshot of the settings needed to enable File Vault in Setup Assistant."::: +## Create device configuration policy for FileVault (Deprecated) + +> [!NOTE] +> The macOS template for Endpoint Protection is deprecated and no longer supports creating new profiles. Instead, use the [Endpoint security](#create-endpoint-security-policy-for-filevault) or the [settings catalog](#create-settings-catalog-policy-for-filevault) to configure and manage new FileVault profiles. + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**. + +3. On the **Create a profile** page, set the following options, and then select **Create** > **New policy**: + - **Platform**: macOS + - **Profile type**: Templates + - **Template name**: Endpoint protection (Deprecated) + + :::image type="content" source="./media/encrypt-devices-filevault/select-macos-filevault-dc.png" alt-text="Screen shot that displays the the Endpoint protection profile."::: + +4. 
On the **Basics** page, enter the following properties: + + - **Name**: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform. + + - **Description**: Enter a description for the policy. This setting is optional, but recommended. + +5. On the **Configuration settings** page, select **FileVault** to expand the available settings: + + :::image type="content" source="./media/encrypt-devices-filevault/filevault-settings.png" alt-text="Screen shot that displays FileVault settings."::: + +6. Configure the following settings: + + - For *Enable FileVault*, select **Yes**. + + - For *Recovery key type*, select **Personal key**. + + - For *Escrow location description of personal recovery key*, add a message to help guide users on [how to retrieve the recovery key](#retrieve-a-personal-recovery-key) for their device. This information can be useful for your users when you use the setting for Personal recovery key rotation, which can automatically generate a new recovery key for a device periodically. + + For example: To retrieve a lost or recently rotated recovery key, sign in to the Intune Company Portal website from any device. In the portal, go to *Devices* and select the device that has FileVault enabled, and then select *Get recovery key*. The current recovery key is displayed. + + Configure the remaining [FileVault settings](endpoint-protection-macos.md#filevault) to meet your business needs, and then select **Next**. + +7. If applicable, on the **Scope (Tags)** page, choose **Select scope tags** to open the Select tags pane to assign scope tags to the profile. + + Select **Next** to continue. + +8. On the **Assignments** page, select groups to receive this profile. For more information on assigning profiles, see Assign user and device profiles. +Select **Next**. + +9. On the **Review + create** page, when you're done, choose **Create**. 
The new profile is displayed in the list when you select the policy type for the profile you created. + ## Manage FileVault To view information about devices that receive FileVault policy, see [Monitor disk encryption](../protect/encryption-monitor.md). @@ -224,7 +225,7 @@ Intune can’t manage FileVault disk encryption on a macOS device that is encryp - [Upload a personal recovery key to Intune](#upload-a-personal-recovery-key) – Use this method when the user knows their personal recovery key. - [The user generates a new recovery key on the device](#generate-a-new-recovery-key-on-the-device) – Use this method if the personal recovery key isn’t known by the user. -Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, you can use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault. +Both methods require that the device has active policy from Intune that manages FileVault encryption. To deliver this policy, use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault). #### Upload a personal recovery key 
@@ -238,7 +239,7 @@ Upon upload, Intune rotates the key to create a new personal recovery key. Intun Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption. - Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault. + Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), to encrypt devices with FileVault. - **The user who encrypted the device must have access to their personal recovery key for the device and be directed to upload it to Intune.** @@ -271,7 +272,7 @@ To enable Intune to manage FileVault on a previously encrypted device, the user Before Intune can assume management of encryption of a user-encrypted device, that device must receive an Intune FileVault policy for disk encryption. - Use either an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault), or a [device configuration endpoint protection profile](#create-device-configuration-policy-for-filevault) to encrypt devices with FileVault. + Use an [endpoint security disk encryption profile](#create-endpoint-security-policy-for-filevault) to encrypt devices with FileVault. - **The device user must have access to the Terminal app on the encrypted device.** diff --git a/memdocs/intune/protect/encrypt-devices.md b/memdocs/intune/protect/encrypt-devices.md index db31d243e90..d132ce9ac01 100644 --- a/memdocs/intune/protect/encrypt-devices.md +++ b/memdocs/intune/protect/encrypt-devices.md 
@@ -1,13 +1,13 @@ --- # required metadata -title: Encrypt Windows devices with BitLocker in Intune +title: Encrypt Windows devices with Intune titleSuffix: Microsoft Intune -description: Use policy from Microsoft Intune admin center to encrypt devices with the BitLocker built-in encryption method, and manage the recovery keys for those encrypted devices. +description: Use Microsoft Intune policy to manage encryption of Windows devices with either BitLocker or Personal Data Encryption. keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 06/26/2024 +ms.date: 09/23/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -28,19 +28,23 @@ ms.collection: - sub-secure-endpoints --- -# Manage BitLocker policy for Windows devices with Intune +# Manage Disk Encryption policy for Windows devices with Intune -Use Intune to configure BitLocker Drive Encryption on devices that run Windows 10/11. +Use Intune to configure BitLocker encryption on devices that run Windows 10 or later, and Personal Data Encryption (PDE) on devices that run Windows 11 Version 22H2 or later. -BitLocker is available on devices that run Windows 10/11. Some settings for BitLocker require the device have a supported TPM. +> [!TIP] +> +> Some settings for BitLocker require the device have a supported TPM. + +To configure encryption on your managed devices, use one of the following policy types: -Use one of the following policy types to configure BitLocker on your managed devices: +- **[Endpoint security > Windows encryption policy](#create-an-endpoint-security-policy-for-windows)**. Choose from the following profiles: -- **[Endpoint security disk encryption policy for BitLocker](#create-an-endpoint-security-policy-for-bitlocker)**. The BitLocker profile in *Endpoint security* is a focused group of settings that is dedicated to configuring BitLocker. + - *BitLocker* - A focused group of settings that are dedicated to configuring BitLocker. For more information, see the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). - View the BitLocker settings that are available in [BitLocker profiles from disk encryption policy](../protect/endpoint-security-disk-encryption-profile-settings.md#bitlocker). + - *Personal Data Encryption* - [Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/) (PDE) differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods like BitLocker. 
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. For more information, see the [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp). -- **[Device configuration profile for endpoint protection for BitLocker](#create-an-endpoint-security-policy-for-bitlocker)**. BitLocker settings are one of the available settings categories for Windows 10/11 endpoint protection. +- **[Device configuration profile for endpoint protection for BitLocker](#create-an-endpoint-security-policy-for-windows)**. BitLocker settings are one of the available settings categories for Windows 10/11 endpoint protection. View the BitLocker settings that are available for [BitLocker in endpoint protection profiles from device configuration policy](../protect/endpoint-protection-windows-10.md#windows-settings). @@ -51,7 +55,7 @@ Use one of the following policy types to configure BitLocker on your managed dev > [!IMPORTANT] > -> Before enabling BitLocker, understand and plan for *recovery options* that meet your organizations needs. For more information, start with [**BitLocker recovery overview**](/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview) in the Windows security documentation. +> Before enabling BitLocker, understand and plan for *recovery options* that meet your organizations needs. For more information, start with [**BitLocker recovery overview**](/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview) in the Windows security documentation. ## Role-based access controls to manage BitLocker 
@@ -66,19 +70,19 @@ You can add this permission and right to your own [custom RBAC roles](../fundame Use one of the following procedures to create the policy type you prefer. -### Create an endpoint security policy for BitLocker +### Create an endpoint security policy for Windows 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Endpoint security** > **Disk encryption** > **Create Policy**. 3. Set the following options: - 1. **Platform**: Windows 10/11 - 2. **Profile**: BitLocker + 1. **Platform**: Windows + 2. **Profile**: Choose either *BitLocker* or *Personal Data Encryption* - ![Select the BitLocker profile](./media/encrypt-devices/select-windows-bitlocker-es.png) + :::image type="content" source="./media/encrypt-devices/select-windows-encpryption-profile.png" alt-text="Screen capture of the Windows encryption profile selection surface."::: -4. On the **Configuration settings** page, configure settings for BitLocker to meet your business needs. +4. On the **Configuration settings** page, configure settings for BitLocker to meet your business needs. Select **Next**. 
@@ -86,13 +90,17 @@ Use one of the following procedures to create the policy type you prefer. Select **Next** to continue. -6. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles. +6. On the **Assignments** page, select the groups that receive this profile. For more information on assigning profiles, see Assign user and device profiles. Select **Next**. 7. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. -### Create a device configuration profile for BitLocker +### Create a device configuration profile for Windows encryption + +> [!TIP] +> +> The following procedure configures BitLocker through a device configuration template for Endpoint protection. To configure Personal Data Encryption, use the device configuration [settings catalog](../configuration/settings-catalog.md) and the *PDE* category. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). @@ -114,7 +122,7 @@ Use one of the following procedures to create the policy type you prefer. 6. Select **Next** to continue. -7. Complete configuration of additional settings, and then save the profile. +7. Complete configuration of other settings, and then save the profile. ## Manage BitLocker 
@@ -196,17 +204,17 @@ Following are the relevant settings for each profile type: > > If you deploy this baseline to devices on which you want to silently enable BitLocker, review your baseline configurations for possible conflicts. To remove conflicts, either reconfigure the settings in the baselines to remove the conflict, or remove applicable devices from receiving the baseline instances that configure TPM settings that block silent enablement of BitLocker. - ### Full disk vs Used Space only encryption -Three settings determine whether an OS drive will be encrypted by encrypting the used space only, or by full disk encryption: +Three settings determine whether an OS drive is encrypted by encrypting the used space only, or by full disk encryption: + - Whether the hardware of the device is [modern standby](/windows-hardware/design/device-experiences/modern-standby) capable - Whether silent enablement has been configured for BitLocker - ('Warning for other disk encryption' = Block or 'Hide prompt about third-party encryption' = Yes) - Configuration of the [SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp) - (Enforce drive encryption type on operating system drives) -Assuming that SystemDrivesEncryptionType isn't configured, the following behavior is expected. When silent enablement is configured on a modern standby device, the OS drive is encrypted using the used space only encryption. When silent enablement is configured on a device that isn't capable of modern standby, the OS drive is encrypted using full disk encryption. The result is the same whether you're using an [Endpoint Security disk encryption policy for BitLocker](#create-an-endpoint-security-policy-for-bitlocker) or a [Device Configuration profile for endpoint protection for BitLocker](#create-an-endpoint-security-policy-for-bitlocker). If a different end state is required, the encryption type can be controlled by configuring the SystemDrivesEncryptionType using settings catalog. 
+Assuming that SystemDrivesEncryptionType isn't configured, the following behavior is expected. When silent enablement is configured on a modern standby device, the OS drive is encrypted using the used space only encryption. When silent enablement is configured on a device that isn't capable of modern standby, the OS drive is encrypted using full disk encryption. The result is the same whether you're using an [Endpoint Security disk encryption policy for BitLocker](#create-an-endpoint-security-policy-for-windows) or a [Device Configuration profile for endpoint protection for BitLocker](#create-a-device-configuration-profile-for-windows-encryption). If a different end state is required, the encryption type can be controlled by configuring the SystemDrivesEncryptionType using settings catalog. To verify whether the hardware is modern standby capable, run the following command from a command prompt: @@ -226,6 +234,7 @@ To verify the encryption type, run the following command from an elevated (admin ```console manage-bde -status c: ``` + The 'Conversion Status' field reflects the encryption type as either Used Space Only encrypted or Fully Encrypted. :::image type="content" source="./media/encrypt-devices/docs_bl_usedspaceonly.png" alt-text="Screenshot of administrative command prompt showing output of manage-bde with conversion status reflecting fully encrypted."::: 
@@ -234,7 +243,7 @@ The 'Conversion Status' field reflects the encryption type as either Used Space To change the disk encryption type between full disk encryption and used space only encryption, use the'Enforce drive encryption type on operating system drives' setting within settings catalog. -:::image type="content" source="./media/encrypt-devices/docs_bl_settingscatalog_control_encryption.png" alt-text="Screenshot of Intune settings catalog displaying Enforce drive encryption type on operating system drives setting and drop-down list to select from full or used space only encryption types."::: +:::image type="content" source="./media/encrypt-devices/docs_bl_settingscatalog_control_encryption.png" alt-text="Screenshot of Intune settings catalog displaying Enforce drive encryption type on operating system drives"::: ### View details for recovery keys @@ -249,13 +258,13 @@ To be accessible, the device must have its keys escrowed to Microsoft Entra. 3. Select a device from the list, and then under *Monitor*, select **Recovery keys**. 4. Hit **Show Recovery Key**. Selecting this option generates an audit log entry under 'KeyManagement' activity. - + When keys are available in Microsoft Entra, the following information is available: - BitLocker Key ID - BitLocker Recovery Key - Drive Type - When keys aren't in Microsoft Entra, Intune will display *No BitLocker key found for this device*. + When keys aren't in Microsoft Entra, Intune displays *No BitLocker key found for this device*. > [!NOTE] > Currently, Microsoft Entra ID supports a maximum of 200 BitLocker recovery keys per device. If you reach this limit, silent encryption will fail due to the failing backup of recovery keys before starting encryption on the device. 
@@ -271,7 +280,7 @@ All BitLocker recovery key accesses are audited. For more information on Audit L ### View recovery keys for tenant-attached devices -When you've configured the tenant attach scenario, Microsoft Intune can display recovery key data for tenant attached devices. +When you use the tenant attach scenario, Microsoft Intune can display recovery key data for tenant attached devices. - To support the display of recovery keys for tenant attached devices, your Configuration Manager sites must run version 2107 or later. For sites that run 2107, you must install an update rollup to support Microsoft Entra joined devices: See [KB11121541](../../configmgr/hotfix/2107/11121541.md). @@ -301,7 +310,7 @@ For information about BitLocker deployments and requirements, see the [BitLocker 2. Select **Devices** > **All devices**. -3. In the list of devices that you manage, select a device, and then select the **BitLocker key rotation** device remote action. If this option should be available but isn't visible, select the ellipsis (...) and then *BitLocker key rotation*. +3. In the list of devices that you manage, select a device, and then select the **BitLocker key rotation** remote action. If this option should be available but isn't visible, select the ellipsis (...) and then *BitLocker key rotation*. 4. On the **Overview** page of the device, select the **BitLocker key rotation**. If you don't see this option, select the ellipsis (**…**) to show all options, and then select the **BitLocker key rotation** device remote action. 
@@ -309,21 +318,22 @@ For information about BitLocker deployments and requirements, see the [BitLocker ### Self service recovery keys -To help end users get their recovery keys without calling the company helpdesk, Intune has enabled [self service scenarios for the end user through the Company Portal app](../user-help/get-recovery-key-windows.md). +To help end users get their recovery keys without calling the company helpdesk, Intune enables [self service scenarios for the end user through the Company Portal app](../user-help/get-recovery-key-windows.md). -While Intune helps configure policy to define the escrow of BitLocker recovery keys, these keys are stored within Entra ID. These are the capabilities within Entra ID that are helpful to use in conjunction with self-service BitLocker recovery key access for end users. +While Intune helps configure policy to define the escrow of BitLocker recovery keys, these keys are stored within Entra ID. These are the capabilities within Entra ID that are helpful to use with self-service BitLocker recovery key access for end users. -1. **Tenant-wide toggle to prevent recovery key access for non-admin users**: This setting determines if users can self-service to recover their BitLocker key(s). The default value is 'No' which allows all users to recover their BitLocker key(s). 'Yes' restricts non-admin users from being able to see the BitLocker key(s) for their own devices if there are any. [Learn more about this control in Entra ID](/entra/identity/devices/manage-device-identities#configure-device-settings). +1. **Tenant-wide toggle to prevent recovery key access for non-admin users**: This setting determines if users can use self-service to recover their BitLocker keys. The default value is 'No' which allows all users to recover their BitLocker keys. 'Yes' restricts non-admin users from being able to see the BitLocker keys for their own devices if there are any. 
[Learn more about this control in Entra ID](/entra/identity/devices/manage-device-identities#configure-device-settings). -3. **Auditing for recovery key access**: Audit Logs within the Entra ID portal show the history of activities within the tenant. Any user recovery key accesses made through the Company Portal website will be logged in Audit Logs under the Key Management category as a “Read BitLocker key” activity type. The user’s User Principal Name and additional info such as key ID is also logged. [Learn more about audit logs in Entra ID](/entra/identity/monitoring-health/concept-audit-logs). +2. **Auditing for recovery key access**: Audit Logs within the Entra ID portal show the history of activities within the tenant. Any user recovery key accesses made through the Company Portal website will be logged in Audit Logs under the Key Management category as a “Read BitLocker key” activity type. The user’s User Principal Name and other info such as key ID is also logged. [Learn more about audit logs in Entra ID](/entra/identity/monitoring-health/concept-audit-logs). -4. **Entra Conditional Access policy requiring a compliant device to access BitLocker Recovery Key**: With Conditional Access policy (CA), you can restrict the access to certain corporate resources if a device is not compliant with the “Require compliant device” setting. If this is set up within your organization, and a device fails to meet the Compliance requirements configured in the Intune Compliance policy, that device cannot be used to access the BitLocker Recovery Key as it is considered a corporate resource which is access controlled by CA. +3. **Entra Conditional Access policy requiring a compliant device to access BitLocker Recovery Key**: With Conditional Access policy (CA), you can restrict the access to certain corporate resources if a device isn't compliant with the “Require compliant device” setting. 
If this is set up within your organization, and a device fails to meet the Compliance requirements configured in the Intune Compliance policy, that device can't be used to access the BitLocker Recovery Key as it is considered a corporate resource which is access controlled by CA. ## Next steps -- [Manage FileVault policy](../protect/encrypt-devices-filevault.md) +- [Manage FileVault policy](../protect/encrypt-devices-filevault.md) - [Monitor disk encryption](../protect/encryption-monitor.md) - [Troubleshooting BitLocker policy](/troubleshoot/mem/intune/troubleshoot-bitlocker-policies) - [Known issues for Enforcing BitLocker policies with Intune](/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues) - [BitLocker management for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises), in the Windows security documentation +- [Personal Data Encryption overview](/windows/security/operating-system-security/data-protection/personal-data-encryption/) - [Self service scenarios for the end user through the Company Portal app](../user-help/get-recovery-key-windows.md) diff --git a/memdocs/intune/protect/encryption-monitor.md b/memdocs/intune/protect/encryption-monitor.md index e9a1291db8f..ce2c1926234 100644 --- a/memdocs/intune/protect/encryption-monitor.md +++ b/memdocs/intune/protect/encryption-monitor.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 01/18/2024 +ms.date: 10/14/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -55,7 +55,7 @@ The encryption report supports reporting on devices that run the following opera ### Report details -The Encryption report pane displays a list of the devices you manage with high-level details about those devices. You can select a device from the list to drill-in and view additional details from the devices [Device encryption status](#device-encryption-status) pane. +The Encryption report pane displays a list of the devices you manage with high-level details about those devices. You can select a device from the list to drill-in and view more details from the devices [Device encryption status](#device-encryption-status) pane. - **Device name** - The name of the device. - **OS** – The device platform, such as Windows or macOS. @@ -76,7 +76,7 @@ The Encryption report pane displays a list of the devices you manage with high For more information on Windows prerequisites for encryption, see the [BitLocker configuration service provider (CSP)](/windows/client-management/mdm/bitlocker-csp) in the Windows documentation. - - **Not ready**: The device doesn't have full encryption capabilities, but may still support encryption. + - **Not ready**: The device doesn't have full encryption capabilities, but might still support encryption. - **Not applicable**: There isn't enough information to classify this device. - **Encryption status** – Whether the OS drive is encrypted. @@ -166,7 +166,7 @@ When you select a device from the Encryption report, Intune displays the **Devic - Recovery key backup failed. - *Consider: Check the Event log on device to see why the recovery key backup failed. You may need to run the **manage-bde** command to manually escrow recovery keys.* + *Consider: Check the devices Event log to see why the recovery key backup failed. You might need to run the **manage-bde** command to manually escrow recovery keys.* - A fixed drive is unprotected. 
@@ -178,15 +178,15 @@ When you select a device from the Encryption report, Intune displays the **Devic - Windows Recovery Environment (WinRE) isn't configured. - *Consider: Need to run command line to configure the WinRE on separate partition; as that was not detected. For more information, see [REAgentC command-line options](/windows-hardware/manufacture/desktop/reagentc-command-line-options).* + *Consider: Need to run command line to configure the WinRE on separate partition; as that wasn't detected. For more information, see [REAgentC command-line options](/windows-hardware/manufacture/desktop/reagentc-command-line-options).* - A TPM isn't available for BitLocker, either because it isn't present, it's been made unavailable in the Registry, or the OS is on a removable drive. - *Consider: The BitLocker policy applied to this device requires a TPM, but on this device, the BitLocker CSP has detected that the TPM may be disabled at the BIOS level.* + *Consider: The BitLocker policy applied to this device requires a TPM, but on this device, the BitLocker CSP detects that the TPM might be disabled at the BIOS level.* - The TPM isn't ready for BitLocker. - *Consider: The BitLocker CSP sees that this device has an available TPM, but the TPM may need to be initialized. Consider running **intialize-tpm** on the machine to initialize the TPM.* + *Consider: The BitLocker CSP sees that this device has an available TPM, but the TPM might need to be initialized. Consider running **intialize-tpm** on the machine to initialize the TPM.* - The network isn't available, which is required for recovery key backup. @@ -200,7 +200,7 @@ This report can be of use in identifying problems for groups of devices. For exa ## Manage recovery keys -For details on managing recovery keys, see the following in the Intune documentation: +For details on managing recovery keys, see the following Intune documentation: macOS FileVault: 
diff --git a/memdocs/intune/protect/endpoint-protection-configure.md b/memdocs/intune/protect/endpoint-protection-configure.md index eebdaa93549..eb3770b8e69 100644 --- a/memdocs/intune/protect/endpoint-protection-configure.md +++ b/memdocs/intune/protect/endpoint-protection-configure.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/14/2023 +ms.date: 09/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -47,7 +47,10 @@ Before you create a profile, review the following articles that detail the Endpo ## Create a device profile containing Endpoint protection settings -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +> [!IMPORTANT] +> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. We recommend using the settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md). + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Select **Devices** > **Manage devices** > **Configuration** > **Create**. diff --git a/memdocs/intune/protect/endpoint-protection-macos.md b/memdocs/intune/protect/endpoint-protection-macos.md index c4c6115f1f0..3f6f0889110 100644 --- a/memdocs/intune/protect/endpoint-protection-macos.md +++ b/memdocs/intune/protect/endpoint-protection-macos.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/15/2022 +ms.date: 10/25/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -31,6 +31,11 @@ ms.collection: # macOS endpoint protection settings in Intune +> [!IMPORTANT] +> The macOS endpoint protection template has been deprecated. Existing policies remain unchanged, but you can no longer create new policies using this template. > Instead, use one of the following options: +> - Use Endpoint security policies like [disk encryption](../protect/endpoint-security-disk-encryption-policy.md) for Filevault, or [Firewall](../protect/endpoint-security-firewall-policy.md) policy. +> - Use the Settings catalog to create new configuration policies for FileVault, Firewall, and System Policy Control (Gatekeeper) payloads. For more information, see [macOS settings catalog](../configuration/settings-catalog.md). + This article shows you the endpoint protection settings that you can configure for devices that run macOS. You configure these settings by using a macOS device configuration profile for [endpoint protection](endpoint-protection-configure.md) in Intune. ## Before you begin diff --git a/memdocs/intune/protect/endpoint-security-account-protection-policy.md b/memdocs/intune/protect/endpoint-security-account-protection-policy.md index 728137004e5..f6de6b49570 100644 --- a/memdocs/intune/protect/endpoint-security-account-protection-policy.md +++ b/memdocs/intune/protect/endpoint-security-account-protection-policy.md @@ -2,12 +2,12 @@ # required metadata title: Manage account protection settings with endpoint security policies in Microsoft Intune -description: Deploy policies for endpoint security account protection policies to devices you manage with in Microsoft Intune. +description: Use Microsoft Intune endpoint security account protection policies to protect the identity and accounts of users. keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 08/19/2024 +ms.date: 10/10/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: protect 
@@ -57,10 +57,13 @@ For guidance on assigning the right level of permissions and rights to manage In ## Account protection profiles -Platform: **Windows**: +Platform: + +- **Windows** Profiles: -- **Account protection** – Settings for account protection policies help you protect user credentials. The account protection policy is focused on settings for Windows Hello for Business that include both *device-scoped* and *user-scoped* settings, and Credential Guard, which is part of Windows identity and access management. + +- **Account protection** – Settings for account protection policies help you to protect user credentials. The account protection policy focuses on *device-scoped* and *user-scoped* settings for Windows Hello for Business, and on Credential Guard. Credential Guard is part of Windows identity and access management. - *Windows Hello for Business* replaces passwords with strong two-factor authentication on PCs and mobile devices. - *Credential Guard* helps protect credentials and secrets that you use with your devices. @@ -134,7 +137,7 @@ As devices check in and apply the policy, the admin center displays the status o Because the policy can contain multiple rules, consider the following points: -- When processing the policy for devices, the per-setting status view displays a status for the group of rules as if it’s a single setting. +- When Intune processes the policy for devices, the per-setting status view displays a status for the group of rules as if it’s a single setting. - Each rule in the policy that results in an error is skipped, and not sent to devices. - Each rule that is successful is sent to devices to be applied. diff --git a/memdocs/intune/protect/endpoint-security-antivirus-policy.md b/memdocs/intune/protect/endpoint-security-antivirus-policy.md index 846d315fe68..e3468915edb 100644 --- a/memdocs/intune/protect/endpoint-security-antivirus-policy.md +++ b/memdocs/intune/protect/endpoint-security-antivirus-policy.md 
@@ -168,6 +168,11 @@ The following profiles are supported for devices you manage with Intune: These CSPs for antivirus exclusion are also managed by *Microsoft Defender Antivirus* policy, which includes identical settings for exclusions. Settings from both policy types (*Antivirus* and *Antivirus exclusions*) are subject to [policy merge](#policy-merge-for-settings), and create a super set of exclusions for applicable devices and users. + > [!WARNING] + > **Defining exclusions lowers the protection offered by Microsoft Defender Antivirus**. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious. + > + > For more information, see [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) in the Microsoft Defender documentation. + - Profile: **Windows Security experience** - Manage the Windows Security app settings that end users can view in the Microsoft Defender Security center and the notifications they receive. The Windows security app is used by a number of Windows security features to provide notifications about the health and security of the machine. Security app notifications include firewalls, antivirus products, Windows Defender SmartScreen, and others. diff --git a/memdocs/intune/protect/endpoint-security-app-control-policy.md b/memdocs/intune/protect/endpoint-security-app-control-policy.md index 861bba1adf8..ba79d597475 100644 --- a/memdocs/intune/protect/endpoint-security-app-control-policy.md +++ b/memdocs/intune/protect/endpoint-security-app-control-policy.md 
@@ -218,13 +218,13 @@ To run this script, you can use Intune to run [PowerShell scripts](../apps/intun #### Remove all AppLocker policies from a device (optional) -To remove *all* Windows AppLocker policies from a device, you can use the **CatCleanAll.ps1** PowerShell script. This script removes not only the Intune Management Extension as a managed installer, but *all* managed installers and *all* policies based on Windows AppLocker from a device. Before using this script, be sure you understand your organizations use of AppLocker policies. +To remove *all* Windows AppLocker policies from a device, you can use the **CatCleanAll.ps1** PowerShell script. This script removes not only the Intune Management Extension as a managed installer, but *all* policies based on Windows AppLocker from a device. Before using this script, be sure you understand your organizations use of AppLocker policies. 1. Download the **CatCleanAll.ps1** PowerShell script. This script is available at [https://aka.ms/intune_WDAC/CatCleanAll]( https://aka.ms/intune_WDAC/CatCleanAll) from *download.microsoft.com*. -2. Run this script on devices that have the Intune Management Extension set as a managed installer. This script removes only the Intune Management Extension as a managed installer. +2. Run this script on devices that have the Intune Management Extension set as a managed installer. This script removes the Intune Management Extension as a managed installer and AppLocker policies from the device. -3. Restart the Intune Management Extension service for the above changes to take effect. +3. Restart the Intune Management Extension service for the above changes to take effect. To run this script, you can use Intune to run [PowerShell scripts](../apps/intune-management-extension.md), or other methods of your choice. diff --git a/memdocs/intune/protect/endpoint-security-asr-policy.md b/memdocs/intune/protect/endpoint-security-asr-policy.md index a8e0ed0adf9..c21937acd2c 100644 
--- a/memdocs/intune/protect/endpoint-security-asr-policy.md +++ b/memdocs/intune/protect/endpoint-security-asr-policy.md @@ -43,7 +43,7 @@ You can use attack surface reduction (ASR) policies to reduce the attack surface For more information, see [Overview of attack surface reduction]( /windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) in the Windows Threat protection documentation. - Attack surface reduction polices are found in the **Endpoint security** node of the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + Attack surface reduction policies are found in the **Endpoint security** node of the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Applies to: diff --git a/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md b/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md index 2b471c34208..0f4fc189b04 100644 --- a/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md +++ b/memdocs/intune/protect/endpoint-security-disk-encryption-policy.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 08/19/2024 +ms.date: 09/23/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: protect 
@@ -32,7 +32,7 @@ ms.reviewer: aanavath # Disk encryption policy for endpoint security in Intune -Endpoint security Disk encryption profiles focus on only the settings that are relevant for a devices built-in encryption method, like FileVault or BitLocker. This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings. +Endpoint security Disk encryption profiles focus on only the settings that are relevant for a devices built-in encryption method, like FileVault, BitLocker, and Personal Data Encryption (for Windows). This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings. While you can configure the same device settings by using *Endpoint Protection* profiles for device configuration, the device configuration profiles include other categories of settings. These other settings are unrelated to disk encryption and can complicate the task of configuring only disk encryption. 
@@ -66,21 +66,28 @@ For guidance on assigning the right level of permissions and rights to manage In > > Beginning on June 19, 2023, the BitLocker profile for Windows was updated to use the settings format as found in the Settings Catalog. The new profile format includes the same settings as the older profile. With this change you can no longer create new versions of the old profiles. Your existing instances of the old profile remain available to use and edit. > - > With the new profile format, we no longer publish a dedicated list of settings as found in the profile. Instead, use the *Learn more* link in the UI while viewing information for a setting, to open [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) in the Windows documentation, where the setting is detailed in full. + > With the new profile format, we no longer publish a dedicated list of settings as found in the profile. Instead, use the *Learn more* link in the UI while viewing information for a setting, to open [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) in the Windows documentation, where the setting is detailed in full. > > You can continue to find a list of settings in the original BitLocker profiles created before June 19, 2023, at [BitLocker settings](../protect/endpoint-security-disk-encryption-profile-settings.md#bitlocker) in the Intune documentation. - To create a BitLocker profile, see [Use BitLocker disk encryption for Windows](../protect/encrypt-devices.md). +- **Personal Data Encryption** - Personal Data Encryption (PDE) encrypts data at the folder level and is available for devices that run Windows 11 version 22H2 or later. PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. 
PDE uses the [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp). + + For more information about PDE, including prerequisites, related requirements, and recommendations, see the following articles in the Windows security documentation: + - [PDE overview](/windows/security/operating-system-security/data-protection/personal-data-encryption/) + - [Configure PDE](/windows/security/operating-system-security/data-protection/personal-data-encryption/configure) + - [PDE frequently asked questions (FAQ)](/windows/security/operating-system-security/data-protection/personal-data-encryption/faq) + +To create a BitLocker or Personal Data Encryption profile, see [Use disk encryption for Windows](../protect/encrypt-devices.md). ## Manage device encryption After you deploy policy to encrypt a device disk, see the following articles for information on managing encryption: -- [Manage BitLocker](../protect/encrypt-devices.md#manage-bitlocker) -- [Manage FileVault](../protect/encrypt-devices-filevault.md#manage-filevault) +- [Manage encryption on Windows](../protect/encrypt-devices.md) +- [Manage encryption on macOS](../protect/encrypt-devices-filevault.md#manage-filevault) - [Monitor device encryption](../protect/encryption-monitor.md) ## Next steps -- [To create a FileVault profile](../protect/encrypt-devices-filevault.md#create-endpoint-security-policy-for-filevault) -- [To create a BitLocker profile](../protect/encrypt-devices.md#create-an-endpoint-security-policy-for-bitlocker) +- [To create a macOS encryption profile](../protect/encrypt-devices-filevault.md#create-endpoint-security-policy-for-filevault) +- [To create a Windows encryption profile](../protect/encrypt-devices.md#create-an-endpoint-security-policy-for-windows) diff --git a/memdocs/intune/protect/endpoint-security-edr-policy.md b/memdocs/intune/protect/endpoint-security-edr-policy.md index 1bdb6ee5708..7949fbcc36b 100644 --- a/memdocs/intune/protect/endpoint-security-edr-policy.md 
+++ b/memdocs/intune/protect/endpoint-security-edr-policy.md @@ -61,7 +61,7 @@ Based on the platform a policy targets, EDR policies for devices you manage with > [!TIP] > In addition to EDR policy, you can use [device configuration](../protect/advanced-threat-protection-configure.md) policy to onboard devices to Microsoft Defender for Endpoint. However, device configuration policies don't support tenant attached devices. > -> When using multiple polices or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings (such as onboarding to Defender for Endpoint), you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article. +> When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings (such as onboarding to Defender for Endpoint), you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article. ## Prerequisites for EDR policies 
@@ -78,7 +78,7 @@ Based on the platform a policy targets, EDR policies for devices you manage with To set up tenant attach, including the synchronization of Configuration Manager collections to the Microsoft Intune admin center and enabling them to work with policies for endpoint security, see [Configure tenant attach to support endpoint protection policies](../protect/tenant-attach-intune.md). - For more information about using EDR polices with tenant attached devices, see [Set up Configuration Manager to support EDR policy](#set-up-configuration-manager-to-support-edr-policy) in this article. + For more information about using EDR policies with tenant attached devices, see [Set up Configuration Manager to support EDR policy](#set-up-configuration-manager-to-support-edr-policy) in this article. ## Role-based access controls (RBAC) diff --git a/memdocs/intune/protect/endpoint-security-firewall-policy.md b/memdocs/intune/protect/endpoint-security-firewall-policy.md index 5546622d8eb..a84dc1f2990 100644 --- a/memdocs/intune/protect/endpoint-security-firewall-policy.md +++ b/memdocs/intune/protect/endpoint-security-firewall-policy.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 06/17/2024 +ms.date: 09/18/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -72,7 +72,8 @@ For guidance on assigning the right level of permissions and rights to manage In For information about configuring settings in the following profiles, see the [Firewall configuration service provider (CSP)](/windows/client-management/mdm/firewall-csp). -> [!NOTE] +> [!NOTE] +> > Beginning on April 5, 2022, the *Windows 10 and later* platform was replaced by the *Windows 10, Windows 11, and Windows Server* platform that is now named more simply as *Windows*. > > The *Windows* platform supports devices communicating through Microsoft Intune or Microsoft Defender for Endpoint. These profiles also add support for the Windows Server platform which is not supported through Microsoft Intune natively. 
@@ -83,8 +84,9 @@ For guidance on assigning the right level of permissions and rights to manage In - **Windows Firewall rules** - Define granular Firewall rules, including specific ports, protocols, applications and networks, and to allow or block network traffic. Each instance of this profile supports up to 150 custom rules. - > [!TIP] - > Use of the **Policy App Id** setting, which is described in the [*MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId*](/windows/client-management/mdm/Firewall-csp?WT.mc_id=Portal-fx#mdmstorefirewallrulesfirewallrulenamepolicyappid) CSP, requires that your environment use *Windows Defender Application Control* (WDAC) tagging. For more information see the following Windows Defender articles: + > [!TIP] + > + > Use of the **Policy App Id** setting, which is described in the [*MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId*](/windows/client-management/mdm/Firewall-csp?WT.mc_id=Portal-fx#mdmstorefirewallrulesfirewallrulenamepolicyappid) CSP, requires that your environment use *Windows Defender Application Control* (WDAC) tagging. For more information, see the following Windows Defender articles: > - [About application control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) > - [WDAC Application ID (AppId) Tagging guide](/windows/security/threat-protection/windows-defender-application-control/appidtagging/windows-defender-application-control-appid-tagging-guide) 
@@ -104,7 +106,11 @@ The following firewall rule profile settings are available in reusable settings When you configure a firewall rule to add one or more reusable settings groups, you’ll also configure the rules Action to define how the settings in those groups are used. -Each rule you add to the profile can include both reusable settings groups and individual settings that are added directly to the rule. However, consider using each rule for either reusable settings groups or to manage settings you add directly to the rule. This separation can help simplify future configurations or changes you might make. +Each rule you add to the profile can include both reusable settings groups and individual settings that are added directly to the rule. However, consider using each rule for either reusable settings groups or to manage settings you add directly to the rule. This separation can help simplify future configurations or changes you might make. + +> [!NOTE] +> +> Inbound FQDN rules aren’t natively supported. However, it’s possible to use *pre-hydration* scripts to generate inbound IP entries for the rule. For more information, see [Windows Firewall dynamic keywords](/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords) in the Windows Firewall documentation. For prerequisites and guidance on configuring reusable groups, and then adding them to this profile, see [Use reusable groups of settings with Intune policies](../protect/reusable-settings-groups.md). 
@@ -122,7 +128,7 @@ Plan for Firewall policies to be applied to a device using only one policy. Use When you use **Windows Firewall rules** profiles, you can apply multiple rules profiles to the same device. However, when different rules exist for the same thing with different configurations, both are sent to the device and create a conflict, on that device. -- For example, if one rule blocks *Teams.exe* through the firewall and a second rule allows *Teams.exe*, both rules are delivered to the client. This result is different from conflicts created through other policies for Firewall settings. +- For example, if one rule blocks *Teams.exe* through the firewall and a second rule allows *Teams.exe*, both rules are delivered to the client. This result is different from conflicts created through other policies for Firewall settings. When rules from multiple rules profiles don't conflict with each other, devices merge the rules from each profile to create a combined firewall rule configuration on the device. This behavior enables you to deploy more than the 150 rules that each individual profile supports to a device. @@ -130,7 +136,7 @@ When rules from multiple rules profiles don't conflict with each other, devices ## Firewall policy reports -The reports for Firewall policy display status details about the firewall status for your managed devices. Firewall reports support managed devices that run the following operating systems. +The reports for Firewall policy display status details about the firewall status for your managed devices. Firewall reports support managed devices that run the following operating systems. - Windows 10/11 
@@ -145,7 +151,7 @@ This view provides: ### MDM devices running Windows 10 or later with firewall off -This report is located in the Endpoint security node. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Endpoint security** > **Firewall** > **MDM devices running Windows 10 or later with firewall off**. +This report is located in the Endpoint security node. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Endpoint security** > **Firewall** > **MDM devices running Windows 10 or later with firewall off**. Data is reported through the Windows [DeviceStatus CSP](/windows/client-management/mdm/devicestatus-csp), and identifies each device where the Firewall is off. By default, visible details include: @@ -162,7 +168,7 @@ Data is reported through the Windows [DeviceStatus CSP](/windows/client-manageme *This organizational report is also described in [Intune Reports](../fundamentals/reports.md#mdm-firewall-status-for-windows-10-and-later-organizational)*. -As an organizational report, this report is available from the **Reports** node. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Reports** > **Firewall** > **MDM Firewall status for Windows 10 and later**. +As an organizational report, this report is available from the **Reports** node. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Reports** > **Firewall** > **MDM Firewall status for Windows 10 and later**. > [!div class="mx-imgBorder"] > ![Select firewall reports](media/endpoint-security-firewall-policy/select-firewall-reports.png) 
@@ -194,7 +200,7 @@ Additional common firewall rule issues: > [!div class="mx-imgBorder"] > ![RemotePortRangesFailure](media/endpoint-security-firewall-policy/remoteportrangeparameterincorrect.png) - Verify configured ranges are ascending (Example: 1-5 is correct, 5-1 will cause this error) -- Verify configured ranges are within the overall port range of 0-65535 +- Verify configured ranges are within the overall port range of 0-65535 - If either remote port ranges or local port ranges are configured in a rule, protocol **must** also be configured with 6 (TCP) **or** 17 (UDP) **Event Viewer: "...Name), Result: (The parameter is incorrect)"** diff --git a/memdocs/intune/protect/endpoint-security-policy.md b/memdocs/intune/protect/endpoint-security-policy.md index 81dea9f6b3f..98bf07acf07 100644 --- a/memdocs/intune/protect/endpoint-security-policy.md +++ b/memdocs/intune/protect/endpoint-security-policy.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 06/17/2024 +ms.date: 09/23/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -58,7 +58,7 @@ Following are brief descriptions of each endpoint security policy type. To learn - [Attack surface reduction](../protect/endpoint-security-asr-policy.md) - When Defender antivirus is in use on your Windows 10/11 devices, use Intune endpoint security policies for Attack surface reduction to manage those settings for your devices. -- [Disk encryption](../protect/endpoint-security-disk-encryption-policy.md) - Endpoint security Disk encryption profiles focus on only the settings that are relevant for a devices built-in encryption method, like FileVault or BitLocker. This focus makes it easy for security admins to manage disk encryption settings without having to navigate a host of unrelated settings. +- [Disk encryption](../protect/endpoint-security-disk-encryption-policy.md) - Endpoint security Disk encryption profiles focus on only the settings that are relevant for a devices built-in encryption method, like FileVault, BitLocker, and Personal Data Encryption (for Windows). This focus makes it easy for security admins to manage disk or folder level encryption settings without having to navigate a host of unrelated settings. - [Endpoint detection and response](../protect/endpoint-security-edr-policy.md) - When you integrate Microsoft Defender for Endpoint with Intune, use the endpoint security policies for endpoint detection and response (EDR) to manage the EDR settings and onboard devices to Microsoft Defender for Endpoint. 
@@ -72,7 +72,7 @@ To manage Intune endpoint security policies, you must use an account that includ
 > [!NOTE]
 >
-> Before June of 2024, Intune endpoint security polices were managed through rights provided by the *Security baselines* permission. Beginning in June of 2024, Intune began to release granular permissions to manage individual endpoint security workloads.
+> Before June of 2024, Intune endpoint security policies were managed through rights provided by the *Security baselines* permission. Beginning in June of 2024, Intune began to release granular permissions to manage individual endpoint security workloads.
 >
 > Each time a new granular permission for an endpoint security workload is added to Intune, those same rights are removed from the *Security baselines* permission. If you use custom roles with the *Security baselines* permission, the new RBAC permission is assigned automatically to your custom roles with the same rights that were granted through the *Security baseline* permission. This auto-assignment ensures your admins continue to have the same permissions they have today.
@@ -183,8 +183,9 @@ After creating the new policy, review and edit the policy to make changes to its
 ### To duplicate a policy
 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select the policy that you want to copy. Next, select **Duplicate**. If *Duplicate* isn't available, select the ellipsis (**…**) to the right of the policy and then select **Duplicate**.
-3. Provide a **New name** for the policy, and then select **Save**.
+2. Locate the policy that you want to copy from the policy list, and then select the ellipsis (**…**) for that line to open the *Context menu*.
+3. Select **Duplicate**.
+4. Provide a **New name** for the policy, and then select **Save**.
 ### To edit a policy
diff --git a/memdocs/intune/protect/epm-data-collection.md b/memdocs/intune/protect/epm-data-collection.md
index e797baf6ca8..a4a0ea0f2c4 100644
--- a/memdocs/intune/protect/epm-data-collection.md
+++ b/memdocs/intune/protect/epm-data-collection.md
@@ -5,8 +5,8 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/9/2023
-ms.topic: how-to
+ms.date: 10/08/2024
+ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
 ms.localizationpriority: high
@@ -16,7 +16,7 @@ ms.localizationpriority: high
 #ROBOTS:
 #audience:
-ms.reviewer: mattcall
+ms.reviewer: mikedano
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -49,7 +49,7 @@ Endpoint Privilege Management on devices can be configured to report on the foll
 - Diagnostic data
 - Usage data
-When configuring EPM, you configure the *Send elevation data for reporting* and *Reporting scope* settings in an Intune [Windows elevation settings policy](../protect/epm-policies.md#about-windows-elevation-settings-policy) to determine which data is reported to Microsoft.
+When configuring EPM, you configure the *Send elevation data for reporting* and *Reporting scope* settings in an Intune [Windows elevation settings policy](../protect/epm-policies.md#about-windows-elevation-settings-policy) to determine which data Intune reports to Microsoft.
 ## Diagnostic Data
@@ -57,7 +57,7 @@ Diagnostic data is event data that is used by Microsoft to monitor the health of
 ## Usage Data
-Usage data is elevation data that is used by customers to determine what elevations have occurred in their environment. This data is stored with your Intune infrastructure and is used to populate the [elevation reports](../protect/epm-reports.md). When configuring *reporting scope*, you configure what scope of data is collected and can choose between:
+Usage data is elevation data that is used by customers to determine what elevations occur in their environment. This data is stored with your Intune infrastructure and is used to populate the [elevation reports](../protect/epm-reports.md). When configuring *reporting scope*, you configure what scope of data is collected and can choose between:
 - *Diagnostic data* only
 - *Diagnostic data and all endpoint elevations* that take place on a device
@@ -101,7 +101,7 @@ Usage data is elevation data that is used by customers to determine what elevati
 ||Operation Type|Type of policy application, used for policy application operations |
 ||Cancellation Action Type|Type of cancellation generated by the Administrator|
-## Next steps
+## Related content
 - [Learn about Endpoint Privilege Management](../protect/epm-overview.md)
 - [Guidance for creating Elevation Rules](../protect/epm-guidance-for-creating-rules.md)
diff --git a/memdocs/intune/protect/includes/mtd-mam-note.md b/memdocs/intune/protect/includes/mtd-mam-note.md
new file mode 100644
index 00000000000..347500c4abc
--- /dev/null
+++ b/memdocs/intune/protect/includes/mtd-mam-note.md
@@ -0,0 +1,29 @@
+---
+author: brenduns
+ms.author: brenduns
+ms.reviewer: demerson
+
+ms.service: microsoft-intune
+ms.subservice: protect
+ms.topic: include
+ms.date: 08/20/2024
+
+---
+
+
+> [!NOTE]
+>
+> This article applies to all Mobile Threat Defense partners that support app protection policies:
+>
+> - Better Mobile (Android, iOS/iPadOS)
+> - BlackBerry Mobile (CylancePROTECT for Android, iOS/iPadOS)
+> - Check Point Harmony Mobile (Android, iOS/iPadOS)
+> - Jamf (Android, iOS/iPadOS)
+> - Lookout for Work (Android, iOS/iPadOS)
+> - Microsoft Defender for Endpoint (Android, iOS/iPadOS, Windows)
+> - SentinelOne (Android, iOS/iPadOS)
+> - Symantec Endpoint Security (Android, iOS/iPadOS)
+> - Trellix Mobile Security (Android, iOS/iPadOS)
+> - Windows Security Center (Windows) - *For information about the Windows versions that support this connector, see [Data protection for Windows MAM](../../apps/protect-mam-windows.md).*
+> - Zimperium (Android, iOS/iPadOS)
\ No newline at end of file
diff --git a/memdocs/intune/protect/lookout-mtd-connector-integration.md b/memdocs/intune/protect/lookout-mtd-connector-integration.md
index 8a7641565c9..a654e1d033a 100644
--- a/memdocs/intune/protect/lookout-mtd-connector-integration.md
+++ b/memdocs/intune/protect/lookout-mtd-connector-integration.md
@@ -75,7 +75,7 @@ To enable your Lookout Mobile Endpoint Security subscription integration with In
 :::image type="content" source="./media/lookout-mtd-connector-integration/azure-ad-group-id.png" alt-text="Microsoft Entra group Object ID":::
- After you gather this information, contact Lookout support (email: enterprisesupport@lookout.com). Lookout Support works with your primary contact to onboard your subscription and create your Lookout Enterprise account, using the information that you provide.
+ After you gather this information, contact Lookout support. Lookout Support works with your primary contact to onboard your subscription and create your Lookout Enterprise account, using the information that you provide.
 ## Configure your Lookout subscription
diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md
index 5a1eabaab21..a2a6bf9e890 100644
--- a/memdocs/intune/protect/mde-security-integration.md
+++ b/memdocs/intune/protect/mde-security-integration.md
@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 07/03/2024
+ms.date: 09/30/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -70,6 +70,18 @@ When a supported device onboards to Microsoft Defender for Endpoint: Security settings management isn't yet supported with Government clouds. For more information, see [Feature parity with commercial](/microsoft-365/security/defender-endpoint/gov#feature-parity-with-commercial) in *Microsoft Defender for Endpoint for US Government customers*. +### Government cloud support + +As a public preview, the Defender for Endpoint security settings management scenario is supported in the following tenants: + +- US Government Community (GCC) High +- Department of Defense (DoD) + +For more information, see: + +- [Intune US Government service description](../fundamentals/intune-govt-service-description.md) +- [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov) + ### Connectivity requirements Devices must have access to the following endpoint: 
@@ -90,14 +102,15 @@ With [Microsoft Defender for Endpoint for Linux](/microsoft-365/security/defende
 - Debian 9 or higher 
 - SUSE Linux Enterprise Server 12 or higher 
 - Oracle Linux 7.2 or higher 
-- Amazon Linux 2 
+- Amazon Linux 2
+- Amazon Linux 2023
 - Fedora 33 or higher
 To confirm the version of the Defender agent, in the Defender portal go to the devices page, and on the devices *Inventories* tab, search for *Defender for Linux*. For guidance on updating the agent version, see [Deploy updates for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-updates).
 *Known issue*: With the Defender agent version **101.23052.0009**, Linux devices fail to enroll when they're missing the following filepath: `/sys/class/dmi/id/board_vendor`.
-*Known issue*: When a Linux device performs synthetic registration the Device Entra ID (formerly known as Device AAD ID) will not be visible in the Defender portal. This information can be viewed from the Intune or Entra portals. Administrators will still be able to manage devices with policies in this manner.
+*Known issue*: When a Linux device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Microsoft Entra portals. Administrators can still manage devices with policies in this manner.
 **macOS**:
@@ -113,7 +126,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d
 *Known issue*: With the Defender agent version **101.23052.0004**, macOS devices that are registered in Microsoft Entra ID before enrolling with security settings management receive a duplicate Device ID in Microsoft Entra ID, which is a synthetic registration. When you create a Microsoft Entra group for targeting policy, you must use the synthetic Device ID created by security settings management. In Microsoft Entra ID, the *Join Type* column for the synthetic Device ID is blank.
-*Known issue*: When a macOS device performs synthetic registration the Device Entra ID (formerly known as Device AAD ID) will not be visible in the Defender portal. This information can be viewed from the Intune or Entra portals. Administrators will still be able to manage devices with policies in this manner.
+*Known issue*: When a macOS device performs synthetic registration, the Device Entra ID (formerly known as Device AAD ID) isn't visible in the Defender portal. This information can be viewed from the Intune or Microsoft Entra portals. Administrators can still manage devices with policies in this manner.
 **Windows**:
@@ -122,19 +135,16 @@ To confirm the version of the Defender agent, in the Defender portal go to the d
 - Windows Server 2012 R2 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview)
 - Windows Server 2016 with [Microsoft Defender for Down-Level Devices](/defender-endpoint/configure-server-endpoints#new-functionality-in-the-modern-unified-solution-for-windows-server-2012-r2-and-2016-preview)
 - Windows Server 2019 (with [KB5025229](https://support.microsoft.com/topic/april-11-2023-kb5025229-os-build-17763-4252-e8ead788-2cd3-4c9b-8c77-d677e2d8744f))
-- Windows Server 2022 (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282))
+- Windows Server 2022, including Server Core (with [KB5025230](https://support.microsoft.com/topic/april-11-2023-security-update-kb5025230-5048ddfb-7bf3-4e6c-b29a-7b44b789d282))
+- Domain controllers (preview). See important information in [Use of security settings management on domain controllers](#use-of-security-settings-management-on-domain-controllers) (in this article).
 Security settings management doesn't work on and isn't supported with the following devices:
+- Windows Server Core 2019 and earlier
 - Non-persistent desktops, like Virtual Desktop Infrastructure (VDI) clients
 - Azure Virtual Desktop (AVD and formerly Windows Virtual Desktop, WVD)
-- Domain Controllers
 - 32-bit versions of Windows
-> [!IMPORTANT]
->
-> In some cases, Domain Controllers that run a down level server operating system (2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for Endpoint. In order to ensure that this doesn't happen in your environment, we recommend making sure your domain controllers are neither tagged "MDE-Management" or managed by MDE.
-
 ### Licensing and subscriptions
 To use security settings management, you need:
@@ -178,7 +188,7 @@ The following diagram is a conceptual representation of the Microsoft Defender f
 ### What to expect in the Microsoft Defender portal
-You can use the Microsoft Defender XDR *Device inventory* to confirm a device is using the security settings management capability in Defender for Endpoint, by reviewing the devices status in the **Managed by** column. The *Managed by* information is also available on the devices side-panel or device page. *Managed by* should consistently indicate that its managed by **MDE**. 
+You can use the Microsoft Defender for Endpoint *Device inventory* to confirm a device is using the security settings management capability in Defender for Endpoint, by reviewing the devices status in the **Managed by** column. The *Managed by* information is also available on the devices side-panel or device page. *Managed by* should consistently indicate that its managed by **MDE**. 
 You can also confirm a device is enrolled in *security settings management* successfully by confirming that the device-side panel or device page display **MDE Enrollment status** as **Success**.
@@ -251,24 +261,25 @@ The following policy types support the *macOS* platform.
 | Antivirus | Microsoft Defender Antivirus exclusions | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
 | Endpoint detection and response | Endpoint detection and response | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-### Windows 10, Windows 11, and Windows Server
+### Windows
-To support use with Microsoft Defender security settings management, your policies for Windows devices must use the *Windows 10, Windows 11, and Windows Server* platform. Each profile for the *Windows 10, Windows 11, and Windows Server* platform can apply to devices that are managed by Intune and to devices that are managed by security settings management.
+To support use with Microsoft Defender security settings management, your policies for Windows devices must use the *Windows* platform. Each profile for the *Windows* platform can apply to devices that are managed by Intune and to devices that are managed by security settings management.
| Endpoint security policy | Profile | Defender for Endpoint security settings management | Microsoft Intune |
 |---------|----------|-----------|----------|
-| Antivirus | Defender Update controls | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
+| Antivirus | Defender Update controls | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
 | Antivirus | Microsoft Defender Antivirus | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-| Antivirus | Microsoft Defender Antivirus exclusions| ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-| Antivirus | Windows Security Experience | *Note 1* | ![Supported](./media/mde-security-integration/green-check.png) |
-| Attack Surface Reduction | Attack Surface Reduction Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-| Endpoint detection and response | Endpoint detection and response | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-| Firewall | Firewall | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-| Firewall | Firewall Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
+| Antivirus | Microsoft Defender Antivirus exclusions| ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
+| Antivirus | Windows Security Experience | *Note 1* | ![Supported](./media/mde-security-integration/green-check.png) |
+| Attack Surface Reduction | Attack Surface Reduction Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
+|Attack Surface Reduction|Device Control | *Note 1* | ![Supported](./media/mde-security-integration/green-check.png) |
+| Endpoint detection and response | Endpoint detection and response | ![Supported](./media/mde-security-integration/green-check.png)| ![Supported](./media/mde-security-integration/green-check.png)|
+| Firewall | Firewall | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
+| Firewall | Firewall Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) |
-***1*** - The *Windows Security Experience* profile is available in the Defender portal but only applies to devices managed by Intune. It isn't supported for devices managed by Microsoft Defender security settings management.
+***1*** - This profile is visible in the Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune.
-**Each Intune endpoint security policy** is a discrete group of settings intended for use by security admins who focus on protecting devices in your organization. The following are descriptions of the policies that support security settings management:
+**Each Intune endpoint security profile** is a discrete group of settings intended for use by security admins who focus on protecting devices in your organization. The following are descriptions of the profiles that are supported by the security settings management scenario:
 - **[Antivirus](endpoint-security-antivirus-policy.md)** policies manage the security configurations found in Microsoft Defender for Endpoint.
@@ -301,15 +312,15 @@ The following sections guide you through that process.
 ### Configure Microsoft Defender for Endpoint
-In Microsoft Defender for Endpoint portal, as a security administrator:
+In the Microsoft Defender portal, as a security administrator:
-1. Sign in to [Microsoft Defender portal](https://security.microsoft.com/) and go to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope** and enable the platforms for security settings management.
+1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) and go to **Settings** > **Endpoints** > **Configuration Management** > **Enforcement Scope** and enable the platforms for security settings management.
 :::image type="content" source="./media/mde-security-integration/enable-mde-settings-management-defender.png" alt-text="Enable Microsoft Defender for Endpoint settings management in the Microsoft Defender portal." lightbox="./media/mde-security-integration/enable-mde-settings-management-defender.png#lightbox":::
 > [!NOTE]
 >
- > If you have the *Manage security settings in Security Center* permission in the Microsoft Defender for Endpoint portal, and are simultaneously enabled to view devices from all Device Groups (no [role-based access control](/microsoft-365/security/defender-endpoint/rbac) limits on your user permissions), you can also perform this action.
+ > If you have the *Manage security settings in Security Center* permission in the Microsoft Defender portal, and are simultaneously enabled to view devices from all Device Groups (no [role-based access control](/microsoft-365/security/defender-endpoint/rbac) limits on your user permissions), you can also perform this action.
 2. Initially, we recommend testing the feature for each platform by selecting the platforms option for **On tagged devices**, and then tagging the devices with the `MDE-Management` tag.
@@ -331,7 +342,7 @@ In Microsoft Defender for Endpoint portal, as a security administrator:
 > [!TIP]
 >
- > To ensure your Microsoft Defender for Endpoint portal users have consistent permissions across portals, if not already provided, request that your IT administrator grant them the Microsoft Intune **Endpoint Security Manager** [built-in RBAC role](../fundamentals/role-based-access-control.md).
+ > To ensure your Microsoft Defender portal users have consistent permissions across portals, if not already provided, request that your IT administrator grant them the Microsoft Intune **Endpoint Security Manager** [built-in RBAC role](../fundamentals/role-based-access-control.md).
 ### Configure Intune
@@ -479,9 +490,9 @@ You can manually sync a device on-demand from the [Microsoft Defender portal](ht
 The Policy sync button only appears for devices that are successfully managed by Microsoft Defender for Endpoint.
-### Devices protected by Tamper Protection
+### Devices protected by tamper protection
-If a device has Tamper Protection turned on, it isn't possible to edit the values of [Tamper Protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) without disabling Tamper Protection first.
+If a device has tamper protection turned on, it isn't possible to edit the values of [Tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) without disabling Tamper Protection first.
 ### Assignment Filters and security settings management
@@ -517,15 +528,12 @@ The following security settings are pending deprecation. The Defender for Endpoi
 ### Use of security settings management on domain controllers
-Because a Microsoft Entra ID trust is required, domain controllers aren't currently supported. We're looking at ways to add this support.
-
-> [!IMPORTANT]
->
-> In some cases, Domain Controllers that are run a down level server Operating system (2012 R2 or 2016) can unintentionally be managed by Microsoft Defender for Endpoint. In order to ensure that this doesn't happen in your environment, we recommend making sure your domain controllers are neither tagged "MDE-Management" or managed by MDE.
-
-### Server Core installation
+Currently in preview, security settings management is now supported on domain controllers. To manage security settings on domain controllers, you must enable it in the enforcement scope page (go to **Settings** > **Endpoints** **Enforcement scope**). Windows Server devices must be enabled before you can enable configuration of domain controllers. Additionally, if the *on tagged devices* option is selected for Windows Servers, configuration of domain controllers is limited to tagged devices, too.
-Security settings management doesn't support Server core installations due to Server core platform limitations.
+> [!CAUTION]
+> - Misconfiguration of domain controllers could have a negative impact on both your security posture and operational continuity.
+> - If configuration of domain controllers is enabled in your tenant, make sure to review all Windows policies to make sure you're not unintentionally targeting Microsoft Entra device groups that contain domain controllers. To minimize risk to productivity, firewall policies aren't supported on domain controllers.
+> - We recommend reviewing all policies targeted to domain controllers before unenrolling those devices. Make any required configurations first, and then unenroll your domain controllers.
Defender for Endpoint configuration is maintained on each device after the device is unenrolled.
 ### PowerShell restrict mode
@@ -533,9 +541,9 @@ PowerShell needs to be enabled.
 Security settings management doesn't work for a device that has PowerShell *LanguageMode* configured with *ConstrainedLanguage* mode `enabled`. For more information, see [about_Language_Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes) in the PowerShell documentation.
-### Managing security through MDE if you were previously using a third party security tool
+### Managing security through Defender for Endpoint if you were previously using a third-party security tool
-If you previously had a third-party security tool on the machine and are now managing it with MDE, you might see some impact on MDE's capability to manage Security settings in rare cases. In such cases, as a troubleshooting measure, uninstall and reinstall the latest version of MDE on your machine.
+If you previously had a third-party security tool on the machine and are now managing it with Defender for Endpoint, you might see some impact on Defender for Endpoint's capability to manage Security settings in rare cases. In such cases, as a troubleshooting measure, uninstall and reinstall the latest version of Defender for Endpoint on your machine.
 ## Next steps
diff --git a/memdocs/intune/protect/media/certificates-profile-scep/scep-configuration-settings.png b/memdocs/intune/protect/media/certificates-profile-scep/scep-configuration-settings.png
new file mode 100644
index 00000000000..0ef183f3884
Binary files /dev/null and b/memdocs/intune/protect/media/certificates-profile-scep/scep-configuration-settings.png differ
diff --git a/memdocs/intune/protect/media/certificates-profile-scep/scep-san-add.png b/memdocs/intune/protect/media/certificates-profile-scep/scep-san-add.png
new file mode 100644
index 00000000000..f4c8e0840db
Binary files /dev/null and b/memdocs/intune/protect/media/certificates-profile-scep/scep-san-add.png differ
diff --git a/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png b/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png
index 508706d6685..5ed1319e5ad 100644
Binary files a/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png and b/memdocs/intune/protect/media/encrypt-devices-filevault/select-macos-filevault-dc.png differ
diff --git a/memdocs/intune/protect/media/encrypt-devices/select-windows-bitlocker-es.png b/memdocs/intune/protect/media/encrypt-devices/select-windows-bitlocker-es.png
deleted file mode 100644
index c8c013782bb..00000000000
Binary files a/memdocs/intune/protect/media/encrypt-devices/select-windows-bitlocker-es.png and /dev/null differ
diff --git a/memdocs/intune/protect/media/encrypt-devices/select-windows-encpryption-profile.png b/memdocs/intune/protect/media/encrypt-devices/select-windows-encpryption-profile.png
new file mode 100644
index 00000000000..99c48e416c6
Binary files /dev/null and b/memdocs/intune/protect/media/encrypt-devices/select-windows-encpryption-profile.png differ
diff --git a/memdocs/intune/protect/microsoft-tunnel-conditional-access.md b/memdocs/intune/protect/microsoft-tunnel-conditional-access.md
index a91cc114923..419931c07f8 100644
--- a/memdocs/intune/protect/microsoft-tunnel-conditional-access.md
+++ b/memdocs/intune/protect/microsoft-tunnel-conditional-access.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/13/2023
+ms.date: 10/10/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -13,7 +13,7 @@ ms.localizationpriority: high
 # optional metadata
 #ROBOTS:
-
+
 ms.reviewer: ochukwunyere
 ms.suite: ems
 search.appverid: MET150
@@ -61,7 +61,7 @@ If you'll use Conditional Access policy to limit user access, we recommend confi
 3. To configure user and group access, below *Assignments*, select **Users and groups**.
 1. Select **Include** > **All users**.
- 2. Next, select **Exclude** and configure the groups you want to *grant access to*, and then save the user and Group configuration.
+ 2. Next, select **Exclude**, and then configure the groups you want to *grant access to*, and then save the user and Group configuration.
 4. Under **Cloud apps or actions** > **Select apps**, select the **Microsoft Tunnel Gateway app**.
@@ -73,6 +73,6 @@ If you'll use Conditional Access policy to limit user access, we recommend confi
 For more information about creating policies for Conditional Access, see [Create a device-based Conditional Access policy](../protect/create-conditional-access-intune.md).
-## Next steps
+## Related content
 [Monitor Microsoft Tunnel](microsoft-tunnel-monitor.md)
diff --git a/memdocs/intune/protect/microsoft-tunnel-configure.md b/memdocs/intune/protect/microsoft-tunnel-configure.md
index 0ca70672298..4b03dd64f99 100644
--- a/memdocs/intune/protect/microsoft-tunnel-configure.md
+++ b/memdocs/intune/protect/microsoft-tunnel-configure.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 03/19/2024
+ms.date: 09/26/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -137,11 +137,11 @@ However, if you plan to install the Microsoft Tunnel Gateway to a rootless Podma
 For example, to use **wget** and log details to *mstunnel-setup* during the download, run `wget --output-document=mstunnel-setup https://aka.ms/microsofttunneldownload`
-2. To start the server installation, run the script as **root**. For example, you might use the following command line: `sudo chmod +x ./mstunnel-setup`. The script always installs the [most recent version](microsoft-tunnel-upgrade.md#microsoft-tunnel-update-history) of Microsoft Tunnel.
+2. To start the server installation, run the script as **root**. For example, you might use the following command line: `sudo ./mstunnel-setup`. The script always installs the [most recent version](microsoft-tunnel-upgrade.md#microsoft-tunnel-update-history) of Microsoft Tunnel.
 > [!IMPORTANT]
 >
- > If you are installing Tunnel to a [rootless Podman container](#use-a-rootless-podman-container), use the the following modified command-line to start the script: `chmod mst_rootless_mode=1 ./mstunnel-setup`
+ > If you are installing Tunnel to a [rootless Podman container](#use-a-rootless-podman-container), use the the following modified command-line to start the script: `mst_rootless_mode=1 ./mstunnel-setup`
 To see detailed console output during the tunnel and installation agent enrollment process:
@@ -152,7 +152,7 @@ However, if you plan to install the Microsoft Tunnel Gateway to a rootless Podma
 > [!IMPORTANT]
 > **For the U.S. government cloud**, the command line must reference the government cloud environment. To do so, run the following commands to add *intune_env=FXP* to the command line:
 >
- > 1. Run `sudo chmod +x ./mstunnel-setup`
+ > 1. Run `sudo ./mstunnel-setup`
 > 2. Run `sudo intune_env=FXP ./mstunnel-setup`
 > [!TIP]
@@ -205,17 +205,18 @@ However, if you plan to install the Microsoft Tunnel Gateway to a rootless Podma
 8. If you're using RHEL 8.4 or later, be sure to restart the Tunnel Gateway server by entering `mst-cli server restart` before you attempt to connect clients to it.
-## Add trusted root certificates to Tunnel containers
+## Add trusted root certificates to Tunnel containers
+
 Trusted root certificates must be added to the Tunnel containers when:
 - The outgoing server traffic requires SSL proxy inspection.
 - The endpoints accessed by the Tunnel containers are not exempt from proxy inspection.
 **Steps:**
+
 1. Copy the trusted root certificate(s) with .crt extension to /etc/mstunnel/ca-trust
 2. Restart Tunnel containers using "mst-cli server restart" and "mst-cli agent restart"
-
 ## Deploy the Microsoft Tunnel client app
 To use the Microsoft Tunnel, devices need access to a Microsoft Tunnel client app. Microsoft Tunnel uses Microsoft Defender for Endpoint as the Tunnel client app:
@@ -456,7 +457,6 @@ With prerequisites in place, you can then use the [installation script procedure
 Use of a rootless Podman container requires your environment meet the following prerequisites, which are in *addition* to the default [Microsoft Tunnel prerequisites](microsoft-tunnel-prerequisites.md):
-
 **Supported platform**:
 - The Linux server must run Red Hat (RHEL) 8.8 or later.
@@ -465,10 +465,12 @@ Use of a rootless Podman container requires your environment meet the following
 - The rootless container must be installed under the **/home** folder.
 - The **/home** folder must have a minimum of 10 GB of free space.
-**Throughput**
- - The peak throughput should not exceed 230Mbps
+**Throughput**:
+
+- The peak throughput should not exceed 230Mbps
 **Network**:
+
 The following network settings, which are not available in a rootless namespace, must be set in **/etc/sysctl.conf**:
 - `net.core.somaxconn=8192`
@@ -484,6 +486,7 @@ For example, to specify port 443, use the following entry: `net.ipv4.ip_unprivil
 After editing **sysctl.conf**, you must reboot the Linux server before the new configurations take effect.
 **Outbound proxy for the rootless user**:
+
 To support an outbound proxy for the rootless user, edit **/etc/profile.d/http_proxy.sh** and add the following two lines. In the following lines, *10.10.10.1:3128* is an example *address:port* entry. When you add these lines, replace *10.10.10.1:3128* with the values for your proxy IP address and port:
 - `export http_proxy=http://10.10.10.1:3128`
@@ -497,11 +500,9 @@ To install Microsoft Tunnel to a rootless Podman container, use the following co
 ## Uninstall the Microsoft Tunnel
-To uninstall the product, run **mst-cli uninstall** from the Linux server as root.
-
-After the product is uninstalled, delete the corresponding server record in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) under **Tenant administration** > **Microsoft Tunnel Gateway** > **Servers**.
+To uninstall the product, run **mst-cli uninstall** from the Linux server as root. This will also remove the server from the Intune admin center.
-## Next steps
+## Related content
 [Use Conditional Access with the Microsoft Tunnel](microsoft-tunnel-conditional-access.md)
 [Monitor Microsoft Tunnel](microsoft-tunnel-monitor.md)
diff --git a/memdocs/intune/protect/microsoft-tunnel-mam-android.md b/memdocs/intune/protect/microsoft-tunnel-mam-android.md
index 4394fa8fa22..b40f957f9c8 100644
--- a/memdocs/intune/protect/microsoft-tunnel-mam-android.md
+++ b/memdocs/intune/protect/microsoft-tunnel-mam-android.md
@@ -67,7 +67,7 @@ Users of devices that aren't enrolled with Intune must install the following app
 **Line of Business apps**:
-For your Line of Business (LOB) apps, integrate them with the MAM SDK. Later, you can [add your LOB apps](#configure-line-of-business-applications) to your app protection policy and app configuration polices for MAM Tunnel. See [Getting started with MAM for Android](../developer/app-sdk-android-phase3.md).
+For your Line of Business (LOB) apps, integrate them with the MAM SDK. Later, you can [add your LOB apps](#configure-line-of-business-applications) to your app protection policy and app configuration policies for MAM Tunnel. See [Getting started with MAM for Android](../developer/app-sdk-android-phase3.md).
 > [!NOTE]
 > Make sure your Android LOB applications support direct proxy or Proxy Auto-Configuration (PAC) for both MDM and MAM.
@@ -106,7 +106,7 @@ Create an App configuration policy to configure Microsoft Defender for Endpoint
 > [!NOTE]
 > Ensure only a single Defender app configuration policy targets the unenrolled device. Targeting more than 1 app configuration policy with different tunnel settings for Defender for Endpoint will create tunnel connection issues on the device.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App Configuration polices** > **Add** > **Managed Apps**.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App Configuration policies** > **Add** > **Managed Apps**.
 2. On the *Basics* tab:
@@ -156,7 +156,7 @@ The new policy appears in the list of App configuration policies.
 Create an App configuration policy for Microsoft Edge. This policy configures Microsoft Edge to support identity-switch, providing the ability to automatically connect the VPN Tunnel when signing-in or switching to a Microsoft "Work or school" account, and automatically disconnect the VPN tunnel when switching to a Microsoft personal account.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App Configuration polices** > **Add** > **Managed Apps**.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App Configuration policies** > **Add** > **Managed Apps**.
 2. On the *Basics* tab:
diff --git a/memdocs/intune/protect/microsoft-tunnel-mam-ios.md b/memdocs/intune/protect/microsoft-tunnel-mam-ios.md
index 71c59fe7a43..27385a16ee2 100644
--- a/memdocs/intune/protect/microsoft-tunnel-mam-ios.md
+++ b/memdocs/intune/protect/microsoft-tunnel-mam-ios.md
@@ -100,7 +100,7 @@ Microsoft Tunnel for MAM iOS uses the following Intune policies and profiles:
 Create an app configuration policy for apps that use Tunnel for MAM. This policy configures an app to use a specific Microsoft Tunnel Gateway Site, proxy, and trusted certificate(s) for Edge and line-of-business (LOB) apps. These resources are used when connecting to on-premises resources.
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App Configuration polices** > **Add** > **Managed Apps**.
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App Configuration policies** > **Add** > **Managed Apps**.
 2. On the *Basics* tab, enter a *Name* for the policy and a *Description* (optional).
@@ -161,7 +161,7 @@ Create an App configuration policy for Microsoft Edge. This policy configures Ed
 > [!NOTE]
 > If you already have an app configuration policy created for your LOB App, you can edit that policy to include Edge and the required *key/value pair* settings.
-1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App Configuration polices** > **Add** > **Managed Apps**.
+1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App Configuration policies** > **Add** > **Managed Apps**.
 2. On the *Basics* tab:
diff --git a/memdocs/intune/protect/microsoft-tunnel-mam.md b/memdocs/intune/protect/microsoft-tunnel-mam.md
index 9a6e1938dba..082e64d6e2e 100644
--- a/memdocs/intune/protect/microsoft-tunnel-mam.md
+++ b/memdocs/intune/protect/microsoft-tunnel-mam.md
@@ -1,12 +1,12 @@
 ---
 title: Learn about using Microsoft Tunnel with Mobile Application Management
-description: Use Microsoft Tunnel for MAM with Android and iOS devices. Tunnel support for MAM expands access to your organizational resources for devices that can't or haven't enrolled with Microsoft Intune.
+description: Use Microsoft Tunnel for MAM with Android and iOS devices. Tunnel for MAM expands access to your organizational resources for devices that aren't or can't enroll with Microsoft Intune.
 keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/01/2023
-ms.topic: how-to
+ms.date: 10/10/2024
+ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
 ms.localizationpriority: high
@@ -30,7 +30,7 @@ ms.collection:
 [!INCLUDE [intune-add-on-note](../includes/intune-plan2-suite-note.md)]
-When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that hasn't enrolled with Intune to gain secure access to the organizations on-premises apps and resources using modern authentication, Single Sign On and conditional access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
+When you use the Microsoft Tunnel VPN Gateway, you can extend Tunnel support by adding Tunnel for Mobile Application Management (MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. With this solution, your users can use a single device that isn't enrolled with Intune to gain secure access to the organizations on-premises apps and resources using modern authentication, single sign-on, and Conditional Access. With Tunnel for MAM, your users can use their own device (BYOD) for both work and personal use, without having to grant the organization's IT department control over that device.
 Applies to:
@@ -39,7 +39,7 @@ Applies to:
 ## Platform requirements and feature overview
-Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:
+Before you begin, you must already have deployed the Microsoft Tunnel gateway. To learn more about Microsoft Tunnel gateway and how to install and configure it, see:
 - [Learn about the Microsoft Tunnel VPN solution for Microsoft Intune](../protect/microsoft-tunnel-overview.md)
 - [Identify the prerequisites to install and use the Microsoft Tunnel VPN solution for Microsoft Intune](../protect/microsoft-tunnel-prerequisites.md)
@@ -57,17 +57,17 @@ The following table identifies key features for the supported platforms:
 | Requirements: | - Company Portal app (sign-in not required)

                        - Defender for Endpoint app | - No Company Portal app or Defender for Endpoint app requirement | | Features: | - VPN is provided via the Defender for Endpoint app:
                        --- Per App VPN
                        --- Device-wide VPN

                        - *Auto-launch*: VPN automatically starts on app launch | - VPN is provided via Tunnel for MAM SDK for iOS integration

                        - Per-App VPN. Tunnel connection is restricted to each targeted app

                        - *Auto-launch*: VPN automatically starts on app launch

                        - No Device-wide VPN

                        - Trusted root certificate support for on-premises CA trust

                        | | Line of Business app requirements| - Intune App SDK for Android

                        - Microsoft Authentication Library (MSAL) integration | - Intune App SDK for iOS

                        - Microsoft Authentication Library (MSAL) integration
                        --- Microsoft Entra App registration

                        - Tunnel for MAM SDK for iOS | -| Microsoft Edge browser support:| - *Strict Tunnel Mode*: When users sign into Edge with an organization account, if the VPN isn't connected, then **Strict Tunnel Mode** blocks internet traffic. When the VPN reconnects, internet browsing is available again.

                        - *Identity switch*: VPN connects when using a work or school account and disconnects when switching to a personal account or in-Private browsing

                        - Device-wide and Per-App VPN support | - *Strict Tunnel Mode*: When users sign into Edge with an organization account, if the VPN isn't connected, then **Strict Tunnel Mode** blocks internet traffic. When the VPN reconnects, internet browsing is available again.

                        - *Identity switch*: VPN connects when using a work/school account and disconnects when switching to a personal account or in-Private browsing | +| Microsoft Edge browser support:| - *Strict Tunnel Mode*: When users sign into Microsoft Microsoft Edge with an organization account, if the VPN isn't connected, then **Strict Tunnel Mode** blocks internet traffic. When the VPN reconnects, internet browsing is available again.

                        - *Identity switch*: VPN connects when using a work or school account and disconnects when switching to a personal account or in-Private browsing.

                        - Device-wide and Per-App VPN support | - *Strict Tunnel Mode*: When users sign into Microsoft Edge with an organization account, if the VPN isn't connected, then **Strict Tunnel Mode** blocks internet traffic. When the VPN reconnects, internet browsing is available again.

                        - *Identity switch*: VPN connects when using a work/school account and disconnects when switching to a personal account or in-Private browsing. |
 | Third-party browser support: | - Only with device-wide VPN enabled | - None |
 ## Try the interactive demos
-Try the following interactive demos to discover how Tunnel for MAM extends Microsoft Tunnel VPN Gateway to support Android and iOS devices that are not enrolled with Intune.
+Try the following interactive demos to discover how Tunnel for MAM extends Microsoft Tunnel VPN Gateway to support Android and iOS devices that aren't enrolled with Intune.
 - [Microsoft Tunnel for Mobile Application Management for Android]( https://regale.cloud/Microsoft/viewer/1896/microsoft-tunnel-for-mobile-application-management-for-android/index.html#/0/0)
 - [Microsoft Tunnel for Mobile Application Management for iOS/iPadOS]( https://regale.cloud/Microsoft/viewer/1976/microsoft-tunnel-for-mobile-application-management-for-ios-ipados/index.html#/0/0)
-## Next steps
+## Related content
 - [Learn about the Microsoft Tunnel VPN solution for Microsoft Intune](../protect/microsoft-tunnel-overview.md)
 - [Use MAM Tunnel for Android](../protect/microsoft-tunnel-mam-android.md)
diff --git a/memdocs/intune/protect/microsoft-tunnel-monitor.md b/memdocs/intune/protect/microsoft-tunnel-monitor.md
index 2a8478be6ba..7bc3069cca5 100644
--- a/memdocs/intune/protect/microsoft-tunnel-monitor.md
+++ b/memdocs/intune/protect/microsoft-tunnel-monitor.md
@@ -1,11 +1,11 @@
 ---
-title: Monitor the status of the Microsoft Tunnel VPN solution for Microsoft Intune
-description: Monitor the status of Microsoft Tunnel Gateway, a VPN server that runs on Linux. With the Microsoft Tunnel, cloud-based devices you manage with Intune can reach your on-premises infrastructure.
+title: Monitor the Microsoft Tunnel VPN solution for Microsoft Intune
+description: Monitor the status of Microsoft Tunnel Gateway, a VPN server that runs on Linux. Microsoft Tunnel enables your Intune managed cloud-based devices to reach your on-premises infrastructure.
 keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 1/23/2024
+ms.date: 10/14/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -96,7 +96,7 @@ Default values for server health metrics:
 Plan to replace a revoked TLS certificate.
- To learn more about Online Certificate Status Protocol (OCSP), see [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) at wikipedia.org.
+ To learn more about Online Certificate Status Protocol (OCSP), see [Online Certificate Status Protocol](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) at wikipedia.org.
 - **Internal network accessibility** – Status from the most recent check of the internal URL. You configure the URL as part of a [Tunnel Site configuration](../protect/microsoft-tunnel-configure.md#to-create-a-site-configuration).
 - *Healthy* - The server can access the URL specified in the site properties.
@@ -124,7 +124,7 @@ Default values for server health metrics:
 - **Server logs** – Determines if logs have been uploaded to the server within the last 60 minutes.
 - *Healthy* - Server logs were uploaded within the last 60 minutes.
- - *Unhealthy* - Server logs were uploaded within the last 60 minutes.
+ - *Unhealthy* - Server logs haven't been uploaded in the last 60 minutes.
 ## Manage health status thresholds
@@ -188,7 +188,7 @@ Microsoft Tunnel logs information to the Linux server logs in the *syslog* forma
 - **mstunnel-agent**: Display agent logs.
 - **mstunnel_monitor**: Display monitoring task logs.
-- **ocserv** - Display server logs.
+- **ocserv** - Display server logs.
 - **ocserv-access** - Display access logs. By default, access logging is disabled. Enabling access logs can reduce performance, depending on the number of active connections and usage patterns on the server. Logging for DNS connections increases the verbosity of the logs, which can become noisy.
@@ -210,7 +210,7 @@ Microsoft Tunnel logs information to the Linux server logs in the *syslog* forma
 - **OCSERV_TELEMETRY** - Display telemetry details for connections to Tunnel.
- Telemetry logs have the following format, with the values for *bytes_in*, *bytes_out*, and *duration* being used only for disconnect operations: `` For example:
+ Telemetry logs have the following format, with the values for *bytes_in*, *bytes_out*, and *duration* being used only for disconnect operations: `` For example:
 - *Oct 20 19:32:15 mstunnel ocserv[4806]: OCSERV_TELEMETRY,connect,31258,73.20.85.75,172.17.0.3,169.254.0.1,169.254.107.209,3780e1fc-3ac2-4268-a1fd-dd910ca8c13c, 5A683ECC-D909-4E5F-9C67-C0F595A4A70E,MobileAccess iOS 1.1.34040102*
@@ -255,7 +255,7 @@ Each set of logs that Intune collects and uploads is identified as a separate se
 - A *start* and *end* time of the log collection
 - When the upload was generated
 - The log sets *verbosity level*
-- An *Incident ID* that can be used to identify that specific log set
+- An *Incident ID* that can be used to identify that specific log set
 :::image type="content" source="./media/microsoft-tunnel-monitor/send-server-logs-tab.png" alt-text="Screen capture that shows the Send verbose server logs interface.":::
@@ -282,13 +282,13 @@ The following are known issues for Microsoft Tunnel.
 #### Clients can successfully use the Tunnel when Server health status shows as offline
-**Issue**: On the [Tunnel *Health status* tab](../protect/microsoft-tunnel-monitor.md), a server’s health status reports as offline indicating that it's disconnected, even though users can reach the tunnel server and connect to the organization’s resources.
+**Issue**: On the [Tunnel *Health status* tab](../protect/microsoft-tunnel-monitor.md), a server’s health status reports as offline indicating that it's disconnected, even though users can reach the tunnel server and connect to the organization’s resources.
 **Solution**: To resolve this issue, you must reinstall Microsoft Tunnel, which re-enrolls the Tunnel server agent with Intune. To prevent this issue, install updates for the Tunnel agent and server soon after they're released. Use the Tunnel server health metrics in the Microsoft Intune admin center to monitor server health.
 #### With Podman, you see “Error executing checkup” in the mstunnel_monitor log
-**Issue**: Podman fails to identify or see the active containers are running, and reports “Error executing checkup” in the [mstunnel_monitor log](../protect/microsoft-tunnel-monitor.md#view-microsoft-tunnel-logs) of the Tunnel server. The following are examples of the errors:
+**Issue**: Podman fails to identify or see the active containers are running, and reports “Error executing checkup” in the [mstunnel_monitor log](../protect/microsoft-tunnel-monitor.md#view-microsoft-tunnel-logs) of the Tunnel server. The following are examples of the errors:
 - Agent:
 ```
@@ -316,14 +316,14 @@ The following are known issues for Microsoft Tunnel.
 **Solution**: To resolve this issue, manually [restart the Podman containers](https://docs.podman.io/en/latest/markdown/podman-restart.1.html). Podman should then be able to identify the containers. If the problem persists, or returns, consider using ***cron*** to create a job that automatically restarts the containers when this issue is seen.
-#### With Podman, you see System.DateTime errors in the mstunnel-agent log
+#### With Podman, you see System.DateTime errors in the mstunnel-agent log
 **Issue**: When you use Podman, the mstunnel-agent log might contain errors similar to the following entries:
 - `Failed to parse version-info.json for version information.`
 - `System.Text.Json.JsonException: The JSON value could not be converted to System.DateTime`
-This issue occurs due to differences in formatting dates between Podman and Tunnel Agent. These errors don't indicate a fatal issue or prevent connectivity. Beginning with containers released after October 2022, the formatting issues should be resolved.
+This issue occurs due to differences in formatting dates between Podman and Tunnel Agent. These errors don't indicate a fatal issue or prevent connectivity. Beginning with containers released after October 2022, the formatting issues should be resolved.
 **Solution**: To resolve these issues, update the agent container (Podman or Docker) to the latest version. As new sources of these errors are discovered, we'll continue to fix them in subsequent version updates.
@@ -339,6 +339,6 @@ For guidance on viewing Tunnel logs, see [View Microsoft Tunnel logs](#view-micr
 If this issue persists, consider automating the restart command by using the cron scheduling utility. See [How to use cron on Linux](https://opensource.com/article/21/7/cron-linux) at *opensource.com*.
-## Next steps
+## Related content
 [Reference for Microsoft Tunnel](../protect/microsoft-tunnel-reference.md)
diff --git a/memdocs/intune/protect/microsoft-tunnel-overview.md b/memdocs/intune/protect/microsoft-tunnel-overview.md
index 1d9a883444b..16a03027771 100644
--- a/memdocs/intune/protect/microsoft-tunnel-overview.md
+++ b/memdocs/intune/protect/microsoft-tunnel-overview.md
@@ -1,12 +1,12 @@
 ---
 title: Learn about the Microsoft Tunnel VPN solution for Microsoft Intune
-description: Learn about the Microsoft Tunnel Gateway, a VPN server for Intune that runs on Linux. With the Microsoft Tunnel, cloud-based devices you manage with Intune can reach your on-premises infrastructure.
+description: Learn about the Microsoft Tunnel Gateway, a VPN server for Intune that runs on Linux. With Microsoft Tunnel, cloud-based devices you manage with Intune can reach your on-premises infrastructure.
 keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/14/2023
-ms.topic: how-to
+ms.date: 10/10/2024
+ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
 ms.localizationpriority: high
@@ -37,7 +37,7 @@ This article introduces the core Microsoft Tunnel, how it works, and its archite
 If you're ready to deploy the Microsoft Tunnel, see [Prerequisites for the Microsoft Tunnel](microsoft-tunnel-prerequisites.md), and then [Configure the Microsoft Tunnel](microsoft-tunnel-configure.md).
-After you've deployed Microsoft Tunnel, you can choose to add [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md) (Tunnel for MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. Tunnel for MAM is available when you add *Microsoft Intune Plan 2* or *Microsoft Intune Suite* as an [add-on license](../fundamentals/intune-add-ons.md) to your Tenant.
+After you deploy Microsoft Tunnel, you can choose to add [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md) (Tunnel for MAM). Tunnel for MAM extends the Microsoft Tunnel VPN gateway to support devices that run Android or iOS, and that aren't enrolled with Microsoft Intune. Tunnel for MAM is available when you add *Microsoft Intune Plan 2* or *Microsoft Intune Suite* as an [add-on license](../fundamentals/intune-add-ons.md) to your Tenant.
 > [!NOTE]
 >
@@ -73,10 +73,10 @@ Features of the VPN profiles for the tunnel include:
 - A friendly name for the VPN connection that is visible to your end users.
 - The site that the VPN client connects to.
 - Per-app VPN configurations that define which apps the VPN profile is used for, and if it's always-on or not. When always-on, the VPN automatically connects and is used only for the apps you define. If no apps are defined, the always-on connection provides tunnel access for all network traffic from the device.
-- For iOS devices that have the Microsoft Defender for Endpoint configured to support per-app VPNs and *TunnelOnly* mode set to *True*, users don’t need to open or sign-in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed-in to the Company Portal on the device or to any other app that uses multifactor authentication that has a valid token for access, the Tunnel per-app VPN is used automatically. *TunnelOnly* mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
+- For iOS devices that have Microsoft Defender for Endpoint configured to support per-app VPNs and *TunnelOnly* mode set to *True*, users don’t need to open or sign-in to Microsoft Defender on their device for the Tunnel to be used. Instead, with the user signed-in to the Company Portal on the device or to any other app that uses multifactor authentication that has a valid token for access, the Tunnel per-app VPN is used automatically. *TunnelOnly* mode is supported for iOS/iPadOS, and disables the Defender functionality, leaving only the Tunnel capabilities.
 - Manual connections to the tunnel when a user launches the VPN and selects *Connect*.
-- On-demand VPN rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses. (iOS/iPadOS)
-- Proxy support (iOS/iPadOS, Android 10+)
+- On-demand VPN rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses. *(iOS/iPadOS)*
+- Proxy support. *(iOS/iPadOS, Android 10+)*
 Server configurations include:
@@ -97,10 +97,10 @@ To use the Microsoft Tunnel, devices must install the Microsoft Defender for End
 ## Architecture
-The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
+The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
 ![Drawing of the Microsoft Tunnel Gateway architecture](./media/microsoft-tunnel-overview/tunnel-architecture.png)
-
+
 **Components**:
 - **A** – Microsoft Intune.
@@ -120,11 +120,11 @@ The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
 - **1** - Intune administrator configures *Server configurations* and *Sites*, Server configurations are associated with Sites.
 - **2** - Intune administrator installs Microsoft Tunnel Gateway and the authentication plugin authenticates Microsoft Tunnel Gateway with Microsoft Entra. Microsoft Tunnel Gateway server is assigned to a site.
-- **3** - Management Agent communicates to Intune to retrieve your server configuration policies, and to send telemetry logs to Intune.
-- **4** - Intune administrator creates and deploys VPN profiles and the Defender app to devices.
-- **5** - Device authenticates to Microsoft Entra. Conditional Access policies are evaluated.
-- **6** - With split tunnel:
- - **6.a** - Some traffic goes directly to the public internet.
+- **3** - Management Agent communicates to Intune to retrieve your server configuration policies, and to send telemetry logs to Intune.
+- **4** - Intune administrator creates and deploys VPN profiles and the Defender app to devices.
+- **5** - Device authenticates to Microsoft Entra. Conditional Access policies are evaluated.
+- **6** - With split tunnel:
+ - **6.a** - Some traffic goes directly to the public internet.
 - **6.b** - Some traffic goes to your public facing IP address for the Tunnel. The VPN channel will use TCP, TLS, UDP, and DTLS over port 443. This traffic requires inbound and outbound [Firewall ports](../protect/microsoft-tunnel-prerequisites.md#firewall) to be open.
 - **7** - The Tunnel routes traffic to your internal proxy (optional) and/or your corporate network. IT Admins must ensure that traffic from the Tunnel Gateway server internal interface can successfully route to internal corporate resource (IP address ranges and ports).
@@ -143,7 +143,7 @@ The following information outlines where break and inspect isn't supported. Refe
 - **Break and inspect is not supported in the following areas**:
 - Tunnel Gateway doesn't support SSL break and inspect, TLS break and inspect, or deep packet inspection for client connections.
- - The Use of firewalls, proxies, load balancers, or any technology that terminates and inspects the client sessions that go into the Tunnel Gateway isn't supported and causes client connections to fail. (Refer to **F**, **D**, and **C** in the Architecture diagram).
+ - The use of firewalls, proxies, load balancers, or any technology that terminates and inspects the client sessions that go into the Tunnel Gateway isn't supported and causes client connections to fail. (Refer to **F**, **D**, and **C** in the Architecture diagram).
 - If Tunnel Gateway uses an outbound proxy for internet access, the proxy server can't perform break and inspect. This is because Tunnel Gateway Management Agent uses TLS mutual authentication when connecting to Intune (Refer to **3** in the Architecture diagram). If break and inspect is enabled on the proxy server, network admins that manage the proxy server must add the Tunnel Gateway server IP address and Fully Qualified Domain Name (FQDN) to an approve-list to these [Intune endpoints](../fundamentals/intune-endpoints.md#access-for-managed-devices).
 **Additional details**:
@@ -152,7 +152,7 @@ The following information outlines where break and inspect isn't supported. Refe
 - The Management Agent is authorized against Microsoft Entra ID using Azure app ID/secret keys.
-## Next steps
+## Related content
 - [Prerequisites for the Microsoft Tunnel in Intune](microsoft-tunnel-prerequisites.md)
 - [Learn about Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md)
diff --git a/memdocs/intune/protect/microsoft-tunnel-prerequisites.md b/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
index f16f3120c2d..31dbf62708b 100644
--- a/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
+++ b/memdocs/intune/protect/microsoft-tunnel-prerequisites.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 03/19/2024
+ms.date: 10/24/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -34,6 +34,8 @@ At a high level, the Microsoft Tunnel requires:
 - An Azure subscription.
 - A *Microsoft Intune Plan 1* subscription.
+ > [!NOTE]
+ > This prerequisite is for *Microsoft Tunnel*, and does not include [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md), which is an [Intune add-on](../fundamentals/intune-add-ons.md) that requires a *Microsoft Intune Plan 2* subscription.
 - A Linux server that runs containers. The server can be on-premises or in the cloud, and supports one of the following container types:
 - **Podman** for Red Hat Enterprise Linux (RHEL). See the [Linux server](#linux-server) requirements.
 - **Docker** for all other Linux distributions.
@@ -48,7 +50,6 @@ The following sections detail the prerequisites for the Microsoft Tunnel, and pr
 > [!NOTE]
 > Tunnel and Global Secure Access (GSA) cannot be use simultaneously on the same device.
-
 ## Linux server
 Set up a Linux based virtual machine or a physical server on which to install the Microsoft Tunnel Gateway.
@@ -111,7 +112,7 @@ Set up a Linux based virtual machine or a physical server on which to install th - [Install Podman on Red Hat Enterprise Linux 8.4 and later (scroll down to RHEL8)](https://podman.io/get-started). - These versions of RHEL don't support Docker. Instead, these versions use Podman, and *podman* is part of a module called "container-tools". In this context, a module is a set of RPM packages that represent a component and that usually install together. A typical module contains packages with an application, packages with the application-specific dependency libraries, packages with documentation for the application, and packages with helper utilities. For more information, see [Introduction to modules](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_managing_and_removing_user-space_components/introduction-to-modules_using-appstream) in the Red Hat documentation. + These versions of RHEL don't support Docker. Instead, these versions use Podman, and *podman* is part of a module called "container-tools". In this context, a module is a set of RPM packages that represent a component and that usually install together. A typical module contains packages with an application, packages with the application-specific dependency libraries, packages with documentation for the application, and packages with helper utilities. For more information, see [Introduction to modules](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/installing_managing_and_removing_user-space_components/managing-versions-of-appstream-content_using-appstream) in the Red Hat documentation. > [!NOTE] 
> @@ -134,6 +135,11 @@ Set up a Linux based virtual machine or a physical server on which to install th - The TLS certificate can be in **PEM** or **pfx** format. - To support the *TLS certificate revocation* health check, ensure the Online Certificate Status Protocol (OCSP) or certificate revocation list (CRL) address as defined by the TLS certificate is accessible from the server. + + - Configure the Tunnel clients certificate with a key that is 2048-bits or larger. We recommend larger keys to help your deployment stay in support for future and evolving SSL/TLS requirements by various SSL/TLS library solutions. + + > [!TIP] + > Periodically review the requirements of your chosen SSL/TLS library to ensure your infrastructure and certificates remain supported and in compliance to recent changes for that library, and reissue Tunnel client certificates when necessary to stay current with your solutions evolving requirements. - **TLS version**: By default, connections between Microsoft Tunnel clients and servers use TLS 1.3. When TLS 1.3 isn't available, the connection can fall back to use TLS 1.2. 
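Review bot: The new bullet `Configure the Tunnel clients certificate with a key that is 2048-bits or larger` does not say which key algorithm the 2048-bit floor applies to; that figure is an RSA key size and is not meaningful for ECDSA keys, so readers issuing EC certificates get no guidance from it. If RSA is what the requirement is about, `Configure the Tunnel client certificate with an RSA key of 2048 bits or larger` states it precisely (and fixes the possessive "clients"); if EC keys are also supported, name the equivalent EC requirement rather than leaving readers to guess. In the added TIP, `solutions evolving requirements` should read `solution's evolving requirements`. The enclosing TLS certificate bullet list starts before this hunk.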
@@ -204,6 +210,24 @@ Podman uses the file **/etc/cni/net.d as 87-podman-bridge.conflist** to configur
 For more information, see [Configuring container networking with Podman](https://www.redhat.com/sysadmin/container-networking-podman) in the Red Hat documentation.
+### Linux system auditing
+
+Linux system auditing can help identify security-relevant information or security violations on a Linux server that hosts Microsoft Tunnel. Linux system auditing is recommended for Microsoft Tunnel, but not required. To use system auditing, a Linux server must have the **auditd** package installed to `/etc/audit/auditd.conf`.
+
+Details on how to implement auditing depend on the Linux platform you use:
+
+- **Red Hat**: Versions of Red Had Enterprise Linux 7 and later install the *auditd* package by default. However, if the package isn't installed, you can use the following command line on the Linux server to install it: `sudo dnf install audit audispd-plugins`
+
+ Typically, the *auditd* package is available from the default repository of each REHL version.
+
+ For more information about using system auditing on RHEL, see [Configure Linux system auditing with auditd](https://www.redhat.com/blog/configure-linux-auditing-auditd) in the Red Hat Blog.
+
+- **Ubuntu**: To use system auditing with Ubuntu you must manually install the *auditd* package. To do so, use the following command line on the Linux server: `sudo apt install auditd audispd-plugins`
+
+ Typically, the *auditd* package is available from the default repository of each Ubuntu version.
+
+ For more information about using system auditing on Ubuntu, see [How to setup and Install Auditd on Ubuntu](https://dev.to/ajaykdl/how-to-setup-auditd-on-ubuntu-jfk), an article that is available on the dev.to website that was originally published at kubefront.com.
+
 ## Network
 - **Enable packet forwarding for IPv4**: Each Linux server that hosts the Tunnel server software must have IP forwarding for IPv4 enabled.
 To check on the status of IP forwarding, on the server run one of the following generic commands as *root* or *sudo*. Both commands return a value of **0** for *disabled* and a value of **1** for *enabled*:
@@ -257,14 +281,14 @@ When creating the Server configuration for the tunnel, you can specify a differe
 **More requirements**:
-- To access the security token service and Azure storage for logs, provide access to the following FQDNs:
-
- - Security Token Service: `*.sts.windows.net`
- - Azure storage for tunnel logs: `*.blob.core.windows.net`
- - Other storage endpoint urls: `*.blob.storage.azure.net`
-
-- The Tunnel shares the same requirements as [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), with the addition of port TCP 22, and graph.microsoft.com.
+To access the security token service and Azure storage for logs, provide access to the following FQDNs:
+- Security Token Service: `*.sts.windows.net`
+- Azure storage for tunnel logs: `*.blob.core.windows.net`
+- Other storage endpoint urls: `*.blob.storage.azure.net`
+- Microsoft Intune: `*.manage.microsoft.com`
+- Microsoft authentication: `login.microsoftonline.com`
+- Microsoft Graph: `graph.microsoft.com`
 - Configure firewall rules to support the configurations detailed in [Microsoft Artifact Registry (MAR) Client Firewall Rules Configuration](https://github.com/microsoft/containerregistry/blob/main/docs/client-firewall-rules.md).
 ## Proxy
@@ -486,7 +510,7 @@ To use the readiness tool:
 2. To validate your network and Linux configuration, run the script with the following commands. These commands set the run permissions for the script, validate the Tunnel can connect to the correct endpoints, and then check for the presence of utilities that Tunnel uses:
- - `sudo chmod +x ./mst-readiness`
+ - `sudo ./mst-readiness`
 - `sudo ./mst-readiness network`
 - This command runs the following actions and then reports success or error for both:
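Review bot: The sentence "must have the **auditd** package installed to /etc/audit/auditd.conf" in the new Linux system auditing section misstates the relationship: auditd.conf is the daemon's configuration file, not a location the package is installed to, so it should read `must have the **auditd** package installed; the daemon is configured in /etc/audit/auditd.conf`. The Red Hat bullet has two misspellings, `Red Had Enterprise Linux` and `each REHL version`. That bullet also pairs "Red Hat Enterprise Linux 7 and later" with a `dnf` command, but RHEL 7 ships `yum` rather than `dnf` by default, so either scope the command to RHEL 8 and later or mention the yum equivalent. Since the section recommends auditing for security visibility, one line saying the service must also be enabled and running after installation would make it actionable; the exact service-management step depends on the platform, so confirm it before adding.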
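Review bot: The rewritten FQDN list drops, without replacement, the removed bullet's pointer to [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md) and its statement that Tunnel additionally needs TCP port 22; the three new entries (`*.manage.microsoft.com`, `login.microsoftonline.com`, `graph.microsoft.com`) are narrower than the linked endpoint list, and the port-22 requirement now appears nowhere in this hunk. Unless the port requirement was intentionally retired, keep a line such as `- The Tunnel shares the same requirements as [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), with the addition of port TCP 22.` after the list so firewall owners are not left with an incomplete allow-list.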
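Review bot: Replacing `sudo chmod +x ./mst-readiness` with `sudo ./mst-readiness` leaves step 2 contradicting its own lead-in, which still says these commands "set the run permissions for the script"; the new first bullet sets no permissions and runs the tool with no subcommand, and on a freshly downloaded file it can fail with a permission error before the `network` check is reached. If the chmod step is no longer needed, update the lead-in sentence to match; otherwise restore the `sudo chmod +x ./mst-readiness` bullet as the first command. The remaining bullets of step 2 continue outside the hunk.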
diff --git a/memdocs/intune/protect/microsoft-tunnel-upgrade.md b/memdocs/intune/protect/microsoft-tunnel-upgrade.md
index 8dcd28b8398..a0e1dd50474 100644
--- a/memdocs/intune/protect/microsoft-tunnel-upgrade.md
+++ b/memdocs/intune/protect/microsoft-tunnel-upgrade.md
@@ -129,6 +129,47 @@ The Microsoft Tunnel version for a server isn’t available in the Intune UI at
 >
 > Container releases take place in stages. If you notice that your container images are not the most recent, please be assured that they will be updated and delivered within the following week.
+
+### October 2, 2024
+
+Image hash values:
+
+- **agentImageDigest**: sha256:7921c2e97217fa17de4ab69396d943e4975d323417b8b813211e2f8b639f64e1
+
+- **serverImageDigest**: sha256:0efab5013351bcd81f186973e75ed5d9f91bbe6271e3be481721500f946fc9ec
+
+Changes in this release:
+-Upgrade from .NET 6 to .NET 8
+- Upgrade ocserv to version 1.3.0
+- Fix rootless container bug in installer
+
+### September 12, 2024
+
+Image hash values:
+
+- **agentImageDigest**: sha256:17158c73750ff2c7157e979c2f4ff4e175318730c16aa8d0ee6526a969c37c59
+
+- **serverImageDigest**: sha256:6484d311d1bd6cbe55d71306595715bafa6a20a000be6fd6f9e530716cef6c16
+
+Changes in this release:
+- Add diagnostic tools for host troubleshooting
+- Upgrade Azure Linux image to 2.0.20240829
+
+
+### August 12, 2024
+
+Image hash values:
+
+- **agentImageDigest**: sha256:4d16b1f458c69c3423626906b0b577cb42c8d22f4240205299355c6217e08a6b
+
+- **serverImageDigest**: sha256:66559e142d489491ca8f090b50f4a444a3394f850a5ec09fb9f3e6f986d93c46
+
+Changes in this release:
+- Support customizing container registry during installation
+- Support customizing container creation options during installation
+- Security updates on the base image
+
+
 ### June 20, 2024
 Image hash values:
diff --git a/memdocs/intune/protect/mobile-threat-defense.md b/memdocs/intune/protect/mobile-threat-defense.md
index bcfbcf3977c..263e4c7410c 100644
--- a/memdocs/intune/protect/mobile-threat-defense.md
+++ b/memdocs/intune/protect/mobile-threat-defense.md
@@ -130,18 +130,18 @@ Access is granted when the device is remediated:
                        Learn how to protect access to company resource based on device, network, and application risk with: -- [Better Mobile](better-mobile-threat-defense-connector.md) -- [BlackBerry Protect Mobile](blackberry-mobile-threat-defense-connector.md) -- [Check Point Harmony Mobile](checkpoint-sandblast-mobile-mobile-threat-defense-connector.md) -- [CrowdStrike Falcon for Mobile](crowdstrike-falcon-defense-connector.md) -- [Jamf Mobile Threat Defense](jamf-mtd-connector.md) -- [Lookout for Work](lookout-mobile-threat-defense-connector.md) -- [Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) -- [Pradeo](pradeo-mobile-threat-defense-connector.md) -- [SentinelOne](Sentinelone-mobile-threat-defense-connector.md) -- [Sophos Mobile](sophos-mtd-connector.md) -- [Symantec Endpoint Protection Mobile](skycure-mobile-threat-defense-connector.md) -- [Trellix Mobile Security](trellix-mobile-threat-defense-connector.md) -- [Trend Micro Mobile Security as a Service](trend-micro-mobile-threat-defense-connector.md) -- [Windows Security Center](../apps/protect-mam-windows.md) *(Supports integration with Windows MAM)* -- [Zimperium](zimperium-mobile-threat-defense-connector.md) \ No newline at end of file +- [Better Mobile](better-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [BlackBerry Protect Mobile](blackberry-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Check Point Harmony Mobile](checkpoint-sandblast-mobile-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [CrowdStrike Falcon for Mobile](crowdstrike-falcon-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Jamf Mobile Threat Defense](jamf-mtd-connector.md) - *(Android, iOS/iPadOS)* +- [Lookout for Work](lookout-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) - *(Android, iOS/iPadOS, Windows)* +- 
[Pradeo](pradeo-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [SentinelOne](Sentinelone-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Sophos Mobile](sophos-mtd-connector.md) - *(Android, iOS/iPadOS)* +- [Symantec Endpoint Protection Mobile](skycure-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Trellix Mobile Security](trellix-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Trend Micro Mobile Security as a Service](trend-micro-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* +- [Windows Security Center](../apps/protect-mam-windows.md) - *(Windows)* - *For information about the Windows versions that support this connector, see [Data protection for Windows MAM](../apps/protect-mam-windows.md).* +- [Zimperium](zimperium-mobile-threat-defense-connector.md) - *(Android, iOS/iPadOS)* diff --git a/memdocs/intune/protect/mtd-add-apps-unenrolled-devices.md b/memdocs/intune/protect/mtd-add-apps-unenrolled-devices.md index 7f9dff51636..69e05bbab1f 100644 --- a/memdocs/intune/protect/mtd-add-apps-unenrolled-devices.md +++ b/memdocs/intune/protect/mtd-add-apps-unenrolled-devices.md @@ -8,7 +8,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 01/23/2024 +ms.date: 08/20/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -20,7 +20,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: aanavath +ms.reviewer: demerson ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
@@ -39,19 +39,7 @@ End users need the Microsoft Authenticator (iOS) to register their device, and t Optionally, you can use Intune to add and deploy the Microsoft Authenticator, and Mobile Threat Defense (MTD) apps as well. -> [!NOTE] -> This article applies to all Mobile Threat Defense partners that support app protection policies: -> -> - Microsoft Defender for Endpoint (Android, iOS/iPadOS) -> - Better Mobile (Android, iOS/iPadOS) -> - BlackBerry Mobile (CylancePROTECT for Android, iOS/iPadOS) -> - Check Point Harmony Mobile (Android, iOS/iPadOS) -> - Jamf (Android, iOS/iPadOS) -> - Lookout for Work (Android, iOS/iPadOS) -> - SentinelOne (Android, iOS/iPadOS) -> - Symantec Endpoint Security (Android, iOS/iPadOS) -> - Trellix Mobile Security (Android, iOS/iPadOS) -> - Zimperium (Android, iOS/iPadOS) +[!INCLUDE [mtd-mam-note](../../intune/protect/includes/mtd-mam-note.md)] > > For unenrolled devices, you **do not need an iOS app configuration policy** that sets up the Mobile Threat Defense for iOS app you use with Intune. This is a key difference compared to Intune enrolled devices. @@ -142,21 +130,6 @@ However, should you wish to make the app available to end users via the Intune C - **iOS** - See the instructions for [adding iOS store apps to Microsoft Intune](../apps/store-apps-ios.md). Use this [Zimperium - App Store URL](https://itunes.apple.com/us/app/zimperium-zips/id1030924459?mt=8) when completing the **Configure app information** section. - - - - - ## Next steps - [Enable the Mobile Threat Defense connector in Intune for unenrolled devices](mtd-enable-unenrolled-devices.md) diff --git a/memdocs/intune/protect/mtd-app-protection-policy.md b/memdocs/intune/protect/mtd-app-protection-policy.md index 649eaab817b..af25f09e869 100644 --- a/memdocs/intune/protect/mtd-app-protection-policy.md +++ b/memdocs/intune/protect/mtd-app-protection-policy.md 
@@ -8,7 +8,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 01/23/2024 +ms.date: 08/20/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -20,7 +20,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: aanavath +ms.reviewer: demerson ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -35,21 +35,8 @@ ms.collection: Intune with Mobile Threat Defense (MTD) helps you detect threats and assess risk on mobile and Windows devices. You can create an Intune app protection policy that assesses risk to determine if the application is allowed to access corporate data or not. -> [!NOTE] -> This article applies to all Mobile Threat Defense partners that support app protection policies: -> -> - Better Mobile (Android, iOS/iPadOS) -> - BlackBerry Mobile (Android, iOS/iPadOS) -> - Check Point Harmony Mobile (Android, iOS/iPadOS) -> - Jamf (Android, iOS/iPadOS) -> - Microsoft Defender for Endpoint (Android, iOS/iPadOS) -> - Lookout for Work (Android, iOS/iPadOS) -> - Trellix Mobile Security (Android, iOS/iPadOS) -> - SentinelOne (Android, iOS/iPadOS) -> - Symantec Endpoint Security (Android, iOS/iPadOS) -> - Windows Security Center (Windows) -> - Zimperium (Android, iOS/iPadOS) - +[!INCLUDE [mtd-mam-note](../../intune/protect/includes/mtd-mam-note.md)] + ## Before you begin As part of the MTD setup, in the MTD partner console, you created a policy that classifies various threats as high, medium, and low. You now need to set the Mobile Threat Defense level in the Intune app protection policy. diff --git a/memdocs/intune/protect/mtd-apps-ios-app-configuration-policy-add-assign.md b/memdocs/intune/protect/mtd-apps-ios-app-configuration-policy-add-assign.md index de94afb7430..760eeaf4080 100644 --- a/memdocs/intune/protect/mtd-apps-ios-app-configuration-policy-add-assign.md +++ b/memdocs/intune/protect/mtd-apps-ios-app-configuration-policy-add-assign.md 
@@ -176,7 +176,7 @@ Use the same Microsoft Entra account previously configured in the [Symantec Endp
 ### Sophos Mobile app configuration policy
-Create the iOS app configuration policy as described in the [using iOS app configuration policy](../apps/app-configuration-policies-use-ios.md) article. For more information, see [Sophos Intercept X for Mobile iOS - Available managed settings](https://support.sophos.com/support/s/article/KB-000038801) in the Sophos knowledge base.
+Create the iOS app configuration policy as described in the [using iOS app configuration policy](../apps/app-configuration-policies-use-ios.md) article. For more information, see [Sophos Intercept X for Mobile iOS - Available managed settings](https://support.sophos.com/support/s/article/KBA-000006738) in the Sophos knowledge base.
 ### Trellix Mobile Security app configuration policy
diff --git a/memdocs/intune/protect/mtd-device-compliance-policy-create.md b/memdocs/intune/protect/mtd-device-compliance-policy-create.md
index b01e390470e..4c8087e5834 100644
--- a/memdocs/intune/protect/mtd-device-compliance-policy-create.md
+++ b/memdocs/intune/protect/mtd-device-compliance-policy-create.md
@@ -1,14 +1,14 @@
 ---
 # required metadata
-title: Create a Mobile Threat Defense (MTD) device compliance policy with Microsoft Intune
+title: Create Mobile Threat Defense compliance policies in Intune
 titleSuffix: Microsoft Intune
 description: Create an Intune device compliance policy that uses your MTD partner threat levels to determine if a mobile device can access company resources.
 keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 08/22/2024
+ms.date: 09/30/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -94,6 +94,6 @@ Your Mobile Threat Defense partner can send a risk score for each device for whi
 >
 > Conditional Access policies for Microsoft 365 or other services also evaluate device compliance results, which include the threat-level configuration. Any noncompliant device can be blocked from accessing corporate resources until that devices threat-level is remediated to bring the device into compliance with your policies and that status is successfully reported to Intune via the MTD vendor.
-## Next steps
+## Related content
-[Enable MTD with Intune](mtd-connector-enable.md)
+[Enable a Mobile Threat Defense connector](mtd-connector-enable.md)
diff --git a/memdocs/intune/protect/mtd-enable-unenrolled-devices.md b/memdocs/intune/protect/mtd-enable-unenrolled-devices.md
index 8b8cc2be3a2..4348ba1e34f 100644
--- a/memdocs/intune/protect/mtd-enable-unenrolled-devices.md
+++ b/memdocs/intune/protect/mtd-enable-unenrolled-devices.md
@@ -8,7 +8,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 07/09/2024
+ms.date: 08/20/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -20,7 +20,7 @@ ms.assetid:
 #ROBOTS:
 #audience:
-ms.reviewer: aanavath
+ms.reviewer: demerson
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -35,18 +35,7 @@ ms.collection:
 During Mobile Threat Defense (MTD) setup, you've configured a policy for classifying threats in your Mobile Threat Defense partner console and you've created the app protection policy in Intune. If you've already configured the Intune connector in the MTD partner console, you can now enable the MTD connection for MTD partner applications.
-> [!NOTE]
-> This article applies to all Mobile Threat Defense partners that support app protection policies:
->
-> - BlackBerry Mobile (Android, iOS/iPadOS)
-> - Better Mobile (Android,iOS/iPadOS)
-> - Check Point Harmony Mobile Protect (Android, iOS/iPadOS)
-> - Jamf (Android, iOS/iPadOS)
-> - Lookout for Work (Android, iOS/iPadOS)
-> - SentinelOne (Android,iOS/iPadOS)
-> - Symantec Endpoint Security (Android, iOS/iPadOS)
-> - Trellix Mobile Security (Android,iOS/iPadOS)
-> - Zimperium (Android,iOS/iPadOS)
+[!INCLUDE [mtd-mam-note](../../intune/protect/includes/mtd-mam-note.md)]
 ## Classic conditional access policies for Mobile Threat Defense (MTD) apps
diff --git a/memdocs/intune/protect/reusable-settings-groups.md b/memdocs/intune/protect/reusable-settings-groups.md
index ad90f4b98ec..977838ef69c 100644
--- a/memdocs/intune/protect/reusable-settings-groups.md
+++ b/memdocs/intune/protect/reusable-settings-groups.md
@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 08/19/2024
+ms.date: 09/18/2024
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -116,6 +116,10 @@ When you edit the configuration of a reusable group, each profile that uses that Add reusable settings groups to profiles while editing or creating the profile. On the profiles Configuration settings page, use an option that supports adding one or more previously created groups. +> [!NOTE] +> +> Inbound FQDN rules aren’t natively supported. However, it’s possible to use *pre-hydration* scripts to generate inbound IP entries for the rule. For more information, see [Windows Firewall dynamic keywords](/windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords) in the Windows Firewall documentation. + 1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), create a new profile or select and edit an existing profile. 2. On the *Configuration settings* page, select **Add** to add a new rule, or **Edit rule** to manage a previously created rule. diff --git a/memdocs/intune/protect/security-baseline-settings-defender.md b/memdocs/intune/protect/security-baseline-settings-defender.md index 96e14b68150..63c246d31b5 100644 --- a/memdocs/intune/protect/security-baseline-settings-defender.md +++ b/memdocs/intune/protect/security-baseline-settings-defender.md @@ -7,7 +7,7 @@ description: View the settings in the Microsoft Intune security baseline for Mic author: brenduns ms.author: brenduns manager: dougeby -ms.date: 07/01/2024 +ms.date: 09/10/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -86,12 +86,12 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-deviceinstallation?WT.mc_id=Portal-fx#preventinstallationofmatchingdevicesetupclasses) + - **Prevented Classes** + Baseline default: *d48179be-ec20-11d1-b6b8-00c04fa372a7* + - **Also apply to matching devices that are already installed.** Baseline default: *False* - - **Prevented Classes** - Baseline default: *d48179be-ec20-11d1-b6b8-00c04fa372a7* - ### Windows Components > BitLocker Drive Encryption - **Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)** @@ -161,22 +161,22 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Omit recovery options from the BitLocker setup wizard** Baseline default: *True* + - **Allow data recovery agent** + Baseline default: *True* + Value: *Allow 256-bit recovery key* - - **Save BitLocker recovery information to AD DS for operating system drives** - Baseline default: *True* + - **Configure storage of BitLocker recovery information to AD DS:** + Baseline default: *Store recovery passwords and key packages* - **Do not enable BitLocker until recovery information is stored to AD DS for operating system drives** Baseline default: *True* - - **Configure user storage of BitLocker recovery information:** - Baseline default: *Allow 48-digit recovery password* - - - **Allow data recovery agent** + - **Save BitLocker recovery information to AD DS for operating system drives** Baseline default: *True* - - **Configure storage of BitLocker recovery information to AD DS:** - Baseline default: *Store recovery passwords and key packages* + - **Configure user storage of BitLocker recovery information:** + Baseline default: *Allow 48-digit recovery password* - **Enable use of BitLocker authentication requiring preboot keyboard input on slates** Baseline default: *Enabled* 
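Review bot: In the BitLocker hunk, the line `Value: *Allow 256-bit recovery key*` is added directly under `Allow data recovery agent`, whose documented default on the same lines is the boolean `True`; a recovery-key size reads like a value of the separate `Configure user storage of BitLocker recovery information` setting, whose default is given a few lines further down as `Allow 48-digit recovery password`. Please confirm against the baseline export which setting the 256-bit recovery key value belongs to, and move the line under that setting or drop it. The remaining changes in the hunk are a reorder of the AD DS recovery-storage bullets and look fine.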
@@ -196,12 +196,12 @@ This baseline is optimized for physical devices and isn't recommended for use on
 - **Configure TPM startup key and PIN:**
 Baseline default: *Do not allow startup key and PIN with TPM*
- - **Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)**
- Baseline default: *False*
-
 - **Configure TPM startup:**
 Baseline default: *Allow TPM*
+ - **Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)**
+ Baseline default: *False*
+
 - **Configure TPM startup PIN:**
 Baseline default: *Allow startup PIN with TPM*
@@ -340,40 +340,40 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block JavaScript or VBScript from launching downloaded executable content** + - **Block Adobe Reader from creating child processes** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block Webshell creation for Servers** + - **Block credential stealing from the Windows local security authority subsystem** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block untrusted and unsigned processes that run from USB** + - **Block JavaScript or VBScript from launching downloaded executable content** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block Adobe Reader from creating child processes** + - **Block Webshell creation for Servers** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block credential stealing from the Windows local security authority subsystem** + - **Block untrusted and unsigned processes that run from USB** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block abuse of exploited vulnerable signed drivers (Device)** - Baseline default: *Block* + - **Block persistence through WMI event subscription** + Baseline default: *Audit* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block persistence through WMI event subscription** + - **[PREVIEW] 
Block use of copied or impersonated system tools** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **[PREVIEW] Block use of copied or impersonated system tools** + - **Block abuse of exploited vulnerable signed drivers (Device)** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - **Block process creations originating from PSExec and WMI commands** - Baseline default: *Block* + Baseline default: *Audit* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - **Block Office applications from creating executable content** 
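Review bot: Two attack surface reduction rules change their documented default from `Block` to `Audit` — `Block persistence through WMI event subscription` and `Block process creations originating from PSExec and WMI commands` — but nothing in the hunk records which baseline version introduced the less restrictive default, so a reader comparing a tenant's deployed baseline against this page cannot tell whether the difference is local drift or a baseline change. Because `Audit` only logs and does not enforce, this is a material change in what the baseline protects against, and a short note on each affected bullet such as `Baseline default: *Audit* (changed from *Block* in <baseline version>)` — with the real version filled in — would make it visible; the rest of the hunk is a reorder of unchanged rules. The last bullet, `Block Office applications from creating executable content`, continues outside the hunk.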
@@ -490,29 +490,29 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofileenablefirewall) - - **Disable Stealth Mode Ipsec Secured Packet Exemption** + - **Allow Local Ipsec Policy Merge** Baseline default: *True* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisablestealthmodeipsecsecuredpacketexemption) + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofileallowlocalipsecpolicymerge) - **Disable Stealth Mode** Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisablestealthmode) - - **Allow Local Ipsec Policy Merge** - Baseline default: *True* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofileallowlocalipsecpolicymerge) - - **Disable Inbound Notifications** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisableinboundnotifications) + - **Disable Unicast Responses To Multicast Broadcast** + Baseline default: *False* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisableunicastresponsestomulticastbroadcast) + - **Global Ports Allow User Pref Merge** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofileglobalportsallowuserprefmerge) - - **Disable Unicast Responses To Multicast Broadcast** - Baseline default: *False* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisableunicastresponsestomulticastbroadcast) + - **Disable Stealth Mode Ipsec Secured Packet Exemption** + Baseline default: *True* + [Learn 
more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisablestealthmodeipsecsecuredpacketexemption) - **Allow Local Policy Merge** Baseline default: *True* @@ -520,6 +520,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Enable Packet Queue** Baseline default: *Configured* + Value: *Disabled* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreglobalenablepacketqueue) - **Enable Private Network Firewall** @@ -527,7 +528,7 @@ This baseline is optimized for physical devices and isn't recommended for use on [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofileenablefirewall) - **Default Inbound Action for Private Profile** - Baseline default: *True* + Baseline default: *Block* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledefaultinboundaction) - **Disable Unicast Responses To Multicast Broadcast** @@ -550,6 +551,10 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledisablestealthmodeipsecsecuredpacketexemption) + - **Disable Inbound Notifications** + Baseline default: *True* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledisableinboundnotifications) + - **Allow Local Policy Merge** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofileallowlocalpolicymerge) 
@@ -562,10 +567,6 @@ This baseline is optimized for physical devices and isn't recommended for use on
 Baseline default: *True*
 [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofileauthappsallowuserprefmerge)
- - **Disable Inbound Notifications**
- Baseline default: *True*
- [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledisableinboundnotifications)
-
 - **Enable Public Network Firewall**
 Baseline default: *True*
 [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileenablefirewall)
@@ -586,30 +587,30 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledisablestealthmodeipsecsecuredpacketexemption) - - **Default Inbound Action for Public Profile** - Baseline default: *Block* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledefaultinboundaction) - - - **Global Ports Allow User Pref Merge** - Baseline default: *True* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileglobalportsallowuserprefmerge) - - **Allow Local Policy Merge** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalpolicymerge) - - **Allow Local Ipsec Policy Merge** - Baseline default: *True* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) - - **Auth Apps Allow User Pref Merge** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileauthappsallowuserprefmerge) + - **Default Inbound Action for Public Profile** + Baseline default: *Block* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledefaultinboundaction) + - **Disable Unicast Responses To Multicast Broadcast** Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledisableunicastresponsestomulticastbroadcast) + - **Global Ports Allow User Pref Merge** + Baseline default: *True* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileglobalportsallowuserprefmerge) + + - **Allow Local Ipsec Policy Merge** + Baseline default: *True* + [Learn 
more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) + - **Preshared Key Encoding** Baseline default: *UTF8* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreglobalpresharedkeyencoding)
diff --git a/memdocs/intune/protect/security-baseline-settings-mdm-all.md b/memdocs/intune/protect/security-baseline-settings-mdm-all.md
index 21d98b083a9..31c02051079 100644
--- a/memdocs/intune/protect/security-baseline-settings-mdm-all.md
+++ b/memdocs/intune/protect/security-baseline-settings-mdm-all.md
@@ -110,7 +110,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-msslegacy?WT.mc_id=Portal-fx#ipsourceroutingprotectionlevel) - **DisableIPSourceRouting (Device)** - Baseline default: *Enabled* *Highest protection, source routing is completely disabled* + Baseline default: *Highest protection, source routing is completely disabled* - **MSS: (EnableCMPRedirect) Allow ICMP redirects to override OSPF generated routes** Baseline default: *Disabled* 
@@ -1698,87 +1698,87 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Access From Network** Baseline default: *Configured* - Values: *Administrators*, *Remote Desktop Users* + Values: *Administrators* (*S-1-5-32-544), *Remote Desktop Users* (*S-1-5-32-555) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#accessfromnetwork) - **Allow Local Log On** Baseline default: *Configured* - Values: *Administrators*, *Users* + Values: *Administrators* (*S-1-5-32-544), *Users* (*S-1-5-32-545) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#allowlocallogon) - **Backup Files And Directories** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#backupfilesanddirectories) - **Create Global Objects** Baseline default: *Configured* - Values: *Administrators*, *LOCAL SERVICE*, *NETWORK SERVICE*, *SERVICE* + Values: *Administrators* (*S-1-5-32-544), *Local Service* (*S-1-5-19), *Network Service* (*S-1-5-20), *Service* (*S-1-5-6) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#createglobalobjects) - **Create Page File** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#createpagefile) - **Debug Programs** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#debugprograms) - **Deny Access From Network** Baseline default: *Configured* - Value: *NT AUTHORITY\Local Account* + Value: *NT AUTHORITY\Local Account* (*S-1-5-113) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#denyaccessfromnetwork) - **Deny Remote Desktop 
Services Log On** Baseline default: *Configured* - Value: *NT AUTHORITY\Local Account* + Value: *NT AUTHORITY\Local Account* (*S-1-5-113) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#denyremotedesktopserviceslogon) - **Impersonate Client** Baseline default: *Configured* - Values: *Administrators*, *SERVICE*, *Local Service*, *Network Service* + Values: *Administrators* (*S-1-5-32-544), *Service* (*S-1-5-6), *Local Service* (*S-1-5-19), *Network Service* (*S-1-5-20) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#impersonateclient) - **Load Unload Device Drivers** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#loadunloaddevicedrivers) - **Manage Auditing And Security Log** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#manageauditingandsecuritylog) - **Manage Volume** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#managevolume) - **Modify Firmware Environment** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#modifyfirmwareenvironment) - **Profile Single Process** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#profilesingleprocess) - **Remote Shutdown** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn 
more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#remoteshutdown) - **Restore Files And Directories** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#restorefilesanddirectories) - **Take Ownership** Baseline default: *Configured* - Value: *Administrators* + Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#takeownership) ## Virtualization Based Technology
diff --git a/memdocs/intune/protect/security-baseline-settings-windows-365.md b/memdocs/intune/protect/security-baseline-settings-windows-365.md
index 790d37d095c..d1527ba5f08 100644
--- a/memdocs/intune/protect/security-baseline-settings-windows-365.md
+++ b/memdocs/intune/protect/security-baseline-settings-windows-365.md
@@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 07/19/2024
+ms.date: 09/10/2024
 ms.topic: reference
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -174,10 +174,11 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-deviceinstallation?WT.mc_id=Portal-fx#preventinstallationofmatchingdevicesetupclasses) + - **Prevented Classes** + Baseline default: *{d48179be-ec20-11d1-b6b8-00c04fa372a7}* + - **Also apply to matching devices that are already installed** Baseline default: *True* - - **Prevented Classes** - Baseline default: *{d48179be-ec20-11d1-b6b8-00c04fa372a7}* ### System > Early Launch Antimalware 
@@ -200,7 +201,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W ### System > Internet Communication Management > Internet Communication settings -- **Turn off downloading of print drivers** +- **Turn off downloading of print drivers over HTTP** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#disabledownloadingofprintdriversoverhttp)
@@ -208,24 +209,6 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#disableinternetdownloadforwebpublishingandonlineorderingwizards) -### System > Power Management > Sleep Settings - -- **Allow standby states (S1-S3) when sleeping (on battery)** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-power?WT.mc_id=Portal-fx#allowstandbystateswhensleepingonbattery) - -- **Allow standby states (S1-S3) when sleeping (plugged in)** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-power?WT.mc_id=Portal-fx#allowstandbywhensleepingpluggedin) - -- **Require a password when a computer wakes (on battery)** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-power?WT.mc_id=Portal-fx#requirepasswordwhencomputerwakesonbattery) - -- **Require a password when a computer wakes (plugged in)** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-power?WT.mc_id=Portal-fx#requirepasswordwhencomputerwakespluggedin) - ### System > Remote Assistance - **Configure Solicited Remote Assistance** 
@@ -264,28 +247,6 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Turn off Autoplay on:** Baseline default: *All drives* -### Windows Components > BitLocker Drive Encryption > Fixed Data Drives - -> [!NOTE] -> -> The default configuration of the following setting will apply to all managed Windows 365 PCs as Windows 365 PC’s do no support use of BitLocker as an encryption option. For more information, see [Data encryption in Windows 365](/windows-365/enterprise/encryption) in the Windows Security documentation. - -- **Deny write access to fixed drives not protected by BitLocker** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/bitlocker-csp?WT.mc_id=Portal-fx#fixeddrivesrequireencryption) - -### Windows Components > BitLocker Drive Encryption > Removable Data Drives - -> [!NOTE] -> -> The default configuration of the following setting will apply to all managed Windows 365 PCs as Windows 365 PC’s do no support use of BitLocker as an encryption option. For more information, see [Data encryption in Windows 365](/windows-365/enterprise/encryption) in the Windows Security documentation. - -- **Deny write access to removable drives not protected by BitLocker** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/bitlocker-csp?WT.mc_id=Portal-fx#removabledrivesrequireencryption) - - **Do not allow write access to devices configured in another organization** - Baseline default: *False* - ### Windows Components > Credential User Interface - **Enumerate administrator accounts on elevation** 
@@ -1222,28 +1183,6 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Success+ Failure* [Learn more](/windows/client-management/mdm/policy-csp-Audit?WT.mc_id=Portal-fx#system_auditsystemintegrity) -## Browser - -- **Allow Password Manager** - Baseline default: *Block* - [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#allowpasswordmanager) - -- **Allow Smart Screen** - Baseline default: *Allow* - [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#allowsmartscreen) - -- **Prevent Cert Error Overrides** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#preventcerterroroverrides) - -- **Prevent Smart Screen Prompt Override** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#preventsmartscreenpromptoverride) - -- **Prevent Smart Screen Prompt Override For Files** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#preventsmartscreenpromptoverrideforfiles) - ## Data Protection - **Allow Direct Memory Access** 
@@ -1283,36 +1222,47 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Allow Script Scanning** Baseline default: *Allowed.* [Learn more](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx#allowscriptscanning) + - **Block execution of potentially obfuscated scripts** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + - **Block Win32 API calls from Office macros** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + - **Block Office communication application from creating child processes** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + - **Block all Office applications from creating child processes** Baseline default: *Block* - [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block JavaScript or VBScript from launching downloaded executable content** + [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + + - **Block Adobe Reader from creating child processes** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block untrusted and unsigned processes that run from USB** + + - **Block credential stealing from the Windows local security authority subsystem** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block Adobe Reader from creating child processes** + + - **Block JavaScript or VBScript from launching downloaded executable content** Baseline default: *Block* [Learn 
more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) - - **Block credential stealing from the Windows local security authority subsystem** + + - **Block untrusted and unsigned processes that run from USB** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + - **Block Office applications from creating executable content** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + - **Block Office applications from injecting code into other processes** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx) + - **Block executable content from email client and webmail** Baseline default: *Block* [Learn more](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=Portal-fx)
@@ -1377,10 +1327,12 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Device Password Enabled** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#devicepasswordenabled) + - **Device Password History** Baseline default: *Configured* Value: *24* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#devicepasswordhistory) + - **Min Device Password Length** Baseline default: *Configured* Value: *14* 
@@ -1397,9 +1349,11 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Allow Windows Spotlight (User)** Baseline default: *Allow* [Learn more](/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-fx#allowwindowsspotlight) + - **Allow Windows Consumer Features** Baseline default: *Allow* [Learn more](/windows/client-management/mdm/policy-csp-experience?WT.mc_id=Portal-fx#allowwindowsconsumerfeatures) + - **Allow Third Party Suggestions In Windows Spotlight (User)** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-fx#allowthirdpartysuggestionsinwindowsspotlight) 
@@ -1409,74 +1363,94 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Enable Domain Network Firewall** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofileenablefirewall) - - **Enable Log Success Connections** - Baseline default: *Enable Logging Of Successful Connections* - [Learn more](/windows/client-management/mdm/Firewall-csp/?WT.mc_id=Portal-fx#mdmstoredomainprofileenablelogsuccessconnections) - - **Default Outbound Action** - Baseline default: *Allow* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledefaultoutboundaction) + - **Enable Log Dropped Packets** Baseline default: *Enable Logging Of Dropped Packets* [Learn more](/windows/client-management/mdm/Firewall-csp/?WT.mc_id=Portal-fx#mdmstoredomainprofileenablelogdroppedpackets) + + - **Default Outbound Action** + Baseline default: *Allow* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledefaultoutboundaction) + - **Disable Inbound Notifications** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledisableinboundnotifications) + - **Log Max File Size** Baseline default: *Configured* Value: *16384* [Learn more](/windows/client-management/mdm/Firewall-csp/?WT.mc_id=Portal-fx#mdmstoredomainprofilelogmaxfilesize) + - **Default Inbound Action for Domain Profile** Baseline default: *Block* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoredomainprofiledefaultinboundaction) + - **Enable Log Success Connections** + Baseline default: *Enable Logging Of Successful Connections* + [Learn more](/windows/client-management/mdm/Firewall-csp/?WT.mc_id=Portal-fx#mdmstoredomainprofileenablelogsuccessconnections) + - **Enable Private Network Firewall** Baseline default: *True* [Learn 
more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofileenablefirewall) + - **Log Max File Size** Baseline default: *Configured* Value: *16384* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofilelogmaxfilesize) + - **Default Inbound Action for Private Profile** Baseline default: *Block* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledefaultinboundaction) + - **Enable Log Success Connections** Baseline default: *Enable Logging Of Successful Connections* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofileenablelogsuccessconnections) + - **Enable Log Dropped Packets** Baseline default: *Enable Logging Of Dropped Packets* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofileenablelogdroppedpackets) - - **Default Outbound Action** - Baseline default: *Allow* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledefaultoutboundaction) + - **Disable Inbound Notifications** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledisableinboundnotifications) + - **Default Outbound Action** + Baseline default: *Allow* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreprivateprofiledefaultoutboundaction) + - **Enable Public Network Firewall** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileenablefirewall) + - **Enable Log Dropped Packets** Baseline default: *Enable Logging Of Dropped Packets* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileenablelogdroppedpackets) + - **Log Max File Size** Baseline default: *Configured* Value: *16384* [Learn 
more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofilelogmaxfilesize) + - **Default Outbound Action** Baseline default: *Allow* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledefaultoutboundaction) + - **Disable Inbound Notifications** Baseline default: *True* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledisableinboundnotifications) - - **Default Inbound Action for Public Profile** - Baseline default: *Block* - [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledefaultinboundaction) + - **Allow Local Policy Merge** Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalpolicymerge) + + - **Default Inbound Action for Public Profile** + Baseline default: *Block* + [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofiledefaultinboundaction) + - **Enable Log Success Connections** Baseline default: *Enable Logging Of Successful Connections* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileenablelogsuccessconnections) + - **Allow Local Ipsec Policy Merge** Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) 
@@ -1487,94 +1461,6 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-LanmanWorkstation?WT.mc_id=Portal-fx#enableinsecureguestlogons) -## Local Policies Security Options - -- **Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly) - -- **Interactive Logon Machine Inactivity Limit** - Baseline default: *Configured* - Value: *900* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#interactivelogon_machineinactivitylimit) - -- **Interactive Logon Smart Card Removal Behavior** - Baseline default: *Lock Workstation* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#interactivelogon_smartcardremovalbehavior) - -- **Microsoft Network Client Digitally Sign Communications Always** - Baseline default: *Enable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#microsoftnetworkclient_digitallysigncommunicationsalways) - -- **Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers** - Baseline default: *Disable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers) - -- **Microsoft Network Server Digitally Sign Communications Always** - Baseline default: *Enable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#microsoftnetworkserver_digitallysigncommunicationsalways) - -- **Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts** - Baseline default: *Enabled* - [Learn 
more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess_donotallowanonymousenumerationofsamaccounts) - -- **Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess_donotallowanonymousenumerationofsamaccountsandshares) - -- **Network Access Restrict Anonymous Access To Named Pipes And Shares** - Baseline default *Enable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess-restrictanonymousaccesstonamedpipesandshares) - -- **Network Access Restrict Clients Allowed To Make Remote Calls To SAM** - Baseline default: *Configured* - Value: *O:BAG:BAD:(A;;RC;;;BA)* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess_restrictclientsallowedtomakeremotecallstosam) - -- **Network Security Do Not Store LAN Manager Hash Value On Next Password Change** - Baseline default: *Enable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_donotstorelanmanagerhashvalueonnextpasswordchange) - -- **Network Security LAN Manager Authentication Level** - Baseline default: *Send LM and NTLMv2 responses only. 
Refuse LM and NTLM* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_lanmanagerauthenticationlevel) - -- **Network Security Minimum Session Security For NTLMSSP Based Clients** - Baseline default: *Require NTLM and 128-bit encryption* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_minimumsessionsecurityforntlmsspbasedclients) - -- **Network Security Minimum Session Security For NTLMSSP Based Servers** - Baseline default: *Require NTLM and 128-bit encryption* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_minimumsessionsecurityforntlmsspbasedservers) - -- **User Account Control Behavior Of The Elevation Prompt For Administrators** - Baseline default: *Prompt for consent on the secure desktop* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_behavioroftheelevationpromptforadministrators) - -- **User Account Control Behavior Of The Elevation Prompt For Standard Users** - Baseline default: *Automatically deny elevation requests* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_behavioroftheelevationpromptforstandardusers) - -- **User Account Control Detect Application Installations And Prompt For Elevation** - Baseline default: *Enable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol-detectapplicationinstallationsandpromptforelevation) - -- **User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations** - Baseline default: *Enabled: Application runs with UIAccess integrity only if it resides in secure location.* - [Learn 
more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations) - -- **User Account Control Run All Administrators In Admin Approval Mode** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_runalladministratorsinadminapprovalmode) - -- **User Account Control Use Admin Approval Mode** - Baseline default: *Enable* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_useadminapprovalmode) - -- **User Account Control Virtualize File And Registry Write Failures To Per User Locations** - Baseline default: *Enabled* - [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations) - ## Local Security Authority - **Configure Lsa Protected Process**
@@ -1607,11 +1493,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Minimum TLS version enabled** Baseline default: *Enabled* + - **Minimum TLS version enabled (Device)** Baseline default: *TlS 1.2* - **Minimum TLS version enabled (User)** Baseline default: *Enabled* + - **Minimum TLS version enabled (User)** Baseline default: *TLS 1.2* 
@@ -1659,30 +1547,6 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Service Enabled** Baseline default: *Enabled* -## System Services - -- **Configure Xbox Accessory Management Service Startup Mode** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-SystemServices?WT.mc_id=Portal-fx#configurexboxaccessorymanagementservicestartupmode) - -- **Configure Xbox Live Auth Manager Service Startup Mode** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-SystemServices?WT.mc_id=Portal-fx#configurexboxliveauthmanagerservicestartupmode) - -- **Configure Xbox Live Game Save Service Startup Mode** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-SystemServices?WT.mc_id=Portal-fx#configurexboxlivegamesaveservicestartupmode) - -- **Configure Xbox Live Networking Service Startup Mode** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-SystemServices?WT.mc_id=Portal-fx#configurexboxlivenetworkingservicestartupmode) - -## Task Scheduler - -- **Enable Xbox Game Save Task** - Baseline default: *Disabled* - [Learn more](/windows/client-management/mdm/policy-csp-TaskScheduler?WT.mc_id=Portal-fx#enablexboxgamesavetask) - ## User Rights - **Access From Network** 
@@ -1801,22 +1665,99 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity) -## Wi-Fi Settings - -- **Allow Auto Connect To Wi Fi Sense Hotspots** - Baseline default: *Block* - [Learn more](/windows/client-management/mdm/policy-csp-wifi?WT.mc_id=Portal-fx#allowautoconnecttowifisensehotspots) - -- **Allow Internet Sharing** - Baseline default: *Block* - [Learn more](/windows/client-management/mdm/policy-csp-wifi?WT.mc_id=Portal-fx#allowinternetsharing) - ## Windows Ink Workspace - **Allow Windows Ink Workspace** Baseline default: *Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.* [Learn more](/windows/client-management/mdm/policy-csp-WindowsInkWorkspace?WT.mc_id=Portal-fx#allowwindowsinkworkspace) +## Local Policies Security Options + +- **Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only** + Baseline default: *Enabled* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly) + +- **Interactive Logon Machine Inactivity Limit** + Baseline default: *Configured* + Value: *900* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#interactivelogon_machineinactivitylimit) + +- **Interactive Logon Smart Card Removal Behavior** + Baseline default: *Lock Workstation* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#interactivelogon_smartcardremovalbehavior) + +- **Microsoft Network Client Digitally Sign Communications Always** + Baseline default: *Enable* + [Learn 
more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#microsoftnetworkclient_digitallysigncommunicationsalways) + +- **Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers** + Baseline default: *Disable* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers) + +- **Microsoft Network Server Digitally Sign Communications Always** + Baseline default: *Enable* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#microsoftnetworkserver_digitallysigncommunicationsalways) + +- **Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts** + Baseline default: *Enabled* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess_donotallowanonymousenumerationofsamaccounts) + +- **Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares** + Baseline default: *Enabled* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess_donotallowanonymousenumerationofsamaccountsandshares) + +- **Network Access Restrict Anonymous Access To Named Pipes And Shares** + Baseline default *Enable* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess-restrictanonymousaccesstonamedpipesandshares) + +- **Network Access Restrict Clients Allowed To Make Remote Calls To SAM** + Baseline default: *Configured* + Value: *O:BAG:BAD:(A;;RC;;;BA)* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networkaccess_restrictclientsallowedtomakeremotecallstosam) + +- **Network Security Do Not Store LAN Manager Hash Value On Next Password Change** + Baseline default: *Enable* + [Learn 
more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_donotstorelanmanagerhashvalueonnextpasswordchange) + +- **Network Security LAN Manager Authentication Level** + Baseline default: *Send LM and NTLMv2 responses only. Refuse LM and NTLM* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_lanmanagerauthenticationlevel) + +- **Network Security Minimum Session Security For NTLMSSP Based Clients** + Baseline default: *Require NTLM and 128-bit encryption* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_minimumsessionsecurityforntlmsspbasedclients) + +- **Network Security Minimum Session Security For NTLMSSP Based Servers** + Baseline default: *Require NTLM and 128-bit encryption* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#networksecurity_minimumsessionsecurityforntlmsspbasedservers) + +- **User Account Control Behavior Of The Elevation Prompt For Administrators** + Baseline default: *Prompt for consent on the secure desktop* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_behavioroftheelevationpromptforadministrators) + +- **User Account Control Behavior Of The Elevation Prompt For Standard Users** + Baseline default: *Automatically deny elevation requests* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_behavioroftheelevationpromptforstandardusers) + +- **User Account Control Detect Application Installations And Prompt For Elevation** + Baseline default: *Enable* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol-detectapplicationinstallationsandpromptforelevation) + +- **User Account 
Control Only Elevate UI Access Applications That Are Installed In Secure Locations** + Baseline default: *Enabled: Application runs with UIAccess integrity only if it resides in secure location.* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations) + +- **User Account Control Run All Administrators In Admin Approval Mode** + Baseline default: *Enabled* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_runalladministratorsinadminapprovalmode) + +- **User Account Control Use Admin Approval Mode** + Baseline default: *Enable* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_useadminapprovalmode) + +- **User Account Control Virtualize File And Registry Write Failures To Per User Locations** + Baseline default: *Enabled* + [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations) ::: zone-end ::: zone pivot="win365-nov21" @@ -2791,6 +2732,11 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po ## Microsoft Defender Antivirus Exclusions +> [!WARNING] +> **Defining exclusions lowers the protection offered by Microsoft Defender Antivirus**. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious. +> +> For more information, see [Exclusions overview](/defender-endpoint/navigate-defender-endpoint-antivirus-exclusions) in the Microsoft Defender documentation. + - **Defender Processes to exclude** Baseline defaults: *Not configured by default. Manually add one or more entries.* 
diff --git a/memdocs/intune/protect/security-baseline-v2-edge-settings.md b/memdocs/intune/protect/security-baseline-v2-edge-settings.md index 5743ec5c363..f61d7cb1fd1 100644 --- a/memdocs/intune/protect/security-baseline-v2-edge-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-edge-settings.md @@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli author: brenduns ms.author: brenduns manager: dougeby -ms.date: 12/11/2023 +ms.date: 09/17/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect @@ -48,7 +48,7 @@ zone_pivot_groups: dcv2-edge-baselines This article is a reference for the settings that are available in the Microsoft Edge security baseline for Microsoft Intune and applies to versions of that baseline that released in May 2023 or later. -If you use a security baseline for Edge version 85 or earlier, see [List of the settings in the Microsoft Edge security baseline in Intune](../protect/security-baseline-settings-edge.md). +If you use a security baseline for Microsoft Edge version 85 or earlier, see [List of the settings in the Microsoft Edge security baseline in Intune](../protect/security-baseline-settings-edge.md). > [!NOTE] > Beginning in May 2023, all new security baseline versions use a new settings format that replaces previous versions. While the last version instance for a baseline that uses the older setting format remains available to use, the older format will no longer receive updates for new settings, or updated default configurations. diff --git a/memdocs/intune/protect/security-baseline-v2-office-settings.md b/memdocs/intune/protect/security-baseline-v2-office-settings.md index 87fe27268ab..2417c6ae4e1 100644 --- a/memdocs/intune/protect/security-baseline-v2-office-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-office-settings.md 
@@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli author: brenduns ms.author: brenduns manager: dougeby -ms.date: 11/10/2023 +ms.date: 09/13/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect @@ -46,7 +46,7 @@ Pivot yml: title: May 2023 --> -# Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune +# Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune This article is a reference for the settings that are available in the Microsoft 365 Apps for Enterprise security baseline for Microsoft Intune. 
@@ -72,41 +72,94 @@ To learn more about using security baselines, see: ::: zone pivot="office-may-2023" -**Microsoft 365 Apps for Enterprise security baseline for May 2023** +**Microsoft 365 Apps for Enterprise security baseline for May 2023** + +This baseline version was first made available in May of 2023. It was replaced by the Baseline *Version 2306* For more information about the following settings that are included in this baseline, download the [Microsoft Security Compliance Toolkit 1.0](https://www.microsoft.com/download/details.aspx?id=55319) from the Microsoft Download Center, and review the *Microsoft 365 Apps for Enterprise-2206-FINAL.zip* file. ::: zone-end ::: zone pivot="v2306" -**Microsoft 365 Apps for Enterprise for security baseline version 2306** +**Microsoft 365 Apps for Enterprise for security baseline version 2306** + +This baseline version was first made available in November 2023, and replaces the *May 2023* version. For more information about the following settings that are included in this baseline, download the [Security Compliance Toolkit and Baselines](https://www.microsoft.com/download/details.aspx?id=55319) from the Microsoft Download Center, and then review the *Microsoft 365 Apps for Enterprise 2306.zip* file. 
::: zone-end +::: zone pivot="office-may-2023,v2306" -## Microsoft 365 Apps for Enterprise +## Administrative Templates + +*MS Security Guide* + +- **Block Flash activation in Office documents** + Baseline default: *Enabled* + - **Block Flash player in Office (Device)** + Baseline default: Block all activation* + +- **Restrict legacy JScript execution for Office** + Baseline default: *Enabled* + + - **Excel: (Device)** + Baseline default: *69632* + + - **PowerPoint: (Device)** + Baseline default: *69632* + + - **OneNote: (Device)** + Baseline default: *69632* + + - **Publisher: (Device)** + Baseline default: *69632* + + - **Access: (Device)** + Baseline default: *69632* + + - **Project: (Device)** + Baseline default: *69632* + + - **Visio: (Device)** + Baseline default: *69632* + + - **Outlook: (Device)** + Baseline default: *69632* + + + - **Word: (Device)** + Baseline default: *69632* -::: zone pivot="office-may-2023,v2306" -### Microsoft Access 2016 + +## Microsoft Access 2016 *Application Settings > Security > Trust Center* - **Block macros from running in Office files from the Internet (User)** - Baseline default: *Enabled* + Baseline default: *Enabled* + +- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** + Baseline default: *Enabled* + +::: zone-end +::: zone pivot="v2306" + + +- **Require that application add-ins are signed by Trusted Publisher (User)** + Baseline default: *Enabled* + +::: zone-end +::: zone pivot="office-may-2023,v2306" - **VBA Macro Notification Settings (User)** Baseline default: *Enabled* - Baseline default: *Disable all with notification* -- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** - Baseline default: *Enabled* - *Application Settings > Security > Trust Center > Trusted Locations* - **Allow Trusted Locations on the network (User)** - Baseline default: *Disabled* + Baseline default: *Disabled* ### Microsoft Excel 2016 
@@ -152,31 +205,40 @@ For more information about the following settings that are included in this base *Excel Options > Security > Trust Center* +::: zone-end +::: zone pivot="v2306" + + +- **Block Excel XLL Add-ins that come from an untrusted source (User)** + Baseline default: *Enabled* + - Baseline default: *Block* + +::: zone-end +::: zone pivot="office-may-2023,v2306" + - **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* -- **Prevent Excel from running XLM macros (User)** +::: zone-end +::: zone pivot="v2306" +- **Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated)** Baseline default: *Enabled* -- **Require that application add-ins are signed by Trusted Publisher (User)** +::: zone-end +::: zone pivot="office-may-2023,v2306" + +- **Prevent Excel from running XLM macros (User)** Baseline default: *Enabled* -- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** +- **Require that application add-ins are signed by Trusted Publisher (User)** + Baseline default: *Enabled* + - **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** Baseline default: *Enabled* - **VBA Macro Notification Settings (User)** Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -::: zone-end -::: zone pivot="v2306" - -- **Block Excel XLL Add-ins that come from an untrusted source** - Baseline default: *Block* - -::: zone-end -::: zone pivot="office-may-2023,v2306" - *Excel Options > Security > Trust Center > External Content* - **Always prevent untrusted Microsoft Query files from opening (User)** @@ -184,6 +246,7 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="office-may-2023" + - **Don’t allow Dynamic Data Exchange (DDE) server launch in Excel (User)** Baseline default: *Enabled* 
@@ -277,8 +340,7 @@ For more information about the following settings that are included in this base Baseline default: *Disabled* - **Set document behavior if file validation fails (User)** - Baseline default: *Enabled* - + Baseline default: *Enabled* - **Checked: Allow edit. Unchecked: Do not allow edit. (User)** Baseline default: *False* - Baseline default: *Open in Protected View* @@ -289,22 +351,17 @@ For more information about the following settings that are included in this base *Excel Options > Security > Trust Center > Trusted Locations* - **Allow Trusted Locations on the network (User)** - Baseline default: *Disabled*+ + Baseline default: *Disabled* -::: zone-end -::: zone pivot="office-may-2023" -### Microsoft Lync Feature Policies +## Microsoft Lync Feature Policies -- **Configure SIP security mode** +- **Configure SIP security mode** Baseline default: *Enabled* -- **Disable HTTP fallback for SIP connection** +- **Disable HTTP fallback for SIP connection** Baseline default: *Enabled* -::: zone-end -::: zone pivot="office-may-2023,v2306" - -### Microsoft Office 2016 +## Microsoft Office 2016 *Customize* @@ -317,12 +374,6 @@ For more information about the following settings that are included in this base - **Disallow in Publisher (User)** Baseline default: *True* - - **Disallow in Visio (User)** - Baseline default: *True* - - - **Disallow in InfoPath (User)** - Baseline default: *True* - - **Disallow in Outlook (User)** Baseline default: *True* 
@@ -332,24 +383,30 @@ For more information about the following settings that are included in this base - **Disallow in Access (User)** Baseline default: *True* + - **Disallow in InfoPath (User)** + Baseline default: *True* + - **Disallow in Word (User)** Baseline default: *True* - **Disallow in Excel (User)** Baseline default: *True* + - **Disallow in Visio (User)** + Baseline default: *True* + *Security Settings* - **ActiveX Control Initialization (User)** - Baseline default: *Enabled* - - - **ActiveX Control Initialization: (User)** + Baseline default: *Enabled* + -**ActiveX Control Initialization: (User)** Baseline default: *6* ::: zone-end ::: zone pivot="v2306" + -- **Allow Basic Authentication prompts from network proxies** +- **Allow Basic Authentication prompts from network proxies (User)** Baseline default: *Disabled* ::: zone-end @@ -378,10 +435,11 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="v2306" + -- **Encryption mode for Information Rights Management (IRM)** +- **Encryption mode for Information Rights Management (IRM) (User)** Baseline default: *Enabled* - - **Encryption type: (User)** + - **IRM Encryption Mode: (User)** Baseline default: *Cipher Block Chaining (CBC)* ::: zone-end @@ -424,10 +482,7 @@ For more information about the following settings that are included in this base - **Disable Smart Document's use of manifests (User)** Baseline default: *Enabled* -::: zone-end -::: zone pivot="office-may-2023" - -### Microsoft Office 2016 (Machine) +## Microsoft Office 2016 (Machine) *Security Settings > IE Security* @@ -446,9 +501,15 @@ For more information about the following settings that are included in this base - **powerpnt.exe (Device)** Baseline default: *True* + - **excel.exe (Device)** + Baseline default: *True* + - **visio.exe (Device)** Baseline default: *True* + - **onent.exe (Device)** + Baseline default: *True* + - **outlook.exe (Device)** Baseline default: *True* 
@@ -458,21 +519,15 @@ For more information about the following settings that are included in this base - **winword.exe (Device)** Baseline default: *True* - - **excel.exe (Device)** + - **exprwd.exe (Device)** Baseline default: *True* - - **onent.exe (Device)** + - **spDesign.exe (Device)** Baseline default: *True* - **winproj.exe (Device)** Baseline default: *True* - - **exprwd.exe (Device)** - Baseline default: *True* - - - **spDesign.exe (Device)** - Baseline default: *True* - - **groove.exe (Device)** Baseline default: *True* @@ -488,34 +543,34 @@ For more information about the following settings that are included in this base - **spDesign.exe (Device)** Baseline default: *True* + - **onent.exe (Device)** + Baseline default: *True* + - **outlook.exe (Device)** Baseline default: *True* - - **mspub.exe (Device)** + - **pptview.exe (Device)** Baseline default: *True* - - **visio.exe (Device)** + - **mspub.exe (Device)** Baseline default: *True* - - **onent.exe (Device)** - Baseline default: *True* - - - **pptview.exe (Device)** + - **visio.exe (Device)** Baseline default: *True* - **winproj.exe (Device)** Baseline default: *True* - - **powerpnt.exe (Device)** + - **msaccess.exe (Device)** Baseline default: *True* - - **mse7.exe (Device)** + - **powerpnt.exe (Device)** Baseline default: *True* - - - **msaccess.exe (Device)** + + - **groove.exe (Device)** Baseline default: *True* - - **groove.exe (Device)** + - **mse7.exe (Device)** Baseline default: *True* - **winword.exe (Device)** @@ -524,9 +579,9 @@ For more information about the following settings that are included in this base - **Disable user name and password** Baseline default: *Enabled* - - **pptview.exe (Device)** + - **excel.exe (Device)** Baseline default: *True* - + - **groove.exe (Device)** Baseline default: *True* 
@@ -536,7 +591,7 @@ For more information about the following settings that are included in this base - **mse7.exe (Device)** Baseline default: *True* - - **excel.exe (Device)** + - **mspub.exe (Device)** Baseline default: *True* - **visio.exe (Device)** @@ -545,16 +600,13 @@ For more information about the following settings that are included in this base - **exprwd.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** - Baseline default: *True* - - - **winword.exe (Device)** + - **msaccess.exe (Device)** Baseline default: *True* - - **mspub.exe (Device)** + - **spDesign.exe (Device)** Baseline default: *True* - - **msaccess.exe (Device)** + - **winword.exe (Device)** Baseline default: *True* - **powerpnt.exe (Device)** @@ -566,6 +618,9 @@ For more information about the following settings that are included in this base - **winproj.exe (Device)** Baseline default: *True* + - **pptview.exe (Device)** + Baseline default: *True* + - **Information Bar** Baseline default: *Enabled* @@ -581,25 +636,19 @@ For more information about the following settings that are included in this base - **msaccess.exe (Device)** Baseline default: *True* - - **outlook.exe (Device)** - Baseline default: *True* - - - **winproj.exe (Device)** + - **onent.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** + - **outlook.exe (Device)** Baseline default: *True* - - **onent.exe (Device)** + - **winproj.exe (Device)** Baseline default: *True* - **powerpnt.exe (Device)** Baseline default: *True* - - **winword.exe (Device)** - Baseline default: *True* - - - **exprwd.exe (Device)** + - **spDesign.exe (Device)** Baseline default: *True* - **groove.exe (Device)** 
@@ -611,8 +660,14 @@ For more information about the following settings that are included in this base - **mse7.exe (Device)** Baseline default: *True* + - **winword.exe (Device)** + Baseline default: *True* + + - **exprwd.exe (Device)** + Baseline default: *True* + - **Local Machine Zone Lockdown Security** - Baseline default: *Enabled* + Baseline default: *Enabled* - **mse7.exe (Device)** Baseline default: *True* @@ -638,9 +693,6 @@ For more information about the following settings that are included in this base - **groove.exe (Device)** Baseline default: *True* - - **visio.exe (Device)** - Baseline default: *True* - - **winword.exe (Device)** Baseline default: *True* @@ -650,6 +702,9 @@ For more information about the following settings that are included in this base - **spDesign.exe (Device)** Baseline default: *True* + - **visio.exe (Device)** + Baseline default: *True* + - **onent.exe (Device)** Baseline default: *True* @@ -683,9 +738,6 @@ For more information about the following settings that are included in this base - **outlook.exe (Device)** Baseline default: *True* - - **pptview.exe (Device)** - Baseline default: *True* - - **mspub.exe (Device)** Baseline default: *True* @@ -695,25 +747,22 @@ For more information about the following settings that are included in this base - **msaccess.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** + - **pptview.exe (Device)** Baseline default: *True* - **winproj.exe (Device)** Baseline default: *True* -- **Navigate URL** - Baseline default: *Enabled* - - - **powerpnt.exe (Device)** + - **spDesign.exe (Device)** Baseline default: *True* - - **visio.exe (Device)** - Baseline default: *True* +- **Navigate URL** + Baseline default: *Enabled* - - **mse7.exe (Device)** + - **groove.exe (Device)** Baseline default: *True* - - **groove.exe (Device)** + - **spDesign.exe (Device)** Baseline default: *True* - **onent.exe (Device)** 
@@ -722,58 +771,55 @@ For more information about the following settings that are included in this base - **pptview.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** - Baseline default: *True* - - **outlook.exe (Device)** Baseline default: *True* - **winproj.exe (Device)** Baseline default: *True* - - **excel.exe (Device)** - Baseline default: *True* - - - **exprwd.exe (Device)** - Baseline default: *True* - - **msaccess.exe (Device)** Baseline default: *True* - **winword.exe (Device)** Baseline default: *True* - - **mspub.exe (Device)** + - **excel.exe (Device)** Baseline default: *True* -- **Object Caching Protection** - Baseline default: *Enabled* + - **mspub.exe (Device)** + Baseline default: *True* - - **excel.exe (Device)** + - **exprwd.exe (Device)** Baseline default: *True* - - **pptview.exe (Device)** + - **powerpnt.exe (Device)** Baseline default: *True* - - **winproj.exe (Device)** + - **visio.exe (Device)** Baseline default: *True* - - **exprwd.exe (Device)** + - **mse7.exe (Device)** Baseline default: *True* +- **Object Caching Protection** + Baseline default: *Enabled* + - **winword.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** + - **powerpnt.exe (Device)** Baseline default: *True* + - **spDesign.exe (Device)** + Baseline default: *True* + - **mse7.exe (Device)** Baseline default: *True* - **mspub.exe (Device)** Baseline default: *True* - - **powerpnt.exe (Device)** + - **msaccess.exe (Device)** Baseline default: *True* - **onent.exe (Device)** 
@@ -782,30 +828,33 @@ For more information about the following settings that are included in this base - **outlook.exe (Device)** Baseline default: *True* - - **msaccess.exe (Device)** + - **groove.exe (Device)** Baseline default: *True* - - **visio.exe (Device)** + - **excel.exe (Device)** Baseline default: *True* - - **groove.exe (Device)** + - **visio.exe (Device)** Baseline default: *True* -- **Protection From Zone Elevation** - Baseline default: *Enabled* - - - **msaccess.exe (Device)** + - **pptview.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** + - **winproj.exe (Device)** Baseline default: *True* - - **groove.exe (Device)** + - **exprwd.exe (Device)** Baseline default: *True* +- **Protection From Zone Elevation** + Baseline default: *Enabled* + - **winproj.exe (Device)** Baseline default: *True* + - **groove.exe (Device)** + Baseline default: *True* + - **outlook.exe (Device)** Baseline default: *True* @@ -827,13 +876,19 @@ For more information about the following settings that are included in this base - **winword.exe (Device)** Baseline default: *True* - - **onent.exe (Device)** + - **exprwd.exe (Device)** Baseline default: *True* - - **pptview.exe (Device)** + - **msaccess.exe (Device)** Baseline default: *True* - - **exprwd.exe (Device)** + - **spDesign.exe (Device)** + Baseline default: *True* + + - **onent.exe (Device)** + Baseline default: *True* + + - **pptview.exe (Device)** Baseline default: *True* - **Restrict ActiveX Install** @@ -851,9 +906,6 @@ For more information about the following settings that are included in this base - **onent.exe (Device)** Baseline default: *True* - - **pptview.exe (Device)** - Baseline default: *True* - - **excel.exe (Device)** Baseline default: *True* 
@@ -869,6 +921,9 @@ For more information about the following settings that are included in this base - **outlook.exe (Device)** Baseline default: *True* + - **pptview.exe (Device)** + Baseline default: *True* + - **winproj.exe (Device)** Baseline default: *True* @@ -929,31 +984,34 @@ For more information about the following settings that are included in this base - **Saved from URL** Baseline default: *Enabled* + - **mspub.exe (Device)** + Baseline default: *True* + - **visio.exe (Device)** Baseline default: *True* - - **mspub.exe (Device)** + - **winword.exe (Device)** Baseline default: *True* - - **outlook.exe (Device)** + - **msaccess.exe (Device)** Baseline default: *True* - - **winword.exe (Device)** + - **onent.exe (Device)** Baseline default: *True* - - **excel.exe (Device)** + - **outlook.exe (Device)** Baseline default: *True* - - **msaccess.exe (Device)** + - **groove.exe (Device)** Baseline default: *True* - - **powerpnt.exe (Device)** + - **excel.exe (Device)** Baseline default: *True* - - **onent.exe (Device)** + - **powerpnt.exe (Device)** Baseline default: *True* - - **groove.exe (Device)** + - **pptview.exe (Device)** Baseline default: *True* - **exprwd.exe (Device)** @@ -965,9 +1023,6 @@ For more information about the following settings that are included in this base - **spDesign.exe (Device)** Baseline default: *True* - - **pptview.exe (Device)** - Baseline default: *True* - - **winproj.exe (Device)** Baseline default: *True* 
@@ -980,46 +1035,43 @@ For more information about the following settings that are included in this base - **onent.exe (Device)** Baseline default: *True* + - **winproj.exe (Device)** + Baseline default: *True* + - **winword.exe (Device)** Baseline default: *True* - **exprwd.exe (Device)** Baseline default: *True* - - **mspub.exe (Device)** + - **mse7.exe (Device)** Baseline default: *True* - - **outlook.exe (Device)** + - **mspub.exe (Device)** Baseline default: *True* - - **powerpnt.exe (Device)** + - **outlook.exe (Device)** Baseline default: *True* - - **groove.exe (Device)** + - **msaccess.exe (Device)** Baseline default: *True* - - **mse7.exe (Device)** + - **powerpnt.exe (Device)** Baseline default: *True* - - **msaccess.exe (Device)** + - **groove.exe (Device)** Baseline default: *True* - **excel.exe (Device)** Baseline default: *True* - - **spDesign.exe (Device)** - Baseline default: *True* - - **pptview.exe (Device)** Baseline default: *True* - - **winproj.exe (Device)** + - **spDesign.exe (Device)** Baseline default: *True* -::: zone-end -::: zone pivot="office-may-2023,v2306" - -### Microsoft Outlook 2016 +## Microsoft Outlook 2016 *Security > Security Form Settings* @@ -1032,6 +1084,23 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Guard behavior: (User)** Baseline default: *Automatically Deny* + - **Prevent users from customizing attachment security settings (User)** + Baseline default: *Enabled* + + - **Retrieving CRLs (Certificate Revocation Lists) (User)** + Baseline default: *Enabled* + - Baseline default: *When online always retrieve the CRL* + +::: zone-end +::: zone pivot="office-may-2023" + + + - **Junk E-mail protection level (User)** + Baseline default: *Disabled* + +::: zone-end +::: zone pivot="office-may-2023,v2306" + - **Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User)** Baseline default: *Enabled* - **Guard behavior: (User)** 
@@ -1042,17 +1111,17 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Select the authentication with Exchange server. (User)** Baseline default: *Kerberos Password Authentication* - - **Configure Outlook object model prompt when reading address information (User)** - Baseline default: *Enabled* - - **Guard behavior: (User)** - Baseline default: *Automatically Deny* - - - **Enable RPC encryption (User)** + - **Enable RPC encryption (User)** Baseline default: *Enabled* - **Allow hyperlinks in suspected phishing e-mail messages (User)** Baseline default: *Disabled* + - **Configure Outlook object model prompt when reading address information (User)** + Baseline default: *Enabled* + - **Guard behavior: (User)** + Baseline default: *Automatically Deny* + - **Configure Outlook object model prompt when sending mail (User)** Baseline default: *Enabled* @@ -1067,21 +1136,17 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Allow scripts in one-off Outlook forms (User)** Baseline default: *Disabled* - - **Prevent users from customizing attachment security settings (User)** - Baseline default: *Enabled* - - **Remove file extensions blocked as Level 2 (User)** Baseline default: *Enabled* - **Removed Extensions: (User)** Baseline default: *;* - - **Retrieving CRLs (Certificate Revocation Lists) (User)** - Baseline default: *Enabled* - - Baseline default: *When online always retrieve the CRL* + - **Use Unicode format when dragging e-mail message to file system (User)** + Baseline default: *Disabled* - - **Configure Outlook object model prompt when accessing an address book (User)** + - **Set Outlook object model custom actions execution prompt (User)** Baseline default: *Enabled* - - **Guard behavior: (User)** + - **When executing a custom action: (User)** Baseline default: *Automatically Deny* - **Do not allow Outlook object model scripts to run for public folders (User)** 
@@ -1090,19 +1155,6 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Include Internet in Safe Zones for Automatic Picture Download (User)** Baseline default: *Disabled* - - **Signature Warning (User)** - Baseline default: *Enabled* - - **Signature Warning (User)** - Baseline default: *Always warn about invalid signatures* - - - **Use Unicode format when dragging e-mail message to file system (User)** - Baseline default: *Disabled* - - - **Set Outlook object model custom actions execution prompt (User)** - Baseline default: *Enabled* - - **When executing a custom action: (User)** - Baseline default: *Automatically Deny* - - **Security setting for macros (User)** Baseline default: *Enabled* - **Security Level (User)** 
@@ -1113,44 +1165,58 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Removed Extensions: (User)** Baseline default: *;* -::: zone-end -::: zone pivot="office-may-2023" - - - **Junk E-mail protection level (User)** - Baseline default: *Disabled* - -::: zone-end -::: zone pivot="office-may-2023,v2306" + - **Signature Warning (User)** + Baseline default: *Enabled* + - **Signature Warning (User)** + Baseline default: *Always warn about invalid signatures* - - **Display Level 1 attachments (User)** - Baseline default: *Disabled* +- **Display Level 1 attachments (User)** + Baseline default: *Disabled* - - **Minimum encryption settings (User)** - Baseline default: *Enabled* - - **Minimum key size (in bits): (User)** - Baseline default: *168* +- **Minimum encryption settings (User)** + Baseline default: *Enabled* + - **Minimum key size (in bits): (User)** + Baseline default: *168* - - **Do not allow Outlook object model scripts to run for shared folders (User)** - Baseline default: *Enabled* +- **Do not allow Outlook object model scripts to run for shared folders (User)** + Baseline default: *Enabled* - - **Configure Outlook object model prompt when executing Save As (User)** +- **Configure Outlook object model prompt when executing Save As (User)** + Baseline default: *Enabled* + - **Guard behavior: (User)** + Baseline default: *Automatically Deny* + - **Configure Outlook object model prompt when reading address information (User)** Baseline default: *Enabled* - **Guard behavior: (User)** Baseline default: *Automatically Deny* - - **Configure Outlook object model prompt when responding to meeting and task requests (User)** - Baseline default: *Enabled* - - **Guard behavior: (User)** - Baseline default: *Automatically Deny* +- **Configure Outlook object model prompt when responding to meeting and task requests (User)** + Baseline default: *Enabled* + - **Guard behavior: (User) + Baseline default: *Automatically Deny* -### Microsoft 
PowerPoint 2016 +## Microsoft PowerPoint 2016 *PowerPoint Options > Security* +::: zone-end +::: zone pivot="v2306" + + +- **Run Programs (User)** + Baseline default: *Disabled* + +::: zone-end +::: zone pivot="office-may-2023" + + - **Run Programs (User)** Baseline default: *Enabled* - *disable (don't run any programs)* +::: zone-end +::: zone pivot="office-may-2023,v2306" + - **Scan encrypted macros in PowerPoint Open XML presentations (User)** Baseline default: *Enabled* - Baseline default: *Scan encrypted macros (default)* @@ -1163,10 +1229,19 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Block macros from running in Office files from the Internet (User**) Baseline default: *Enabled* +::: zone-end +::: zone pivot="v2306" + + +- **Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated)** + Baseline default: *Enabled* + +::: zone-end +::: zone pivot="office-may-2023,v2306" + - **Require that application add-ins are signed by Trusted Publisher (User)** Baseline default: *Enabled* - -- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** + - **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** Baseline default: *Enabled* - **VBA Macro Notification Settings (User)** @@ -1193,10 +1268,11 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Disabled* - **Set document behavior if file validation fails (User)** - Baseline default: *Enabled* - - Baseline default: *Open in Protected View* + Baseline default: *Enabled* + - **Checked: Allow edit. Unchecked: Do not allow edit. (User)** Baseline default: *False* + - Baseline default: *Open in Protected View* - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* 
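Review bot: The bold markup on the added `Guard behavior` sub-item under *Configure Outlook object model prompt when responding to meeting and task requests* is not closed — the new line reads `  - **Guard behavior: (User)` with no trailing `**`, so the bold will run into the following text when rendered; it should be `  - **Guard behavior: (User)**` like the other guard-behavior entries in this hunk. Separately, the hunk appends `- **Configure Outlook object model prompt when reading address information (User)**` directly after the *Save As* entry's guard-behavior lines, while the hunk at `@@ -1042,17 +1111,17 @@` also adds the same setting, so the new document appears to list it twice; if that is not intended, drop one copy and restore the blank line before the next top-level item. The hunk also promotes several entries from indented sub-items to top-level list items, which looks deliberate but is worth confirming against the baseline export.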
@@ -1206,24 +1282,33 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -### Microsoft Project 2016 +## Microsoft Project 2016 *Project Options > Security > Trust Center* - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -- **Require that application add-ins are signed by Trusted Publisher (User)** - Baseline default: *Enabled* +::: zone-end +::: zone pivot="v2306" + -- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** +- **Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated)** Baseline default: *Enabled* +::: zone-end +::: zone pivot="office-may-2023,v2306" + +- **Require that application add-ins are signed by Trusted Publisher (User)** + Baseline default: *Enabled* + - **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** + Baseline default: *Enabled* + - **VBA Macro Notification Settings (User)** Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -### Microsoft Publisher 2016 +## Microsoft Publisher 2016 *Security* @@ -1234,9 +1319,13 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are *Security > Trust Center* ::: zone-end -::: zone pivot="office-may-2023,v2306" +::: zone pivot="v2306" + -- **Block macros from running in Office files from the internet** +- **Block macros from running in Office files from the internet (User)** + Baseline default: *Enabled* + +- **Disable Trust Bar Notification for unsigned application add-ins (User) (Deprecated)** Baseline default: *Enabled* ::: zone-end 
@@ -1245,29 +1334,38 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Require that application add-ins are signed by Trusted Publisher (User)** Baseline default: *Enabled* -- **Disable Trust Bar Notification for unsigned application add-ins and block them(User)** - Baseline default: *Enabled* + - **Disable Trust Bar Notification for unsigned application add-ins (User)** + Baseline default: Enabled* - **VBA Macro Notification Settings (User)** Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -### Microsoft Visio 2016 +## Microsoft Visio 2016 *Visio Options > Security > Trust Center* - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -- **Block macros from running in Office files from the internet (User)** +- **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* -- **Require that application add-ins are signed by Trusted Publisher (User)** - Baseline default: *Enabled* -- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** +::: zone-end +::: zone pivot="v2306" + +- **Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated)** Baseline default: *Enabled* +::: zone-end +::: zone pivot="office-may-2023,v2306" + +- **Require that application add-ins are signed by Trusted Publisher (User)** + Baseline default: *Enabled* + - **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** + Baseline default: *Enabled* + - **VBA Macro Notification Settings (User)** Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* 
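Review bot: The italic markup on the new Publisher entry is unbalanced — `Baseline default: Enabled*` lacks the opening asterisk and will render a literal `*`; it should read `Baseline default: *Enabled*` as every other default in the section does. The same added line also drops "and block them" from the setting name relative to the removed line and to the Word, Visio and Project entries changed in this commit; if that reflects the actual Publisher policy name it is fine, otherwise it should match the others.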
@@ -1289,20 +1387,29 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **File block setting: (User)** Baseline default: *Open/Save blocked* -### Microsoft Word 2016 +## Microsoft Word 2016 *Word Options > Security > Trust Center* -- **Block macros from running in Office files from the internet (User)** +- **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* +::: zone-end +::: zone pivot="v2306" + +- **Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated)** + Baseline default: *Enabled* + +::: zone-end +::: zone pivot="office-may-2023,v2306" + - **Dynamic Data Exchange (User)** Baseline default: *Disabled* - **Require that application add-ins are signed by Trusted Publisher (User)** Baseline default: *Enabled* -- **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** + - **Disable Trust Bar Notification for unsigned application add-ins and block them (User)** Baseline default: *Enabled* - **Scan encrypted macros in Word Open XML documents (User)** @@ -1361,7 +1468,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are *Word Options > Security > Trust Center > Protected View* -- **Do not open files from the internet zone in Protected View (User)** +- **Do not open files from the Internet zone in Protected View (User)** Baseline default: *Disabled* - **Do not open files in unsafe locations in Protected View (User)** @@ -1369,6 +1476,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Set document behavior if file validation fails (User)** Baseline default: *Enabled* + - Baseline default: *Open in Protected View* - **Checked: Allow edit. Unchecked: Do not allow edit. (User)** 
@@ -1377,57 +1485,15 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*Word Options > Security > Trust Center > Trusted Locations* - -- **Allow Trusted Locations on the network (User)** - Baseline default: *Disabled* - *Word Options > Security* - **Turn off file validation (User)** Baseline default: *Disabled* -::: zone-end -::: zone pivot="office-may-2023" - -### Administrative Templates - -*MS Security Guide* - -- **Block Flash activation in Office documents** - Baseline default: *Enabled* - - **Block Flash player in Office (Device)** - Baseline default: Block all activation* - -- **Restrict legacy JScript execution for Office** - Baseline default: *Enabled* - - - **Outlook: (Device)** - Baseline default: *69632* - - - **Excel: (Device)** - Baseline default: *69632* - - - **PowerPoint: (Device)** - Baseline default: *69632* - - - **OneNote: (Device)** - Baseline default: *69632* - - - **Publisher: (Device)** - Baseline default: *69632* - - - **Access: (Device)** - Baseline default: *69632* - - - **Visio: (Device)** - Baseline default: *69632* +*Word Options > Security > Trust Center > Trusted Locations* - - **Project: (Device)** - Baseline default: *69632* - - - **Word: (Device)** - Baseline default: *69632* +- **Allow Trusted Locations on the network (User)** + Baseline default: *Disabled* ::: zone-end diff --git a/memdocs/intune/protect/sentinelone-mobile-threat-defense-connector.md b/memdocs/intune/protect/sentinelone-mobile-threat-defense-connector.md index 257df17d45a..6b8dbd05d31 100644 --- a/memdocs/intune/protect/sentinelone-mobile-threat-defense-connector.md +++ b/memdocs/intune/protect/sentinelone-mobile-threat-defense-connector.md 
@@ -8,7 +8,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 01/10/2024 +ms.date: 10/14/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -35,7 +35,7 @@ ms.collection: You can control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by SentinelOne, a Mobile Threat Defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices running the SentinelOne app. -You can configure Conditional Access policies based on SentinelOne risk assessment enabled through Intune device compliance policies for enrolled devices, which you can use to allow or block noncompliant devices to access corporate resources based on detected threats. For unenrolled devices, you can use app protection policies to enforce a block or selective wipe based on detected threats. +You can configure Conditional Access policies that are based on SentinelOne risk assessment, enabled through Intune device compliance policies for enrolled devices. You can use these policies to allow or block noncompliant devices access to corporate resources based on detected threats. For unenrolled devices, you can use app protection policies to enforce a block or selective wipe based on detected threats. ## Supported platforms 
@@ -51,7 +51,7 @@ You can configure Conditional Access policies based on SentinelOne risk assessme ## How do Intune and SentinelOne help protect your company resources? -The SentinelOne app for Android and iOS/iPadOS captures file system, network stack, device, and application telemetry where available, then sends the telemetry data to the SentinelOne cloud service to assess the device's risk for mobile threats. +For Android and iOS/iPadOS The SentinelOne app captures file system, network stack, device, and application telemetry where available. Then the app sends the data to the SentinelOne cloud service to assess the device's risk for mobile threats. - **Support for enrolled devices** - Intune device compliance policy includes a rule for Mobile Threat Defense (MTD), which can use risk assessment information from SentinelOne. When the MTD rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources like Exchange Online and SharePoint Online. Users also receive guidance from the SentinelOne app installed in their devices to resolve the issue and regain access to corporate resources. To support using SentinelOne with enrolled devices: diff --git a/memdocs/intune/protect/sentinelone-mtd-connector-integration.md b/memdocs/intune/protect/sentinelone-mtd-connector-integration.md index e22e62d05d3..01a74013c71 100644 --- a/memdocs/intune/protect/sentinelone-mtd-connector-integration.md +++ b/memdocs/intune/protect/sentinelone-mtd-connector-integration.md @@ -8,12 +8,12 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 11/17/2023 +ms.date: 10/10/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect ms.localizationpriority: high -ms.assetid: +ms.assetid: # optional metadata 
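Review bot: The rewritten sentence has a capitalization and punctuation slip: `For Android and iOS/iPadOS The SentinelOne app captures ...` should be `For Android and iOS/iPadOS, the SentinelOne app captures ...`. Splitting the original into two sentences is otherwise an improvement over the removed line.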
@@ -60,11 +60,11 @@ The SentinelOne app authorization process follows: - Allow SentinelOne Management Console to use Microsoft Entra single sign-on (SSO). - Allow the SentinelOne app to sign in using Microsoft Entra SSO. -For more information about consent and Microsoft Entra applications, see [Introduction to permissions and consent](/azure/active-directory/develop/permissions-consent-overview#request-the-permissions-from-a-directory-admin) in the Microsoft Entra documentation. +For more information about consent and Microsoft Entra applications, see [Introduction to permissions and consent](/entra/identity-platform/permissions-consent-overview#request-the-permissions-from-a-directory-admin) in the Microsoft Entra documentation. ## To set up SentinelOne integration -1. Go to [SentinelOne Management Console]( https://console.mobile.sentinelone.net) and sign in with your credentials. To perform the SentinelOne integration setup process, you must sign in with a Microsoft Entra user who has the Global Administrator role. This one-time setup operation uses the Global Administrator rights to grant permission in your organization for the SentinelOne apps to communicate with Intune. +1. Go to [SentinelOne Management Console]( https://console.mobile.sentinelone.net) and sign in with your credentials. To perform the SentinelOne integration setup process, you must sign in with a Microsoft Entra user who has the Global Administrator role. This one-time setup operation uses the Global Administrator rights to grant permission in your organization for the SentinelOne apps to communicate with Intune. 2. Choose **Management** from the left menu. 
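Review bot: Step 1 keeps the instruction to sign in with a Microsoft Entra user holding the Global Administrator role but, unlike the tenant-attach-intune.md hunk in this same commit, adds no least-privilege guidance alongside it. Consider adding the same `> [!IMPORTANT]` note after step 1 — Microsoft recommends roles with the fewest permissions and reserving Global Administrator for scenarios where no existing role suffices — so the two articles give consistent guidance for this one-time consent operation. The visible change to the step 1 line appears to be whitespace only; the Entra link update above it is fine.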
@@ -86,7 +86,7 @@ For more information about consent and Microsoft Entra applications, see [Introd 9. Sign out of the SentinelOne MTD console. -## Next steps +## Next step - [Set up SentinelOne apps for enrolled devices](mtd-apps-ios-app-configuration-policy-add-assign.md) - [Set up SentinelOne apps for unenrolled devices](mtd-add-apps-unenrolled-devices.md) diff --git a/memdocs/intune/protect/tenant-attach-intune.md b/memdocs/intune/protect/tenant-attach-intune.md index d3e33627a21..f82731d14c2 100644 --- a/memdocs/intune/protect/tenant-attach-intune.md +++ b/memdocs/intune/protect/tenant-attach-intune.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 07/19/2024 +ms.date: 10/10/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -49,6 +49,9 @@ To support using Intune endpoint security policies with Configuration Manager de - **Permissions to Microsoft Entra ID** - To complete setup of tenant attach, your account must have Global Administrator permissions to your Azure subscription. + > [!IMPORTANT] + > Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role. + - **Tenant for Microsoft Defender for Endpoint** – Your Microsoft Defender for Endpoint tenant must be integrated with your Microsoft Intune tenant (Microsoft Intune Plan 1 subscription). See [Use Microsoft Defender for Endpoint](advanced-threat-protection.md) in the Intune documentation. ### Configuration Manager version requirements for Intune endpoint security policies diff --git a/memdocs/intune/protect/windows-10-feature-updates.md b/memdocs/intune/protect/windows-10-feature-updates.md index 3c27dbd421f..a2259010983 100644 --- a/memdocs/intune/protect/windows-10-feature-updates.md 
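Review bot: The heading is changed to the singular `## Next step` while the list beneath it still has two entries. Either keep `## Next steps`, or use `## Related content`, which is the heading this same commit adopts in windows-laps-policy.md and zimperium-mobile-threat-defense-connector.md.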
+++ b/memdocs/intune/protect/windows-10-feature-updates.md @@ -7,7 +7,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 07/15/2024 +ms.date: 09/10/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -203,7 +203,6 @@ For more information about WPJ limitations for Intune Windows Update policies, s 5. Under **Review + create**, review the settings. When ready to save the Feature updates policy, select **Create**. - ## Upgrade devices to Windows 11 You can use policy for *Feature updates for Windows 10 and later* to upgrade devices that run Windows 10 to Windows 11. @@ -245,7 +244,7 @@ You cannot set the checkbox for an existing policy because changing the checkbox - Deploying an older Windows version to a device won't downgrade the device. Devices only install an update when it's newer than the devices current version. - Deploying a Windows 11 update to a Windows 10 device that supports Windows 11, [upgrades that device](#upgrade-devices-to-windows-11). -## Update behavior when multiple policies target a device: +## Update behavior when multiple policies target a device Consider the following points when feature update policies target a device with more than one update policy, or target a Windows 10 device with an update for Windows 11: 
@@ -257,6 +256,9 @@ Consider the following points when feature update policies target a device with - Using the checkbox **When a device isn't capable of running Windows 11, install the latest Windows 10 feature update** when using multiple policies avoids the problems mentioned in this section and configures the service to detect when the Windows 11 is not eligible for a device and instead offers the latest Windows 10 feature update. +> [!NOTE] +> If you create two policies with the same device/s, where one is set to **Required** and the other set to **Optional** and both policies target the same feature update version, then the update is offered as **Required**. + ## Manage Feature updates for Windows 10 and later policy In the admin center, go to **Devices** > **By platform** > **Windows** > **Manage updates** > **Windows 10 and later updates** > **Feature updates** tab to view your profiles. diff --git a/memdocs/intune/protect/windows-driver-updates-overview.md b/memdocs/intune/protect/windows-driver-updates-overview.md index 5153051df3d..523c4f1e63f 100644 --- a/memdocs/intune/protect/windows-driver-updates-overview.md +++ b/memdocs/intune/protect/windows-driver-updates-overview.md @@ -7,7 +7,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 07/15/2024 +ms.date: 09/10/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -250,6 +250,7 @@ To help avoid issues that require rolling back a driver from large numbers of de ### Why do my devices have driver updates installed that didn't pass through an updates policy? - These are likely *extension* drivers, which are "sub drivers" that a main driver can reference to be installed when the main driver is installed or updated. Extension drivers show up in the installed drivers or update history on the device, but aren't directly manageable. Because extension drivers don't function without base drivers, it's safe to allow them to install. +- Plug and Play can also install drivers automatically. When Windows detects new hardware or software (such as a mouse, keyboard, or webcam) without an existing driver, it installs the latest driver to ensure the component functions immediately. After the initial installation, any future updates to these drivers will require approval. ### How quickly are paused updates actually paused? diff --git a/memdocs/intune/protect/windows-hello.md b/memdocs/intune/protect/windows-hello.md index 55bb9442044..21a991bdf89 100644 --- a/memdocs/intune/protect/windows-hello.md +++ b/memdocs/intune/protect/windows-hello.md 
@@ -40,7 +40,7 @@ For Windows 10/11 devices, use of [Windows Hello for Business](/windows/security After device enrollment, or when you choose not to use the tenant-wide enrollment policy, Intune supports the following methods to manage Windows Hello on discrete groups of devices: -- [**Endpoint security Account protection policy**](../protect/endpoint-security-account-protection-policy.md): To manage Windows Hello on devices after they have enrolled with Intune, use the Intune *Account protection* profile, which is part of endpoint security Account protection policy. +- [**Endpoint security Account protection policy**](../protect/endpoint-security-account-protection-policy.md): To manage settings for Windows Hello on devices after they have enrolled with Intune, use the Intune *Account protection* profile, which is part of endpoint security Account protection policy. - [**Security baselines**](../protect/security-baselines.md): Some settings for Windows Hello can be managed by security baselines like the baselines for *Microsoft Defender for Endpoint security* or *Security Baseline for Windows 10 and later*. diff --git a/memdocs/intune/protect/windows-laps-policy.md b/memdocs/intune/protect/windows-laps-policy.md index 0eb91c319ec..e189e3f8725 100644 --- a/memdocs/intune/protect/windows-laps-policy.md +++ b/memdocs/intune/protect/windows-laps-policy.md 
@@ -49,13 +49,13 @@ Applies to: ## About Intune LAPS policy -Intune’s provides support to configure Windows LAPS on devices through the **Local admin password solution (Windows LAPS)** profile, available through endpoint security policies for [account protection](../protect/endpoint-security-account-protection-policy.md). +Intune supports configuration of Windows LAPS on devices through the **Local admin password solution (Windows LAPS)** profile for endpoint security [account protection](../protect/endpoint-security-account-protection-policy.md) policy. Intune policies manage LAPS by using the Windows LAPS configuration service provider (CSP). Windows LAPS CSP configurations [take precedence](/windows-server/identity/laps/laps-management-policy-settings#supported-policy-roots) over, and overwrite, any existing configurations from other LAPS sources, like GPOs or the [Legacy Microsoft LAPS](https://www.microsoft.com/en-us/download/details.aspx?id=46899) tool. Windows LAPS allows for the management of a single local administrator account per device. Intune policy can specify which local admin account it applies to by use of the policy setting **Administrator Account Name**. If the account name specified in the policy isn’t present on the device, no account is managed. However, when **Administrator Account Name** is left blank, the policy defaults to the devices built-in local admin account that is identified by its well-known relative identifier (RID). -> [!NOTE] +> [!NOTE] > Ensure the [prerequisites](../protect/windows-laps-overview.md#prerequisites) for Intune to support Windows LAPS in your tenant are met before creating policies. > > Intune’s LAPS policies do not create new accounts or passwords. Instead, they manage an account that’s already on the device. 
@@ -143,7 +143,7 @@ For more information, see [Role based access controls for LAPS](../protect/windo 2. On the devices Overview pane, below *Monitor* select **Local admin password**. If your account has sufficient permissions, the Local admin password pane for the device opens, which is the same view that’s available from within the Azure portal. - :::image type="content" source="./media/windows-laps-policy/view-password.png" alt-text="Screen shot that shows the local admin password pane for a Windows device." lightbox="./media/windows-laps-policy/view-password.png"::: + :::image type="content" source="./media/windows-laps-policy/view-password.png" alt-text="Screen shot that shows the local admin password pane for a Windows device." lightbox="./media/windows-laps-policy/view-password.png"::: The following information can be viewed from within the admin center. However, the *Local admin password* can only be viewed when the account was backed up to Microsoft Entra. It can’t be viewed for an account that’s backed up to an on-premises Active Directory (Windows Server Active Directory): @@ -170,7 +170,7 @@ To use this device action, your account must have the following three Intune per - Managed devices: **Read** - Organization: **Read** -- Remote tasks: **Rotate Local Admin Password** +- Remote tasks: **Rotate Local Admin Password** See [Role based access controls for LAPS](../protect/windows-laps-overview.md#role-based-access-controls-for-laps). @@ -218,7 +218,7 @@ When a device that doesn’t have a LAPS policy then receives two conflicting po To resolve conflicts, you must either remove policy assignments from the device, or reconfigure settings in applicable policies until no more conflicts remain. -## Next steps +## Related content - [Introduction to Intune policy for LAPS](../protect/windows-laps-overview.md) - [View reports for LAPS](../protect/windows-laps-reports.md) 
diff --git a/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md b/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md index c10af4b062e..a94db3b9238 100644 --- a/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md +++ b/memdocs/intune/protect/zimperium-mobile-threat-defense-connector.md @@ -8,7 +8,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 11/17/2023 +ms.date: 09/30/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -57,7 +57,7 @@ The Zimperium app for Android and iOS/iPadOS captures file system, network stack - **Support for enrolled devices** - Intune device compliance policy includes a rule for Mobile Threat Defense (MTD), which can use risk assessment information from Zimperium. When the MTD rule is enabled, Intune evaluates device compliance with the policy that you enabled. If the device is found noncompliant, users are blocked access to corporate resources like Exchange Online and SharePoint Online. Users also receive guidance from the Zimperium app installed in their devices to resolve the issue and regain access to corporate resources. To support using Zimperium with enrolled devices: - [Add MTD apps to devices](../protect/mtd-apps-ios-app-configuration-policy-add-assign.md) - [Create a device compliance policy that supports MTD](../protect/mtd-device-compliance-policy-create.md) - - [Enable the MTD connector in Intune](../protect/mtd-connector-enable.md) + - [Enable a Mobile Threat Defense connector](../protect/mtd-connector-enable.md) - **Support for unenrolled devices** - Intune can use the risk assessment data from the Zimperium app on unenrolled devices when you use Intune app protection policies. Admins can use this combination to help protect corporate data within a [Microsoft Intune protected app](../apps/apps-supported-intune-apps.md), Admins can also issue a block or selective wipe for corporate data on those unenrolled devices. To support using Zimperium with unenrolled devices: - [Add the MTD app to unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md) 
@@ -118,14 +118,9 @@ Access is granted on remediation: :::image type="content" source="./media/zimperium-mobile-threat-defense-connector/zimperium-mobile-app-policy-remediated.png" alt-text="Product flow for App protection policies to grant access after malware is remediated."::: -## Next steps +## Related content - [Integrate Zimperium with Intune](zimperium-mtd-connector-integration.md) - - [Set up Zimperium apps](mtd-apps-ios-app-configuration-policy-add-assign.md) - - [Create Zimperium device compliance policy](mtd-device-compliance-policy-create.md) - -- [Enable Zimperium MTD connector](mtd-connector-enable.md) - - [Create an MTD app protection policy](../protect/mtd-app-protection-policy.md) diff --git a/memdocs/intune/enrollment/chrome-enterprise-device-details.md b/memdocs/intune/remote-actions/chrome-enterprise-device-details.md similarity index 79% rename from memdocs/intune/enrollment/chrome-enterprise-device-details.md rename to memdocs/intune/remote-actions/chrome-enterprise-device-details.md index 2c0ae58e449..fb1fe06bb7f 100644 --- a/memdocs/intune/enrollment/chrome-enterprise-device-details.md +++ b/memdocs/intune/remote-actions/chrome-enterprise-device-details.md 
@@ -40,17 +40,17 @@ You can view synced devices in the **Devices** > **All devices** list and throug ## Prerequisites -To view ChromeOS devices and device details, you must be assigned a role that has read permission for *Chrome Enterprise*. +To view ChromeOS devices and device details, you must be assigned a role with *read* permission for *Chrome Enterprise*. Devices must be enrolled before you can see them in the admin center. Enrollment for ChromeOS devices is done in the Google Admin center. You can create the connection before or after you enroll devices. For more information, see [Enroll ChromeOS devices](https://support.google.com/chrome/a/answer/1360534) (opens Chrome Enterprise and Education Help). ## View ChromeOS devices -Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **All devices** to view an aggregated list of all devices in Intune, including those running ChromeOS. The following information is shown for ChromeOS devices: +Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **All devices** to view an aggregated list of all devices in Intune, including those running ChromeOS. The following information is shown for ChromeOS devices: * **Device name**: Device names for ChromeOS devices appear as `Chrome- {serialNumber}`. * **Managed by**: ChromeOS devices are managed by **Intune**. * **Ownership**: ChromeOS devices are always marked as **Corporate**. -* **Compliance**: Compliance policies are not supported with ChromeOS devices in Intune so they'll appear in this column as **Not evaluated**. +* **Compliance**: Compliance policies aren't supported with ChromeOS devices in Intune, so they appear in this column as **Not evaluated**. Select **Filter** to filter the device list by platform. You can also go to the navigation menu and select **ChromeOS** for an exclusive view of ChromeOS devices. 
@@ -78,15 +78,15 @@ You can create dynamic device groups based on a [Google Admin organizational uni 1. For **Membership type**, select **Dynamic Device**. 2. Select **Add a dynamic query**. 3. For **Property**, select **enrollmentProfileName**. Select the **Operator**, depending on how you want the rule to work. For **Value**, enter the name of a Google Admin organizational unit. -2. Create a scope tag for an Intune RBAC role. The scope tag determines the level of access for the Intune role. When you get to **Assignments**, include the dynamic device group you previously created. For more information, see [Use role-based access (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md#to-create-a-scope-tag). +2. Create a scope tag for an Intune RBAC role. The scope tag determines the level of access for the Intune role. When you get to **Assignments**, include the dynamic device group you previously created. For more information, see [Use role-based access (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md#to-create-a-scope-tag). -After you save the scope tag, it's applied to every device that's part of the dynamic device group. The organizational unit's information syncs with the *enrollmentProfileName* device object property in Microsoft Entra ID, using the full path format that's shown in [System info](#system-info). + After you save the scope tag, it applies to every device that's part of the dynamic device group. The organizational unit's information syncs with the *enrollmentProfileName* device object property in Microsoft Entra ID, using the full path format shown in [System info](#system-info). -For example: `/OU Level1/OU Level2`. + For example: `/OU Level1/OU Level2`. -The maximum length of the string is 255 characters. Intune truncates the first part of the string if it exceeds the max number of characters. + The maximum length of the string is 255 characters. 
Intune truncates the first part of the string if it exceeds the max number of characters. -For example: `/OU Level1/OU Level2/.../OU Level18` becomes `evel1/OU Level2/.../OU Level18`. + For example: `/OU Level1/OU Level2/.../OU Level18` becomes `evel1/OU Level2/.../OU Level18`. ## Next steps diff --git a/memdocs/intune/remote-actions/chrome-enterprise-remote-actions.md b/memdocs/intune/remote-actions/chrome-enterprise-remote-actions.md new file mode 100644 index 00000000000..450454aadce --- /dev/null +++ b/memdocs/intune/remote-actions/chrome-enterprise-remote-actions.md 
@@ -0,0 +1,88 @@ +--- +# required metadata + +title: Remote actions for ChromeOS devices | Microsoft Intune +description: Remotely run Microsoft Intune device actions on ChromeOS devices in the Microsoft Intune admin center. +keywords: +author: Lenewsad +ms.author: lanewsad +manager: dougeby +ms.date: 10/09/2024 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: protect +ms.localizationpriority: high + +# optional metadata + +#ROBOTS: +#audience: + +ms.reviewer: shsivak +ms.suite: ems +search.appverid: MET150 +#ms.tgt_pltfrm: +ms.custom: intune-azure +ms.collection: +- tier2 +- M365-identity-device-management +--- + +# Remote device actions for ChromeOS + +Remotely run device actions on ChromeOS devices synced with Microsoft Intune. There are four remote actions supported on ChromeOS devices: + +- Deprovision +- Lost mode, known in Chrome Enterprise as *disabling a device* +- Wipe +- Restart (only for kiosk devices and managed guest session devices) + +To access remote actions, select a device in your **Chrome Enterprise** list or go to **Devices** > **All devices** and select a device. This article describes the remote actions, and provides information about required permissions and known issues. + +## Prerequisites + +[Set up the Chrome Enterprise connector](../enrollment/chrome-enterprise-connector-configure.md) with Microsoft Intune, and enroll devices using the Google Admin console. + +Permission requirements are provided in the sections that follow. + +## Deprovision + +Select **Deprovision** to remove Google Admin policies from devices your organization no longer uses. To deprovision a ChromeOS device, you must be assigned a role that has the *Remote tasks: Retire* permission. + +After you deprovision a device, it remains in the Intune admin center and the Google Admin console. Then on the admin center **System info** page, the device status changes to **DEPROVISIONED**. 
The device can't be enrolled again until you restore it to factory settings. For more information about the deprovision action, such as how to select the best reason for deprovisioning, see the [Chrome Enterprise and Education Help documentation](https://support.google.com/chrome/a/answer/3523633?). + +## Lost mode + +Select **Lost mode** to prevent other people from using a lost or stolen ChromeOS device. Devices in lost mode display the contact information and message you configured in the Google Admin console. To deprovision a device, you must be assigned a role that has the following permissions: + +- *Remote tasks: Enable lost mode* +- *Remote tasks: Disable lost mode* + +>[!TIP] +> Chrome Enterprise and the Google Admin console refer to devices in lost mode as *disabled*. For more information about how to disable a device, see the Chrome Enterprise and Education Help documentation. + +## Wipe + +Select **Wipe** to remove data from a device. With this action, you can either: + +- **Remove user profiles only**: This option removes all user account data. Device and enrollment policies remain on the device. +- **Factory reset (powerwash)**: This option fully restores a device to its factory state, removing all personal and work data. Before using this action, [deprovision](chrome-enterprise-remote-actions.md#deprovision) the device. Otherwise, once it connects to Wi-Fi, it will automatically enroll again. + +To wipe a device, you must be assigned a role that has the *Remote tasks: Wipe* permission. For more information about wiping ChromeOS devices, see [Wipe ChromeOS device data](https://support.google.com/chrome/a/answer/1360642) (opens Google Chrome Enterprise Help). + +## Restart + +Select **Restart** to restart a device. To restart a device, you must be assigned a role that has the *Remote tasks: Reboot now* permission. 
+ +>[!IMPORTANT] +> Device users aren't automatically notified of restarts, and might lose unsaved work if you don't tell them about it ahead of time. + +Restart is only available for kiosk devices and managed guest session devices. The restart fails on any other type of device. For more information, see [Kiosk apps, managed guest sessions, and smart cards](https://support.google.com/chrome/a/topic/6128720?) (opens Google Chrome Enterprise Help). + +## Bulk device actions + +You can issue all of these remote actions as part of a bulk device action. For more information about how to do that, see [Use bulk device actions](bulk-device-actions.md). + +## Known issues + +In some cases, device commands remain in a pending state, even if they’ve already completed or failed. diff --git a/memdocs/intune/remote-actions/collect-diagnostics.md b/memdocs/intune/remote-actions/collect-diagnostics.md index 6135ce25eb5..5dad0d2b000 100644 --- a/memdocs/intune/remote-actions/collect-diagnostics.md +++ b/memdocs/intune/remote-actions/collect-diagnostics.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 02/06/2024 +ms.date: 10/10/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: remote-actions 
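Review bot: The Lost mode section of the new chrome-enterprise-remote-actions.md states its permission requirement as `To deprovision a device, you must be assigned a role that has the following permissions:` even though the permissions that follow are *Remote tasks: Enable lost mode* and *Remote tasks: Disable lost mode*; this reads as a carry-over from the Deprovision section and should say `To enable or disable lost mode on a device, you must be assigned a role that has the following permissions:`. The TIP in the same section sends the reader to "the Chrome Enterprise and Education Help documentation" without a link, while the Deprovision, Wipe and Restart sections each link their Google help page, so either add the link or drop that sentence. The frontmatter sets `ms.subservice: protect`, whereas collect-diagnostics.md in the same remote-actions folder uses `ms.subservice: remote-actions`; confirm which value is intended for this folder.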
@@ -41,7 +41,7 @@ The **Collect diagnostics** remote action lets you collect and download managed ## Collect diagnostics for Microsoft 365 remote applications -The Microsoft 365 remote application diagnostics allows Intune admins to request Intune app protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. Admins can find this report in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Troubleshooting + support** > **Troubleshoot** > *select a user* > **Summary** > *App protection**. This feature is exclusive to applications that are under Intune app protection management. If supported, the application specific logs are gathered and stored within dedicated storage solutions for each application. +The Microsoft 365 remote application diagnostics allows Intune admins to request Intune app protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. Admins can find this report in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Troubleshooting + support** > **Troubleshoot** > *select a user* > **Summary** > *App protection**. This feature is exclusive to applications that are under Intune app protection management. If supported, the application specific logs are gathered and stored within dedicated storage solutions for each application. ### Collect diagnostics from a M365 Application 
@@ -93,12 +93,12 @@ The *Collect diagnostics* remote action is supported for: - Devices that are online and able to communicate with the service during diagnostics > [!NOTE] -> For diagnostics to be able to upload successfully from the client, make sure that the following URLs are not blocked on the network: -> `lgmsapeweu.blob.core.windows.net` -> `lgmsapewus2.blob.core.windows.net` -> `lgmsapesea.blob.core.windows.net` -> `lgmsapeaus.blob.core.windows.net` -> `lgmsapeind.blob.core.windows.net` +> For diagnostics to be able to upload successfully from the client, make sure that the URL for your region is not blocked on the network: +> - `Europe - lgmsapeweu.blob.core.windows.net` +> - `Americas - lgmsapewus2.blob.core.windows.net` +> - `East Asia - lgmsapesea.blob.core.windows.net` +> - `Australia - lgmsapeaus.blob.core.windows.net` +> - `India - lgmsapeind.blob.core.windows.net` ### Collect diagnostics @@ -148,6 +148,7 @@ Registry Keys: - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall +- HKLM\SOFTWARE\Microsoft\DeviceInventory - HKLM\SOFTWARE\Policies - HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL - HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection @@ -200,6 +201,7 @@ Files: - %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\\*.etl - %ProgramFiles%\Microsoft EPM Agent\Logs\\\*.* +- %Program Files%\Microsoft Device Inventory Agent\Logs - %ProgramData%\Microsoft\IntuneManagementExtension\Logs\\\*.* - %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab - %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html diff --git a/memdocs/intune/remote-actions/device-activation-lock-disable.md b/memdocs/intune/remote-actions/device-activation-lock-disable.md index 50d1d397331..b534fac2854 100644 
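Review bot: In the rewritten NOTE of collect-diagnostics.md the region label sits inside the code span (`Europe - lgmsapeweu.blob.core.windows.net`), so the code span no longer holds the exact hostname an administrator would paste into a proxy or firewall allow list; put only the hostname in backticks, e.g. `- Europe:` followed by the hostname in its own code span. The sentence also calls these entries URLs although they are storage hostnames; `make sure that the storage endpoint for your region is not blocked on the network` would be more precise. The previous text asked for all five hosts to be reachable and the new text only the regional one; if uploads can be directed to another region's storage account, the narrower guidance will produce silent upload failures, so this is worth confirming with the service team before publishing.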
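Review bot: The new Files entry `%Program Files%\Microsoft Device Inventory Agent\Logs` uses an environment variable that does not exist on Windows (the variable is `ProgramFiles`, without a space), and it differs from the adjacent `%ProgramFiles%\Microsoft EPM Agent\Logs\\\*.*` entry in the same list; change it to `%ProgramFiles%\Microsoft Device Inventory Agent\Logs\\\*.*`, or state explicitly that the whole directory is collected if the trailing wildcard is not wanted. Consistency matters here because administrators use this list to review what the diagnostics package exports from a device.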
--- a/memdocs/intune/remote-actions/device-activation-lock-disable.md +++ b/memdocs/intune/remote-actions/device-activation-lock-disable.md @@ -32,6 +32,8 @@ ms.collection: # Disable Activation Lock on Apple devices with Intune +> [!TIP] +> You can now turn off Activation Lock directly in Apple Business Manager and Apple School Manager. Learn more on [Apple's User Guide site.](https://support.apple.com/guide/apple-business-manager/axm812df1dd8/web) Microsoft Intune can help you manage Activation Lock, a feature of the Find My iPhone app for iOS/iPadOS and macOS devices. Activation Lock is enabled automatically when a user sets up the Find My iPhone app on a device. After it's enabled, the user's Apple ID and password must be entered before anyone can: - Turn off Find My iPhone @@ -61,7 +63,7 @@ You can read more about Activation Lock on [Apple's web site](https://support.ap There are two methods to disabling Activation Lock on devices: - - Manually entering the Activation Lock bypass code on the device +- Manually entering the Activation Lock bypass code on the device - Using the Disable Activation Lock device action diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml index 258112b2c92..6850eb4bfd6 100644 --- a/memdocs/intune/toc.yml +++ b/memdocs/intune/toc.yml 
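Review bot: The TIP added to device-activation-lock-disable.md appears to be followed directly by the `Microsoft Intune can help you manage Activation Lock...` paragraph with no blank line in between (the hunk's six context lines account for the heading, that paragraph, the first bullet and three blank lines, leaving none after the TIP); in Markdown a paragraph that follows a blockquote without a blank line is a lazy continuation, so the whole introduction would render inside the TIP callout. Add an empty line after the `> You can now turn off Activation Lock ...` line. The link text `[Apple's User Guide site.]` also carries the sentence period inside the link; move it after the closing parenthesis.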
@@ -338,6 +338,30 @@ items: - name: Step 6. Use app protection actions href: /microsoft-365/solutions/apps-protect-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Assign and deploy apps using Microsoft Intune + items: + - name: Overview + href: /microsoft-365/solutions/apps-assign-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + displayName: assign, deploy, app, apps, monitor, troubleshoot + - name: Understand app management + href: /microsoft-365/solutions/apps-assign-management?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Understand app assignments + href: /microsoft-365/solutions/apps-assign-assignments?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Understand app deployment + href: /microsoft-365/solutions/apps-assign-deployment?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Assign apps to your organization + items: + - name: Assign apps overview + href: /microsoft-365/solutions/apps-assign-steps-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 1. Confirm users, devices, or groups + href: /microsoft-365/solutions/apps-assign-step-1?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 2. Assign apps to users, devices, or groups + href: /microsoft-365/solutions/apps-assign-step-2?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 3. Verify and monitor app assignments + href: /microsoft-365/solutions/apps-assign-step-3?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 4. Troubleshoot app deployment issues + href: /microsoft-365/solutions/apps-assign-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Secure your corporate data using Edge for Business items: - name: Overview 
@@ -1169,7 +1193,7 @@ items: - name: Domain Join on Windows href: ./configuration/domain-join-configure.md displayName: enrollment, active directory, azure ad joined, join domain - - name: Update Windows + - name: Delivery Optimization href: ./configuration/delivery-optimization-windows.md displayName: delivery optimization, windows updates - name: Upgrade Windows and S mode @@ -1476,6 +1500,9 @@ items: - name: Get Apple MDM push certificate href: ./enrollment/apple-mdm-push-certificate-get.md displayName: digital; certificates; notifications; token; PEM; automated device enrollment; user enrollment; device enrollment + - name: Configure Chrome Enterprise connector + href: ./enrollment/chrome-enterprise-connector-configure.md + displayName: chrome os; connector; device management; google admin - name: Add corporate identifiers href: ./enrollment/corporate-identifiers-add.md displayName: COD; corporate owned; IMEI; device ownership; serial @@ -1506,14 +1533,6 @@ items: href: ./enrollment/create-device-platform-restrictions.md - name: Create device limit restrictions href: ./enrollment/create-device-limit-restrictions.md - - name: Configure Chrome Enterprise connector - items: - - name: Configure Chrome Enterprise connector - href: ./enrollment/chrome-enterprise-connector-configure.md - - name: View ChromeOS device information in Intune - href: ./enrollment/chrome-enterprise-device-details.md - - name: Remote device actions for ChromeOS - href: ./enrollment/chrome-enterprise-remote-actions.md - name: Set up Windows enrollment items: @@ -1711,6 +1730,8 @@ items: href: ./remote-actions/find-primary-user.md - name: Other actions items: + - name: Remote actions for ChromeOS + href: ./remote-actions/chrome-enterprise-remote-actions.md - name: Locate device href: ./remote-actions/device-locate.md - name: Rename device 
@@ -1723,6 +1744,8 @@ items: href: ./remote-actions/device-sync.md - name: Examine device inventory href: ./remote-actions/device-inventory.md + - name: View ChromeOS device information + href: ./remote-actions/chrome-enterprise-device-details.md - name: Collect diagnostics href: ./remote-actions/collect-diagnostics.md - name: Remove apps and configuration @@ -1842,6 +1865,16 @@ items: href: ./industry/education/tutorial-school-deployment/common-config-settings-catalog-start-menu.md - name: OneDrive Known Folder Move href: ./industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md + - name: Intune policies for iPads in Education + items: + - name: Device restrictions + href: ./industry/education/tutorial-school-deployment/common-config-ipads-device-restrictions.md + - name: Apple Intelligence + href: ./industry/education/tutorial-school-deployment/common-config-ipads-ai.md + - name: iPads with no user affinity + href: ./industry/education/tutorial-school-deployment/common-config-ipads-nouser.md + - name: Optional restrictions + href: ./industry/education/tutorial-school-deployment/common-config-ipads-optional.md - name: Intune for Education docs href: /intune-education/ 
@@ -2038,6 +2071,30 @@ items: - name: Step 6. Use app protection actions href: /microsoft-365/solutions/apps-protect-step-6?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Assign and deploy apps using Microsoft Intune + items: + - name: Overview + href: /microsoft-365/solutions/apps-assign-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + displayName: assign, deploy, app, apps, monitor, troubleshoot + - name: Understand app management + href: /microsoft-365/solutions/apps-assign-management?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Understand app assignments + href: /microsoft-365/solutions/apps-assign-assignments?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Understand app deployment + href: /microsoft-365/solutions/apps-assign-deployment?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Assign apps to your organization + items: + - name: Assign apps overview + href: /microsoft-365/solutions/apps-assign-steps-overview?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 1. Confirm users, devices, or groups + href: /microsoft-365/solutions/apps-assign-step-1?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 2. Assign apps to users, devices, or groups + href: /microsoft-365/solutions/apps-assign-step-2?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 3. Verify and monitor app assignments + href: /microsoft-365/solutions/apps-assign-step-3?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Step 4. Troubleshoot app deployment issues + href: /microsoft-365/solutions/apps-assign-step-4?toc=%2Fmem%2Fintune%2Ftoc.json&bc=%2Fmem%2Fintune%2Fbreadcrumb%2Ftoc.json + - name: Secure your corporate data using Edge for Business items: - name: Overview 
diff --git a/memdocs/intune/user-help/TOC.yml b/memdocs/intune/user-help/TOC.yml index 5da28582683..6b7e5fa91b7 100644 --- a/memdocs/intune/user-help/TOC.yml +++ b/memdocs/intune/user-help/TOC.yml @@ -86,16 +86,6 @@ items: href: use-microsoft-tunnel-android.md - name: Installing Company Portal app in China href: install-company-portal-android-china.md - - name: Resolve a threat in MTD app - items: - - name: Lookout for Work - href: you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md - - name: Symantec Endpoint Protection Mobile - href: you-need-to-resolve-a-threat-found-by-skycure-android.md - - name: Harmony Mobile Protect - href: you-need-to-resolve-a-threat-found-by-checkpoint-android.md - - name: Zimperium zIPS - href: you-need-to-resolve-a-threat-found-by-zips-android.md - name: Get help items: - name: Report a problem @@ -124,7 +114,7 @@ items: items: - name: Migrate account to new iPhone href: set-up-migrate-iphone-for-work.md - - name: Manually sync iOS/iPadOS device + - name: Check device status href: sync-your-device-manually-ios.md - name: Reset iOS/iPadOS device href: effects-of-device-reset-company-portal-ios.md @@ -140,16 +130,6 @@ items: href: use-managed-apps-on-your-device-ios.md - name: Use Microsoft Tunnel for iOS href: use-microsoft-tunnel-iOS.md - - name: Resolve a threat in MTD app - items: - - name: Lookout for Work - href: you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md - - name: Symantec Endpoint Protection Mobile - href: you-need-to-resolve-a-threat-found-by-skycure-ios.md - - name: Harmony Mobile Protect - href: you-need-to-resolve-a-threat-found-by-checkpoint-ios.md - - name: Zimperium zIPS - href: you-need-to-resolve-a-threat-found-by-zips-ios.md - name: Get help items: - name: Retrieve app logs 
@@ -200,6 +180,8 @@ items: href: enroll-windows-10-device.md - name: Unenroll device href: unenroll-your-device-from-intune-windows.md + - name: Enrollment dialog FAQs + href: sso-dialog-faqs.yml - name: Company Portal app for Windows items: diff --git a/memdocs/intune/user-help/check-device-access-windows-cpapp.md b/memdocs/intune/user-help/check-device-access-windows-cpapp.md index 4c24642d19e..af4d67761b5 100644 --- a/memdocs/intune/user-help/check-device-access-windows-cpapp.md +++ b/memdocs/intune/user-help/check-device-access-windows-cpapp.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 05/15/2024 +ms.date: 10/16/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user 
@@ -30,26 +30,36 @@ ms.collection: # Check access from Company Portal app for Windows -Verify that your device has access to work or school resources. +Verify that your device has access to work or school resources. The *check access* action in Company Portal evaluates your device's settings and its access status. -Organizations enforce requirements–such as encryption and password limits– to make sure only secure, trusted devices access their data. Managed devices must meet and maintain these requirements to access the organization's resources. - -The **Check access** action evaluates your device's settings and its access status. The **Device details** page lists the settings you need to adjust to regain access. - -Complete the steps in this article to check access from the Company Portal app for Windows. +Organizations enforce requirements, such as encryption and password limits, to make sure only secure, trusted devices access their internal resources. Your device must meet and maintain these requirements to gain access. Complete the steps in this article to check access from the Company Portal app for Windows. > [!NOTE] > If you don't have the Company Portal app installed, you can still [use the Company Portal website to check access](check-status-company-portal-website.md). -## Check access from Device details page +## Check access + 1. Open the Company Portal app for Windows and go to **Devices**. + + > [!div class="mx-imgBorder"] + > ![Screenshot of the Company Portal app for Windows highlighting the "Devices" option.](./media/check-device-access-windows-cpapp/company-portal-windows-devices.png) + 2. Select a device. -3. Under **Device status**, select **Check access**. The app syncs your device with your organization's current requirements and checks to make sure your device matches them. This check can take a few minutes. + +3. Under **Device status**, select **Check access**. 
+ + > [!div class="mx-imgBorder"] + > ![Image of the Company Portal app Devices page highlighting the "Check access" button ](./media/check-device-access-windows-cpapp/company-portal-windows-check-access.png) + + + The app syncs your device with your organization's current requirements and checks to make sure your device matches them. This check can take a few minutes. + 4. Look at the status update. - **Can access company resources**: No other action needed. - - **Cannot access company resources**: Take the required remediation actions to regain access to company resources. After you update flagged settings, select **Check access** to recheck access. - - **Can access company resources, but action required**: Take the required remediation actions by the specified date or lose access to company resources. After you update flagged settings, select **Check access** to recheck access. -5. When applicable, the status message shows Microsoft Learn help links and remediation actions. Select one or more of these options to start troubleshooting right away. The resolve, check access, and contact actions in the following list are only visible when you're using Company Portal on the affected device. + - **Cannot access company resources**: Take the required remediation actions to regain access to company resources. After you update flagged settings, select **Check access** to recheck access. + - **Can access company resources, but action required**: Take the required remediation actions by the specified date or lose access to company resources. After you update flagged settings, select **Check access** to recheck access. + +5. When applicable, the status message shows Microsoft Learn help links and remediation actions. To start troubleshooting right away, select one or more of the options. The *resolve*, *check access*, and *contact* actions in the following list are only visible when you're using Company Portal on the affected device. 
* **How to resolve this** opens a relevant help article, if available. * **Resolve** redirects you to the setting on your device. diff --git a/memdocs/intune/user-help/check-status-linux.md b/memdocs/intune/user-help/check-status-linux.md index 5cb7ad25f89..3119602cb36 100644 --- a/memdocs/intune/user-help/check-status-linux.md +++ b/memdocs/intune/user-help/check-status-linux.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/29/2023 +ms.date: 10/08/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user @@ -28,14 +28,18 @@ ms.collection: - tier2 --- -# Check status in Microsoft Intune app for Linux -You can use the Microsoft Intune app for Linux to resolve access and compliance issues for enrolled devices. This article describes how to: +# Check status in Microsoft Intune app for Linux + +You can use the Microsoft Intune app for Linux to resolve access and compliance issues for enrolled devices. This article describes how to: * View the status of a device + * View and resolve compliance issues with your device settings -* Refresh device status + +* Refresh device status ## View device status + The Intune app routinely checks in with your device to verify that it complies with setting requirements. Check-ins occur at the time of enrollment, and thereafter whenever you're using your device for work. The status reveals the result of the last check-in. To view the status of a device, sign in to the Intune app and select the device. There are three statuses in the Intune app: 
@@ -50,17 +54,20 @@ There are three statuses in the Intune app: To view compliance issues: -1. Sign in to the Intune app. -2. Select a device. -3. On the device details page, select **View Issues**. This option is only available when issues are present. -The app shows you the: +1. Sign in to the Intune app. + +2. Select a device. + +3. On the device details page, select **View Issues**. This option is only available when issues are present. + +The app shows you the following information: - * Action required, such as *Upgrade your operating system*. + * The action required, such as *Upgrade your operating system*. - * Reason for noncompliance, such as *This device’s operating system is not supported*. + * The reason for noncompliance, such as *This device’s operating system is not supported*. - * **How to resolve this** link that, when available, points to a help article on learn.microsoft.com. + * The **How to resolve this** link that, when available, points to a help article on learn.microsoft.com. ### Operating system and version When OS and version requirements are enforced, devices running Linux flavors or versions that aren't supported are marked as noncompliant. To resolve this issue, upgrade to or install a version that’s supported by your organization. @@ -82,4 +89,4 @@ Not all filesystem partitions need to be encrypted: * The */boot* or */boot/efi* partitions are ignored. -Intune supports all encryption systems that use the [*dm-crypt* subsystem](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt), the standard underlying infrastructure for Linux systems. We recommend setting up dm-crypt by using the *LUKS format* with the *cryptsetup tool*. \ No newline at end of file +Intune supports all encryption systems that use the [*dm-crypt* subsystem](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt), the standard underlying infrastructure for Linux systems. We recommend setting up dm-crypt by using the *LUKS format* with the *cryptsetup tool*. 
diff --git a/memdocs/intune/user-help/device-little-different-jamf.md b/memdocs/intune/user-help/device-little-different-jamf.md index b12cc775ea3..5159ac6b27b 100644 --- a/memdocs/intune/user-help/device-little-different-jamf.md +++ b/memdocs/intune/user-help/device-little-different-jamf.md @@ -7,7 +7,7 @@ keywords: Mac OS X, macOS, OS X author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/03/2023 +ms.date: 10/08/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user diff --git a/memdocs/intune/user-help/effects-of-device-reset-company-portal-ios.md b/memdocs/intune/user-help/effects-of-device-reset-company-portal-ios.md index c645f8a44ab..60e191a20ab 100644 --- a/memdocs/intune/user-help/effects-of-device-reset-company-portal-ios.md +++ b/memdocs/intune/user-help/effects-of-device-reset-company-portal-ios.md @@ -37,7 +37,7 @@ If your device is only set up to access work or school email, your email account ## Availability of factory reset option -The factory reset option isn't available for all iOS devices. If you're an IT support person and want to find out more about these limitations, see [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe). +The factory reset option isn't available for all iOS devices. If you're an IT support person and want to find out more about these limitations, see [Remove devices by using wipe, retire, or manually unenrolling the device](/mem/intune/remote-actions/devices-wipe). ## Factory reset device To reset a device to its original, out-of-box settings: diff --git a/memdocs/intune/user-help/enroll-company-device-macos.md b/memdocs/intune/user-help/enroll-company-device-macos.md index a445ddb913c..31175865ca7 100644 --- a/memdocs/intune/user-help/enroll-company-device-macos.md +++ b/memdocs/intune/user-help/enroll-company-device-macos.md 
@@ -38,7 +38,7 @@ To begin management setup, power on your device and sign in with your work or sc ## What is Apple's Automated Device Enrollment? -Your organization might have purchased their devices through an Apple program called *Automated Device Enrollment* (formerly referred to as their device enrollment program or *DEP*). Automated Device Enrollment lets organizations buy large amounts of iOS, iPadOS or macOS devices. Organizations can then configure and manage those devices within their preferred mobile device management provider, such as Intune. If you're an administrator and want more information about Apple ADE, see [Automatically enroll macOS devices with Apple's Automated Device Enrollment with ABM/ASM](/intune/enrollment/device-enrollment-program-enroll-macos). +Your organization might have purchased their devices through an Apple program called *Automated Device Enrollment* (formerly referred to as their device enrollment program or *DEP*). Automated Device Enrollment lets organizations buy large amounts of iOS, iPadOS or macOS devices. Organizations can then configure and manage those devices within their preferred mobile device management provider, such as Intune. If you're an administrator and want more information about Apple ADE, see [Automatically enroll macOS devices with Apple's Automated Device Enrollment with ABM/ASM](/mem/intune/enrollment/device-enrollment-program-enroll-macos). ## Get your device managed diff --git a/memdocs/intune/user-help/enroll-device-aosp.md b/memdocs/intune/user-help/enroll-device-aosp.md index 32d41eada66..3280643f764 100644 --- a/memdocs/intune/user-help/enroll-device-aosp.md +++ b/memdocs/intune/user-help/enroll-device-aosp.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 07/01/2024 +ms.date: 09/24/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user 
@@ -48,16 +48,21 @@ Additionally, you need the enrollment QR code that's provided by your organizati Complete these steps to set up and enroll your device. 1. Turn on your new or factory-reset device. -2. If prompted to, connect to Wi-Fi. Then tap **NEXT**. -3. Scan the QR code provided by your organization. -4. Follow the onscreen prompts to enroll your device. -5. If prompted to, review the device terms and conditions. Then select **ACCEPT & CONTINUE**. -6. The Microsoft Intune app opens. The next step depends on the type of device you're using. Complete the step that matches the screen shown on your device: +1. If prompted to, connect to Wi-Fi. Then tap **NEXT**. +1. When you receive the QR code, stop. Then make sure that: + + - The QR code comes from a trusted source, via a trusted channel. + + - You're enrolling your device into the right organization. +1. Scan the QR code. +1. Follow the onscreen prompts to enroll your device. +1. If prompted to, review the device terms and conditions. Then select **ACCEPT & CONTINUE**. +1. The Microsoft Intune app opens. The next step depends on the type of device you're using. Complete the step that matches the screen shown on your device: - Tap **START** to begin enrollment. - Sign in with your work account. 1. Enter your email, and then tap **NEXT**. 2. Enter your password, and then tap **SIGN IN** to begin enrollment. -7. When you see the message that your device is ready, tap **DONE**. +1. When you see the message that your device is ready, tap **DONE**. If after enrolling you have trouble accessing your organization's resources, go to the Microsoft Intune app to verify that all of your device settings meet your organization's requirements. For more information about checking compliance, see [Check compliance on your AOSP device](check-compliance-aosp.md). diff --git a/memdocs/intune/user-help/enroll-windows-10-device.md b/memdocs/intune/user-help/enroll-windows-10-device.md index bcfd9756c8d..6f547f14c29 100644 
--- a/memdocs/intune/user-help/enroll-windows-10-device.md +++ b/memdocs/intune/user-help/enroll-windows-10-device.md @@ -98,7 +98,7 @@ For a non-exhaustive list of error messages and resolutions, see [Troubleshoot W ## Support for IT administrators -If you're an IT administrator and run into problems while enrolling devices, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/help/4469913). This article lists common errors, their causes, and steps to resolve them. +If you're an IT administrator and run into problems while enrolling devices, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/device-enrollment/troubleshoot-windows-enrollment-errors). This article lists common errors, their causes, and steps to resolve them. ## Next steps If you need more help setting up your device or using Company Portal, contact your support person. Sign in to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) for your organization's contact information. diff --git a/memdocs/intune/user-help/help-support-windows-cpapp.md b/memdocs/intune/user-help/help-support-windows-cpapp.md index d6278fabdca..98fb338cc85 100644 --- a/memdocs/intune/user-help/help-support-windows-cpapp.md +++ b/memdocs/intune/user-help/help-support-windows-cpapp.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/21/2023 +ms.date: 10/16/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user 
@@ -30,7 +30,12 @@ ms.collection: # Get help and support in Company Portal app for Windows -Go to **Help & support** in the Intune Company Portal app for Windows to troubleshoot app and access problems. You can: +Go to **Help & support** in the Intune Company Portal app for Windows to troubleshoot app and access problems. + + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app highlighting the "Help & support" option and "Help & support" page.](./media/help-support-windows-cpapp/company-portal-windows-support.png) + +From Help & support, you can: * Request help and send logs * Report problems with the app 
@@ -41,20 +46,20 @@ If the problem you're experiencing prevents you from accessing help and support ## Request help and send logs -Email your organization about any problems you experience in Company Portal. Select **Upload logs & contact support** to open the email template in your preferred mail app. In the body of the email, describe the problem. For more information, see [Send logs to your company support from the Company Portal app for Windows](send-logs-to-your-it-admin-cp-windows.md). +Email your organization about problems you experience in Company Portal. Select **Upload Logs** to open the email template in your preferred mail app. In the body of the email, describe the problem. For more information, see [Send logs to your company support from the Company Portal app for Windows](send-logs-to-your-it-admin-cp-windows.md). ## Report app problems to Microsoft -Select **Report problem to Microsoft**. On the **Feedback for Microsoft** page, choose from the following options: +If you experience trouble in the app, select **Report problem to Microsoft**. Then on the **Feedback for Microsoft** page, choose from the following options: * Report a problem or bug that you see in the app * Send a suggestion or idea you have for the app * Leave a review for the app in Microsoft Store ## View helpdesk contact details -Use your organization's helpdesk details, such as phone number, emails, and website to quickly troubleshoot work or school access. +Use your organization's contact information to quickly troubleshoot work or school access. ## Find answers to frequently asked questions -Under **Frequently asked questions** find answers to the most common questions people ask when enrolling their devices. Select a question to go to the relevant help article on Microsoft Learn. +Under **Frequently asked questions** find the most common questions people ask when enrolling their devices. Select a question to go to the relevant help article on Microsoft Learn. 
## IT pro and administrator documentation For help and support documentation for IT pros and Intune administrators, see: diff --git a/memdocs/intune/user-help/install-a-new-version-of-the-company-portal-app.md b/memdocs/intune/user-help/install-a-new-version-of-the-company-portal-app.md index 93a03fbe42b..e7fa580cca2 100644 --- a/memdocs/intune/user-help/install-a-new-version-of-the-company-portal-app.md +++ b/memdocs/intune/user-help/install-a-new-version-of-the-company-portal-app.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/29/2023 +ms.date: 10/08/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user 
@@ -54,37 +54,56 @@ Google Play Store notifies you when a new version of the Company Portal is avail ## Update on iOS device -Check for available Company Portal updates in the App Store. For more information, see the Apple Support article for [How to manually update apps on your Apple device](https://support.apple.com/en-us/HT202180). After you install updates, sync your device in Company Portal. +Check for available Company Portal updates in the App Store. For more information, see the Apple Support article for [How to manually update apps on your Apple device](https://support.apple.com/en-us/HT202180). + +After you install the updates, run a status check on your device in Company Portal. 1. Open Company Portal and go to **Devices**. + 2. Select the device that you're currently using. -3. Select **Check Status** to sync your changes. + +3. Select **Check Status**. > [!NOTE] > The minimum supported version of the Company Portal app for iOS/iPadOS is v5.2311.1. If you're running an older version, you will be prompted to update the Company Portal app when you sign in. ## Update on macOS device -To view and install available updates on a macOS device: +To view available updates for Company Portal on a macOS device: 1. Open Company Portal and go to **Help**. -2. Select **Check for updates**, and then select the available update to begin installation. -4. When the update is complete, return to Company Portal > **Devices**. -5. Select the device that you're currently using. -6. Select **More [...]** and then choose **Check Status** to sync your device. -To turn on automatic app updates: +1. Select **Check for updates**, and then select the available update to begin installation. + +1. After you install the updates, run a status check on your device in Company Portal. Go to **Devices**. + +1. Select the device that you're currently using. + +1. Select **More [...]** and then choose **Check Status**. + +To turn on automatic app updates: + 1. 
Open Company Portal and go to **Help**. -2. Select **Check for updates**. + +2. Select **Check for updates**. + 3. On the Microsoft AutoUpdate screen, select **Automatically download and install**. ## Update on Windows device -To view available updates for Company Portal for Windows 10/11, open the Microsoft Store and select **Get Updates**. -1. Open Company Portal and go to **Devices**. -2. Select the device you're currently using. -3. Select **Check access** to sync your device. -You can turn on automatic updates to ensure that you don't miss updates. For more information, see [Turn on automatic app updates](https://support.microsoft.com/windows/turn-on-automatic-app-updates-70634d32-4657-dc76-632b-66048978e51b). Your organization can disable automatic app updates. If automatic app updates are unavailable, use the first set of Windows 10/11 instructions (Microsoft Store > **Get Updates**) in the Microsoft Support article to update your app. +To view available app updates on devices running Windows 10/11: + +1. Open the Microsoft Store app and go to **Downloads**. + +1. Select **Get Updates**. + +1. After you install the updates, run a status check on your device in Company Portal. Go to **Devices**. + +1. Select the device you're currently using. + +1. Select **Check access**. + +Optionally, turn on automatic updates to ensure that you don't miss updates. For more information, see [Turn on automatic app updates](https://support.microsoft.com/windows/turn-on-automatic-app-updates-70634d32-4657-dc76-632b-66048978e51b). Your organization can disable automatic app updates on devices used for work, so this option might be unavailable. ## Next steps diff --git a/memdocs/intune/user-help/install-apps-cpapp-windows.md b/memdocs/intune/user-help/install-apps-cpapp-windows.md index 2a8251b5d6e..7d42b772bef 100644 --- a/memdocs/intune/user-help/install-apps-cpapp-windows.md +++ b/memdocs/intune/user-help/install-apps-cpapp-windows.md 
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 06/28/2024
+ms.date: 10/07/2024
 ms.topic: end-user-help
 ms.service: microsoft-intune
 ms.subservice: end-user
@@ -48,20 +48,22 @@ Required apps are necessary for work and school and are deployed directly to you To find out which installed apps are required: 1. Sign into the Company Portal app with your work or school account. -2. Go to **Downloads & updates**. +2. Go to **Downloads & updates**. + ![Screenshot of the Downloads & updates page for the Company Portal app for Windows. ](./media/windows-companyportal-02.png) 3. In the table, look under the column **Required by your organization**. A *yes* means that the app is required on your enrolled device. ## Install apps Before you begin, install [Intune Company Portal for Windows from the Microsoft Store](https://apps.microsoft.com/detail/9WZDNCRFJ3PZ). -1. Sign in to the Company Portal app on your work or school device. +1. Sign in to the Company Portal app on your work or school device. You'll see the latest notifications on the Home page. + ![Screenshot of the Home page with notifications in the Company Portal app for Windows.](./media/windows-companyportal-03.png) 2. You can access available apps from the following places in Company Portal: * **Home**: Go to **Home** to view your organization's featured apps. * **Apps**: Go to **Apps** to view, sort, and filter through all available apps. * **App categories**: Go to **App categories** to browse apps by type or function. Apps in this area are sorted into categories picked by your organization, like *featured*, *education*, and *productivity*. * **Search for apps**: Use the static search bar in the navigation pane to search apps by name or publisher. -3. Select an app, and then choose **Install**. The app's installation status changes to *Installed* when installation is done. Select **Retry** if a required app fails to install and the option to retry is available. It could take up to ten minutes for the installation status to update itself. +3. Select an app, and then choose **Install**. 
The app's installation status changes to *Installing* while the app installation occurs, then *Installed* when installation is done. Select **Retry** if a required app fails to install and the option to retry is available. It could take up to ten minutes for the installation status to update itself. > [!TIP] > To select and install more than one app at a time, go to **Apps** and switch the layout view to multi-select mode. Then select the checkbox next to each app you want to install. Choose **Install selected** to install them. @@ -79,6 +81,7 @@ Select **Sort by** to rearrange the apps alphabetically by app or publisher name ## View installed apps Go to **Downloads & updates** to see a list of installed apps on your device. If no apps are available to view, you'll see a message that no company apps were installed. +![Screenshot of the Downloads & updates page for the Company Portal app for Windows.](./media/windows-companyportal-02.png) The following information is available for each app: @@ -91,8 +94,6 @@ The following information is available for each app: ## Installing Microsoft Office Depending on the size of your workplace or school, there could be multiple versions of Office available to install in Company Portal. You should only install one version of Office. If you try to install an additional one, the first one will be uninstalled. If you're unsure which version is best for your role, contact your IT support person for guidance. -![The Company Portal app for Windows showing 2 versions of Office side by side.](./media/multiple-office-installs-cp-win10.png) - ## Share apps Share and recommend apps to your work or school contacts. The following steps describe how to share a link directly from Company Portal. diff --git a/memdocs/intune/user-help/intune-app-logs-aosp.md b/memdocs/intune/user-help/intune-app-logs-aosp.md index 7234c23155c..c248fd61db9 100644 --- a/memdocs/intune/user-help/intune-app-logs-aosp.md 
+++ b/memdocs/intune/user-help/intune-app-logs-aosp.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/04/2024
+ms.date: 10/08/2024
 ms.topic: end-user-help
 ms.service: microsoft-intune
 ms.subservice: end-user
diff --git a/memdocs/intune/user-help/intune-company-portal-password-message-reference.md b/memdocs/intune/user-help/intune-company-portal-password-message-reference.md
index 694248cfb94..10dfefb308c 100644
--- a/memdocs/intune/user-help/intune-company-portal-password-message-reference.md
+++ b/memdocs/intune/user-help/intune-company-portal-password-message-reference.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/18/2024
+ms.date: 10/08/2024
 ms.topic: end-user-help
 ms.localizationpriority: high
 ms.service: microsoft-intune
diff --git a/memdocs/intune/user-help/intune-company-portal-preferences-macos.md b/memdocs/intune/user-help/intune-company-portal-preferences-macos.md
index c18ef27f83c..f07cb8726bc 100644
--- a/memdocs/intune/user-help/intune-company-portal-preferences-macos.md
+++ b/memdocs/intune/user-help/intune-company-portal-preferences-macos.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 05/06/2024
+ms.date: 10/08/2024
 ms.topic: end-user-help
 ms.service: microsoft-intune
 ms.subservice: end-user
@@ -36,13 +36,14 @@ Select your preferences for single sign-on and in-app data collection in Company 2. Go to the menu bar and select **Company Portal** > **Preferences**. ## Single sign-on + Single sign-on (SSO) configures your work or school account so that you only have to authenticate once to access all cloud-based work apps and services. Preferences include: * **Register device**: Register your device to enable SSO and gain access to protected resources. This setting is only available on devices enabled for platform SSO. -* **Deregister**: Remove device registration and disable SSO. To access protected resources again on this device, you must reregister. This setting is only available on devices enabled for platform SSO. +* **Deregister**: Remove device registration and disable SSO. To access protected resources again on this device, you must reregister. This setting is only available on devices enabled for platform SSO. -* **Remove account from this device**: Remove your work or school account and any SSO authentication tokens from the device. +* **Remove account from this device**: Remove your work or school account and any SSO authentication tokens from the device. To opt out of SSO on your Mac, select the checkbox next to **Don't ask me to sign in with single sign-on for this device**. 
@@ -50,7 +51,7 @@ To opt out of SSO on your Mac, select the checkbox next to **Don't ask me to sig This setting enables Microsoft to collect data about your Intune Company Portal usage. When the checkbox is selected, your in-app performance and usage data are automatically anonymized and shared with Microsoft to help improve the reliability and performance of our products. Your organization doesn't have control over the collection of this data and cannot change your preference. -To turn off data collection in Company Portal, clear the checkbox next to **Allow Microsoft to collect usage data**. +To turn off data collection in Company Portal, deselect the checkbox next to **Allow Microsoft to collect usage data**. ## Advanced logging diff --git a/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-check-access.png b/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-check-access.png new file mode 100644 index 00000000000..159df0544ad Binary files /dev/null and b/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-check-access.png differ diff --git a/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-devices.png b/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-devices.png new file mode 100644 index 00000000000..63658dc7adf Binary files /dev/null and b/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-devices.png differ diff --git a/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-rename.png b/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-rename.png new file mode 100644 index 00000000000..ca39da2fd86 Binary files /dev/null and b/memdocs/intune/user-help/media/check-device-access-windows-cpapp/company-portal-windows-rename.png differ 
diff --git a/memdocs/intune/user-help/media/help-support-windows-cpapp/company-portal-windows-support.png b/memdocs/intune/user-help/media/help-support-windows-cpapp/company-portal-windows-support.png
new file mode 100644
index 00000000000..132f67b1636
Binary files /dev/null and b/memdocs/intune/user-help/media/help-support-windows-cpapp/company-portal-windows-support.png differ
diff --git a/memdocs/intune/user-help/media/reset-device-company-portal-windows/company-portal-windows-reset-confirmation.png b/memdocs/intune/user-help/media/reset-device-company-portal-windows/company-portal-windows-reset-confirmation.png
new file mode 100644
index 00000000000..61106e339c4
Binary files /dev/null and b/memdocs/intune/user-help/media/reset-device-company-portal-windows/company-portal-windows-reset-confirmation.png differ
diff --git a/memdocs/intune/user-help/media/reset-device-company-portal-windows/company-portal-windows-reset.png b/memdocs/intune/user-help/media/reset-device-company-portal-windows/company-portal-windows-reset.png
new file mode 100644
index 00000000000..87e1000508a
Binary files /dev/null and b/memdocs/intune/user-help/media/reset-device-company-portal-windows/company-portal-windows-reset.png differ
diff --git a/memdocs/intune/user-help/media/sso-dialog-faqs/sso-consent-screen-mdm.png b/memdocs/intune/user-help/media/sso-dialog-faqs/sso-consent-screen-mdm.png
new file mode 100644
index 00000000000..eccdedefcb3
Binary files /dev/null and b/memdocs/intune/user-help/media/sso-dialog-faqs/sso-consent-screen-mdm.png differ
diff --git a/memdocs/intune/user-help/media/sso-dialog-faqs/sso-consent-screen-no-mdm.png b/memdocs/intune/user-help/media/sso-dialog-faqs/sso-consent-screen-no-mdm.png
new file mode 100644
index 00000000000..33dc5dbb392
Binary files /dev/null and b/memdocs/intune/user-help/media/sso-dialog-faqs/sso-consent-screen-no-mdm.png differ
diff --git a/memdocs/intune/user-help/media/sync-your-device-manually-windows/company-portal-windows-settings.png b/memdocs/intune/user-help/media/sync-your-device-manually-windows/company-portal-windows-settings.png
new file mode 100644
index 00000000000..766de1ce94d
Binary files /dev/null and b/memdocs/intune/user-help/media/sync-your-device-manually-windows/company-portal-windows-settings.png differ
diff --git a/memdocs/intune/user-help/media/sync-your-device-manually-windows/company-portal-windows-sync.png b/memdocs/intune/user-help/media/sync-your-device-manually-windows/company-portal-windows-sync.png
new file mode 100644
index 00000000000..4848a513e3c
Binary files /dev/null and b/memdocs/intune/user-help/media/sync-your-device-manually-windows/company-portal-windows-sync.png differ
diff --git a/memdocs/intune/user-help/media/turn-off-microsoft-usage-data-collection-windows/company-portal-windows-usage-data.png b/memdocs/intune/user-help/media/turn-off-microsoft-usage-data-collection-windows/company-portal-windows-usage-data.png
new file mode 100644
index 00000000000..07361c7e523
Binary files /dev/null and b/memdocs/intune/user-help/media/turn-off-microsoft-usage-data-collection-windows/company-portal-windows-usage-data.png differ
diff --git a/memdocs/intune/user-help/media/windows-companyportal-01.png b/memdocs/intune/user-help/media/windows-companyportal-01.png
new file mode 100644
index 00000000000..ea1b7161e54
Binary files /dev/null and b/memdocs/intune/user-help/media/windows-companyportal-01.png differ
diff --git a/memdocs/intune/user-help/media/windows-companyportal-02.png b/memdocs/intune/user-help/media/windows-companyportal-02.png
new file mode 100644
index 00000000000..03df0cce181
Binary files /dev/null and b/memdocs/intune/user-help/media/windows-companyportal-02.png differ
diff --git a/memdocs/intune/user-help/media/windows-companyportal-03.png b/memdocs/intune/user-help/media/windows-companyportal-03.png
new file mode 100644
index 00000000000..6c1439dbb76
Binary files /dev/null and b/memdocs/intune/user-help/media/windows-companyportal-03.png differ
diff --git a/memdocs/intune/user-help/media/windows-companyportal-04.png b/memdocs/intune/user-help/media/windows-companyportal-04.png
new file mode 100644
index 00000000000..eaed9daa254
Binary files /dev/null and b/memdocs/intune/user-help/media/windows-companyportal-04.png differ
diff --git a/memdocs/intune/user-help/remove-your-device-cpwebsite.md b/memdocs/intune/user-help/remove-your-device-cpwebsite.md
index 8e34521e725..b588244bf2d 100644
--- a/memdocs/intune/user-help/remove-your-device-cpwebsite.md
+++ b/memdocs/intune/user-help/remove-your-device-cpwebsite.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 11/29/2023
+ms.date: 10/08/2024
 ms.topic: end-user-help
 ms.service: microsoft-intune
 ms.subservice: end-user
diff --git a/memdocs/intune/user-help/rename-your-device-cpapp.md b/memdocs/intune/user-help/rename-your-device-cpapp.md
index 3067e4826fe..0ab404bc516 100644
--- a/memdocs/intune/user-help/rename-your-device-cpapp.md
+++ b/memdocs/intune/user-help/rename-your-device-cpapp.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 11/29/2023
+ms.date: 10/16/2024
 ms.topic: end-user-help
 ms.service: microsoft-intune
 ms.subservice: end-user
@@ -37,27 +37,16 @@ Rename a device to make it easier to recognize and manage in the Intune Company * iOS * Android -## Change name in device details +## Rename device -Select the name of a device in the Company Portal app to edit it directly. +After you rename a device, its name immediately changes in the app. 1. Open the Company Portal app and go to **Devices**. -2. Select the device you want to rename. -3. Next to the current device name, select the **Rename** pencil icon. +1. Select the device you want to rename. +1. Select the **Edit** pencil icon that's next to the current device name. Enter the new name, and then select **Rename**. - ![Example screenshot of the Company Portal app for Windows, highlighting the Rename pencil icon.](./media/1809_Rename_CPapp_Windows_icon.png) -4. Type in the new name and select **Rename**. The device name updates immediately in the app. - - ![Example screenshot of the Company Portal app for Windows, Device details page, Rename popup field.](./media/1808_RenameApp_Popup.png) - -## Rename device from Actions menu - -Rename a device via the **Actions** menu in the Company Portal app. - -1. Open the Company Portal app and go to **Devices**. -2. Select the device you want to rename. -2. Select **Actions** > **Rename**. -3. Type in a new name and select **Rename**. The device name updates immediately in the app. + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app for Windows highlighting the edit pencil icon and rename settings.](./media/check-device-access-windows-cpapp/company-portal-windows-rename.png) Still need help? Contact your IT support person. For contact information, sign into the Company Portal app or [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) with your work or school account. diff --git a/memdocs/intune/user-help/reset-device-company-portal-website.md b/memdocs/intune/user-help/reset-device-company-portal-website.md index 92a09e93995..933139db25b 100644 
--- a/memdocs/intune/user-help/reset-device-company-portal-website.md
+++ b/memdocs/intune/user-help/reset-device-company-portal-website.md
@@ -7,7 +7,7 @@ keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/03/2023
+ms.date: 10/08/2024
 ms.topic: end-user-help
 ms.service: microsoft-intune
 ms.subservice: end-user
@@ -45,15 +45,19 @@ You can reset the following types of devices from the Company Portal website: * iOS/iPadOS devices that aren't supervised * Devices running Windows 10 or Windows 11 -The action may not be available on devices that your organization owns and lends out for use. If you're an IT support person and want to find out more about device reset and its limitations, see [Remove devices by using wipe, retire, or manually unenrolling the device](../remote-actions/devices-wipe.md). +The action may be unavailable on devices that your organization owns and lends out for use. If you're an IT support person and want to find out more about device reset and its limitations, see [Remove devices by using wipe, retire, or manually unenrolling the device](../remote-actions/devices-wipe.md). ## Reset device To reset a device to its original, out-of-box settings: 1. On any device, sign in to [the Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) with your work or school account. -1. Select the menu > **Devices**. +1. Go to the menu and select **Devices**. 1. Select the device you want to reset. -1. Select **Reset**. If the reset option isn't visible at the top of your page, select the **More (…)** menu to see all overflow actions. Then select **Reset**. -1. A message warns you that you're about to erase all content on your device. Tap **Reset** to confirm. +1. Select **Reset**. + + >[!TIP] + > If the reset option isn't visible at the top of your page, select the **More (…)** menu to see all overflow actions. + +1. A message warns you that you're about to erase all data on your device, and reset the device to its factory default settings. Tap **Reset** to confirm. Need additional help? Contact your support person. For contact details, sign in to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) and go to **Helpdesk**. 
diff --git a/memdocs/intune/user-help/reset-device-company-portal-windows.md b/memdocs/intune/user-help/reset-device-company-portal-windows.md index ac75c24cc7b..6b733e0312c 100644 --- a/memdocs/intune/user-help/reset-device-company-portal-windows.md +++ b/memdocs/intune/user-help/reset-device-company-portal-windows.md @@ -2,12 +2,12 @@ # required metadata title: Reset device from Intune Company Portal for Windows | Microsoft Docs -description: Learn how to factory reset a used, lost, or stolen device in Company Portal for Windows. +description: Reset a used, lost, or stolen device in Company Portal for Windows. keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 10/04/2021 +ms.date: 10/16/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user @@ -20,7 +20,7 @@ searchScope: ROBOTS: #audience: -ms.reviewer: jieyang +ms.reviewer: madakeva ms.suite: ems #ms.tgt_pltfrm: ms.custom: intune-enduser; intune-azure 
@@ -31,40 +31,32 @@ ms.collection: # Reset device in Company Portal app for Windows -**Applies to** -- Windows 10 -- Windows 11 -- Windows 10 Mobile -- Windows Phone 8.1 - -Use the Company Portal app for Windows to reset a used, lost, or stolen device back to factory settings. All apps, settings, and personal data on the device will be deleted and the device will no longer appear in Company Portal. +Use the Company Portal app for Windows to reset a used, lost, or stolen device back to factory settings. After a reset, all apps, settings, and personal data on the device are deleted, and the device no longer appears in Company Portal. The reset option may not be available for every device that appears in Company Portal. Your organization can choose to hide the option. - ## Reset device To reset a device to its original, out-of-box settings: 1. Open the Company Portal app on any managed device and sign in with your work or school account. -2. Select **DEVICES**. -3. Select the device you want to reset. -4. Select **Actions** > **Reset**. -5. Select **Reset** to start wiping the device. +2. Select **Devices**, and then select the device you want to reset. +3. Select **Actions** > **Reset**. -## Reset limitations -Company Portal device resets aren't supported on all devices. The feasibility of a reset depends on the Windows version and how your organization configured their policies. This table lists the expected outcomes for various Windows devices and configurations. + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app for Windows highlighting the Reset option.](./media/reset-device-company-portal-windows/company-portal-windows-reset.png) +4. Select **Reset** to start wiping the device. -|Device configuration and management|Device type| -|---------------------------------------|---------------| -|Your organization manages your mobile device|**Windows 10/11 and Windows Phone 8.1**
                        Your device won't appear in Company Portal anymore, and Company Portal will try to reset the device back to the manufacturer's default settings. Your personal data, apps, and settings will be removed.

                        **Windows 10 Mobile**
                        The only way to unenroll your device is to reset it.| -|Your device can access company email only|**Windows Phone 8.1**
                        Your device won't appear in Company Portal anymore, and your work email account and unsaved emails will be deleted.

                        **Windows 7 or Windows Vista**
                        You cannot reset a device that's only used for email and running Windows 7 or earlier.

                        **Windows 8.1 and Windows 8**
                        Your device won't appear in Company Portal anymore, and your company email account and unsaved email will be deleted.| -|PCs and laptops|**Windows 8.1 and Windows 8**
                        You cannot reset a computer that's running Windows 8 or Windows 8.1, unless it's only being used for email.

                        **Windows 7 or Windows Vista**
                        You cannot reset a computer that's running Windows 7 or earlier.| + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app for Windows highlighting the confirmation message and final Reset button.](./media/reset-device-company-portal-windows/company-portal-windows-reset-confirmation.png) -## Next steps - -* You can also [reset a device from the Company Portal website](reset-device-company-portal-website.md). +## Reset limitations +Company Portal device resets aren't supported on all devices. The feasibility of a reset depends on the Windows version and how your organization configured their policies. This table lists the expected outcomes for various Windows devices and configurations. -* If you just want to remove your device from Company Portal, see [Remove your Windows device from management](unenroll-your-device-from-intune-windows.md). Removing the device effectively removes it from Intune and may cause you to lose access to the work-related content on your device. +|Device configuration and management|Device type| +|---------------------------------------|---------------| +|Your organization manages your mobile device|**Windows 10/11 and Windows Phone 8.1**
                        Your device no longer appears in Company Portal. Company Portal tries to reset the device back to the manufacturer's default settings. Your personal data, apps, and settings are removed.

                        **Windows 10 Mobile**
                        The only way to unenroll your device is to reset it.| +|Your device can access company email only|**Windows Phone 8.1**
                        Your device no longer appears in Company Portal. The email that belongs to your work account, and all unsaved emails, are deleted.

                        **Windows 7 or Windows Vista**
                        Devices running Windows 7 or earlier, and used exclusively for email, can't be reset.

                        **Windows 8.1 and Windows 8**
                        Your device no longer appears in Company Portal. The email that belongs to your work account, and all unsaved emails, are deleted.| +|PCs and laptops|**Windows 8.1 and Windows 8**
                        Devices running Windows 8 or Windows 8.1 can't be reset, unless they're used exclusively for email.

                        **Windows 7 or Windows Vista**
                        Devices running Windows 7 or earlier can't be reset.| -* Need additional help? Contact your IT support person. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). +Need more help? Contact your IT support person. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/set-up-mobile-threat-defense.md b/memdocs/intune/user-help/set-up-mobile-threat-defense.md index b045d2ddaf5..ef82f76b8f4 100644 --- a/memdocs/intune/user-help/set-up-mobile-threat-defense.md +++ b/memdocs/intune/user-help/set-up-mobile-threat-defense.md @@ -2,7 +2,7 @@ # required metadata title: Install mobile threat defense app on your mobile device | Microsoft Intune -description: Find out what mobile threat defense apps are and how to set one up to meet your organization's access requirements. +description: Find out what mobile threat defense apps are and how to set one up to meet work or school requirements. keywords: author: lenewsad ms.author: lanewsad 
@@ -36,10 +36,11 @@ ms.collection: Install a mobile threat defense (MTD) app on the personal device you use for work or school. An MTD app works by detecting and alerting you to threats on your device, like suspicious apps or networks, and operating system vulnerabilities. In this article, you'll learn how to set up and activate an MTD app so that you can satisfy your organization's security requirement and access work apps. ## Step 1: Install MTD app + >[!NOTE] -> An additional step, called *device registration*, happens prior to app installation on devices that aren't registered. Registration is required to confirm your identity and connect your school or work account to your device. For more information about device registration, see [Register your personal device on your organization's network](/azure/active-directory/user-help/user-help-register-device-on-network). +> An additional step, called *device registration*, happens prior to app installation on devices that aren't registered. Registration is required to confirm your identity and connect your work or school account to your device. For more information about device registration, see [Register your personal device on your organization's network](/azure/active-directory/user-help/user-help-register-device-on-network). -Install your organization's preferred mobile threat defense (MTD) app on your device. Your organization chooses the MTD app you need to use. If the app name or listing isn't provided to you during enrollment or app setup, contact your IT support person to determine which app you need to use. The following MTD apps are commonly used on Apple devices. Select an app to open its listing in the App Store. +Install a mobile threat defense (MTD) app on the device you use for work or school. Your organization chooses the MTD app you need to access internal resources. 
If the app name or listing isn't provided to you during enrollment or app setup, contact your IT support person to determine which app you need to use. The following MTD apps are commonly used on Apple devices. Select an app to open its listing in the App Store. * [ActiveShield](https://apps.apple.com/app/activeshield/id980234260) * [Microsoft Defender for Endpoint](https://apps.apple.com/app/microsoft-defender-atp/id1526737990) 
@@ -63,44 +64,69 @@ The following MTD apps are commonly used on Android devices. Select an app to op * [Zimperium MTD](https://play.google.com/store/apps/details?id=com.zimperium.zips) ## Step 2: Activate MTD app -Complete the following steps to activate the MTD app on your iOS or Android device. +The prompt to install a MTD app happens when you're setting up your device for work or school. The prompt could appear as an Intune Company Portal push notification or as a message in the Company Portal app or website. Tap the prompt to get the appropriate MTD app. + +After you install the MTD app, activate the MTD app on your iOS or Android device. ### Activation for iOS app 1. Open the MTD app. + 2. The MTD app asks for permission to open Microsoft Authenticator. Select **Open**. + 3. Sign in with your work account. + 4. Wait while the MTD app scans your device for security threats. If the scan doesn't happen automatically, you can start the scan yourself. -5. Return to the Company Portal app or website. - * Company Portal app: Select **CONFIRM DEVICE SETTINGS**. - * Company Portal website: Select **Check status**. - 6. Now that you have the app set up, you can sign in to work apps with your work account. If you're still blocked: - * Check the MTD app for threats and [resolve them](#resolving-a-threat). - * Return to the Company Portal app and check for other compliance issues that need your attention. For more information, see [Check compliance in Company Portal app for iOS](sync-your-device-manually-ios.md). + +5. Return to the Intune Company Portal app or website, and run a device check to register the changes you made on your device. + + * In the Company Portal app, select **CONFIRM DEVICE SETTINGS**. + + * On the Company Portal website, select **Check status**. + + After you've met this requirement, you can securely sign in and access work apps and files on your device. 
If Company Portal is still blocking you from access: + + * Check the MTD app for threats and [resolve them](#resolving-a-threat). + + * Return to the Company Portal app or website and check for other flagged device settings. Your workplace might have other requirements that require your attention. For more information, see [Check device compliance in Company Portal app for iOS](sync-your-device-manually-ios.md). ### Activation for Android app + 1. Open the MTD app. + 2. Review and grant permissions, as needed, to the MTD app. Permissions vary by MTD app. -3. Wait while the MTD app scans your device for security threats. If the scan doesn't happen automatically, you can start the scan yourself. -4. Return to the Company Portal app or website. - * Company Portal app: Select **CONFIRM DEVICE SETTINGS**. - * Company Portal website: Select **Check status**. -5. Now that you have the app set up, you can sign in to work apps with your work account. If you're still blocked: + +3. Wait while the MTD app scans your device for security threats. If the scan doesn't happen automatically, you can start the scan yourself. + +4. Return to the Intune Company Portal app or website, and run a device check to register the changes you made on your device. + + * In the Company Portal app, select **CONFIRM DEVICE SETTINGS**. + + * On the Company Portal website, select **Check status**. + +5. After you've met this requirement, you can securely sign in and access work apps and files on your device. If Company Portal is still blocking you from access: + * Check the MTD app for threats and [resolve them](#resolving-a-threat). + * Return to the Company Portal app and check for other compliance issues that need your attention. For more information, see [Check compliance in Company Portal app for Android](check-compliance-on-your-device-android.md). 
## Resolving a threat -If a threat is detected and exceeds an acceptable threat level, your organization can either: +If a threat is detected and exceeds an acceptable threat level, your workplace could: * Block access: Block you from using apps while signed in to your work or school account. + * Wipe data: Delete your work or school data from one or more work apps. To resolve a threat and regain access to work apps, complete the following steps. 1. Open the MTD app on your device. -2. Open the threat details in the app. These details explain how the threat could affect your device if left unresolved, and how to resolve it. -3. Make the required changes on your device. For example, you may need to uninstall an app that's not safe. -4. Return to the MTD app and start a new scan. -5. Repeat these steps until all threats are resolved. It can take a few minutes for your changes to sync with the MTD app. Once those changes sync, you can access your work apps again. + +2. Open the threat details in the app. These details explain how the threat could affect your device if left unresolved, and how to resolve it. + +3. Make the required changes on your device. For example, you might need to uninstall an app that's not safe. + +4. Return to the MTD app and start a new scan. + +5. Repeat these steps until all threats are resolved. Wait a few minutes for your changes to sync between the MTD app and Company Portal. ## Information your organization can see diff --git a/memdocs/intune/user-help/sso-dialog-faqs.yml b/memdocs/intune/user-help/sso-dialog-faqs.yml new file mode 100644 index 00000000000..e8248e87c91 --- /dev/null +++ b/memdocs/intune/user-help/sso-dialog-faqs.yml 
@@ -0,0 +1,126 @@ +### YamlMime:FAQ +metadata: + title: FAQ - Adding your Microsoft Entra account to a device + description: Frequently asked questions about adding your Microsoft Entra account to a device and their answers. + author: DidunAyodeji + ms.author: dayodeji + ms.service: entra-id + ms.topic: faq + ms.date: 09/10/2024 + ms.reviewer: joflore + #customer intent: As an Entra account holder, I want to add my account to the device so that I am compliant with my organization's security requirements. +title: Adding your Microsoft Entra account to a device +summary: | + **The changes to the single sign-on enrollment page mentioned in this article are scheduled for October of 2024.** + + This article provides answers to some frequently asked questions (FAQ) about adding your Microsoft Entra account to a device. + +sections: + - name: Overview + questions: + - question: | + What is the single sign-on enrollment dialog page? + answer: | + The single sign-on (SSO) enrollment page is shown when you're trying to access protected resources through an app. The page is where you decide if you want to add your account to the device. When an app like Outlook tries to access a protected resource, you see the SSO enrollment page requesting you to add your account to the device. This functionality enables your administrator to make sure your device is compliant with your organization's security requirements. Adding your account to the device gives you the ability to seamlessly sign in to all your desktop apps. It also provides you with more security features. This dialog only appears when using your Microsoft Entra accounts. + + :::image type="content" source="media/sso-dialog-faqs/sso-consent-screen-no-mdm.png" alt-text="Screenshot of the SSO dialog enrollment page." lightbox="media/sso-dialog-faqs/sso-consent-screen-no-mdm.png"::: + + - question: | + What does selecting "Yes, all apps" do? 
+ answer: | + You're automatically signed in to desktop apps that use your work or school account. You don't have to enter your credentials when you open these apps. + + - question: | + How do I sign out? + answer: | + On a Windows device, navigate to the **Settings** app > **Accounts** > **Access work or school** > Select your account > **Disconnect**. If you don't have access to the device you signed in to, go to [https://account.microsoft.com/devices](https://account.microsoft.com/devices) to manage your account and sign out. + + > [!NOTE] + > Signing out of any individual desktop app doesn't remove your account from the device. You must sign out of all apps via settings or [https://account.microsoft.com/devices](https://account.microsoft.com/devices) to remove your account from the device. + + - question: | + What does selecting "No, this app only" do? + answer: | + You're signed in to the individual app that you're currently trying to sign in to. Your account isn't added to the device and it isn't shown in the Windows Settings app under Accounts. You aren't signed in to other apps. + + - name: Mobile device management + questions: + - question: | + What is mobile device management? + answer: | + [Mobile device management (MDM)](/windows/client-management/mdm-overview) lets your administrator manage security and applications on your personal or corporate device without compromising your privacy. It's how organizations make sure only devices that are up to date and configured with required security policies are able to access apps and resources. If your company enables mobile device management, you see the following version of the dialog and you can enroll by checking the **Allow my organization to manage this device** checkbox. + + :::image type="content" source="media/sso-dialog-faqs/sso-consent-screen-mdm.png" alt-text="Screenshot of the SSO dialog enrollment page with MDM enrollment." 
lightbox="media/sso-dialog-faqs/sso-consent-screen-mdm.png"::: + + - question: | + What can an administrator see if I enroll in MDM? + answer: | + [Things your administrator can always see.](/mem/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune#things-your-organization-can-always-see) + + - question: | + What can an administrator never see even if I enroll in MDM? + answer: | + [Things your administrator can never see.](/mem/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune#things-your-organization-can-never-see) + + - question: | + What happens if I check the device management checkbox but don't sign in to all apps, I sign in to this app only? + answer: | + [Mobile device management](/windows/client-management/mdm-overview) isn't activated. If you select "No, this app only," mobile device management isn't activated even if the checkbox is checked. Mobile device management can only be turned on if you select "Yes, all apps." + + - question: | + What happens if I uncheck the device management checkbox but sign in to all apps? + answer: | + You're signed in to all desktop apps on the device, but the device isn't enrolled in [mobile device management](/windows/client-management/mdm-overview). Your organization might require MDM to access some applications or resources, without it you might not have access. + + - question: | + What can my administrator do if I enroll in mobile device management? + answer: | + They're able to: + - Install applications on devices + - Restrict access to specific operating systems + - Deploy and update software + - Configure device settings + - Enforce security policies + - Block personal devices + - Remove data from lost or stolen devices + - Secure and protect data on devices + + - name: General + questions: + - question: | + Can I change my selections later? 
+ answer: | + The SSO enrollment dialog page appears only once per account so to change your choices, sign out of the account then sign back in. When you sign back in, you see the SSO enrollment dialog page again. You can then make different selections. + + - question: | + Why am I seeing the SSO enrollment dialog page? + answer: | + All Microsoft Entra users are prompted to add their account to the device when signing in to an app because it can provide you with more security. This page is where you decide if you want to add your account to the device or not. If your administrator requires mobile device management, you get to decide if you want to enroll in mobile device management on this page as well. + + - question: | + What are the benefits of signing in to all apps on my device? + answer: | + In addition to being compliant with your organization's policies, you get more security features. You're also automatically signed in to all your desktop apps. + + - question: | + Do my choices here apply to other devices I'm signed in to? + answer: | + No, your choices on the SSO enrollment page apply to this device only. + + - question: | + What is the difference between a service and an app? + answer: | + A desktop app is a software program that you access directly on the computer and it runs locally on the computer. A web app is a combination of pages that you access via a browser and it runs in the cloud. A web app has links to help you navigate through multiple pages. + + A service enables communication between different apps that work with the internet. Web services work by exposing APIs (Application Programming Interfaces) and allow for the exchange of information between different apps across different platforms (mobile, Windows, Microsoft Edge). + + - question: | + For administrator reference + answer: | + [Conditional Access](/entra/identity/conditional-access/overview) policies are used by administrators to protect resources. 
+ + Applications configured to work with Windows [Web Account Manager](/entra/identity-platform/scenario-desktop-acquire-token-wam) authentication broker provide you with SSO and other [security features](/entra/identity/conditional-access/concept-token-protection). + + All Microsoft Entra customers are prompted to sign in using Web Account Manager if the app and operating system support it. + + [Learn more about mobile device management](/mem/intune/fundamentals/what-is-device-management). diff --git a/memdocs/intune/user-help/sync-your-device-manually-windows.md b/memdocs/intune/user-help/sync-your-device-manually-windows.md index c8b7ebf1144..10c27d8830e 100644 --- a/memdocs/intune/user-help/sync-your-device-manually-windows.md +++ b/memdocs/intune/user-help/sync-your-device-manually-windows.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 06/28/2024 +ms.date: 10/16/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user 
@@ -38,24 +38,26 @@ Sync the enrolled device you're using for work to get the latest updates, requir This article describes how to start a sync from the: -* Company Portal app -* Windows desktop taskbar or Start menu -* System settings app +* Company Portal app +* Windows desktop taskbar or Start menu +* System settings app ## Sync from Company Portal app for Windows Complete these steps to sync a device in the Company Portal app. You can sync devices running Windows 10 with the Creator's Update (1703) or later, and Windows 11. -1. Open the Company Portal app on your device. +1. Open the Company Portal app on your device and go to **Settings**. -2. Select **Settings** > **Sync**. + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app homepage, highlighting the Settings option.](./media/sync-your-device-manually-windows/company-portal-windows-settings.png) - ![Screenshot home page of Company Portal app, highlighting Settings area.](./media/RS1_homePage_settings_04.png) - - ![Screenshot settings page of Company Portal app, highlighting Sync button.](./media/RS1_settingspage_sync05.png) +1. Select **Sync**. + + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app, highlighting Sync button.](./media/sync-your-device-manually-windows/company-portal-windows-sync.png) ## Sync from device taskbar or Start menu -You can access the Company Portal syncing action from your device's desktop. This way is useful if you have the app pinned directly to your taskbar or Start menu, and want to quickly sync. +You can access Company Portal syncing action from the desktop. This way is useful if you have the app pinned directly to your taskbar or Start menu, and want to quickly sync. 1. Find the Company Portal app icon in your taskbar or Start menu. 2. Right-click the app's icon so its menu (also referred to as a jump list) appears. 
diff --git a/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-aosp.md b/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-aosp.md
index 40a97e4acd0..7375528486c 100644
--- a/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-aosp.md
+++ b/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-aosp.md
@@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/29/2023 +ms.date: 10/10/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user
@@ -34,6 +34,8 @@ In-app performance and usage data is automatically anonymized and shared with Mi To turn off data collection: -1. Open the Intune app. -2. Select the menu button > **Settings**. -3. Turn **Usage data** off. +1. Open the Intune app. + +1. Select the menu button > **Settings**. + +1. Turn **Usage data** off.
diff --git a/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-windows.md b/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-windows.md
index ac51f974386..bd08617bce9 100644
--- a/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-windows.md
+++ b/memdocs/intune/user-help/turn-off-microsoft-usage-data-collection-windows.md
@@ -7,7 +7,7 @@ keywords: privacy author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 10/04/2021 +ms.date: 10/16/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user
@@ -35,11 +35,17 @@ ms.collection: - Windows 10 - Windows 11 -This article describes how to prevent Microsoft from collecting data about your Intune Company Portal usage. To turn off data collection in Company Portal: +This article describes how to prevent Microsoft from collecting data about your Company Portal app usage. To turn off data collection in Company Portal: -1. Open the Company Portal app. -2. Select **Settings**. -3. Under **Usage data**, switch the toggle to **No**. +1. Open the Company Portal app and go to **Settings**. + + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app homepage, highlighting the Settings option.](./media/sync-your-device-manually-windows/company-portal-windows-settings.png) + +1. Under **Usage data**, switch the toggle to **No**. + + > [!div class="mx-imgBorder"] + > ![Example screenshot of the Company Portal app settings page, highlighting the usage data toggle that's set to "No".](./media/turn-off-microsoft-usage-data-collection-windows/company-portal-windows-usage-data.png) ## Allowing Microsoft data collection diff --git a/memdocs/intune/user-help/unenroll-your-device-from-intune-macos.md b/memdocs/intune/user-help/unenroll-your-device-from-intune-macos.md index 881f433ea69..37486c145b3 100644 --- a/memdocs/intune/user-help/unenroll-your-device-from-intune-macos.md +++ b/memdocs/intune/user-help/unenroll-your-device-from-intune-macos.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 08/25/2021 +ms.date: 10/08/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user 
@@ -37,39 +37,37 @@ After you remove a device: - The device is removed from Intune. - The device loses access to Company Portal features. For example, you can't install apps for the device from the Company Portal. -- You lose access to internal file shares and websites from your device. -- You lose access to internal apps on your device. -- You might be blocked from connecting to your org's network over Wi-Fi or virtual private network (VPN). +- You lose access to work or school file shares and websites previously accessed from the device. +- You lose access to work apps that are on the device. +- You might be blocked from connecting to your organization's network over Wi-Fi or virtual private network (VPN). - Work and school email profiles are removed from the device. -- Device restrictions previously enforced by Intune (for example, disabling the camera or requiring a certain password length) are no longer required. +- Device restrictions previously enforced by Company Portal (for example, disabling the camera or requiring a certain password length) are no longer enforced. This article describes how to remove a device from within the Company Portal app, and then how to uninstall the app. - ## Remove a device + Follow these steps to remove a device from Company Portal that you no longer need for work or school. For these steps to work, you must still have access to your work or school account. If you no longer have access to your account, see [Remove management profile](unenroll-your-device-from-intune-macos.md#remove-management-profile) (in this article) to unenroll your device. -1. Sign in to Company Portal for macOS. -2. Go to **Devices** and select the device you want to unenroll. -3. From the app toolbar, select the **Devices** menu > **Remove**. +1. Sign in to Company Portal for macOS. + +2. Go to **Devices** and select the device you want to unenroll. + +3. From the app toolbar, select the **Devices** menu > **Remove**. + 4. 
When asked to confirm the removal, select **Remove**. The device is immediately removed from Intune. After you complete these steps, you can uninstall Company Portal from your device. ## Remove management profile + To remove a device after you've left your workplace or school, you have to remove the *management profile* that was installed during enrollment. For steps specific to your version of macOS, see [Remove a configuration profile from your Mac](https://support.apple.com/guide/mac-help/configuration-profiles-standardize-settings-mh35561/mac) on the Apple Support website. After you remove the management profile, you can uninstall Company Portal from your device. ## Uninstall Company Portal app -To uninstall the Company Portal app from a macOS device: - -1. Open **Finder** > **Applications**. -2. Select and drag the Company Portal app to **Trash** (located in your dock). Or select the app and then choose **File** > **Move to Trash**. - - ![Example screenshot of macOS Finder, Applications folder, Company Portal app, highlighting "Move to Trash" option in the app menu.](./media/intune-company-portal-move-to-trash.png) -3. If prompted to, enter your device username and password to confirm the move. +To uninstall the Company Portal app from a macOS device, select and drag the Company Portal app to the trashcan located in your dock. For more information, see [Uninstall apps on your Mac](https://support.apple.com/en-us/102610) on the Apple Support website. ## Next steps If you change your mind and want your access back later, install the Company Portal app and go through device setup again. For detailed instructions, see [Enroll your Mac with Intune Company Portal](enroll-your-device-in-intune-macos-cp.md). -Still need help? Contact your support person. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). +Still need help? Contact your support person. 
For your organization's helpdesk information, sign in to the Company Portal app or [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980).
diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-android.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-android.md
deleted file mode 100644
index 3280a4edc9d..00000000000
--- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-android.md
+++ /dev/null
@@ -1,109 +0,0 @@ ---- -# required metadata - -title: Resolve threats in Harmony Mobile Protect for Android - Microsoft Intune | Microsoft Docs -description: Learn how to use Harmony Mobile Protect for Android to keep your device secure. -keywords: -author: lenewsad -ms.author: lanewsad -manager: dougeby -ms.date: 04/19/2022 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: 449c34ec-2d94-4c7f-8691-a5200efee3cb -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: heenamac -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve threats found by Harmony Mobile Protect for Android - -Harmony Mobile Protect is a mobile threat defender app that's integrated with Intune to alert you to potential threats and compliance problems. As long as the threat or problem exists on your device, you might not be able to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access internal apps - -This article describes how to use the app to view and resolve threats. - -## Set up Harmony Mobile Protect app -Complete the following steps to set up Harmony Mobile Protect on your device. - -1. Install the app from [Google Play](https://go.microsoft.com/fwlink/?linkid=2139455). Your organization might let you know that you need to get the app via notification, email, or by installing the app on your device. - * Company Portal/Intune app notification: Tap the push notification to open Google Play. - * Work or school email: Tap the link or scan the QR code provided in that email to open Google Play. - * App already installed: Open the app and continue to step 3 to sign in. -3. When installation is complete, open the app. -4. Tap your account (the same one you use to sign in at work or school) to sign in. -5. Tap **ACTIVATE** to make the app a device administrator. 
- -After your initial sign-in, the app will scan your device for threats. - -## Using Harmony Mobile Protect -Harmony Mobile Protect detects device threats, app threats, and network security events. This section describes how to use the app to view and resolve each type of threat. - -### Get threat notifications -By default, Harmony Mobile Protect uses push notifications and its in-app **Threat Center** to alert you to threats and events. As a best practice, do not turn off these notifications. - - ### View overall device status -The app's main screen shows the current status and threat count, if applicable. - -* No threat or events detected: The screen shows a green circle with a checkmark. - -* Threats detected: The screen shows a red circle with the number of threats detected. - -* Security event occurred: The screen shows a blue circle with the number of events that occurred. - -## View device threats -A device threat happens when the settings on your device don't meet your organization's requirements. When a threat is present, a red dot appears next to the **MY DEVICES** icon. To get more details about a threat: - -1. Tap **MY DEVICES** to open the list of settings that were scanned on your device. -2. Settings that appear in red do not meet your organization's requirements. Tap a red setting to find out more information about it. -3. Open the Settings app on your device to adjust the setting. -4. If Harmony Mobile Protect doesn't show the threat as resolved right away, return to the app and tap the circle on the main app page to initiate a new scan. - -### View app threats -An app is considered a threat when it poses a security risk to you or your organization's data. Examples of threats include: - -* Apps that contain malware -* Apps that are on your organization's block list -* Apps that are installed from unknown sources - -When a threat is present, a red dot appears next to the **MY APPS** icon. To get more details about a threat: - -1. Tap **MY APPS**. 
-2. The **SECURITY HISTORY** section shows the number of apps with threats. Tap the number. -3. The **Threat Center** opens. Tap the **i** info icon next to a threat to get more details about the threat, including the steps to resolve it. The quickest way to resolve a threat is to uninstall the affected app. - -To find out why your organization classifies an app as high, medium, or low risk, contact your IT support person. - -### View security events -A security event occurs when Harmony Mobile Protect prevents an attack before it happens. This type of event is informational and poses no immediate risk on your device. They could happen if your organization enforces network protection policies, such as requiring you to use a VPN. - -When an event occurs, you'll see a blue dot next to the **MY NETWORK** icon. To get more details about a security event: - -1. Tap **MY NETWORK**. -2. The **NETWORK PROTECTION** section shows the number of events that occurred. Tap the number. -3. The **Event Center** opens. Tap the **i** info icon next to any event to get more details about the prevented threat. - -## Next steps -If you use Company Portal or the Intune app, open the app and sync your device after you resolve a threat. Otherwise, you'll have to wait until Intune checks in with your device to regain access to corporate resources. - -Still need help? - -* For the most up-to-date information about Harmony Mobile Protect, see the Harmony Mobile Protect user and admin guides on the [Check Point support center website](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk120655). -* For additional help, contact your IT support person. Check out the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) for contact information. 
diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-ios.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-ios.md deleted file mode 100644 index ea60121db00..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-checkpoint-ios.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Check point Harmony Mobile Protect for iOS | Microsoft Docs -description: Learn how to fix a threat found by Check point Harmony Mobile Protect for iOS. -keywords: -author: lenewsad -ms.author: lanewsad -manager: dougeby -ms.date: 07/11/2024 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: 5b2a69e7-cc86-4f1b-81d9-35b8b23b937b -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: heenamac -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Harmony Mobile Protect on iOS - -Harmony Mobile Protect is a mobile threat defense service that identifies and assesses potential threats on mobile devices used for work or school. The Harmony Mobile Protect app for iOS works with the Intune Company Portal app to keep work devices free of viruses and threats. While threats are present, you may be restricted from using your device for work, and unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company app - -This article describes how to recognize alerts about detected threats, and what to do to resolve them. - -## Troubleshoot virus or security threat -When Harmony Mobile Protect detects a virus or security threat on a work or school device, it acts according to your organization's mobile device management (MDM) policies. To maintain work access on the device, immediately investigate push notifications and Company Portal alerts about detected threats. Tap or open threat notifications and follow the onscreen instructions to resolve them in the Harmony Mobile Protect app. 
- - ![Example screenshot of the Company Portal device page, showing the Harmony Mobile Protect warning.](./media/CP-lookout-virus-banner-1808.png) - -## Troubleshoot an app threat - -If you continue to use a work or school device with an app threat, your device will lose access to work or school resources. To resolve the threat and regain access, go to the Harmony Mobile Protect app. Select the app from the list of threats, and then follow the onscreen instructions to uninstall the app. - -Still need help? Check in with your IT support person. You can find their contact information on the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) or in the Intune Company Portal app. diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md deleted file mode 100644 index b8ae5b212e2..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-android.md +++ /dev/null 
@@ -1,65 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Lookout for Work on Android | Microsoft Docs -description: Learn how to fix a threat found on an Android device by the Lookout for Work app. -keywords: -author: lenewsad - -ms.author: lanewsad -manager: dougeby -ms.date: 08/28/2018 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: 5656b3e6-e812-4264-a170-b17c9c03e4d4 - -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: natgreen -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Lookout for Work on Android - -The Lookout for Work app is a Mobile Threat Defender service that identifies potential threats on your Android devices. These threats are reported to the Company Portal app, and appear there as unresolved, noncompliant issues. As long as these threats are present, you may be unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company apps - -This article describes how to recognize Lookout for Work threat alerts and what to do to resolve them. - -## Troubleshoot virus or security threat -Regain access to your company's resources when the Lookout for Work app detects a security or virus threat. - -1. If a virus or security threat is detected, you'll receive a message like the one shown in the screenshot below. Tap the **device management portal** link to open the [Company Portal website](https://portal.manage.microsoft.com/devices). - - ![Example screenshot of a Lookout for Work error message, with a link to Company Portal website and blue OK button.](./media/mtd-go-to-device-management-portal-android.png) - -2. Select your device. -3. Read the warning that appears below your device. It will instruct you to open Lookout for Work to fix the virus or security threat. 
- - ![Example screenshot of the Company Portal device page, showing the Lookout for Work warning.](./media/CP-lookout-virus-banner-1808.png) - -## Troubleshoot an app threat - -If you install an app that Lookout for Work identifies as a threat, you'll receive a message like the one shown in the screenshot below. - -![Example screenshot showing a Lookout Virus Alert message over the Lookout for Work app interface. Shows three buttons: "Close," "More Info," and "Uninstall."](./media/lookout-virus-alert-android.png) - -To regain the access you've lost to your company email and data, uninstall the questionable app. As long as the app is on your device, you'll be unable to access company resources. - -Still need help? Contact your company support. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md deleted file mode 100644 index 2904c65a155..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-lookout-for-work-ios.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Lookout for Work on iOS | Microsoft Docs -description: Learn how to fix a threat found on your iOS device by the Lookout for Work app. -keywords: -author: lenewsad - -ms.author: lanewsad -manager: dougeby -ms.date: 10/05/2018 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: dd6aec3a-4063-4054-8d0f-d2f2034f0d3d - -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: natgreen -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Lookout for Work on iOS - -The Lookout for Work app is a Mobile Threat Defender service that identifies potential threats on your iOS device. These threats are reported to the Company Portal app, and appear there as unresolved, noncompliant issues. As long as these threats are present, you may be unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company apps - -This article describes how to recognize Lookout for Work threat alerts and what to do to resolve them. - -## Troubleshoot virus or security threat -Regain access to your company's resources when the Lookout for Work app detects a security or app threat. - -1. If a virus or security threat is detected, you'll receive a message like the one shown in the screenshot below. Tap the **device management portal** link to open the [Company Portal website](https://portal.manage.microsoft.com/devices). - - ![Example screenshot of a Lookout for Work error message, with a link to Company Portal website and blue OK button.](./media/mtd-go-to-device-management-portal-android.png) - -2. Select your device. -3. Read the warning that appears below your device. It will instruct you to open Lookout for Work to fix the virus or security threat. 
- - ![Example screenshot of the Company Portal device page, showing the Lookout for Work warning.](./media/CP-lookout-virus-banner-1808.png) - -## Troubleshoot an app threat -If you install an app that Lookout for Work identifies as a threat, you'll receive a message like the one shown in the screenshot below. - -![Example screenshot showing a list of Active and Resolved app Threats detected by Lookout for Work.](./media/ios-lfw-threat-example.png) -Select the app name shown at the top of your screen. Then follow the instructions to remove and uninstall the app. As long as the app is on your device, you'll be unable to access company resources. - -Still need help? Check in with your company support. You can find their contact information on the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-android.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-android.md deleted file mode 100644 index 58a23b6743a..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-android.md +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Symantec Endpoint Protection Mobile for Android | Microsoft Docs -description: Learn how to fix threats found on your Android device. -keywords: -author: lenewsad - -ms.author: lanewsad -manager: dougeby -ms.date: 07/01/2024 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: b5521762-a80c-4630-ae30-38b471da216b - -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: heenamac -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Symantec Endpoint Protection Mobile on Android - -Symantec Endpoint Protection (SEP) Mobile is a Mobile Threat Defender service that identifies potential threats on your Android devices. These threats are reported to the Company Portal app, and appear as unresolved, noncompliant issues. If your device is identified as being noncompliant, you may be unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company apps - -This article describes how to recognize SEP Mobile threat alerts and what to do to resolve them. - -## Resolve virus or security threat - -1. When you attempt to access company email or websites, you'll receive a message like the one shown in the screenshot below. Tap the **device management portal** link to open the [Company Portal website](https://portal.manage.microsoft.com/devices). - - ![Example screenshot of a Lookout for Work error message, with a link to Company Portal website and blue OK button.](./media/mtd-go-to-device-management-portal-android.png) - -2. Select your device. -3. Read the warning that appears below your device. It will instruct you to open SEP Mobile to fix the virus or security threat. 
- - ![Example screenshot of the Company Portal device page, showing the SEP Mobile warning.](./media/CP-lookout-virus-banner-1808.png) - -## Resolve an app threat - -If you install an app that's seen as a threat to your device, you'll receive a notification within the SEP Mobile app. If the affected app remains on your device, you'll be unable to access company resources. - -To resolve, select the app from the list of threats in SEP Mobile. Then follow the on-screen instructions to remove and uninstall the app. - -Still need help? Contact your company support. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-ios.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-ios.md deleted file mode 100644 index 9e9e0b33e06..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-skycure-ios.md +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Symantec Endpoint Protection Mobile for iOS | Microsoft Docs -description: Learn how to fix threats security, virus, and app threats found on your iOS device. -keywords: -author: lenewsad - -ms.author: lanewsad -manager: dougeby -ms.date: 10/05/2018 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: b40595f0-a399-4aa1-aa6f-344c2a1cb883 - -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: heenamac -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Symantec Endpoint Protection Mobile on iOS - -Symantec Endpoint Protection (SEP) Mobile is a Mobile Threat Defender service that identifies potential threats on your Android devices. These threats are reported to the Company Portal app, and appear as unresolved, noncompliant issues. If your device is identified as being noncompliant, you may be unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company apps - -This article describes how to regain access to your company's resources when SEP Mobile detects a security or app threat. - -## Troubleshoot a virus or security threat - -1. When you attempt to access company email or websites, you'll receive a message like the one shown in the screenshot below. Tap the **device management portal** link to open the [Company Portal website](https://portal.manage.microsoft.com/devices). - - ![Example screenshot of a Lookout for Work error message, with a link to Company Portal website and blue OK button.](./media/mtd-go-to-device-management-portal-android.png) - -2. Select your device. -3. Read the warning that appears below your device. It will instruct you to open SEP Mobile to fix the virus or security threat. 
- - ![Example screenshot of the Company Portal device page, showing the SEP Mobile warning.](./media/CP-lookout-virus-banner-1808.png) - -## Troubleshoot an app threat - -If you install an app that's seen as a threat to your device, you'll receive a notification within the SEP Mobile app. If the affected app remains on your device, you'll be unable to access company resources. - -To resolve, select the app from the list of threats in SEP Mobile. Then follow the on-screen instructions to remove and uninstall the app. - -Still need help? Check in with your company support. You can find their contact information on the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-android.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-android.md deleted file mode 100644 index c72ba16bdd8..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-android.md +++ /dev/null 
@@ -1,60 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Zimperium zIPS on Android -description: Learn how to fix security and app threats found on your Android device. -keywords: -author: lenewsad -ms.author: lanewsad -manager: dougeby -ms.date: 07/01/2024 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: 9ffbb656-93cd-4e0b-96c0-c5038cd2cf31 -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: heenamac -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Zimperium zIPS on Android - -Zimperium zIPS is a Mobile Threat Defender service that identifies potential threats on your Android devices. These threats are reported to the Company Portal app, and appear as unresolved, noncompliant issues. If your device is identified as being noncompliant, you may be unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company apps - -This article describes how to recognize Zimperium zIPS threat alerts and what to do to resolve them. - -## Troubleshoot virus or security threat -When a virus or security threat is detected, Zimperium zIPS will enforce restrictions according to your organization's access policies. Your company's access policies could prevent you from accessing your work's network, apps, and email from your device. - -Zimperium zIPS will prompt you to take action to regain the access you've lost. Select the threat and follow the instructions within the app to resolve it. - -Because the app is integrated with your company's MDM provider, you'll also see a warning about restricted access in the Company portal app. The warning instructs you to open Zimperium zIPS to fix the virus or security threat. 
- - ![Example screenshot of the Company Portal device page, showing the Zimperium zIPS warning.](./media/CP-lookout-virus-banner-1808.png) - -Select the warning banner that appears below the affected device. Zimperium zIPS will open and tell you how to eliminate the threat. - -## Resolve an app threat - -If you install an app that's seen as a threat to your device, you'll receive a notification within Zimperium zIPS. If the affected app remains on your device, you'll be unable to access company resources. - -To resolve, select the app from the list of threats in Zimperium zIPS. Then follow the on-screen instructions to remove and uninstall the app. - -Still need help? Contact your company support. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-ios.md b/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-ios.md deleted file mode 100644 index 2fde2d0028a..00000000000 --- a/memdocs/intune/user-help/you-need-to-resolve-a-threat-found-by-zips-ios.md +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -# required metadata - -title: Resolving threats found by Zimperium zIPS on iOS | Microsoft Docs -description: Learn how to fix threats found on your iOS device. -keywords: -author: lenewsad -ms.author: lanewsad -manager: dougeby -ms.date: 07/01/2024 -ms.topic: end-user-help -ms.service: microsoft-intune -ms.subservice: end-user -ms.assetid: eaccd9c0-cd46-48e2-8675-4c022c74f672 -searchScope: - - User help - -# optional metadata - -ROBOTS: -#audience: - -ms.reviewer: heenamac -#ms.suite: ems -#ms.tgt_pltfrm: -ms.custom: intune-enduser -ms.collection: -- tier2 ---- - -# Resolve a threat found by Zimperium zIPS on iOS - -Zimperium zIPS is a Mobile Threat Defender service that identifies potential threats on your iOS devices. These threats are reported to the Company Portal app, and appear as unresolved, noncompliant issues. If your device is identified as being noncompliant, you may be unable to: - -* Connect to corporate e-mail -* Connect to corporate Wi-Fi -* Connect to SharePoint Online -* Sync corporate files with OneDrive -* Access company apps - -This article describes how to recognize Zimperium zIPS threat alerts and what to do to resolve them. - -## Troubleshoot virus or security threat -If a virus or security threat is detected, Zimperium zIPS will enforce restrictions according to your organization's access policies. Your company's access policies could prevent you from accessing your work's network, apps, and email from your device. - -Zimperium zIPS will prompt you to take action to regain the access you've lost. Select the threat and follow the instructions within the app to resolve it. - -Because the app is integrated with your company's MDM provider, you'll also see a warning about restricted access in the Company portal app. The warning instructs you to open Zimperium zIPS to fix the virus or security threat. 
- - ![Example screenshot of the Company Portal device page, showing the Zimperium zIPS warning.](./media/CP-lookout-virus-banner-1808.png) - -## Troubleshoot an app threat - -If you install an app that's seen as a threat to your device, you'll receive a notification within Zimperium zIPS. If the affected app remains on your device, you'll be unable to access company resources. - -To resolve, select the app from the list of threats in Zimperium zIPS. Then follow the on-screen instructions to remove and uninstall the app. - -Still need help? Check in with your company support. You can find their contact information on the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980). diff --git a/memdocs/intune/user-help/your-device-appears-encrypted-but-cp-says-otherwise-android.md b/memdocs/intune/user-help/your-device-appears-encrypted-but-cp-says-otherwise-android.md index ddd20292f67..05c065c9797 100644 --- a/memdocs/intune/user-help/your-device-appears-encrypted-but-cp-says-otherwise-android.md +++ b/memdocs/intune/user-help/your-device-appears-encrypted-but-cp-says-otherwise-android.md 
@@ -53,9 +53,9 @@ This section only applies to the Company Portal app. If your device offers you t Some Android devices on version 7.0 and later encrypt data in ways that are inconsistent with certain Android platform standards. These encryption methods put device information at risk. As a result, these devices aren't supported. -For a non-exhaustive list of supported Android devices, see the article [Supported operating systems and browsers in Intune](/intune/fundamentals/supported-devices-browsers#supported-samsung-knox-standard-devices). If your device isn't listed, refer to the device manufacturer or contact your support person. +For a non-exhaustive list of supported Android devices, see the article [Supported operating systems and browsers in Intune](/mem/intune/fundamentals/supported-devices-browsers#supported-samsung-knox-standard-devices). If your device isn't listed, refer to the device manufacturer or contact your support person. -> [!Note] +> [!NOTE] > Microsoft works with manufacturers to address any issues we find while testing or that users report to us. We update this article whenever new information is available. ## Update devices diff --git a/memdocs/zone-pivot-groups.yml b/memdocs/zone-pivot-groups.yml index ac3a44cb765..0fcb84c34d4 100644 --- a/memdocs/zone-pivot-groups.yml +++ b/memdocs/zone-pivot-groups.yml @@ -26,10 +26,10 @@ groups: title: Microsoft Edge baseline versions prompt: Choose a version pivots: - - id: edge-v112 - title: Edge v112 (May 2023) - id: edge-v117 title: Edge v117 (November 2023) + - id: edge-v112 + title: Edge v112 (May 2023) - id: edge-baseline-versions title: Edge baseline versions diff --git a/windows-365/business-continuity-disaster-recovery.md b/windows-365/business-continuity-disaster-recovery.md index 0dea3973f92..029605ee5dd 100644 --- a/windows-365/business-continuity-disaster-recovery.md +++ b/windows-365/business-continuity-disaster-recovery.md 
@@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: docoombs +ms.reviewer: docoombs, olivchen, rkiran ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier1 --- + + # Business continuity and disaster recovery overview Windows 365 provides highly resilient user cloud pcs, including: diff --git a/windows-365/business/TOC.yml b/windows-365/business/TOC.yml index 8579a5e14e5..93968802c2d 100644 --- a/windows-365/business/TOC.yml +++ b/windows-365/business/TOC.yml @@ -31,6 +31,8 @@ items: href: change-organization-default-settings.md - name: Remotely manage Cloud PCs href: remotely-manage-business-cloud-pcs.md + - name: Resize a Cloud PC + href: resize-cloud-pc.md - name: Reset a user's password href: reset-user-password.md - name: Restore a Cloud PC to an earlier state diff --git a/windows-365/business/apps-install-admin.md b/windows-365/business/apps-install-admin.md index 4fe2bb10b17..4a09e5dfe92 100644 --- a/windows-365/business/apps-install-admin.md +++ b/windows-365/business/apps-install-admin.md @@ -6,7 +6,7 @@ f1.keywords: ms.author: erikje author: ErikjeMS manager: dougeby -ms.date: 10/18/2023 +ms.date: 09/26/2024 audience: Admin ms.topic: how-to ms.service: windows-365 diff --git a/windows-365/business/assign-unassign-license.md b/windows-365/business/assign-unassign-license.md index 5c8cdce104f..94c918765f5 100644 --- a/windows-365/business/assign-unassign-license.md +++ b/windows-365/business/assign-unassign-license.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 04/10/2024 +ms.date: 09/24/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: 
@@ -33,7 +33,7 @@ ms.collection:
 You can assign some licenses on [windows365.microsoft.com](https://windows365.microsoft.com). For full license management, use the [Microsoft 365 admin center](https://admin.microsoft.com).
-1. Sign in to [windows365.microsoft.com](https://windows365.microsoft.com) with a Microsoft Entra Global Administrator account.
+1. Sign in to [windows365.microsoft.com](https://windows365.microsoft.com) with an administrator account with the License Administrator role.
 2. Select **Your organization’s Cloud PCs**.
 3. Select the user whose licenses you want to manage.
 4. Select **Licenses and apps**.
diff --git a/windows-365/business/in-development.md b/windows-365/business/in-development.md
index 3ed71e7e213..fb9d55a8a59 100644
--- a/windows-365/business/in-development.md
+++ b/windows-365/business/in-development.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 03/13/2024
+ms.date: 09/25/2024
 ms.topic: conceptual
 ms.service: windows-365
@@ -56,10 +56,6 @@ To help in your readiness and planning, this page lists Windows 365 Business upd
 By using the upcoming Resize action, you'll be able to upgrade Cloud PCs to more storage, RAM, and CPU.
-### Resize support for Windows 365 Business
-
-You'll be able to use the resize remote action for Windows 365 Business Cloud PCs.
-
 ## Monitor and troubleshoot
diff --git a/windows-365/business/media/resize-cloud-pc/resize-cloud-pc.png b/windows-365/business/media/resize-cloud-pc/resize-cloud-pc.png
new file mode 100644
index 00000000000..a12052dfb7a
Binary files /dev/null and b/windows-365/business/media/resize-cloud-pc/resize-cloud-pc.png differ
diff --git a/windows-365/business/media/resize-cloud-pc/resize-options.png b/windows-365/business/media/resize-cloud-pc/resize-options.png
new file mode 100644
index 00000000000..aaabb3df385
Binary files /dev/null and b/windows-365/business/media/resize-cloud-pc/resize-options.png differ
diff --git a/windows-365/business/reset-user-password.md b/windows-365/business/reset-user-password.md
index bcfe4009b50..6f9c7adeab2 100644
--- a/windows-365/business/reset-user-password.md
+++ b/windows-365/business/reset-user-password.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 08/28/2024
+ms.date: 09/24/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice:
@@ -33,7 +33,7 @@ ms.collection:
 To reset a user’s password:
-1. Sign in to [windows365.microsoft.com](https://windows365.microsoft.com) with a Microsoft Entra Global Administrator account.
+1. Sign in to [windows365.microsoft.com](https://windows365.microsoft.com) with an administrator account with the Password Administrator role.
 2. Select **Your organization’s Cloud PCs**.
 3. Select the check box next to the user whose password you want to reset > **Select**.
 4. Under **Reset password**, choose the options that you want for resetting the password.
diff --git a/windows-365/business/resize-cloud-pc.md b/windows-365/business/resize-cloud-pc.md
new file mode 100644
index 00000000000..01fe58cad8e
--- /dev/null
+++ b/windows-365/business/resize-cloud-pc.md
@@ -0,0 +1,75 @@
+---
+# required metadata
+title: Resize a Windows 365 Business Cloud PC
+titleSuffix:
+description: Learn how to resize a Windows 365 Business Cloud PC.
+keywords:
+author: ErikjeMS
+ms.author: erikje
+manager: dougeby
+ms.date: 10/01/2024
+ms.topic: how-to
+ms.service: windows-365
+ms.subservice:
+ms.localizationpriority: high
+ms.assetid:
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: lrayasam
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure; get-started
+ms.collection:
+- M365-identity-device-management
+- tier2
+---
+
+# Resize a Windows 365 Business Cloud PC
+
+[!INCLUDE [Resize a Cloud PC intro](../includes/resize-introduction.md)]
+
+## Requirements
+
+### Role requirements
+
+To resize a Cloud PC, the admin must have certain built-in Microsoft Entra roles.
+
+For a Cloud PC provisioned with a direct assigned license, at least one of the following roles:
+
+- Windows 365 Administrator
+
+Alternatively, you can assign a custom role that includes the permissions of this built-in role.
+
+[!INCLUDE [Resize a Cloud PC IP requirements](../includes/resize-ip-address-requirements.md)]
+
+[!INCLUDE [Resize a Cloud PC other requirements](../includes/resize-other-requirements.md)]
+
+## Resize a Windows 365 Cloud PC
+
+When resizing Windows 365 Cloud PCs, the Windows 365 service automatically takes care of:
+
+- Unassigning the original license.
+- Assigning the new license on behalf of the admin.
+
+1. Sign in to the windows365.microsoft.com, select **Your organization's Cloud PCs** > choose a device > **Devices** > **Resize**.
+![Screenshot of resize Cloud PC](./media/resize-cloud-pc/resize-cloud-pc.png)
+2. Under **Resize**, there's a list of the sizes that you can upgrade or downsize to based on the licenses available in your inventory. You can upgrade a Cloud PC’s **Processor** and **RAM**. **Storage** can only be upgraded. Select one of the available options.
+![Screenshot of resize options](./media/resize-cloud-pc/resize-options.png)
+3. Select **Resize**.
+
+If there are available licenses, the resizing starts.
+
+If there are no licenses available, then you can purchase a new license at the Windows 365 Market place. The newly purchased license will be available for upgrade soon.
+
+## Resizing details
+
+[!INCLUDE [Resize a Cloud PC details](../includes/resize-details.md)]
+
+## Next steps
+
+[Remotely manage Windows 365 Business Cloud PCs](remotely-manage-business-cloud-pcs.md).
diff --git a/windows-365/enterprise/TOC.yml b/windows-365/enterprise/TOC.yml
index 007bc174359..aa21e6ee8c8 100644
--- a/windows-365/enterprise/TOC.yml
+++ b/windows-365/enterprise/TOC.yml
@@ -119,6 +119,8 @@ items:
 href: windows-365-boot-restrict-user-access-physical-device.md
 - name: Partner connectors for Windows 365
 items:
+ - name: Partner integration scenarios
+ href: partner-integration-scenarios.md
 - name: Citrix requirements
 href: requirements-citrix.md
 - name: Set up Citrix HDX Plus for Windows 365
diff --git a/windows-365/enterprise/architecture.md b/windows-365/enterprise/architecture.md
index 03d9b335a38..924fde7b5e0 100644
--- a/windows-365/enterprise/architecture.md
+++ b/windows-365/enterprise/architecture.md
@@ -19,7 +19,7 @@ ms.assetid:
 #ROBOTS:
 #audience:
-ms.reviewer: thhickli
+ms.reviewer: thhickli, mattsha, rikiran
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -29,6 +29,8 @@ ms.collection:
 - tier2
 ---
+
+
 # Windows 365 architecture
 Windows 365 provides a per-user per-month license model by hosting Cloud PCs on behalf of customers in Microsoft Azure. In this model, there’s no need to consider storage, compute infrastructure architecture, or costs. The Windows 365 architecture also lets you use your existing investments in Azure networking and security. Each Cloud PC is provisioned according to the configuration you define in the Windows 365 section of the Microsoft Intune admin center.
diff --git a/windows-365/enterprise/assign-users-as-local-admin.md b/windows-365/enterprise/assign-users-as-local-admin.md
index 4ff38b43105..094e4dc8273 100644
--- a/windows-365/enterprise/assign-users-as-local-admin.md
+++ b/windows-365/enterprise/assign-users-as-local-admin.md
@@ -35,7 +35,7 @@ ms.collection:
 The **User settings** page lets IT administrators manage the following settings for the user:
 - **Enable local admin**: If enabled, each user in the assigned groups is elevated to a local administrator of each of their own Cloud PCs. These permissions apply at the user level.
-- **Enable users to reset their Cloud PCs**: If enabled, a **Reset** option is shown in the Windows 365 app and portal for users in the assigned groups. Resetting wipes and reprovisions the Cloud PC, deleting all user data and apps.
+- **Enable users to reset their Cloud PCs**: If enabled, a **Reset** option is shown in the Windows App and portal for users in the assigned groups. Resetting wipes and reprovisions the Cloud PC, deleting all user data and apps.
 - **Allow user to initiate restore service**: If enabled, each user in the assigned groups can restore their own Cloud PCs to any available backup version.
 When managing settings, keep the following points in mind:
diff --git a/windows-365/enterprise/azure-network-connections.md b/windows-365/enterprise/azure-network-connections.md
index 29ded36f1fa..54e0de3dff1 100644
--- a/windows-365/enterprise/azure-network-connections.md
+++ b/windows-365/enterprise/azure-network-connections.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 08/28/2024
+ms.date: 10/30/2024
 ms.topic: overview
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -47,8 +47,8 @@ There are two kinds of ANCs based on their join type. Both let you manage traffi
 When a Cloud PC is provisioned, the information in the ANC is used by the provisioning policy to provision the Cloud PC in the Azure subnet. The information required in an ANC includes:
-- **Network details**: The Azure subscription, resource group, virtual network, and subnet that the Cloud PC will be associated with. When a provisioning policy runs, it creates a Cloud PC in the Microsoft hosted Azure subscription. To connect to a customer's on-premises network, a virtual network interface card (vNic) is injected into a customer-provided Azure virtual network (vNet). To create this vNic, Windows 365 needs sufficient access to an Azure subscription.
-- **Active Directory domain**: The Active Directory domain to join, an Organizational Unit (OU) destination for the computer object, and Active Directory user credentials with sufficient permissions to perform the domain join. When a provisioning policy runs, the Cloud PC is joined to this Active Directory domain. The credentials will be stored securely in the Windows 365 service.
+- **Network details**: The Azure subscription, resource group, virtual network, and subnet to associate with the Cloud PC. When a provisioning policy runs, it creates a Cloud PC in the Microsoft hosted Azure subscription. To connect to a customer's on-premises network, a virtual network interface card (vNic) is injected into a customer-provided Azure virtual network (vNet). To create this vNic, Windows 365 needs sufficient access to an Azure subscription.
+- **Active Directory domain**: The Active Directory domain to join, an Organizational Unit (OU) destination for the computer object, and Active Directory user credentials with sufficient permissions to perform the domain join. When a provisioning policy runs, the Cloud PC is joined to this Active Directory domain. The credentials are stored securely in the Windows 365 service.
 During provisioning, the Cloud PC is connected to the Azure subnet and joined to a domain (either Windows Server Active Directory or Microsoft Entra ID). This process results in a Cloud PC that is:
@@ -61,7 +61,7 @@ The ANC settings are applied to the Cloud PC only at the time of provisioning.
 ### Alternate ANCs
-To help make provisioning Cloud PCs more reliable in the rare case of capacity constraints in a region, you have the option to assign alternate ANCs to a provisioning policy. You can define the priority order of the ANCs that the policy will use. If the first ANC is unavailable, the policy will automatically use the second ANC in the priority list. If the second one is unavailable, it will move on to the next, and so on. This lets administrators prepare multiple ANCs in different Azure regions, making provisioning more reliable. You don't have to use multiple ANCs. For more information about using alternate ANCs when creating your provisioning policies, see [Create provisioning policies](create-provisioning-policy.md).
+To help make provisioning Cloud PCs more reliable in the rare case of capacity constraints in a region, you can assign alternate ANCs to a provisioning policy. You can define the priority order of the ANCs that the policy uses. If the first ANC is unavailable, the policy automatically uses the second ANC in the priority list. If the second one is unavailable, it moves on to the next, and so on. This process lets administrators prepare multiple ANCs in different Azure regions, making provisioning more reliable. You don't have to use multiple ANCs. For more information about using alternate ANCs when creating your provisioning policies, see [Create provisioning policies](create-provisioning-policy.md).
 ## First health check
@@ -81,7 +81,7 @@ After provisioning, the information in an ANC is also used to monitor:
 - the connection health between your network-based resources
 - the Cloud PC hosted in the Microsoft hosted subscription
-Windows 365 will report configuration issues that may cause provisioning failures or poor end-user experiences. This monitoring reduces your management overhead. For more information on these periodic checks, see [Azure network connection health checks](health-checks.md).
+Windows 365 reports configuration issues that may cause provisioning failures or poor end-user experiences. This monitoring reduces your management overhead. For more information on these periodic checks, see [Azure network connection health checks](health-checks.md).
 ## Health check frequency
@@ -102,13 +102,13 @@ The ANC wizard requires access to Azure and, optionally, on-premises domain reso
 - [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) or [Windows 365 Administrator](/azure/active-directory/roles/permissions-reference) role.
 - An Active Directory user account with sufficient permissions to join the AD domain into this Organizational Unit (Microsoft Entra hybrid join ANCs only).
-To create or edit an ANC, you must at least have the Subscription Reader role in the Azure Subscription where the VNET associated with the ANC was located.
+To create or edit an ANC, you must have at least the Subscription Reader role in the Azure Subscription where the VNET associated with the ANC was located.
 For a full list of requirements, see [Windows 365 requirements](requirements.md).
 ## Changing an Azure network connection
-Changing the settings in an ANC won’t affect Cloud PCs previously provisioned with that ANC. Only Cloud PCs provisioned after the changes to the ANC will reflect such later changes.
+Changing the settings in an ANC won’t affect Cloud PCs previously provisioned with that ANC. Only Cloud PCs provisioned after the changes to the ANC reflect such later changes.
 If you want to change the ANC related settings on a previously provisioned Cloud PC, you must reprovision the Cloud PC. Reprovisioning is a destructive action, so be sure it's an action you really want to take. For more information, see [reprovisioning](provisioning.md#reprovisioning).
@@ -125,6 +125,10 @@ After completing either of these operations, you can delete the ANC.
 Each tenant has a limit of 10 Azure network connections. If your organization needs more than 10 Azure network connections, contact support.
+## Inactive ANCs
+
+ANCs that are unused for a period of time become inactive. Inactive ANCs pause running health checks and can't be assigned to a provisioning policy until the ANC is reactivated and health checks complete successfully.
+
 ## User sign-in
 When users attempt to sign in to their Cloud PC, user authentication occurs.
diff --git a/windows-365/enterprise/cisco-webex-support.md b/windows-365/enterprise/cisco-webex-support.md
index 072eddc5876..ea522437b13 100644
--- a/windows-365/enterprise/cisco-webex-support.md
+++ b/windows-365/enterprise/cisco-webex-support.md
@@ -45,7 +45,7 @@ To optimize Cisco Webex, you’ll need to:
 These instructions don't support connections through a web browser.
-- **Windows 365 app for Windows**
+- **Windows App**
 - **Windows Remote Desktop Client**
 - **Operating system**: Windows
diff --git a/windows-365/enterprise/configure-single-sign-on.md b/windows-365/enterprise/configure-single-sign-on.md
index 404f0980f71..c33e04e0370 100644
--- a/windows-365/enterprise/configure-single-sign-on.md
+++ b/windows-365/enterprise/configure-single-sign-on.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 11/16/2023
+ms.date: 09/26/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
diff --git a/windows-365/enterprise/create-azure-network-connection.md b/windows-365/enterprise/create-azure-network-connection.md
index b58773d20a4..fdc0e74ec34 100644
--- a/windows-365/enterprise/create-azure-network-connection.md
+++ b/windows-365/enterprise/create-azure-network-connection.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 04/01/2024
+ms.date: 10/30/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -51,7 +51,7 @@ To create an ANC, you must meet these requirements:
 - If you want to create an ANC with a network or resource group that was never used in any pervious ANC creation, then you must have the Subscription owner or user administrator role.
 - For Disaster Recovery (DR) purposes, make sure that there are at least 50% of the IP addresses available in your subnet. If reprovisioning for DR is required, sufficient new IP addresses are required for each Cloud PC provisioned on the subnet.
 - For Windows 365 Government - GCC only and not GCC-H - make sure to complete the script options listed in [Set up tenants for Windows 365 Government](set-up-tenants-windows-365-gcc.md).
- - If you aren't using Azure CloudShell, make sure that your PowerShell execution policy is configured to allow Unrestricted scripts. If you use Group Policy to set execution policy, make sure that the Group Policy Object (GPO) targeted at the Organizational Unit (OU) defined in the ANC is configured to allow Unrestricted scripts. For more information, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
+- If you aren't using Azure CloudShell, make sure that your PowerShell execution policy is configured to allow Unrestricted scripts. If you use Group Policy to set execution policy, make sure that the Group Policy Object (GPO) targeted at the Organizational Unit (OU) defined in the ANC is configured to allow Unrestricted scripts. For more information, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
 When planning your ANC VNets with ExpressRoute as the on-premises connectivity model, refer to [Azure’s documentation on VM limits](/azure/expressroute/expressroute-about-virtual-network-gateways#performance-results). For the ExpressRoute Gateway SKU, make sure that you have the correct sized Gateway for the number of Cloud PCs planned within the VNet.
 Exceeding this limit could cause instability in your connectivity.
@@ -68,7 +68,7 @@ When planning your ANC VNets with ExpressRoute as the on-premises connectivity m
 ![Screenshot of Name field](./media/create-azure-network-connection/connection-name.png)
-4. Select a **Subscription** and **Resource group** for the new connection. Create a new resource group to contain your Cloud PC resources. Optionally, you can instead select an existing resource group in the list (which grant Windows 365 permissions to the existing resource group). If you don’t have a [healthy ANC](health-checks.md), you won't be able to proceed.
+4. Select a **Subscription** and **Resource group** for the new connection. Create a new resource group to contain your Cloud PC resources. Optionally, you can instead select an existing resource group in the list (which grant Windows 365 permissions to the existing resource group). If you don’t have a [healthy ANC](health-checks.md), you can't proceed.
 5. Select a **Virtual network** and **Subnet**.
 6. Select **Next**.
 7. For hybrid Microsoft Entra join ANCs, on the **AD domain** page, provide the following information:
@@ -88,6 +88,8 @@ When planning your ANC VNets with ExpressRoute as the on-premises connectivity m
 8. Select **Next**.
 9. On the **Review + Create** page, select **Create**.
+When an ANC is in use, it can't be deleted and certain configuration settings can't be edited. For more information, see [Edit Azure network connection](edit-azure-network-connection.md) and [Delete Azure network connection](delete-azure-network-connection.md).
+
 ## Next steps
diff --git a/windows-365/enterprise/create-dynamic-device-group-all-cloudpcs.md b/windows-365/enterprise/create-dynamic-device-group-all-cloudpcs.md
index 7db2440cdd1..cf70f5f75a3 100644
--- a/windows-365/enterprise/create-dynamic-device-group-all-cloudpcs.md
+++ b/windows-365/enterprise/create-dynamic-device-group-all-cloudpcs.md
@@ -51,7 +51,7 @@ In these steps, you’ll use the Device Model device property to create the dyna
 5. Select **Add dynamic query**.
 6. On the **Dynamic membership rules** page, enter the following:
 1. **Property** = "deviceModel"
- 2. **Operator** = "Contains"
+ 2. **Operator** = "Starts With"
 3. **Value** = "Cloud PC"
 7. To validate that it works, select **Validate Rules (Preview)** > **+Add devices** > select some Cloud PCs and non-Cloud PC devices.
 8. After the validation completes, select **Save** > **Create**.
@@ -93,7 +93,7 @@ In these steps, you'll use the Device Model device property to create the dynami
 5. Select **Add dynamic query**.
 6. On the **Dynamic membership rules** page, enter the following:
 1. **Property** = “deviceModel”
- 2. **Operator** = “Contains”
+ 2. **Operator** = “Starts With”
 3. **Value** = “Cloud PC”
 7. Select **Add expression** and enter the following:
 1. **Property** = “deviceModel”
diff --git a/windows-365/enterprise/create-provisioning-policy.md b/windows-365/enterprise/create-provisioning-policy.md
index e85990edfd2..0f43fa8055a 100644
--- a/windows-365/enterprise/create-provisioning-policy.md
+++ b/windows-365/enterprise/create-provisioning-policy.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 10/17/2023
+ms.date: 09/16/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -94,7 +94,7 @@ To select an ANC, follow these steps:
 - **Custom image**: Choose **Select** > select an image from the list > **Select**. The page displays the list of images that you uploaded using the [Add device images](add-device-images.md) workflow.
 4. Select **Next**.
 5. On the **Configuration** page, under **Windows settings**, choose a **Language & Region**. The selected language pack is installed on Cloud PCs provisioned with this policy.
-6. Optional. Select **Apply device name template** to create a Cloud PC naming template to use when naming all Cloud CPs that are provisioned with this policy. This naming template updates the NETBIOS name and doesn't affect the display name of the Cloud PC. When creating the template, follow these rules:
+6. Optional. Select **Apply device name template** to create a Cloud PC naming template to use when naming all Cloud PCs that are provisioned with this policy. This naming template updates the NETBIOS name and doesn't affect the display name of the Cloud PC. When creating the template, follow these rules:
 - Names must be between 5 and 15 characters.
 - Names can contain letters, numbers, and hyphens.
 - Names can't include blank spaces or underscores.
@@ -108,10 +108,13 @@ To select an ANC, follow these steps:
 - ABC-%USERNAME:5%-%RAND:5%
 7. Optional. Under **Additional services**, choose a service to be installed on Cloud PCs provisioned with this policy:
 - **Windows Autopatch** is a cloud service that automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams on both physical and virtual devices. For more information, see [What is What is Windows Autopatch?](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) and the [Windows Autopatch FAQ](https://go.microsoft.com/fwlink/?linkid=2200228).
- - **Microsoft Managed Desktop** is a cloud service that helps with device deployment, service management and operations, and security. For more information, see [What is Microsoft Managed Desktop?](/managed-desktop/intro/).
+ - If you already have Windows Autopatch configured to manage your cloud PCs, this option replaces the existing policy. This replacement might disrupt any dynamic distribution that is already configured in Autopatch.
+ - When this option is selected, the system assigns devices to a new ring as the last ring of the Autopatch group.
+ - To manually enable dynamic distribution for your Cloud PCs, modify your Autopatch Groups dynamic distribution list to include the Entra ID group to which your Cloud PCs are being added.
+ - **None**. Manage and update Cloud PCs manually.
 8. Select **Next**.
 9. On the **Assignments** page, choose **Select groups** > choose the groups you want this policy assigned to > **Select**. Nested groups aren't currently supported.
-10. For Windows 365 Frontline, you must also select a Cloud PC size for each group in the policy. Choose **Select one** > select a size under **Available sizes** > **Select**. After you've selected a size for each group, select **Next**.
+10. For Windows 365 Frontline, you must also select a Cloud PC size for each group in the policy.
Choose **Select one** > select a size under **Available sizes** > **Select**. After you select a size for each group, select **Next**.
 11. On the **Review + create** page, select **Create**. If you used Microsoft Entra hybrid join as the join type, it can take up to 60 minutes for the policy creation process to complete. The time depends on when the Microsoft Entra Connect sync last happened.
 After the provisioning policy is created and assigned, Windows 365 automatically starts to provision Cloud PCs and assigns them to users in the assigned groups.
diff --git a/windows-365/enterprise/delete-azure-network-connection.md b/windows-365/enterprise/delete-azure-network-connection.md
index c0c171bbbd8..6bb0972bec7 100644
--- a/windows-365/enterprise/delete-azure-network-connection.md
+++ b/windows-365/enterprise/delete-azure-network-connection.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 07/25/2024
+ms.date: 10/30/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -31,18 +31,29 @@ ms.collection:
 # Delete Azure network connection
-Only an unassigned Azure network connection (ANC) can be deleted. If an ANC is in use by a provisioning policy, then you must take one of the following steps:
+Only an unused Azure network connection (ANC) can be deleted.
-- Remove the ANC from all provisioning policies.
-- Delete the ANC.
-
-To delete an Azure network connection:
+To delete an unused ANC:
 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows 365** (under **Provisioning**) > **Azure network connection**. You must have [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) or [Windows 365 Administrator](/azure/active-directory/roles/permissions-reference) permissions.
 ![Screenshot of delete connection](./media/delete-azure-network-connection/delete-connection.png)
 2. Select the ellipses (**…**) next to the connection you want to delete > **Delete**.
 3. Select **Confirm** when asked to delete the connection.
+## In use ANCs
+
+ANCs that are in use can't be deleted. In use ANCs include ANCs that are:
+
+- Referenced by a provisioning policy, including as an alternate ANC.
+- Used by a Cloud PC.
+- Configured as backup ANCs for [cross region disaster recovery](cross-region-disaster-recovery.md).
+
+If an ANC is in use, then you must take one of the following steps before you can delete it:
+
+- Remove the ANC from all provisioning policies.
+- Move Cloud PCs to another ANC or deprovision the Cloud PCs.
+- Remove the ANC from all cross region disaster recovery user settings.
+
 ## Next steps
diff --git a/windows-365/enterprise/deployment-options.md b/windows-365/enterprise/deployment-options.md
index 73064f8bb24..3241b7ca458 100644
--- a/windows-365/enterprise/deployment-options.md
+++ b/windows-365/enterprise/deployment-options.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 12/08/2023
+ms.date: 09/26/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
diff --git a/windows-365/enterprise/device-images.md b/windows-365/enterprise/device-images.md
index 861915529c7..6c445d43053 100644
--- a/windows-365/enterprise/device-images.md
+++ b/windows-365/enterprise/device-images.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 08/09/2024
+ms.date: 09/09/2024
 ms.topic: overview
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -88,6 +88,8 @@ Each updated image includes:
 - [Microsoft Teams updates](https://support.microsoft.com/office/what-s-new-in-microsoft-teams-d7092a6d-c896-424c-b362-a472d5f105de)
 - [WebRTC redirector service updates](/azure/virtual-desktop/teams-on-avd#install-the-teams-websocket-service)
+Applications that come pre-installed are the latest version that is available at the start of the second Tuesday of that month. Any app updates posted on that day are included in the image update of the subsequent month.
+
 Newly provisioned Cloud PCs are automatically created with the latest images. For existing Cloud PCs, you can receive the updates by reprovisioning.
 ## Custom images
@@ -118,3 +120,5 @@ When you upload a custom device image, Windows 365:
 [Learn about device configuration](device-configuration.md).
 [Learn about using apps, like Microsoft Teams, with your Cloud PCs](app-overview.md).
+
+[Learn about restoring a Cloud PC to a previous state](restore-overview.md)
diff --git a/windows-365/enterprise/edit-azure-network-connection.md b/windows-365/enterprise/edit-azure-network-connection.md
index 6d82413976b..9df54919f76 100644
--- a/windows-365/enterprise/edit-azure-network-connection.md
+++ b/windows-365/enterprise/edit-azure-network-connection.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 07/25/2024
+ms.date: 10/30/2024
 ms.topic: how-to
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -44,10 +44,16 @@ To edit an Azure network connection:
 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows 365** (under **Provisioning**) > **Azure network connection** > select the connection you want to edit > **Properties**.
 2. For all ANCs, you can edit the **General** settings by selecting **Edit** next to each header. You can edit all settings except **Join type**. For Microsoft Entra hybrid join connections, you can also edit the **AD domain** settings.
-After the edits have been saved, the ANC checks are run to verify the configuration.
+After the edits are saved, the ANC checks are run to verify the configuration.
 You can't edit an ANC if it's running checks. You must wait for the checks to pass/fail before edit functionality becomes available.
+Some configuration settings can't be edited for ANCs that are:
+
+- Referenced by a provisioning policy, including as an alternate ANC.
+- Used by a Cloud PC.
+- Configured as backup ANCs for [cross region disaster recovery](cross-region-disaster-recovery.md).
+
 ## Next steps
diff --git a/windows-365/enterprise/encryption.md b/windows-365/enterprise/encryption.md
index 30f53cdc2e4..eabfe077a2e 100644
--- a/windows-365/enterprise/encryption.md
+++ b/windows-365/enterprise/encryption.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 12/05/2023
+ms.date: 09/26/2024
 ms.topic: overview
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
@@ -19,7 +19,7 @@ ms.assetid:
 #ROBOTS:
 #audience:
-ms.reviewer: anbiswas
+ms.reviewer: ryclar, pratikshah, saudm, jonshi
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Data encryption in Windows 365 Windows 365 encrypts data at rest and in transit as explained in this article. @@ -64,7 +66,7 @@ Windows 365 uses the Transport Layer Security (TLS) protocol to protect data in - Algorithm flexibility - Ease of deployment and use -TLS 1.2 is used for all connections started from Windows 365 to the Azure Virtual Desktop infrastructure components. These components use the same TLS 1.2 ciphers as [Azure Front Door](/azure/frontdoor/concept-end-to-end-tls#supported-cipher-suites). Additional technical details on the cipher suites are available at [Microsoft 365 technical reference details about encryption](/purview/technical-reference-details-about-encryption#tls-cipher-suites-supported-by-microsoft-365). +TLS 1.2 is used for all connections started from Windows 365 to the Azure Virtual Desktop infrastructure components. These components use the same TLS 1.2 ciphers as [Azure Front Door](/azure/frontdoor/concept-end-to-end-tls#supported-cipher-suites). Additional technical details on the cipher suites are available at [Microsoft 365 technical reference details about encryption](/purview/technical-reference-details-about-encryption#tls-cipher-suites-supported-by-microsoft-365). For the reverse connect transport, TLS 1.3 is supported. For more details see [Understanding Azure Virtual Desktop connectivity](/azure/virtual-desktop/network-connectivity). ## Next steps diff --git a/windows-365/enterprise/end-of-support.md b/windows-365/enterprise/end-of-support.md index f98c9578e09..a6cf36f7c5f 100644 --- a/windows-365/enterprise/end-of-support.md +++ b/windows-365/enterprise/end-of-support.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 07/25/2024 +ms.date: 10/14/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise 
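Review bot: The sentence added in encryption.md's @@ -64 hunk says TLS 1.3 "is supported" for the reverse connect transport but not whether it is negotiated by default or whether TLS 1.2 remains the minimum accepted version on that path, which is exactly what a compliance reviewer reading this paragraph needs; it also follows "TLS 1.2 is used for all connections", leaving the two statements in apparent tension. Suggest stating minimum and default explicitly, for example `For the reverse connect transport, TLS 1.3 is negotiated when the client supports it; TLS 1.2 remains the minimum version.` if that is accurate, and using the style-guide phrasing `For more information, see`. The actual negotiation behavior isn't visible here, so confirm before wording it.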
@@ -55,6 +55,16 @@ These status values for custom images also appear under the **OS support status* Starting on the end of support date, gallery images that use the expired OS won’t be selectable for newly created provisioning policies. The images also won’t be available for use when editing existing provisioning policies. +## Removed images + +Gallery images might rarely be removed prior to the End of Support date. Such removed images go through the same **Warning** and **Unsupported** states as the OS. + +While in the Warning state, you can use existing provisioning policies to deploy devices using the image, but you can’t create new provisioning policies using the image. + +For images in the **Unsupported** state, no provisioning is possible. + +Planned removals are always preceded by proactive message center communications. + ## Next steps diff --git a/windows-365/enterprise/health-checks.md b/windows-365/enterprise/health-checks.md index 2f762ce4be8..18591c09fab 100644 --- a/windows-365/enterprise/health-checks.md +++ b/windows-365/enterprise/health-checks.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 08/28/2024 +ms.date: 10/30/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise 
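Review bot: The new Removed images section in end-of-support.md says no provisioning is possible once an image is Unsupported, but doesn't say what happens to Cloud PCs already provisioned from that image — whether they keep running and whether reprovisioning is still allowed — which is the first question an admin will have when the message center notice arrives. A sentence such as `Existing Cloud PCs provisioned from a removed image continue to run, but can't be reprovisioned with that image; update the provisioning policy to a supported image first.` would close the gap, if accurate. Also `prior to the End of Support date` reads better as `before the end of support date`, matching the capitalization used in the preceding paragraph.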
@@ -44,12 +44,13 @@ Statuses include: - **Running checks**: The health checks are currently running. The ANC list view automatically refreshes every five minutes. Wait for the checks to complete before attempting to assign it to a provisioning policy. - **Checks successful**: All health checks passed. The ANC is ready for use. -- **Checks successful with warnings**: All critical health checks passed. However at least one non-critical check may have issues. An example of a check that may trigger this state is the Microsoft Entra hybrid join sync check. Microsoft Entra hybrid join sync can take up to 90 minutes, so we check much of the Microsoft Entra hybrid join sync service but can’t confirm the device sync succeeded until later. ANCs with this status can be used by provisioning policies. -- **Checks failed**: One or more required checks failed. An ANC can’t be used if it's in a failed state. You’ll have to resolve the underlying issue and Retry the health checks. +- **Checks successful with warnings**: All critical health checks passed. However at least one noncritical check may have issues. An example of a check that may trigger this state is the Microsoft Entra hybrid join sync check. Microsoft Entra hybrid join sync can take up to 90 minutes. Therefore, we check much of the Microsoft Entra hybrid join sync service but can’t confirm that the device sync succeeded until later. Provisioning policies can use ANCs with this status. +- **Checks failed**: One or more required checks failed. An ANC can’t be used if it's in a failed state. Resolve the underlying issue and Retry the health checks. +- **Inactive**: The ANC is inactive and health checks are paused. Reactivate the ANC to restart the health checks. After the health checks are passed, the ANC is ready for use. ## Status error details -Every failed ANC or success with warning error state includes the technical details behind the failure. 
Select the **View details** link for each failed check to view more information on the failure. After you’ve fixed the underlying issue, **Retry** the health check to rerun the tests. To retry the health check, you must: +Every failed ANC or success with warning error state includes the technical details behind the failure. Select the **View details** link for each failed check to view more information on the failure. After you fix the underlying issue, **Retry** the health check to rerun the tests. To retry the health check, you must: - Have the [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) or [Windows 365 Administrator](/azure/active-directory/roles/permissions-reference) role. diff --git a/windows-365/enterprise/hp-anyware-requirements.md b/windows-365/enterprise/hp-anyware-requirements.md index 26d50eba610..d18165c7f00 100644 --- a/windows-365/enterprise/hp-anyware-requirements.md +++ b/windows-365/enterprise/hp-anyware-requirements.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 04/10/2024 +ms.date: 10/09/2024 ms.topic: overview ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -29,7 +29,7 @@ ms.collection: - tier2 --- -# Requirements for using HP Anyware for Windows 365 Enterprise (preview) +# Requirements for using HP Anyware for Windows 365 Enterprise To use HP Anyware for Windows 365, you must meet the following requirements: 
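Review bot: The new Inactive bullet in health-checks.md's @@ -44 hunk tells the reader to reactivate the ANC but not what puts it in that state or where the Reactivate action lives, so unlike the other statuses on this page a reader can't act on it. Suggest `After the health checks pass, the ANC is ready for use.` for the last sentence, plus either a short clause on the trigger or a link to the page that describes the inactive state (the in-development page in this same commit describes it as ANCs unused for more than four weeks, so the trigger may still be settling).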
@@ -38,7 +38,7 @@ To use HP Anyware for Windows 365, you must meet the following requirements: - HP Anyware Standard license - Cloud PCs must have access to: - https://cas.teradici.com on TCP 443 for Broker connectivity. -- Consult [Anyware Session Planning Guide](https://www.teradici.com/web-help/pcoip/session_planning_guide/2023.12/network/network_requirements/) for more requirements. +- Consult the [Anyware Session Planning Guide](https://www.teradici.com/web-help/pcoip/session_planning_guide/2023.12/network/network_requirements/) for more requirements. ## Microsoft requirements @@ -46,8 +46,8 @@ To use HP Anyware for Windows 365, you must meet the following requirements: - Microsoft Entra domain in the same tenant as Microsoft Intune - Windows 365 Enterprise licenses in the same tenant as Microsoft Intune - Azure admin account: - - Microsoft Entra Global Admin for required authorizations in HP Anyware Service. - - Intune Admin for enabling the HP Anyware connector in Microsoft Intune. + - Intune Administrator for required authorizations in HP Anyware Service. + - Intune Administrator for enabling the HP Anyware connector in Microsoft Intune. - For more information about the Windows 365 requirements, see [Windows 365 requirements](requirements.md). ## Supported configurations diff --git a/windows-365/enterprise/hp-anyware-set-up.md b/windows-365/enterprise/hp-anyware-set-up.md index 5f41918fc64..5c498c11834 100644 --- a/windows-365/enterprise/hp-anyware-set-up.md +++ b/windows-365/enterprise/hp-anyware-set-up.md 
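Review bot: After the change in hp-anyware-requirements.md's @@ -46 hunk both bullets under "Azure admin account" name the same Intune Administrator role, so the list now reads as a duplicate. Merging them keeps the least-privilege message (no Global Administrator needed) clear: `- Intune Administrator, for required authorizations in the HP Anyware service and for enabling the HP Anyware connector in Microsoft Intune.` If the two tasks genuinely require different scopes of that role, say what differs instead of repeating the role name.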
@@ -29,11 +29,11 @@ ms.collection: - tier2 --- -# Set up HP Anyware for Windows 365 Enterprise (preview) +# Set up HP Anyware for Windows 365 Enterprise HP Anyware for Windows 365 is a cloud-based service that lets you deliver Windows 365 Enterprise desktops on HP Anyware’s management and PCoIP protocol. HP Anyware's infrastructure and protocol excel in low bandwidth environments and intensive workloads. -HP Anyware for Windows 365 is in [public preview](../public-preview.md) in selected regions. To submit a request to join this preview, see [https://aka.ms/HPAnywarePublicPreviewSignUp](https://aka.ms/HPAnywarePublicPreviewSignUp). +HP Anyware for Windows 365 is available in selected regions. To sign up for a guided onboarding experience of HP Anyware for Windows 365 or sign up for updates, see [https://reinvent.hp.com/Anyware-for-windows365](https://reinvent.hp.com/Anyware-for-windows365). ## Set up overview @@ -41,7 +41,6 @@ To set up HP Anyware for Windows 365 Enterprise, follow these steps. The first t 1. [Fulfill requirements](hp-anyware-requirements.md). 2. [Turn on the Windows 365 HP Anyware connector in Intune](#turn-on-the-windows-365-hp-anyware-connector-in-intune). -3. [Sign up for the Preview – HP Anyware for Windows 365](https://aka.ms/HPAnywarePublicPreviewSignUp). 4. [Connect Microsoft Entra ID to HP Anyware](https://aka.ms/HPAnywareDocConnectEntraIDtoHP). 5. [Assign HP Anyware licenses to users and provision Cloud PCs](https://aka.ms/HPAnywareDocAssignHPLic). 
@@ -49,23 +48,15 @@ To set up HP Anyware for Windows 365 Enterprise, follow these steps. The first t To turn on the HP Anyware connector, follow these steps: -1. As a Global administrator, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Tenant administration** > **Connectors and tokens**. +1. As a Intune Administrator, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Tenant administration** > **Connectors and tokens**. ![Screenshot of navigating to Connectors and tokens](./media/set-up-citrix/connectors-tokens.png) 2. Select **Windows Windows partner connectors** > **Add**. -3. Under **Add connector**, select **HP Anyware (preview)** in the drop-down list. +3. Under **Add connector**, select **HP Anyware** in the drop-down list. 4. Next to **Allow people to use HP Anyware to connect to their Cloud PCs**, set the toggle to **On** > **Add**. -## Public preview limitations - -During the public preview, the following limitations exist: - -- The initial release supports selected regions. -- Windows 365 Frontline isn't supported. -- Nested groups aren't supported. - ## Next steps -To complete the integration, proceed to the HP Anyare Manager. For more information about HP Anyware set up, see [https://aka.ms/HPAnywareDocConnectEntraIDtoHP](https://aka.ms/HPAnywareDocConnectEntraIDtoHP). +To complete the integration, proceed to the HP Anyware Manager. For more information about HP Anyware set up, see [https://aka.ms/HPAnywareDocConnectEntraIDtoHP](https://aka.ms/HPAnywareDocConnectEntraIDtoHP). diff --git a/windows-365/enterprise/identity-authentication.md b/windows-365/enterprise/identity-authentication.md index e3b0756907f..bd36d73aa95 100644 --- a/windows-365/enterprise/identity-authentication.md +++ b/windows-365/enterprise/identity-authentication.md 
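Review bot: Removing the "Public preview limitations" section from hp-anyware-set-up.md drops the statements that Windows 365 Frontline and nested groups aren't supported without saying whether those limitations ended with the preview; the new partner-integration-scenarios.md in this same commit still lists only Enterprise as HP's supported service plan, which suggests at least the Frontline restriction still applies. If so, keep them under a plain `## Limitations` heading rather than deleting them. Separately, step 1 should read `As an Intune Administrator`.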
@@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: davidbel +ms.reviewer: davidbel, pratikshah ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Windows 365 identity and authentication A Cloud PC user's identity defines which access management services manage that user and Cloud PC. This identity defines: diff --git a/windows-365/enterprise/in-development.md b/windows-365/enterprise/in-development.md index 8a232de692f..4b4111565ca 100644 --- a/windows-365/enterprise/in-development.md +++ b/windows-365/enterprise/in-development.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 06/28/2024 +ms.date: 10/02/2024 ms.topic: conceptual ms.service: windows-365 @@ -56,14 +56,6 @@ To help in your readiness and planning, this page lists Windows 365 updates and ## Device management -### Support for symmetric NAT with RDP Shortpath - -In a future update, RDP Shortpath in Windows 365 will support establishing an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. TURN is a popular standard for device-to-device networking for low latency, high-throughput data transmission. For more information, see [Network Traversal Concepts](/azure/communication-services/concepts/network-traversal). For more information about RDP Shortpath, see [Use RDP Shortpath for public networks with Windows 365](rdp-shortpath-public-networks.md). - -### Chroma subsampling default change to 4:2:0 - -To reduce monitor support issues, the Windows 365 service will default the chroma subsampling at 4:2:0 (instead of the previous 4:4:4). - ### Cloud PC gallery images update to Microsoft Teams 2.1 In a future update, Windows 365 Cloud PC gallery images with Microsoft 365 applications will be updated to use Microsoft Teams 2.1. These images include: 
@@ -72,12 +64,22 @@ In a future update, Windows 365 Cloud PC gallery images with Microsoft 365 appli - Windows 10 Enterprise + Microsoft 365 Apps 22H2 - Windows 10 Enterprise + Microsoft 365 Apps 21H2 - -## Device security +### Azure network connections inactive state + +In a future update, Azure network connections that meet either of the following conditions for more than four weeks will be marked as inactive: + +- ANCs that aren't associated with provisioning policies. +- ANCs with provisioning policies that have no Cloud PCs associate with them. + +Inactive ANCs: -### Cloud PC support for FIDO devices and passkeys on macOS and iOS +- Can't be assigned to provisioning policies. +- Are skipped during health checks. -Windows 365 Cloud PCs will support FIDO devices and passkeys for Microsoft Entra ID sign in on macOS and iOS. +You'll be able to reactive such ANCs. + + + @@ -97,19 +99,15 @@ End users will be able to manually run connectivity checks on their Cloud PCs fr The Cloud PC action status report will show batches of devices in which actions have been triggered. Customers will be able to see the batch current progress. - -## Provisioning - -### New health check: UDP TURN (preview) +### Remoting connections report deprecation -A new UDP TURN check will be added to the Azure Network Connections health checks. For more information about health checks, see [Azure network connections health checks](health-checks.md). +The remoting connection report will be retired on December 31st, 2024. After this date, refer to the [Cloud PC connection quality report](report-cloud-pc-connection-quality.md). -## Security - -### New settings for Windows 365 security baselines + -New configuration settings will be introduced for the Windows 365 security baseline. + + diff --git a/windows-365/enterprise/install-windows-365-app-intune.md b/windows-365/enterprise/install-windows-365-app-intune.md index 2ecf7e6f0ff..593968ceeb9 100644 
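Review bot: Two typos in the new text of in-development.md's @@ -72 hunk: the second bullet should read `- ANCs with provisioning policies that have no Cloud PCs associated with them.` and the closing line `You'll be able to reactivate such ANCs.` In the @@ -97 hunk, write the retirement date as `December 31, 2024`.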
--- a/windows-365/enterprise/install-windows-365-app-intune.md +++ b/windows-365/enterprise/install-windows-365-app-intune.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 06/24/2024 +ms.date: 09/30/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -29,9 +29,9 @@ ms.collection: - tier2 --- -# Using Intune, install the Windows app on physical devices +# Using Intune, install Windows App on physical devices -Some of your users might have physical devices that don't have access to the Microsoft Store to install the Windows app. In these cases, you can install the Windows app to their devices by using Intune app assignment process. By assigning the app to device groups, you can automatically install the Windows 365 app on their devices. +Some of your users might have physical devices that don't have access to the Microsoft Store to install the Windows app. In these cases, you can install the Windows app to their devices by using Intune app assignment process. By assigning the app to device groups, you can automatically install Windows App on their devices. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Apps** > **All apps** > **Add**. ![Screenshot of add an app](./media/install-windows-365-app-intune/add-app.png) 
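Review bot: The renaming in install-windows-365-app-intune.md's @@ -29 hunk is incomplete: the title now says `Windows App`, but the same paragraph still says `the Windows app` twice, and in the @@ -39 hunk step 3 still says `search for **Windows app**`. Pick one form (the title's `Windows App` appears to be the intended product name) and apply it throughout, otherwise the page refers to the same app by two names.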
@@ -39,9 +39,9 @@ Some of your users might have physical devices that don't have access to the Mic 3. On the **Add App** page, select **Search the Microsoft Store app (new)**, search for **Windows app** and select it > choose **Select**. 4. On the **App information** page, you can leave all the settings as is or change them > **Next**. For more information about these settings, see [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft). 5. (Optional) On the **Scope tags** page, you can use scope tags to ensure that the right admins have the correct access and visibility to Intune objects. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). Select **Next**. -6. On the **Assignments** page, add device and/or user groups containing the Cloud PCs on which you want the Windows 365 app to be automatically installed. If you target a user group, the users must first sign in to their Cloud PC before the app is installed. If you target a device group, the app is installed before the user signs in. - 1. Under **Required**, select **Add group** and add the groups containing the physical devices on which you want the Windows 365 app automatically installed. - 2. Under **Available for enrolled devices**, select **Add group** and add the user groups. The Windows 365 app is displayed in the Company Portal app and website for users to optionally install. +6. On the **Assignments** page, add device and/or user groups containing the Cloud PCs on which you want Windows App to be automatically installed. If you target a user group, the users must first sign in to their Cloud PC before the app is installed. If you target a device group, the app is installed before the user signs in. + 1. Under **Required**, select **Add group** and add the groups containing the physical devices on which you want Windows App automatically installed. + 2. 
Under **Available for enrolled devices**, select **Add group** and add the user groups. Windows App is displayed in the Company Portal app and website for users to optionally install. 3. After you've selected all the groups, select **Next** 7. On the **Review + create** page, select **Create**. diff --git a/windows-365/enterprise/introduction-windows-365-government.md b/windows-365/enterprise/introduction-windows-365-government.md index 11dca78acaa..e0ddc1624cb 100644 --- a/windows-365/enterprise/introduction-windows-365-government.md +++ b/windows-365/enterprise/introduction-windows-365-government.md @@ -61,14 +61,13 @@ The following features aren't yet supported for Windows 365 GCC or GCC High. - Audit logs support in Azure Log Analytics - [New Microsoft Teams client](/microsoftteams/new-teams-desktop-admin) - Windows 365 Boot (available for GCC, not available for GCC High) -- Windows App - Microsoft Purview forensic evidence - Windows 365 Switch - Windows 365 Frontline (available for GCC, not available for GCC High) -- Cloud PC connection quality report - Cross region disaster recovery - [Support for Omnissa Horizon clients and the Blast protocol](set-up-omnissa-horizon.md) -- [Microsoft Purview Customer Key](purview-customer-key.md) +- [Microsoft Purview Customer Key](purview-customer-key.md) +- [HP Anyware for Windows 365](hp-anyware-set-up.md) ## Next steps diff --git a/windows-365/enterprise/known-issues-enterprise.md b/windows-365/enterprise/known-issues-enterprise.md index 1df8bdba788..8edc0ee451f 100644 --- a/windows-365/enterprise/known-issues-enterprise.md +++ b/windows-365/enterprise/known-issues-enterprise.md 
@@ -245,7 +245,7 @@ This applies to the following gallery images: For newly provisioned Cloud PCs, verify WebRTC is available. If it’s not, you can use either of the following options: -- To add the WebRTC Redirector Service app to the list of apps to install by default onto Cloud PCs, follow the steps: [Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune](/intune/apps/apps-add-office365). +- To add the WebRTC Redirector Service app to the list of apps to install by default onto Cloud PCs, follow the steps: [Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune](/mem/intune/apps/apps-add-office365). - To add the WebRTC Redirector Service app to an individual Cloud PC, follow the steps: [install the Remote Desktop WebRTC Redirector Service](/azure/virtual-desktop/teams-on-avd#install-the-remote-desktop-webrtc-redirector-service). To get the most up-to-date installer, use this link: [https://aka.ms/msrdcwebrtcsvc/msi]( https://aka.ms/msrdcwebrtcsvc/msi). diff --git a/windows-365/enterprise/media/partner-integration-scenarios/partner-integration-connection-process.png b/windows-365/enterprise/media/partner-integration-scenarios/partner-integration-connection-process.png new file mode 100644 index 00000000000..dac101df5f4 Binary files /dev/null and b/windows-365/enterprise/media/partner-integration-scenarios/partner-integration-connection-process.png differ diff --git a/windows-365/enterprise/media/report-cloud-pc-connection-quality/view-report-connection-quality.png b/windows-365/enterprise/media/report-cloud-pc-connection-quality/view-report-connection-quality.png index dbcc193cd50..3037537ce78 100644 Binary files a/windows-365/enterprise/media/report-cloud-pc-connection-quality/view-report-connection-quality.png and b/windows-365/enterprise/media/report-cloud-pc-connection-quality/view-report-connection-quality.png differ 
diff --git a/windows-365/enterprise/media/report-cloud-pcs-not-available/view-report-cloud-pcs-not-available.png b/windows-365/enterprise/media/report-cloud-pcs-not-available/view-report-cloud-pcs-not-available.png
index 25b64eaf966..c641dc7b0e1 100644
Binary files a/windows-365/enterprise/media/report-cloud-pcs-not-available/view-report-cloud-pcs-not-available.png and b/windows-365/enterprise/media/report-cloud-pcs-not-available/view-report-cloud-pcs-not-available.png differ
diff --git a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png
index 20b2e2445cb..efec5d69195 100644
Binary files a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png and b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/create-conditional-policy.png differ
diff --git a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png
index 8291926c478..24ecaac81b6 100644
Binary files a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png and b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/include-apps.png differ
diff --git a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png
index 2b222bce2fa..90ac3526a6a 100644
Binary files a/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png and b/windows-365/enterprise/media/restrict-office-365-cloud-pcs/select-group.png differ
diff --git a/windows-365/enterprise/partner-integration-scenarios.md b/windows-365/enterprise/partner-integration-scenarios.md
new file mode 100644
index 00000000000..a37893f4727
--- /dev/null
+++ b/windows-365/enterprise/partner-integration-scenarios.md 
@@ -0,0 +1,64 @@ +--- +# required metadata +title: Partner integration scenarios for Windows 365. +titleSuffix: +description: Learn about partner integration scenarios for Windows 365. +keywords: +author: ErikjeMS +ms.author: erikje +manager: dougeby +ms.date: 10/23/2024 +ms.topic: overview +ms.service: windows-365 +ms.subservice: windows-365-enterprise +ms.localizationpriority: high +ms.assetid: + +# optional metadata + +#ROBOTS: +#audience: + +ms.reviewer: aradinger +ms.suite: ems +search.appverid: MET150 +#ms.tgt_pltfrm: +ms.custom: intune-azure; get-started +ms.collection: +- M365-identity-device-management +- tier2 +--- + +# Windows 365 partner integration supported scenarios + +The following partner integration scenarios support partner protocols on top of Windows 365, without compromising the simplicity and predictability that Windows 365 delivers. + +| Partner | Supported clients | Gateway service | Connection protocol | Supported service plans | +| --- | --- | --- | --- | --- | +| Citrix | Citrix Workspace web client
                        Citrix Workspace desktop clients for supported platforms | Citrix Cloud Gateway Service | Citrix HDX | Enterprise, Frontline +| HP | HP Anyware web client
                        HP Anyware desktop clients for supported platforms | HP Anyware Cloud Gateway Service | HP Anyware | Enterprise | +| Omnissa | Omnissa Workspace ONE web client
                        Omnissa ONE desktop clients for supported platforms | Omnissa Cloud Gateway Service | Omnissa Blast | Enterprise | + +While scenarios not listed here might still work in customers’ production environment, they aren't supported by Microsoft. + +> [!NOTE] +> +> On-premises gateway services aren't supported. + +## User connection process with partner integration + +![Diagram of Windows 365 partner supported connection process.](media/partner-integration-scenarios/partner-integration-connection-process.png) + +1. A user authenticates using Microsoft Entra ID, on-premises Active Directory, or a third party identity provider. +2. Windows 365 establishes a connection to the partner cloud gateway using partner protocols. +3. A Cloud PC is assigned to the user and is accessible from the web/workspace portals. +4. Windows 365 establishes a connection to the Cloud PC using partner protocols. + + +## Next steps + +[Set up Citrix HDX Plus for Windows 365 Enterprise](set-up-citrix.md). + +[Set up HP Anywhere for Windows 365 Enterprise](set-up-citrix.md). + +[Set up Omnissa Horizon for Windows 365 Enterprise](set-up-citrix.md). diff --git a/windows-365/enterprise/privacy-personal-data.md b/windows-365/enterprise/privacy-personal-data.md index 081c7926334..2e3185bfc3f 100644 --- a/windows-365/enterprise/privacy-personal-data.md +++ b/windows-365/enterprise/privacy-personal-data.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 09/13/2023 +ms.date: 10/02/2024 ms.topic: conceptual ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: anbiswas +ms.reviewer: tnevins1, pratikshah ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
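Review bot: The Next steps in the new partner-integration-scenarios.md link all three partner setup guides to set-up-citrix.md, and the HP entry misspells the product as "HP Anywhere". Point them at the pages this commit references elsewhere: `[Set up HP Anyware for Windows 365 Enterprise](hp-anyware-set-up.md).` and `[Set up Omnissa Horizon for Windows 365 Enterprise](set-up-omnissa-horizon.md).` The Citrix row of the table is also missing its closing `|`, the title metadata ends with a stray period, and step 1 should read `third-party identity provider`.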
@@ -30,6 +30,8 @@ ms.collection: - essentials-privacy --- + + # Privacy, customer data, and customer content in Windows 365 Windows 365 is a cloud-based service that lets you provision and manage Cloud PC for your users. You manage the Cloud PCs with the rest of your devices by using Microsoft Intune (Windows 365 Enterprise) or a self-serviced experience (Windows 365 Business). This documentation provides details on data platform and privacy compliance for Windows 365. Unless otherwise specified, the term Windows 365 in this document refers to both Windows 365 Enterprise and the Windows 365 Business. Where the details below differ, each product is called out individually. 
@@ -47,7 +49,7 @@ To protect and maintain enrolled devices, Windows 365 processes and copies data ## Windows 365 data storage -Depending on a tenant's region and preference, Windows 365 stores its customer content in Azure regions in North America, Europe, or Asia Pacific. Cloud PC virtual disk, customer content, data and storage associated with the Cloud PC lives in the Azure region that the Cloud PC is [provisioned](provisioning.md) in. For Windows 365 Enterprise, the region is defined in the [Azure network connection's](azure-network-connections.md) (ANC) **Virtual network** setting. Windows 365 Business stores customer data in the Azure region of the Cloud PC itself. +Depending on a tenant's region and preference, Windows 365 stores its customer content in Azure regions in North America, Europe, or Asia Pacific. Cloud PC virtual disk, customer content, data and storage associated with the Cloud PC lives in the Azure region that the Cloud PC is [provisioned](provisioning.md) in. For Windows 365 Enterprise, the region is defined in the Microsoft hosted network or [Azure network connection](azure-network-connections.md) (ANC) settings within the Cloud PC's associated provisioning policy. Windows 365 Business stores customer data in the Azure region of the Cloud PC itself. To manage the Cloud PC, certain data relating to the Cloud PC (like the machine’s name, diagnostic data, and service-generated data) is stored in Azure data centers in North America, Europe, or Asia Pacific, as defined by the tenant's location. This storage is mapped based on Microsoft Online tenant's country/region to the nearest Azure region. diff --git a/windows-365/enterprise/provisioning-errors.md b/windows-365/enterprise/provisioning-errors.md index 5a94a5b80e8..cdd3421b403 100644 --- a/windows-365/enterprise/provisioning-errors.md +++ b/windows-365/enterprise/provisioning-errors.md 
@@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 07/16/2024 +ms.date: 09/13/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -169,6 +169,25 @@ Windows 365 provisioned the Cloud PC but didn’t disable the built-in Windows r **Suggested test**: Retry provisioning. +## Blocking High Risk Ports: One or more high risk ports couldn’t be disabled + +Windows 365 provisioned the Cloud PC but was unable to block all high-risk ports based on Microsoft security standards. Windows 365 disables high risk ports used for the management of resources or unsecure/unencrypted data transmission and shouldn't be exposed to the internet by default. + +If you are seeing this error, some factors to consider are: + +- Sometimes an enterprise will implement an Intune group policy that enables one of these ports by default. +- Make sure that there are no Intune policies that may override Windows 365's default of disabling these high-risk ports. + +**Suggested test**: Try any of these solutions: + +- Retry provisioning. +- If the device is Intune-enrolled, you can apply Intune policy to disable the ports. +- The user can also disable the ports manually by adding a local firewall rule onto their device. For a list of high risk ports that are recommended for blocking, please see [Security admin rules in Azure Virtual Network Manager](/azure/virtual-network-manager/concept-security-admins#protect-high-risk-ports). + +## Other provisioning failures + +If you encounter other provisioning errors not covered above, make sure all the required endpoints are allowed on the VNet used for your ANC and any gateway device. + ## Next steps [Troubleshooting](troubleshooting.md). diff --git a/windows-365/enterprise/report-cloud-pc-actions.md b/windows-365/enterprise/report-cloud-pc-actions.md index d968c398635..8f2dcd3cb12 100644 --- a/windows-365/enterprise/report-cloud-pc-actions.md 
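Review bot: The new "Blocking High Risk Ports" section in provisioning-errors.md says the Cloud PC was provisioned despite the block failing, but never states the consequence: the device is in service without the port blocking the service normally applies, so the fix should be treated as remediation rather than a plain retry. Suggest opening the "Suggested test" with that, e.g. `Until the ports are blocked, the Cloud PC lacks the default protection the service applies; remediate before handing the device to the user.` The two "factors to consider" bullets mix an observation and an instruction — rewrite the first as `An Intune policy in your tenant might open one of these ports.` — and the wording should be `If you see this error`, `high-risk` consistently, and `see` rather than `please see`. The last bullet has the end user adding a local firewall rule, which presumes local administrator rights on the Cloud PC; either say so or direct that step at the admin.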
+++ b/windows-365/enterprise/report-cloud-pc-actions.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 12/6/2023 +ms.date: 10/30/2024 ms.topic: overview ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -31,7 +31,12 @@ ms.collection: # Cloud PC actions report (preview) -This report shows you what actions admins have taken on which Cloud PCs, and the status of those actions. +This report shows you the status and completion progress of actions admins have taken on Cloud PCs, for both: + +- Single actions on the **Devices** tab. +- Multiple devices using **Bulk device actions** on the **Bulk batches** tab. + + The report shows action statuses for the last 90 days. The Cloud PC actions report is in [public preview](..\public-preview.md). @@ -39,11 +44,11 @@ The Cloud PC actions report is in [public preview](..\public-preview.md). To get to the **Cloud PC actions** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Monitor** > **Cloud PC actions (preview)**. -## Report data +## Devices tab :::image type="content" source="./media/report-cloud-pc-actions/report.png" alt-text="Screenshot of the Cloud PC actions report." lightbox="./media/report-cloud-pc-actions/report.png"::: -The report shows the following columns: +The tab shows the following columns: - **Device name** - **Primary user UPN** 
@@ -64,6 +69,17 @@ The report shows the following columns: - **Review required**: An admin must take action to complete the action. For example, assigning a target license to a device in **Resize Pending License** state for the **Resize** action. - **Date initiated** +## Bulk batches tab + +When an admin takes an action on multiple Cloud PCs at once using **Bulk device actions**, the actions are combined into a batch. + +The tab shows the following columns: + +- **Batch name** - An automatically generated name for a batch of devices undergoing a remote action. +- **Action** - Same as **Devices** tab. +- **Completion** - The progress of the action on the batch of devices. +- **Date initiated** + ## Next steps diff --git a/windows-365/enterprise/report-cloud-pc-connection-quality.md b/windows-365/enterprise/report-cloud-pc-connection-quality.md index 86e6fbc3d8a..f5006b63761 100644 --- a/windows-365/enterprise/report-cloud-pc-connection-quality.md +++ b/windows-365/enterprise/report-cloud-pc-connection-quality.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 03/27/2024 +ms.date: 10/18/2024 ms.topic: overview ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -35,7 +35,7 @@ The **Connection quality report** helps Windows 365 administrators identify devi ## Use the Cloud PC connection quality report -To get to the **Cloud PC connection quality** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Overview** > **Cloud PC performance** > **View report** (under **Connection quality**). +To get to the **Cloud PC connection quality** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC overview** > **Connection quality**. ![Screenshot of getting to the Cloud PC connection quality report](./media/report-cloud-pc-connection-quality/view-report-connection-quality.png) 
diff --git a/windows-365/enterprise/report-cloud-pc-recommendations.md b/windows-365/enterprise/report-cloud-pc-recommendations.md index b790a3ed7da..d58276759b9 100644 --- a/windows-365/enterprise/report-cloud-pc-recommendations.md +++ b/windows-365/enterprise/report-cloud-pc-recommendations.md @@ -42,11 +42,9 @@ An evolving model analyzes this data to determine whether Cloud PCs are: - Under-used. - Sized appropriately. -The Cloud PC recommendations report is in [public preview](..\public-preview.md). - ## Use the Cloud PC recommendations report -To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations (preview)**. +To get to the **Cloud PC recommendations** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC Overview** > **Cloud PC recommendations**. ![Screenshot of Cloud PC recommendation report.](media/report-cloud-pc-recommendations/report-cloud-pc-recommendations.png) diff --git a/windows-365/enterprise/report-cloud-pcs-not-available.md b/windows-365/enterprise/report-cloud-pcs-not-available.md index 751476e1a15..021a70a8027 100644 --- a/windows-365/enterprise/report-cloud-pcs-not-available.md +++ b/windows-365/enterprise/report-cloud-pcs-not-available.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 08/28/2024 +ms.date: 10/18/2024 ms.topic: overview ms.service: windows-365 ms.subservice: windows-365-enterprise 
@@ -37,7 +37,7 @@ This report displays recent conditions up to 5 to 15 minutes ago. Therefore, Clo ## Use the Cloud PCs that aren't available report -To get to the **Cloud PCs that aren't available** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Overview** > **Cloud PC performance** > **Cloud PCs that aren't available**. +To get to the **Cloud PCs that aren't available** report, sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Reports** > **Cloud PC overview** > **Cloud PCs that aren't available**. ![Screenshot of getting to the Cloud PCs that aren't available report](./media/report-cloud-pcs-not-available/view-report-cloud-pcs-not-available.png) diff --git a/windows-365/enterprise/report-remoting-connection.md b/windows-365/enterprise/report-remoting-connection.md index 0c6800d6289..aec5263dc3c 100644 --- a/windows-365/enterprise/report-remoting-connection.md +++ b/windows-365/enterprise/report-remoting-connection.md @@ -31,6 +31,9 @@ ms.collection: # Remoting connection report +> [!IMPORTANT] +> The remoting connection report will be retired on December 31st, 2024. After this date, refer to the [Cloud PC connection quality report](report-cloud-pc-connection-quality.md). + The Remoting connection report in [Endpoint analytics](/mem/analytics/overview) helps you monitor key performance metrics for connecting to the Cloud PCs. There are two metrics in this report: - **Round trip time (ms)** diff --git a/windows-365/enterprise/requirements.md b/windows-365/enterprise/requirements.md index 7563cd8e369..aedc7dd898a 100644 --- a/windows-365/enterprise/requirements.md +++ b/windows-365/enterprise/requirements.md 
@@ -63,7 +63,7 @@ A subscription in Azure Government is required for Windows 365 Government custom ## Microsoft Entra ID and Intune requirements - A valid and working Intune and Microsoft Entra tenant. -- Intune device type enrollment restrictions set to Allow Windows (MDM) platform for corporate enrollment. +- Intune default device type enrollment restrictions must be set to Allow Windows (MDM) platform for corporate enrollment. For more information, see [Device Enrollment Restrictions Limitations](/mem/intune/enrollment/enrollment-restrictions-set#limitations). - Infrastructure configuration: If you plan on provisioning Microsoft Entra hybrid joined Cloud PCs, you must configure your infrastructure to automatically Microsoft Entra hybrid join any devices that domain join to the on-premises Active Directory. This [configuration lets them be recognized and managed in the cloud](/azure/active-directory/devices/overview). - Microsoft Entra Domain Services isn't supported because it doesn't support Microsoft Entra hybrid join. diff --git a/windows-365/enterprise/resilience.md b/windows-365/enterprise/resilience.md index ef7b894a036..256891b7655 100644 --- a/windows-365/enterprise/resilience.md +++ b/windows-365/enterprise/resilience.md @@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: thhickli +ms.reviewer: thhickli, rkiran ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -29,6 +29,8 @@ ms.collection: - tier2 --- + + # Windows 365 service resilience Windows 365 is designed to provide a resilient and reliable service for organizations and end users, connecting to, and using their Cloud PCs. diff --git a/windows-365/enterprise/resize-cloud-pc.md b/windows-365/enterprise/resize-cloud-pc.md index 63cb93cc6b4..abe679ca475 100644 --- a/windows-365/enterprise/resize-cloud-pc.md +++ b/windows-365/enterprise/resize-cloud-pc.md 
@@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 07/09/2024 +ms.date: 10/03/2024 ms.topic: overview ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -31,30 +31,7 @@ ms.collection: # Resize a Cloud PC -The **Resize** remote action, which preserves user and disk data, lets you: - -- Upgrade the RAM, CPU, and storage size of a Cloud PC. -- Downgrade the RAM and CPU of Cloud PC. Resizing doesn't let you downsize disk space. - -These operations don't require reprovisioning of the Cloud PC. - -You might consider resizing a Cloud PC when a user needs: - -- Higher RAM and VCPU cores to run CPU intensive applications. -- More disk space for file storing. -- Less RAM and vCPU cores to run their current workload applications. - -Resizing supports: - -- Direct and group-based licenses. -- Paid, preview, and trial licenses. -- Bulk and single device operations. - -Resizing doesn't support: - -- GPU Cloud PCs. GPU Cloud PCs might show up in the resize flow, but trying to resize a GPU Cloud PC will result in an error. - -Resizing automatically disconnects the user from their session and any unsaved work might be lost. Therefore, it's best to coordinate any resizing with the user before you begin. Contact your end users and have them save their work and sign out before you begin resizing. +[!INCLUDE [Resize a Cloud PC intro](../includes/resize-introduction.md)] Downsizing may impact support for nested virtualization. For more information, see [Set up virtualization-based workloads support](nested-virtualization.md). 
@@ -65,7 +42,7 @@ Downsizing may impact support for nested virtualization. For more information, s To resize a Cloud PC, the admin must have certain built-in Microsoft Entra roles. - For a Cloud PC provisioned with a direct assigned license, at least one of the following roles - - Intune Service Administrator + - Intune Service Administrator - Intune Reader + Cloud PC Admin roles - Intune Reader + Windows 365 Administrator - For a Cloud PC provisioned with a group-based license, at least one of the following roles @@ -75,24 +52,9 @@ To resize a Cloud PC, the admin must have certain built-in Microsoft Entra roles Alternatively, you can assign a custom role that includes the permissions of these built-in roles. -## IP address requirements +[!INCLUDE [Resize a Cloud PC IP requirements](../includes/resize-ip-address-requirements.md)] -When resizing a Microsoft Entra hybrid join bring-your-own-network Cloud PC, a second IP address must be available in the subnet for the Cloud PC to be resized. - -During the resizing operation, a second IP address is used when moving to the new size. This precaution makes sure that the Cloud PC can be rolled back to the original should an issue occur. - -To account for this precaution, you can: - -- Make sure that adequate IP addresses are available in the vNET for all Cloud PCs to be resized, or -- Stagger your resize operations to make sure that the address scope is maintained. - -If inadequate addresses are available, resize failures can occur. - -### Other requirements - -In order to use **Resize** there must be available licenses in inventory for the resized Cloud PC configuration. - -To **Resize** a Cloud PC, it must have a status of **Provisioned** in the Windows 365 provisioning node. +[!INCLUDE [Resize a Cloud PC other requirements](../includes/resize-other-requirements.md)] ## Resize a single Cloud PC provisioned with a direct assigned license 
@@ -102,7 +64,7 @@ When resizing Cloud PCs provisioned through direct assigned licenses the Windows - Assigning the new license on behalf of the admin. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **All Devices** > choose a device > **Resize**. -![Screenshot of resize a Cloud PC](./media/resize-cloud-pc/resize.png) +![Screenshot of resize a Cloud PC.](./media/resize-cloud-pc/resize.png) 2. Under **Resize**, there's a list of the sizes that you can upgrade or downsize to based on the licenses available in your inventory. You can upgrade/downgrade a Cloud PC’s RAM and vCPU. You can only upgrade the OS disk storage. If you're downgrading a user’s Cloud PC, options with lower storage are grayed out. Select one of the available options. 3. Select **Resize**. 
@@ -113,13 +75,13 @@ If there are available licenses, the resizing starts. 1. Create a new target Microsoft Entra group. Add the users from the source Microsoft Entra group that you want to resize. Alternately, you can use existing Microsoft Entra groups if you're mapping the groups to individual Windows 365 license types. 2. Assign the existing provisioning policy targeting the original source Microsoft Entra group to the new target Microsoft Entra group. You only need to do this step if you don't have a discrete Microsoft Entra group for your provisioning policy assignment. If you have discrete Microsoft Entra groups to manage your provisioning policy assignments, you can omit this step. 3. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **All Devices** > choose the device that you want added to the Microsoft Entra target group > **Resize**. -![Screenshot of resize a Cloud PC](./media/resize-cloud-pc/resize.png) +![Screenshot of resize a Cloud PC.](./media/resize-cloud-pc/resize.png) 4. A list is displayed with all the possible SKUs that you can upgrade or downsize to based on the licenses that you have available in your inventory. You can upgrade/downgrade a Cloud PC’s RAM and vCPU. You can only upgrade the OS disk storage. If you're downsizing a user’s Cloud PC, options with lower storage are grayed out. Select one of the available options. 5. Select **Resize**. 6. The user’s Cloud PC is placed in the **Resize pending license** state as can be seen in the Windows 365 provisioning blade. 7. Select **Users** > search for the user name assigned to the Cloud PC and select it > **Groups**. 8. To retrieve the old license, remove the users from the original source Microsoft Entra group. If you don’t perform this step, a new Cloud PC will be provisioned with the original source license after you assign the target license. 
- - When using Microsoft Entra ID hybrid in your environment, after removing the user from the original group, you must wait until Microsoft Entra Connect synchronizes your on-premises Active Directory with with your Microsoft Entra ID. This can take up to 30 minutes. Then you can add the user to the new group. + - When using Microsoft Entra ID hybrid in your environment, after removing the user from the original group, you must wait until Microsoft Entra Connect synchronizes your on-premises Active Directory with your Microsoft Entra ID. This can take up to 30 minutes. Then you can add the user to the new group. 9. Assign the target license to the new target Microsoft Entra group. The resizing process now begins. ## Bulk resizing Cloud PCs 
@@ -159,7 +121,7 @@ Up to 5,000 Cloud PCs can be resized at a time. 7. Under **Select groups to include**, choose the groups containing the users who own the devices that you want to resize > **Next**. 8. On the **Review + create** page, select **Create**. The user’s Cloud PC is placed in the **Resize pending license** state as can be seen in the Windows 365 provisioning blade. 9. To retrieve the old license, remove the users from the original source Microsoft Entra group. If you don’t perform this step, a new Cloud PC will be provisioned with the original source license after you assign the target license. - - When using Microsoft Entra ID hybrid in your environment, after removing the user from the original group, you must wait until Microsoft Entra Connect synchronizes your on-premises Active Directory with with your Microsoft Entra ID. This can take up to 30 minutes. Then you can add the user to the new group. + - When using Microsoft Entra ID hybrid in your environment, after removing the user from the original group, you must wait until Microsoft Entra Connect synchronizes your on-premises Active Directory with your Microsoft Entra ID. This can take up to 30 minutes. Then you can add the user to the new group. 10. Assign the target license to the new target Microsoft Entra group. The resizing process now begins. ## Resizing details 
@@ -172,15 +134,9 @@ If the source license isn't removed first, and the new license is assigned to th If the source license isn't removed, and the target license isn't assigned within 48 hours, the device returns to the **Provisioned** state. -When resizing starts, the user is automatically disconnected from their Cloud PC and any unsaved work might be lost. - -Resizing can take from 15 to 20 minutes before the user can access their Cloud PC again. You can monitor the status in the Windows 365 provisioning blade. Users can see their Cloud PC status at https://windows365.microsoft.com. - If you have a combination of paid and trial licenses, the resize feature uses your paid licenses first. After these licenses run out, the resize operation uses your trial licenses. -If there are no licenses in your inventory, the resizing fails. To request more licenses, contact your procurement admin. After you purchase the license and added to the inventory in the Microsoft 365 admin center, you can retry the resize operation. Licenses can be purchased from various channels: EA, CSP, MCA, and Web Direct. - -Devices with a state of **Resize not supported** aren't resized. The status message and details can help you identify the issue. You can still proceed with a bulk resize even if you have devices in the list that are marked as **Resize not supported**. +[!INCLUDE [Resize a Cloud PC details](../includes/resize-details.md)] ## Resize with Step-up Licenses diff --git a/windows-365/enterprise/restrict-office-365-cloud-pcs.md b/windows-365/enterprise/restrict-office-365-cloud-pcs.md index bc128eb9aea..bd087454bfd 100644 --- a/windows-365/enterprise/restrict-office-365-cloud-pcs.md +++ b/windows-365/enterprise/restrict-office-365-cloud-pcs.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 09/27/2023 +ms.date: 09/30/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise 
@@ -36,18 +36,27 @@ Administrators can deny access to Office 365 services on any device other than a This article describes how to limit access to Office 365 services. You can use the same strategy with any cloud service that uses Microsoft Entra ID as the authentication source. 1. Create a Microsoft Entra security group to manage which users are controlled by the new policy. Add to this group all the Cloud PC users who will be subjected to the new policy. Only users in this group will be restricted to using Cloud PCs when accessing Office 365 services. If you want to change a user’s access, you can just remove them from this group. + 2. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional access** > **Create new policy**. + ![Create conditional access policy screen shot](./media/restrict-office-365-cloud-pcs/create-conditional-policy.png) + 3. Type a **Name** for your new Conditional Access policy. For example, “Restrict Office 365 access to CPCs”. + 4. Select **0 users and groups selected** > **Include** > **Select users and groups** > **Users and groups** > select the Microsoft Entra security group that you created > **Select**. + ![Select group screen shot](./media/restrict-office-365-cloud-pcs/select-group.png) -5. Select **No cloud apps, actions, or authentication contexts selected** > **Include** > **Select apps** > **None** (under **Select**) > search for and select **Office 365** > **Select**. + +5. Select **No target resources selected** > **Include** > **Select apps** > **None** (under **Select**) > search for and select **Office 365** > **Select**. + ![Select apps to include](./media/restrict-office-365-cloud-pcs/include-apps.png) + 6. Select **Exclude** > **None** (under **Select excluded cloud apps**) > search for and select **Azure Virtual Desktop** and **Windows 365** apps > **Select**. 
- ![Select apps to exclude](./media/restrict-office-365-cloud-pcs/exclude-apps.png) -7. Select **0 conditions selected** > **Not configured** (under **Filter for devices**). - ![Filter devices screen shot](./media/restrict-office-365-cloud-pcs/filter-devices.png) + +7. Select **0 conditions selected** (under **Conditions**) > **Not configured** (under **Filter for devices**). + 8. In the **Filter for devices** pane: + 1. Set **Configure** to **Yes**. 2. Select **Exclude filtered devices from policy**. 3. Select the dropdown option under **Property** > **Model**. @@ -55,12 +64,14 @@ This article describes how to limit access to Office 365 services. You can use t 5. In the text box under **Value**, type the value as **Cloud PC**. If the Cloud PC naming conventions change, change the filter value to match the device names. 6. Select **Done** to set the filter. - ![Configure filtering devices](./media/restrict-office-365-cloud-pcs/filter-devices-configure.png) + ![Configure filtering devices](./media/restrict-office-365-cloud-pcs/filter-devices-configure.png) You can set more options in this policy as needed, but such additions are outside the scope of this article. + 9. Select **0 controls selected** (under **Grant**) > **Block Access** >**Select**. - ![Block access screen shot](./media/restrict-office-365-cloud-pcs/block-access.png) + 10. Select **On** (under **Enable policy**). This policy will restrict users from accessing Office 365 services on non-Cloud PC devices. You may want to select **Report-only** to monitor the policy and build confidence prior to enforcing it. + 11. Select **Create** to complete the creation of policy. >[!NOTE] diff --git a/windows-365/enterprise/security.md b/windows-365/enterprise/security.md index 5e6fc627a48..f2f46f5b6f3 100644 --- a/windows-365/enterprise/security.md +++ b/windows-365/enterprise/security.md 
@@ -19,7 +19,7 @@ ms.assetid: #ROBOTS: #audience: -ms.reviewer: chrimo +ms.reviewer: lakasa, pratikshah, saudm, jonshi ms.suite: ems search.appverid: #ms.tgt_pltfrm: @@ -30,6 +30,8 @@ ms.collection: - essentials-security --- + + # Windows 365 security Windows 365 provides an end-to-end connection flow for users to do their work effectively and securely. Windows 365 is built with [Zero Trust](/security/zero-trust/zero-trust-overview) in mind, providing the foundation for you to implement controls to better secure your environment across the 6 pillars of Zero Trust. You can implement Zero Trust controls for the following categories: @@ -106,7 +108,7 @@ To manage RDP features available to the user during their Cloud PC connection, s Windows 365 Cloud PCs can be accessed from various operating system platforms and clients available in those platforms. -- **Windows OS platforms**: Windows 365 can be accessed using Remote Desktop client for Windows and the Windows 365 App. Both these apps receive updates using the Windows Update service. For more information, see [Windows Update security](/windows/deployment/update/windows-update-security). +- **Windows OS platforms**: Windows 365 can be accessed using Remote Desktop client for Windows and the Windows App. Both these apps receive updates using the Windows Update service. For more information, see [Windows Update security](/windows/deployment/update/windows-update-security). - **Apple devices (macOS and iOS)**: Remote desktop client apps and their updates are distributed by Apple's app store. For more information about MacOS and iOS security measures, see [Apple Platform Security](https://support.apple.com/en-sg/guide/security/welcome/web). - **Android platforms**: Android platform apps downloaded from Google play stores conform to the Google play store terms and conditions. For more information, see [Google Play Terms of Service](https://play.google.com/about/play-terms/index.html). 
diff --git a/windows-365/enterprise/set-up-tenants-windows-365-gcc.md b/windows-365/enterprise/set-up-tenants-windows-365-gcc.md index ec7c952fd86..f90cb495457 100644 --- a/windows-365/enterprise/set-up-tenants-windows-365-gcc.md +++ b/windows-365/enterprise/set-up-tenants-windows-365-gcc.md 
@@ -80,11 +80,11 @@ If you want to use Microsoft Entra join or Microsoft Entra hybrid join, consider For the Windows 365 GCC Setup Tool to complete tenant mapping, the Windows 365 Microsoft Entra application must be given permission to access your Azure Government AD tenant through a service principal. The service principal object defines what the app can do in the tenant, who can access the app, and what resources the app can access. Before running the Windows 365 GCC Setup Tool the first time, you must do the following: 1. If not already completed, install the Azure CLI on the computer where you will be creating the service principal. For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli). -2. Sign into your Azure Government AD tenant by using the Azure CLI steps defined in [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli). Global Administrator permissions are required to create the service principal for the Windows 365 App. +2. Sign into your Azure Government AD tenant by using the Azure CLI steps defined in [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli). Global Administrator permissions are required to create the service principal for Windows App. 3. For more information about working with service principals in Azure, see [Work with Azure service principal using the Azure CLI](/cli/azure/azure-cli-sp-tutorial-1). Grant the Windows 365 Microsoft Entra app permissions to your tenant by running the following PowerShell command: ```az ad sp create --id 0af06dc6-e4b5-4f28-818e-e78e62d137a5```. -4. After the command completes successfully, you should be able to view details about the service principal by running the following PowerShell command: ```az ad sp show --id 0af06dc6-e4b5-4f28-818e-e78e62d137a5```. You should see the Windows 365 application listed in the **All Applications** view in the Enterprise application blade in Azure portal. +4. 
After the command completes successfully, you should be able to view details about the service principal by running the following PowerShell command: ```az ad sp show --id 0af06dc6-e4b5-4f28-818e-e78e62d137a5```. You should see Windows App listed in the **All Applications** view in the Enterprise application blade in Azure portal. -The Windows 365 App service principal can only access Azure resources necessary to configure custom image and Azure Network Connection (ANC) support in Windows 365. After it's created, the service principal can only be deleted when custom images, ANC objects and corresponding Cloud PCs using them have been deprovisioned. Otherwise, Cloud PC provisioning tasks may fail, and existing Cloud PCs may become inaccessible. +The Windows App service principal can only access Azure resources necessary to configure custom image and Azure Network Connection (ANC) support in Windows 365. After it's created, the service principal can only be deleted when custom images, ANC objects and corresponding Cloud PCs using them have been deprovisioned. Otherwise, Cloud PC provisioning tasks may fail, and existing Cloud PCs may become inaccessible. ## Get started with the Windows 365 GCC Setup Tool diff --git a/windows-365/enterprise/share-restore-points-storage.md b/windows-365/enterprise/share-restore-points-storage.md index 0ab1e097594..d1b3f0df0e1 100644 --- a/windows-365/enterprise/share-restore-points-storage.md +++ b/windows-365/enterprise/share-restore-points-storage.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 08/28/2024 +ms.date: 10/18/2024 ms.topic: conceptual ms.service: windows-365 ms.subservice: windows-365-enterprise 
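Review bot: The rename from "Windows 365 App" to "Windows App" in steps 2 and 4 and in the closing paragraph appears to have caught the wrong term: the object being created is the service principal for the Windows 365 Microsoft Entra application whose app ID is passed to `az ad sp create`, not the Windows App client, and the same hunk still calls it "the Windows 365 Microsoft Entra app" in step 3. An admin consenting a service principal into an Azure Government tenant needs to be certain which application they are granting access to, so the name used here should match what they will see under Enterprise applications. Suggest reverting those occurrences, for example `create the service principal for the Windows 365 application` and `The Windows 365 service principal can only access Azure resources...`, or confirming the display name actually shown in the portal before keeping "Windows App".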
@@ -42,8 +42,8 @@ You might want to share (move or copy) a Cloud PC and its contents to: ## Share a single restore point -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **All devices** > select a device > select the ellipses (**...**) > **Share**. -1. In the **Select restore point** area, select a **Subscription** and **Storage account**. +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows 365** > **All Cloud PCs** > select a device > **Restore points** > select the ellipses (**...**) > **Share**. +1. In the **Share restore point** area, select a **Subscription** and **Storage account**. 1. Select **Share**. A folder is created in the storage account. The folder name is identical to the Cloud PC name. The folder contains a VHD copy of the Cloud PC device disk. diff --git a/windows-365/enterprise/teams-on-cloud-pc.md b/windows-365/enterprise/teams-on-cloud-pc.md index e63c81c2f1a..0b1876f149c 100644 --- a/windows-365/enterprise/teams-on-cloud-pc.md +++ b/windows-365/enterprise/teams-on-cloud-pc.md 
@@ -56,7 +56,7 @@ Some of the key benefits of the optimizations are: Media optimization for Microsoft Teams is only available for the Windows and macOS endpoints. Media optimizations require: -- [Windows 365 app for Windows](/azure/virtual-desktop/teams-on-avd) via the Microsoft Store (ideally the latest version). +- [Windows App for Windows](/azure/virtual-desktop/teams-on-avd) via the Microsoft Store (ideally the latest version). - Remote Desktop client for Windows, version 1.2.1026.0 or later (ideally the latest version). - Remote Desktop client for macOS, version 10.7.7 or later ([beta client](https://aka.ms/rdmacbeta)). If you upgrade from versions earlier than 10.7.7, you'll also need to go to Microsoft **Remote Desktop Preferences** > **General** and turn on Teams optimizations. If you're using the client for the first time and already have version 10.7.7 or later installed, you won't need to turn that on. In that case, Teams optimizations are turned on by default. diff --git a/windows-365/enterprise/troubleshoot-azure-network-connection.md b/windows-365/enterprise/troubleshoot-azure-network-connection.md index 8f491982c94..ac09deec0ba 100644 --- a/windows-365/enterprise/troubleshoot-azure-network-connection.md +++ b/windows-365/enterprise/troubleshoot-azure-network-connection.md 
@@ -119,6 +119,8 @@ If this test fails, make sure that: - There are no firewall rules (physical, virtual, or in Windows) that might block required traffic. - You consider testing the endpoints from a VM on the same subnet declared for Cloud PCs. +If you aren't using Azure CloudShell, make sure that your PowerShell execution policy is configured to allow Unrestricted scripts. If you use Group Policy to set execution policy, make sure that the Group Policy Object (GPO) targeted at the Organizational Unit (OU) defined in the ANC is configured to allow Unrestricted scripts. For more information, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy). + ## Environment and configuration are ready This check is used for many infrastructure related issues that might be related to infrastructure that customers are responsible for. It can include errors such as internal service time outs or errors caused by customers deleting/changing Azure resources while checks are being run. diff --git a/windows-365/enterprise/troubleshoot-windows-365-boot.md b/windows-365/enterprise/troubleshoot-windows-365-boot.md index 3dfa6d9661e..48e7ac9b159 100644 --- a/windows-365/enterprise/troubleshoot-windows-365-boot.md +++ b/windows-365/enterprise/troubleshoot-windows-365-boot.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 09/26/2023 +ms.date: 09/26/2024 ms.topic: troubleshooting ms.service: windows-365 ms.subservice: windows-365-enterprise 
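Review bot: The new paragraph tells readers to set the PowerShell execution policy to `Unrestricted`, which is broader than a connectivity check should need, and when applied through a GPO to the OU named in the ANC it changes the policy for every computer in that OU rather than only the machine running the test. The text does not say whether the check script is signed or downloaded, but `RemoteSigned` is the usual minimum for locally created scripts, and for a one-off test `Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned` avoids touching machine or domain configuration at all. Suggest stating the least-permissive policy the script actually requires and recommending the process scope before advising a GPO change. Also `Azure CloudShell` should read `Azure Cloud Shell`.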
@@ -39,9 +39,15 @@ If the user can't access the Cloud PC from the Windows 365 Boot physical device, 1. Check to see if you can sign in to the Cloud PC from either: - The browser at windows365.microsoft.com. - - The Windows 365 app on another (non-Windows 365 Boot) device. -2. If you can log into the Cloud PC from either method, then there's an issue with the Windows 365 Boot physical device. In this case, confirm that the physical device is correctly configured and has the requisite software versions. For more information, see [Windows 365 Boot physical device requirements](windows-365-boot-physical-device-requirements.md). -3. Admins can try to manually click on **Device sync** to get the policies delivered faster on the device. Users can try to restart the device. + - The Windows App on another (non-Windows 365 Boot) device. +2. If a user has more than one Cloud PC, make sure they have selected a default Cloud PC to use each time they sign in. To set this default: + - Navigate to https://windows365.microsoft.com. + - In the card for the Cloud PC you want to set as default, select the ellipses (...) > Settings. + - In the **Integrated experiences** tab, under **Boot to this Cloud PC**, select **Connect while signed into device**. + - Select **Save**. +3. If you can sign into the Cloud PC from the app or web, and a default Cloud PC has been set, then there's an issue with the Windows 365 Boot physical device. In this case, confirm that the physical device is correctly configured and has the requisite software versions. For more information, see [Windows 365 Boot physical device requirements](windows-365-boot-physical-device-requirements.md). +4. Admins can try to manually click on **Device sync** to get the policies delivered faster on the device. Users can try to restart the device. + ## Physical device registry key configuration 
@@ -64,7 +70,7 @@ Get-AppxPackage –AllUsers -name *MicrosoftCorporationII* This command shows all the Microsoft-maintained apps (like QuickAssist, Microsoft Family, and so on) on the physical device. In order for Windows 365 Boot to work correctly, confirm the following versions: -- Windows 365 app version 1.1.162.0 or later. +- Windows App version 1.1.162.0 or later. - Azure Virtual Desktop (HostApp) app version 1.2.4159. or later. Windows 365 Boot also requires the latest version of Windows 11. diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md index 1511fc45426..3016d91a521 100644 --- a/windows-365/enterprise/whats-new.md +++ b/windows-365/enterprise/whats-new.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 08/29/2024 +ms.date: 10/23/2024 ms.topic: conceptual ms.service: windows-365 ms.subservice: windows-365-enterprise 
@@ -52,9 +52,125 @@ For more information about public preview items, see [Public preview in Windows ### Scripts ### End user experience ### Windows 365 Government -### Windows 365 app +### Windows 365 app --> + +## Week of October 28, 2024 (Service release 2410) + + +### Device management + +#### Bulk Troubleshoot action now generally available + +The Troubleshoot action in bulk has moved out of preview and into general availability. + +For more information, see [Remotely manage Windows 365 devices](remotely-manage-cloud-pc.md). + + +### Monitor and troubleshoot + +### Update to Cloud PC action status report + +The Cloud PC action status report now shows batches of devices on which actions were triggered. You can see the batch current progress. For more information, see [Cloud PC actions report ](report-cloud-pc-actions.md). + +### Azure network connections inactive state + +Azure network connections that meet either of the following conditions for more than four weeks are now marked as inactive: + +- ANCs that aren't associated with provisioning policies. +- ANCs with provisioning policies that have no Cloud PCs associate with them. + + +## Week of October 21, 2024 + + +### Partners + +#### Use Citrix HDX Plus with Windows 365 Frontline + +You can now use Citrix HDX Plus with Windows 365 Frontline Cloud PCs. + + +## Week of October 14, 2024 + + +### Device security + +#### New Windows 365 IP subnet for RDP connectivity + +Core TCP-based RDP traffic for Cloud PC connections uses the *.wvd.microsoft.com wildcard fully qualified domain name (FQDN). The FQDN remains unchanged, but the underlying IP addresses associated with it will shortly be changed to a single subnet. This will simplify optimization of this traffic and reduce the need for future change management. + + +### Device management + +#### Call redirection + +Windows 365 now supports multimedia redirection call redirection. 
For more information, see [Use multimedia redirection](/azure/virtual-desktop/multimedia-redirection). + + +### Partners + +#### HP Anyware for Windows 365 is now generally available + +HP Anyware for Windows 365 has moved out of preview and into general availability. + +For more information, see [Set up HP Anyware for Windows 365 Enterprise](hp-anyware-set-up.md) + + + +## Week of September 30, 2024 (Service release 2409) + + +### Monitor and troubleshoot + +#### Unavailable Cloud PCs report added to Reporting overview page + +The **Cloud PCs that aren't available** report has been added to the **Reports** > **Cloud PC overview** page. + + +### Device provisioning + +#### Windows 11 24H2 cloud PCs gallery images + +The latest Windows Enterprise 24H2 images are available for provisioning new devices. You can update your provisioning policies to use either of the following images: + +- Windows 11 Enterprise 24H2 +- Windows 11 Enterprise + Microsoft 365 Apps 24H2 + + + +## Week of September 23, 2024 + + +### Device management + +#### Windows 11 Cloud PCs now support EN-NZ + +Windows 365 Cloud PCs now support EN-NZ for Windows 11. + + +## Week of September 16, 2024 + + +### Device management + +#### Support for symmetric NAT with RDP Shortpath + +RDP Shortpath in Windows 365 now supports establishing an indirect UDP connection using Traversal Using Relays around NAT (TURN) for symmetric NAT. TURN is a popular standard for device-to-device networking for low latency, high-throughput data transmission with Azure Communication Services. For more information about TURN and Azure Communication Services, see [Network Traversal Concepts](/azure/communication-services/concepts/network-traversal). For more information about RDP Shortpath, see [Use RDP Shortpath for public networks with Windows 365](rdp-shortpath-public-networks.md). 
+ +### Windows 365 support for HEVC video coding +Windows 365 will support Hardware High Efficiency Video Coding (HEVC) h.265 4:2:0 on Compatible GPU-enabled Cloud PCs. For more information, see [Enable GPU acceleration for Azure Virtual Desktop](/azure/virtual-desktop/enable-gpu-acceleration?tabs=intune). + + +### Windows App + +#### Windows App is now generally available + +Windows App has moved out of preview and into general availability. + +For more information, see [What is Windows App?](/windows-app/overview) + ## Week of August 26, 2024 (Service release 2408) @@ -137,9 +253,9 @@ New GPU offerings for Window 365 Enterprise Cloud PCs have moved out of preview ### Windows 365 Frontline -#### Windows 365 Frontline sign in time and shift change buffer improvements are now generally available +#### The Windows 365 Frontline concurrency buffer is now generally available -Sign in time and shift change buffer improvements have moved out of preview and into general availability. +The Windows 365 concurrency buffer has moved out of preview and into general availability. ## Week of July 23, 2024 @@ -926,7 +1042,7 @@ Users now have two options when they select the **Open in browser** drop-down bu #### Windows 365 app update notifications for users -Windows 365 app users will get a notification when an udpate is available. If users choose to update, the app closes and they'll get a Windows notification when the update is complete. +Windows 365 app users will get a notification when an update is available. If users choose to update, the app closes and they'll get a Windows notification when the update is complete. ### Monitor and troubleshoot diff --git a/windows-365/enterprise/windows-365-boot-known-issues.md b/windows-365/enterprise/windows-365-boot-known-issues.md index 68093cd4030..f5fd4858f6f 100644 --- a/windows-365/enterprise/windows-365-boot-known-issues.md +++ b/windows-365/enterprise/windows-365-boot-known-issues.md 
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 09/26/2023
+ms.date: 09/26/2024
 ms.topic: troubleshooting
 ms.service: windows-365
 ms.subservice: windows-365-enterprise
diff --git a/windows-365/enterprise/zoom-support.md b/windows-365/enterprise/zoom-support.md
index 9c6ebba9233..250f83a716f 100644
--- a/windows-365/enterprise/zoom-support.md
+++ b/windows-365/enterprise/zoom-support.md
@@ -40,9 +40,8 @@ To optimize Zoom, you’ll need to install the Zoom VDI Client on the Cloud PC a ## Requirements
-- **Windows 365 app for Windows**\*
 - **Windows Remote Desktop Client**\*
-- **Windows 365 app**
+- **Windows App**
 - **Operating system**: Windows
 
 \* These don't support connections through a web browser.
diff --git a/windows-365/includes/resize-details.md b/windows-365/includes/resize-details.md
new file mode 100644
index 00000000000..55922f99024
--- /dev/null
+++ b/windows-365/includes/resize-details.md
@@ -0,0 +1,18 @@
+---
+title: include file
+description: include file
+author: ErikjeMS
+ms.service: windows-365
+ms.topic: include
+ms.date: 09/25/2024
+ms.author: erikje
+ms.custom: include file
+---
+
+When resizing starts, the user is automatically disconnected from their Cloud PC and any unsaved work might be lost.
+
+Resizing can take from 15 to 20 minutes before the user can access their Cloud PC again. You can monitor the status in the Windows 365 provisioning blade. Users can see their Cloud PC status at https://windows365.microsoft.com.
+
+If there are no licenses in your inventory, the resizing fails. To request more licenses, contact your procurement admin. After you purchase the license and added to the inventory in the Microsoft 365 admin center, you can retry the resize operation. Licenses can be purchased from various channels: EA, CSP, MCA, and Web Direct.
+
+Devices with a state of **Resize not supported** aren't resized. The status message and details can help you identify the issue. You can still proceed with a bulk resize even if you have devices in the list that are marked as **Resize not supported**.
diff --git a/windows-365/includes/resize-introduction.md b/windows-365/includes/resize-introduction.md
new file mode 100644
index 00000000000..b2e6f32975b
--- /dev/null
+++ b/windows-365/includes/resize-introduction.md
@@ -0,0 +1,35 @@
+---
+title: include file
+description: include file
+author: ErikjeMS
+ms.service: windows-365
+ms.topic: include
+ms.date: 09/25/2024
+ms.author: erikje
+ms.custom: include file
+---
+
+The **Resize** remote action, which preserves user and disk data, lets you:
+
+- Upgrade the RAM, CPU, and storage size of a Cloud PC.
+- Downgrade the RAM and CPU of Cloud PC. Resizing doesn't let you downsize disk space.
+
+These operations don't require reprovisioning of the Cloud PC.
+
+You might consider resizing a Cloud PC when a user needs:
+
+- Higher RAM and VCPU cores to run CPU intensive applications.
+- More disk space for file storing.
+- Less RAM and vCPU cores to run their current workload applications.
+
+Resizing supports:
+
+- Direct and group-based licenses.
+- Paid, preview, and trial licenses.
+- Bulk and single device operations.
+
+Resizing doesn't support:
+
+- GPU Cloud PCs. GPU Cloud PCs might show up in the resize flow, but trying to resize a GPU Cloud PC will result in an error.
+
+Resizing automatically disconnects the user from their session and any unsaved work might be lost. Therefore, it's best to coordinate any resizing with the user before you begin. Contact your end users and have them save their work and sign out before you begin resizing.
diff --git a/windows-365/includes/resize-ip-address-requirements.md b/windows-365/includes/resize-ip-address-requirements.md
new file mode 100644
index 00000000000..ece90d30b21
--- /dev/null
+++ b/windows-365/includes/resize-ip-address-requirements.md
@@ -0,0 +1,23 @@
+---
+title: include file
+description: include file
+author: ErikjeMS
+ms.service: windows-365
+ms.topic: include
+ms.date: 09/25/2024
+ms.author: erikje
+ms.custom: include file
+---
+
+## IP address requirements
+
+When you resize a Microsoft Entra hybrid join bring-your-own-network Cloud PC, a second IP address must be available in the subnet for the Cloud PC to be resized.
+
+During the resizing operation, a second IP address is used when moving to the new size. This precaution makes sure that the Cloud PC can be rolled back to the original should an issue occur.
+
+To account for this precaution, you can:
+
+- Make sure that adequate IP addresses are available in the vNET for all Cloud PCs to be resized, or
+- Stagger your resize operations to make sure that the address scope is maintained.
+
+If inadequate addresses are available, resize failures can occur.
\ No newline at end of file
diff --git a/windows-365/includes/resize-other-requirements.md b/windows-365/includes/resize-other-requirements.md
new file mode 100644
index 00000000000..e0a48720526
--- /dev/null
+++ b/windows-365/includes/resize-other-requirements.md
@@ -0,0 +1,16 @@
+---
+title: include file
+description: include file
+author: ErikjeMS
+ms.service: windows-365
+ms.topic: include
+ms.date: 09/25/2024
+ms.author: erikje
+ms.custom: include file
+---
+
+### Other requirements
+
+In order to use **Resize** there must be available licenses in inventory for the resized Cloud PC configuration.
+
+To **Resize** a Cloud PC, it must have a status of **Provisioned** in the Windows 365 provisioning node.
\ No newline at end of file
diff --git a/windows-365/overview.md b/windows-365/overview.md
index 58f3a798e68..2f6fe3036ad 100644
--- a/windows-365/overview.md
+++ b/windows-365/overview.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 11/27/2023
+ms.date: 09/26/2024
 ms.topic: overview
 ms.service: windows-365
 ms.subservice: