Merge branch 'main' into release-cm2203-cb

Author: v-alje

.openpublishing.redirection.json

@@ -924,15 +924,20 @@
             "redirect_document_id": false
         },
         {
-            "source_path": "windows-365/end-user-access-cloud-pc.md",
-            "redirect_url":"/windows-365/enterprise/end-user-access-cloud-pc",
+            "source_path": "windows-365/enterprise/end-user-access-cloud-pc.md",
+            "redirect_url":"windows-365/end-user-access-cloud-pc",
             "redirect_document_id": false
         },
         {
-            "source_path": "windows-365/end-user-hardware-requirements.md",
-            "redirect_url":"/windows-365/enterprise/end-user-hardware-requirements",
+            "source_path": "windows-365/enterprise/end-user-hardware-requirements.md",
+            "redirect_url":"windows-365/end-user-hardware-requirements",
             "redirect_document_id": false
-        },
+        },                
+        {
+            "source_path": "windows-365/business/get-users-started.md",
+            "redirect_url":"/windows-365/get-users-started",
+            "redirect_document_id": false
+        },                        
         {
             "source_path": "windows-365/get-cloud-pc-audit-logs-using-powershell.md",
             "redirect_url":"/windows-365/enterprise/get-cloud-pc-audit-logs-using-powershell",
@@ -1094,4 +1099,4 @@
             "redirect_document_id": true
         }
     ]
-}
+}

memdocs/intune/fundamentals/media/premium-add-ons/confirm-order.png

@@ -0,0 +1,94 @@
+---
+# required metadata
+
+title: Premium add-ons for Microsoft Intune
+titleSuffix: Microsoft Intune
+description: When you purchase licenses for Premium add-ons for Microsoft Intune, you expand the capabilities for device management with Microsoft Endpoint Manager.  
+keywords:
+author: smbhardwaj 
+ms.author: smbhardwaj
+manager: dougeby
+ms.date: 04/05/2022
+ms.topic: conceptual
+ms.service: microsoft-intune
+ms.subservice: fundamentals
+ms.localizationpriority: high
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: aanavath
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure
+ms.collection: 
+  - M365-identity-device-management 
+  - highpri
+---
+
+# Use Premium add-ons capabilities with Intune
+
+Microsoft Endpoint Manager now offers Premium add-ons. You can find premium add-ons in Intune under **Tenant administration** > **Premium add-ons**. The **Summary** blade shows all premium add-ons that have been released, a short description, and the status of the add-on. You can view the status of each add-on as either **Active** or **Available for trial or purchase**. 
+
+Licenses for the Premium add-ons can be added for an additional cost to the licensing options that include Microsoft Endpoint Manager or Intune.
+
+Global and Billing administrators can use the **Premium add-ons** page from the [Microsoft 365 admin center](https://admin.microsoft.com) to start a free trial or purchase licenses for each Premium add-on. 
+
+> [!NOTE]
+Premium add-ons are currently not supported in Sovereign clouds.
+
+## What add-ons capabilities are available 
+
+The following Premium add-ons are available: 
+
+- [Remote help](..\remote-actions\remote-help.md)
+
+## What happens when you try/buy the Premium add-ons capability 
+
+Global and Billing administrators can choose to start free trials or purchase licenses for Premium add-ons through the [Microsoft 365 admin center](https://admin.microsoft.com).  
+ 
+Starting a free trial gives you a 90-day period to use the Premium add-on capability without any charge. Trials can be up to 250 users per tenant. At the end of the trial period, there's a 30-day grace period. After this point, you'll be unable to use the Premium add-on capability in Endpoint Manager for users within your tenant unless you've purchased the appropriate licenses. There's a one-time limit to start a trial for each tenant.  
+ 
+Purchasing licenses lets you use the Premium add-on capability in your tenant for the duration in which the licenses are active on your tenant based on the option selected during the Billing process. 
+
+## How to try or buy the premium add-ons capability 
+
+Premium add-on capabilities are disabled in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) unless you are in the free trial period or have purchased licenses. Global and Billing administrators can choose to start a free trial or purchase licenses for Premium add-ons through the [Microsoft 365 admin center](https://admin.microsoft.com). 
+
+Administrators who aren't Global or Billing administrators can still see the status of their tenant's Premium add-ons trial or active licenses in the centralized Premium add-on page in Endpoint Manager (but can't start a free trial or purchase licenses).  
+
+### How to start a trial through the Microsoft 365 admin center 
+
+1. Navigate to **Tenant administration** > **Premium add-ons** as a Global or Billing administrator.
+2. Find the Premium add-on to start a trial. For add-ons that say **Available for trial or purchase** in their status, you don't have a free trial started or any licenses purchased for those add-ons.
+3. Click **View details** and see the details. :::image type="content" source="./media/premium-add-ons/remote-help-details.png" alt-text="Remote help details.":::
+4. Click the **To try or buy, go to Purchase services** link to navigate to the Microsoft 365 Admin Center. A new tab opens on the **Product details** page for the relevant Premium add-on. :::image type="content" source="./media/premium-add-ons/remote-help-product-details.png" alt-text="Remote help product details."::: 
+5. In the Microsoft 365 Admin Center, follow the prompts to **Start free trial** and confirm your order. :::image type="content" source="./media/premium-add-ons/confirm-order.png" alt-text="Confirm order."::: 
+6. Navigate to **Tenant administration** > **Premium add-ons** and see that the Premium add-on capability you added is now **Active**.
+
+### How to purchase premium add-ons
+
+Licenses for Premium add-ons can be purchased just as you would purchase Intune licenses through the following ways:
+   
+- web direct purchase in the Microsoft 365 Admin Center
+- Microsoft Volume License Servicing Center (VLSC) 
+- existing relationships with Microsoft partners/resellers
+ 
+After you buy licenses via any source, the licenses are available in your Tenant and the status of the Premium add-ons capability will update accordingly. 
+
+## How to assign licenses 
+
+For information on how to assign licenses in Microsoft Endpoint Manager admin center, see [Assign Microsoft Intune licenses](licenses-assign.md)
+
+## Monitor license use 
+
+Each of the Premium add-ons might have their own requirements for how many licenses need to be purchased.
+
+- [Remote help](..\remote-actions\remote-help.md)
+
+## Next steps
+
+Learn about [Remote help](..\remote-actions\remote-help.md). 

