Commit 991df8c

Merge pull request #53629 from Stephanie-Rosenzweig/intune-updates
SME updates to Device management with Microsoft Intune
2 parents 1834bad + 9a0f2f8 commit 991df8c

6 files changed

Lines changed: 68 additions & 35 deletions

learn-pr/device-partner-university/microsoft-intune/includes/2-challenges.md

Lines changed: 27 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -16,43 +16,58 @@ Available with or without Microsoft Edge on Windows:
1616

1717
- Configure devices to comply with organizational security and compliance policies.
1818
- Generate reports to identify noncompliant users and devices.
19-
- Encrypt data to prevent unauthorized access.
20-
- Monitor the location of corporate tablets, laptops, and mobile phones.
19+
- Manage Windows data encryption functionality.
20+
- Initiate an admin-initiated device location request for devices where location services are enabled and allowed.
2121
- Maintain an up-to-date inventory of enrolled devices.
2222
- Deploy certificates to devices for streamlined access to corporate networks via Wi-Fi or VPN.
23+
- Deploy applications.
24+
- Deploy Windows updates.
25+
- Deploy scripts to correct misconfiguration or configuration drift.
2326

2427
### Mobile Application Management (MAM) capabilities
2528

26-
Available only with Microsoft Edge on Windows:
29+
Available only with and for Microsoft Edge on Windows:
2730

2831
- Remove organizational data from devices that are lost, stolen, or decommissioned.
29-
- Remotely wipe data and manage access to applications.
32+
- Remotely wipe organizational data and manage access to applications.
3033

3134
## Unpack Intune's core features
3235

3336
### Device management
3437

35-
For company-owned devices enrolled in Intune, you can fully manage and control device settings and access. The devices receive your configurations and rules through policies set in Intune.
38+
For company-owned devices enrolled in Intune, you can fully manage and control device settings and access. The devices receive configurations and rules through policies set in Intune.
3639

37-
For employees’ personal devices, app protection policies can enforce security measures such as blocking copy-paste actions from the corporate-managed Edge browser to unmanaged apps.
40+
For employees’ personal devices, [app protection policies](/mem/intune/apps/app-protection-policy) can enforce security measures such as blocking copy-paste actions from the corporate-managed Microsoft Edge browser to any other application.
3841

39-
You can learn more about device management on [Microsoft Learn](/mem/intune/fundamentals/what-is-intune#manage-devices).
42+
Learn more about [device management](/mem/intune/fundamentals/what-is-intune#manage-devices).
4043

4144
> [!NOTE]
4245
> As of November 2024, Microsoft Edge is the only corporate-managed app available on Windows.
4346
44-
### App management
47+
### App management on Windows (Microsoft Edge only)
4548

46-
Intune can provide application-level data protection for both organization-owned and personal devices. On Windows, this capability is available exclusively through Microsoft Edge.
49+
On Windows, Microsoft Intune currently provides application-level data protection only through Microsoft Edge. This feature helps enable secure access to corporate resources from unmanaged or personal devices without requiring full device enrollment.
4750

48-
You can manage a wide range of apps, including custom and store apps. You can add and assign mobile apps to user groups and devices, configure app settings, and update existing installations. Intune also provides app usage reporting and allows for selective wiping of organizational data from apps.
51+
Administrators can protect corporate data accessed through the browser using app protection policies. These policies can restrict actions such as copying, pasting, printing, downloading, or saving data locally, and help ensure that organizational data remains isolated from personal data.
4952

50-
Learn more about app management on [Microsoft Learn](/mem/intune/fundamentals/manage-apps).
53+
This capability supports secure access scenarios and doesn't provide broad application management on Windows.
54+
55+
Supported scenarios include:
56+
57+
- **Bring Your Own Device (BYOD):** Corporate data remains protected while employees can securely access organizational resources using Microsoft Edge on their personal devices.
58+
59+
- **Public or shared devices:** Users can securely sign in from public or shared Windows computers—such as conference kiosks or hotel business centers—without leaving corporate data behind on the device.
60+
61+
Learn more about [app management](/mem/intune/fundamentals/manage-apps).
62+
63+
### App management on iOS and Android
64+
65+
On iOS and Android, Intune can enforce app-level protection policies on managed and unmanaged devices across multiple apps—not just a single browser. Administrators can apply policies to Microsoft apps, supported non-Microsoft apps, and custom apps. These policies can restrict actions such as copying, pasting, printing, or saving organizational data, and support selective wiping of corporate data without affecting personal data. This ensures corporate data remains protected while employees have secure access to resources across multiple apps, not just Microsoft Edge.
5166

5267
### Compliance & Conditional Access
5368

5469
With Intune, you can deploy device compliance policies to check if a device meets their security and configuration requirements.
5570

5671
Based on whether a device is compliant or not, you can decide to allow or block access to company resources. This way, only devices that are properly managed and compliant can connect to the organization's network, email, Microsoft 365 services, and apps.
5772

58-
Learn more about Conditional Access on [Microsoft Learn](/mem/intune/protect/device-compliance-get-started).
73+
Learn more about Conditional Access on [Microsoft Learn](/mem/intune/protect/device-compliance-get-started).
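
Review bot: In the new "Public or shared devices" bullet (added line 59), "without leaving corporate data behind on the device" reads as a guarantee, but the paragraph above it (added line 51) only says app protection policies "can restrict" downloading or saving data locally. Suggest tying the claim to the policy, for example "when app protection policies block downloads and local saves". Two smaller wording points in the same hunk: "Initiate an admin-initiated device location request" (added line 20) repeats itself, and the iOS and Android paragraph (added line 65) makes the "across multiple apps" point twice, once as "not just a single browser" and again as "not just Microsoft Edge".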

learn-pr/device-partner-university/microsoft-intune/includes/3-ways-to-use-intune.md

Lines changed: 30 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -2,26 +2,44 @@
22

33
Many organizations need a reliable way to secure email access for employees using internet-connected devices. With Intune’s Conditional Access solution, email stays protected by ensuring only devices enrolled in Intune can access it—and there’s no need to set up a gateway machine at the edge of the network to make this happen.
44

5-
Intune also supports secure access to services and apps through Intune-managed certificates, a standard VPN gateway or proxy, and [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access). There are also non-Microsoft options available, often referred to as Zero Trust Network Access (ZTNA) or Secure Access Service Edge (SASE) solutions—all helping to maintain robust security while providing flexible and secure access to resources.
5+
Intune also supports secure access to services and apps using Intune-managed certificates, a standard VPN gateway or proxy, and [Microsoft Entra Private Access](/entra/global-secure-access/concept-private-access). There are also non-Microsoft options available, often referred to as Zero Trust Network Access (ZTNA) or Secure Access Service Edge (SASE) solutions—all helping to maintain robust security while providing flexible and secure access to resources.
66

7-
## Offer a BYOD policy to employees
7+
![A photograph of an employee smiling while working on a laptop at a desk in an office building.](../media/intune-worker.png)
88

9-
Device enrollment isn’t practical when employees want to retain control over their personal devices, which is often the case with Bring Your Own Device (BYOD) policies.
9+
## Issue corporate-owned devices to employees
1010

11-
Fortunately, you can still manage apps that handle corporate data without fully controlling the employee’s device, even if those apps access both corporate and personal information. *On Windows, this capability is available exclusively through Microsoft Edge.*
11+
Windows Autopilot provides bulk provisioning and integrates with Intune for ongoing device management—streamlining deployment and management processes for large numbers of devices. For instance, when an employee powers on their new company-owned device, they go through a corporate-branded setup process where they must authenticate themselves. Once authenticated, the device is seamlessly configured with the necessary security policies, apps, and other admin configured settings. After this, the employee can launch the Intune Company Portal app to install the optional corporate apps available to them.
1212

13-
[App protection policies](/mem/intune/apps/app-protection-policy) help prevent data loss from unmanaged apps and storage locations. For example, Intune can block users from copying text from a corporate email profile to a personal email profile, even when both profiles are configured in Outlook Mobile.
13+
## Issue limited-use shared devices to employees
1414

15-
![A photograph of an employee smiling while working on a laptop at a desk in an office building.](../media/intune-worker.png)
15+
Employees sometimes use shared devices for tasks like processing sales or checking inventory. These devices typically run in kiosk mode, which restricts what the user can interact with to just a single line-of-business app. By using Intune, you can easily secure and centrally manage these devices, ensuring they’re configured to operate in kiosk mode. This provides greater control over how devices are used—giving you confidence that your systems are protected.
1616

17-
## Issue corporate-owned devices to employees
17+
## Explore Intune data using natural language
1818

19-
Windows Autopilot provides bulk provisioning and integrates with Intune for ongoing device management—streamlining deployment and management processes for large numbers of devices. For instance, when an employee powers on their new company-owned device, they go through a corporate-branded setup process where they must authenticate themselves. Once authenticated, the device is seamlessly configured with the necessary security policies. After this, the employee can launch the Intune Company Portal app to access the optional corporate apps available to them.
19+
Using natural language—in your own words—you can query and explore your Intune data. An intelligent search matches your request to query views available in Intune.
2020

21-
## Issue limited-use shared devices to employees
21+
Some queries can have parameter inputs that you enter, such as platform type or specific device details. Copilot provides a summary of the results and might offer recommendations based on what it finds.
22+
23+
This feature is helpful for tasks like locating specific devices, identifying users with compliance issues, finding devices that need updates, or finding particular apps or policies. You can use these insights to support troubleshooting and decision-making.
24+
25+
You can also take action from the query results, such as adding users or devices to groups or creating custom reports. For example, you might find devices that are noncompliant and past their grace period, add them to a group, and then target apps or policies to that group.
26+
27+
Learn more about [Explore Intune data using natural language](/intune/intune-service/copilot/copilot-intune-explorer).
28+
29+
## Security Copilot agents in Intune
30+
31+
Security Copilot agents in Intune are AI-powered assistants that enhance enterprise security. They automate tasks for endpoint protection, identity management, threat intelligence, and device configuration. They help IT teams quickly address vulnerabilities, policy gaps, and emerging threats.
32+
33+
Agents are built on Microsoft Security Copilot's generative AI and automation capabilities. They observe, reason, and act with oversight and review from your administrators. Each agent is tailored to a specific use case, operates within the Intune admin center, and uses role-based access controls.
34+
35+
The following agents are available:
36+
37+
- **Change Review Agent**: Evaluates the impact of approval requests in Intune and provides recommendations for actions you can take.
38+
39+
- **Device Offboarding Agent**: Identifies stale or misaligned devices across Intune and Microsoft Entra ID, delivers actionable insights, and requires admin approval before offboarding any devices.
2240

23-
Employees sometimes use shared devices for tasks like processing sales or checking inventory. These devices typically run in limited-use mode, which restricts what the user can interact with to just a single line-of-business app. By using Intune, you can easily secure and centrally manage these devices, ensuring they’re configured to operate in limited-use mode. This provides greater control over how devices are used—giving you confidence that your systems are protected.
41+
- **Policy Configuration Agent**: Allows you to import documents or write instructions in plain language. The agent matches this input to settings in the Intune settings catalog, recommends appropriate values, and can help you create a policy using those settings.
2442

25-
## Access Microsoft 365 from unmanaged public kiosks
43+
- **Vulnerability Remediation Agent**: Uses Microsoft Defender data to monitor vulnerabilities and prioritize remediation through AI-driven risk assessments.
2644

27-
Sometimes employees need to use devices, apps, or browsers that you can’t manage, such as public computers at trade shows and hotel lobbies. With Intune, access to corporate email is restricted on unmanaged devices. This means that authenticated employees can't inadvertently leave corporate data on untrusted computers, helping ensure that sensitive information remains secure.
45+
Learn more about [Security Copilot agents in Intune](/intune/agents/).
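
Review bot: The new "Explore Intune data using natural language" section (added lines 19 to 27) names Copilot only in its second paragraph ("Copilot provides a summary of the results") and never says who is allowed to act on results, even though it describes adding users or devices to groups straight from a query. Suggest introducing Copilot in the section's first sentence and stating the access requirement the way the agents section does with "uses role-based access controls". Also in this hunk: the heading "Issue limited-use shared devices to employees" is kept while its body now says "kiosk mode", "admin configured settings" (added line 11) needs a hyphen, and the two new links use /intune/... paths where the other links in the module use /mem/intune/...; worth making these consistent.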

learn-pr/device-partner-university/microsoft-intune/includes/4-set-up-intune.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
Next, we’ll go over steps to set up Intune as your mobile device management (MDM) solution. Keep in mind that while some steps are essential, others may be optional based on your specific needs.
1+
Next, we’ll go over steps to set up Intune as your mobile device management (MDM) solution. Keep in mind that while some steps are essential, others might be optional based on your specific needs.
22

33
Check out the [supported configurations](/mem/intune/fundamentals/supported-devices-browsers) and networking requirements for Intune before beginning the setup process.
44

@@ -32,7 +32,7 @@ Before you can configure, assign, protect, or monitor apps, you must [add them t
3232

3333
## 6. Set up profiles to manage settings
3434

35-
[Create configuration profiles to manage device settings](/mem/intune/configuration/device-profiles). These profiles allow you to preconfigure settings for email, VPN, Wi-Fi, and device features. Additionally, they can impose restrictions to enhance security for devices and the data they access. For example, you can manage device behavior by blocking features like Bluetooth® or controlling where data is stored on the device.
35+
[Create configuration profiles to manage device settings](/mem/intune/configuration/device-profiles). These profiles allow you to preconfigure settings for email, VPN, Wi-Fi, and device features. Additionally, they can impose restrictions to enhance security for devices and the data they access. For example, you can manage device behavior by configuring settings such as Taskbar and Start Menu layout, enforcing power settings, enabling OneDrive Known Folder Move, or setting up Windows Backup for Organizations.
3636

3737
## 7. Customizing the user experience
3838
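
Review bot: On added line 35, the replacement examples no longer match the sentence they follow: "they can impose restrictions to enhance security" is now illustrated with Taskbar and Start Menu layout, power settings, OneDrive Known Folder Move and Windows Backup for Organizations, which read as configuration rather than security restrictions. Suggest either keeping one restriction example next to the new ones or rewording the lead-in so "For example" refers to configuring settings in general.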

learn-pr/device-partner-university/microsoft-intune/includes/5-adding-assigning-apps.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ After you add an app to Intune, you can assign the app to other groups of users
2222

2323
Use these steps to add an app to Intune:
2424

25-
1. **Sign in** to Microsoft Endpoint Manager admin center, **select Apps > All apps > Add**.
25+
1. **Sign in** to Microsoft Intune admin center, **select Apps > All apps > Add**.
2626

2727
2. **Choose the type of app you need** in the Intune 'Select app type' pane.
2828

@@ -36,7 +36,7 @@ Use these steps to add an app to Intune:
3636

3737
## Install apps on enrolled devices
3838

39-
Your customers should use the Company Portal app to install apps that are assigned as 'available' (optional). The Company Portal app itself can be installed manually from the Microsoft Store on Windows devices or set as 'required' in Intune, so it installs automatically on assigned devices.
39+
Your users should use the Company Portal app to install apps that are assigned as 'available' (optional). The Company Portal app itself can be installed manually from the Microsoft Store on Windows devices or set as 'required' in Intune, so it installs automatically on assigned devices.
4040

4141
To verify the app is accessible on your customers' enrolled devices, follow these steps:
4242
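
Review bot: Added line 39 changes "Your customers" to "Your users", but the next sentence in the same section (line 41) still says "your customers' enrolled devices", so the section now addresses two different audiences. Suggest updating line 41 in the same change, or keeping "customers" throughout if the partner audience is intended.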

@@ -48,4 +48,4 @@ To verify the app is accessible on your customers' enrolled devices, follow thes
4848

4949
4. **Select** the app you added via Intune.
5050

51-
5. **Select** Install.
51+
5. **Select** Install.

learn-pr/device-partner-university/microsoft-intune/includes/6-app-protection-policies.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -48,15 +48,15 @@ Intune Suite’s add-ons are helpful for people whose needs go beyond basic endp
4848

4949
### Enhanced security and compliance needs
5050

51-
Endpoint Privilege Management in Intune Suite allows you to manage user permissions by providing granular, just-in-time elevation of privileges for specific tasks.
51+
Endpoint Privilege Management in Intune Suite enables an admin to allow users to perform local tasks that would normally require elevated or admin permissions.
5252

5353
You can define which tasks require elevated permissions and grant users only the necessary access temporarily—reducing the need for permanent admin rights. You can also review logs of all privileged actions to ensure compliance and monitor for security risks.
5454

5555
### Comprehensive remote support needs
5656

5757
The Remote Help feature in Intune Suite allows you to securely assist users by troubleshooting and resolving issues on their devices, even when they're working remotely.
5858

59-
You can connect to an end user’s device from any location to diagnose and fix problems in real-time—without the need for in-person support. You can also monitor active Remote Help sessions and view details about past sessions through detailed reports and audit logs in the Intune admin center.
59+
You can connect to an end user’s device from any location to diagnose and fix problems in real-time—without the need for in-person support. You can also track active Remote Help sessions and view details about past sessions through detailed reports and audit logs in the Intune admin center.
6060

6161
In the Microsoft Intune admin center, you can view reports that include details about who helped who, on what device, and for how long. You can also find details about active sessions.
6262
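
Review bot: The rewritten Endpoint Privilege Management sentence (added line 51) drops "granular, just-in-time elevation of privileges for specific tasks" and now only says users can perform tasks "that would normally require elevated or admin permissions", which loses the least-privilege scope that the next paragraph (line 53) still relies on when it says access is granted "temporarily". Suggest keeping the scope in the sentence, for example by saying the elevation applies only to tasks the admin defines. Minor: line 61 has "who helped who", which should be "who helped whom".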

learn-pr/device-partner-university/microsoft-intune/includes/7-intune-plans.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
## Microsoft Intune Plan 1 - USD8
1+
## Microsoft Intune Plan 1
22

33
Microsoft Intune is included with subscriptions to Microsoft 365 E3, E5, F1, F3, and Business Premium plans. It’s also included in versions of these suites that don't include Microsoft Teams.
44

@@ -13,7 +13,7 @@ Microsoft Intune is included with subscriptions to Microsoft 365 E3, E5, F1, F3,
1313
> [!NOTE]
1414
> Intune Suite features are available for purchase as individual add-ons. [Learn more](https://www.microsoft.com/security/business/microsoft-intune-pricing).
1515
16-
## Microsoft Intune Plan 2 - USD4
16+
## Microsoft Intune Plan 2
1717

1818
An add-on to Microsoft Intune Plan 1 that offers advanced endpoint management capabilities, such as:
1919

@@ -23,7 +23,7 @@ An add-on to Microsoft Intune Plan 1 that offers advanced endpoint management ca
2323

2424
- Microsoft Intune firmware-over-the-air (FOTA) updates
2525

26-
## Microsoft Intune Suite - USD10
26+
## Microsoft Intune Suite
2727

2828
An add-on to Microsoft Intune Plan 1 that unifies mission-critical advanced endpoint management and security solutions. Microsoft Intune Plan 2 is included in Intune Suite.
2929

@@ -37,7 +37,7 @@ An add-on to Microsoft Intune Plan 1 that unifies mission-critical advanced endp
3737

3838
- Microsoft Cloud PKI
3939

40-
> [!NOTE]
40+
> [!NOTE]
4141
> Pricing provided is approximate and intended for informational purposes only. Actual prices might vary based on the type of licensing, volume pricing agreements, and other factors. All prices are subject to change without notice. Check out [Intune plans and pricing](https://www.microsoft.com/security/business/microsoft-intune-pricing?msockid=35e5b6fab66060b80bb3a0edb779616c) for more information.
4242
4343
## Microsoft Intune free trial
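
Review bot: The note kept at line 41 still opens with "Pricing provided is approximate", but this commit removes the USD figures from all three plan headings, so the headings no longer show any price for the note to qualify. Suggest trimming the note to the pointer to Intune plans and pricing. The link in that note also carries a "?msockid=..." query parameter that looks like a tracking identifier and should be dropped from the URL.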