memdocs/intune/fundamentals/media/premium-add-ons/remote-help-details.png

@@ -214,6 +214,8 @@ items:
       href: filters-reports-troubleshoot.md
   - name: Use policy sets
     href: ../fundamentals/policy-sets.md
+  - name: Premium add-ons
+    href: premium-add-ons.md
   - name: Developer guidance
     href: ../developer/index.yml
   - name: Get help and support

memdocs/intune/fundamentals/media/premium-add-ons/remote-help-product-details.png

@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 03/25/2022
+ms.date: 04/05/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -60,6 +60,18 @@ You can use RSS to be notified when this page is updated. For more information,
 ### Scripts
 -->
 
+## Week of April 4, 2022
+
+### Device management
+
+#### Microsoft Endpoint Manager premium add-ons<!-- 12953253  -->
+
+Microsoft Endpoint Manager is introducing a new centralized experience to help IT admins identify premium add-on capabilities. These capabilities can be added for an additional licensing cost available for Microsoft Endpoint Manager using Intune. The first premium add-on is Remote Help.
+
+You can find premium add-ons in Intune under **Tenant administration** > **Premium add-ons**. The **Summary** blade shows all premium add-ons that have been released, a short description, and the status of the add-on. You can view the status of each add-on as either **Active** or **Available for trial or purchase**. The premium add-ons capability can be used by Global and Billing administrators to start trials or purchase licenses for premium add-ons.
+
+For more information about Premium add-ons, see [Use Premium add-ons capabilities with Intune](../fundamentals/premium-add-ons.md).
+
 ## Week of March 28, 2022
 
 ### App management

memdocs/intune/fundamentals/premium-add-ons.md

@@ -67,7 +67,7 @@ In this example, the admin has applied app protection policies to the Outlook ap
 
 1. The user tries to authenticate to Azure AD from the Outlook app.
 
-2. The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices.
+2. The user gets redirected to the app store to install a broker app when trying to authenticate for the first time. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices.
 
    If users try to use a native e-mail app, they'll be redirected to the app store to then install the Outlook app.
 

memdocs/intune/fundamentals/toc.yml

@@ -49,6 +49,7 @@ You need the following to configure Conditional Access with Jamf Pro:
 
 - Jamf Pro 10.1.0 or later
 - Microsoft Intune and Microsoft AAD Premium P1 licenses (recommended Microsoft Enterprise Mobility + Security license bundle)
+- Global admin role in Azure Active Directory.
 - A user with Microsoft Intune Integration privileges in Jamf Pro
 - [Company Portal app for macOS](https://aka.ms/macoscompanyportal)
 - macOS devices with OS X 10.12 Yosemite or later
@@ -107,12 +108,19 @@ To connect Intune with Jamf Pro:
 8. Next, we will add permissions to update device attributes. At the top left of the **API permissions** page, select **Add a permission** to add a new permission. 
 
 9. On the **Request API permissions** page, select **Intune**, and then select **Application permissions**. Select only the check box for **update_device_attributes** and save the new permission.
+10. Under **Microsoft Graph**, select **Application permissions**, then select **Application.Read.All**.
 
-10. Next, grant admin consent for this app by selecting **Grant admin consent for _\<your tenant>_** in the top left of the **API permissions** page. You may need to re-authenticate your account in the new window and grant the application access by following the prompts.  
+11. Select **Add permissions**.
 
-11. Refresh the page by click on the **Refresh** button at the top of the page. Confirm that admin consent has been granted for the **update_device_attributes** permission. 
+12. Navigate to **APIs my organization uses**. Search for and select **Windows Azure Active Directory**. Select **Application permissions**, and then select **Application.Read.All**.
 
-12. After the app is registered successfully, the API permissions should only contain one permission called **update_device_attributes** and should appear as follows:
+13. Select **Add permissions**.
+
+14. Next, grant admin consent for this app by selecting **Grant admin consent for _\<your tenant>_** in the top left of the **API permissions** page. You may need to re-authenticate your account in the new window and grant the application access by following the prompts.  
+
+15. Refresh the page by selecting **Refresh** at the top of the page. Confirm that admin consent has been granted for the **update_device_attributes** permission. 
+
+16. After the app is registered successfully, the API permissions should only contain one permission called **update_device_attributes** and should appear as follows:
 
    ![Successful permissions](./media/conditional-access-integrate-jamf/sucessfull-app-registration.png)
 
@@ -135,10 +143,14 @@ The app registration process in Azure AD is complete.
 
 1. Activate the connection in the Jamf Pro console:
 
-   1. Open the Jamf Pro console and navigate to **Global Management** > **Conditional Access**. Click the **Edit** button on the **macOS Intune Integration** tab.
-   2. Select the check box for **Enable Intune Integration for macOS**.
-   3. Provide the required information about your Azure tenant, including **Location**, **Domain name**, the **Application ID**, and the value for the *client secret* that you saved when you created the app in Azure AD.
-   4. Select **Save**. Jamf Pro tests your settings and verifies your success.
+   1. Open the Jamf Pro console and navigate to **Global Management** > **Conditional Access**. Select **Edit** on the **macOS Intune Integration** tab.
+   2. Select the check box for **Enable Intune Integration for macOS**. When this setting is enabled, Jamf Pro sends inventory updates to Microsoft Intune. Clear the selection if you want to disable the connection but save your configuration.
+   3. Select **Manual** under **Connection type**.
+   4. From the **Sovereign Cloud** pop-up menu, select the location of your Sovereign Cloud from Microsoft.
+   5. Select **Open administrator consent URL** and follow the onscreen instructions to allow the Jamf Native macOS Connector app to be added to your Azure AD tenant.
+   6. Add the **Azure AD Tenant Name** from Microsoft Azure.
+   7. Add the **Application ID** and **Client Secret** (previously called Application Key) for the Jamf Pro application from Microsoft Azure.
+   8. Select **Save**. Jamf Pro tests your settings and verifies your success.
 
    Return to the **Partner device management** page in Intune to complete the configuration.
 

memdocs/intune/fundamentals/whats-new.md

@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 01/12/2022
+ms.date: 04/05/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -46,7 +46,7 @@ This scenario extends the Microsoft Endpoint Manager Endpoint Security surface t
 
 ## Monitor status
 
-Status and reports for MDE policies are available from the policy node under Endpoint security in the Microsoft Endpoint Manager admin center.
+Status and reports for policies targeted at devices in this channel are available from the policy node under Endpoint security in the Microsoft Endpoint Manager admin center.
 
 Drill in to the policy type, Antivirus or Firewall, and then select the policy to view its status. Policies for MDE have a *Policy type* of either *Microsoft Defender Antivirus (Preview)* or *Microsoft Defender Firewall (Preview)*.
 
@@ -58,6 +58,10 @@ When you select a policy, you'll see information about the device check-in statu
 
 ## Known limitations and considerations
 
+### Assignment Filters and Security Management for Microsoft Defender for Endpoint
+
+Assignment filters are not supported for devices communicating through the Microsoft Defender for Endpoint channel. While assignment filters can be added to a policy that could be targeted at these devices, the device will ignore assignment filters. For assignment filter support, the device must be enrolled in to Microsoft Endpoint Manager.
+
 ### Co-existence with Microsoft Endpoint Configuration Manager
 
 When using Configuration Manager, the best path for management of security policy is using the [Configuration Manager tenant attach](../../configmgr/tenant-attach/endpoint-security-get-started.md). In some environments it may be desired to use Security Management for Microsoft Defender for Endpoint. When using Security Management for Microsoft Defender for Endpoint with Configuration Manager, endpoint security policy should be isolated to a single control plane. Controlling policy through both channels will create the opportunity for conflicts and undesired results.
@@ -76,7 +80,7 @@ The following security settings are pending deprecation. The Security Management
 - AllowOnAccessProtection (under **Antivirus**)
 - AllowIntrusionPreventionSystem (under **Antivirus**)
 
-### Managing Security Configurations on domain controllers
+### Managing security configurations on domain controllers
 
 Currently, devices are not supported to complete a Hybrid Join to Azure Active Directory. Since an Azure Active Directory trust is required, domain controllers aren't currently supported. We are looking at ways to add support in the future.