Commit 036f7cc

authored
Merge pull request #4921 from MicrosoftDocs/master
7/19/2021 AM Publish
2 parents e4015e8 + ae51248 commit 036f7cc

5 files changed

Lines changed: 31 additions & 18 deletions

File tree

memdocs/intune/configuration/device-restrictions-windows-10.md

Lines changed: 6 additions & 4 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 06/04/2021
10+
ms.date: 07/19/2021
1111
ms.topic: reference
1212
ms.service: microsoft-intune
1313
ms.subservice: configuration
@@ -1120,11 +1120,13 @@ These settings use the [defender policy CSP](/windows/client-management/mdm/poli
11201120
- **Detect potentially unwanted applications**: This feature identifies and blocks potentially unwanted applications (PUA) from downloading and installing in your network. These applications aren't considered viruses, malware, or other types of threats. But, they can run actions on endpoints that might affect their performance or use. Choose the level of protection when Windows detects PUAs. Your options:
11211121

11221122
- **Not configured** (default): Intune doesn't change or update this setting. By default, Microsoft Defender might disable this feature.
1123-
- **Off**: PUA Protection off.
1123+
- **Off** or **Disabled**: PUA Protection off.
11241124
- **Enable**: Microsoft Defender detects PUAs, and detected items are blocked. These items show in history along with other threats.
11251125
- **Audit**: Microsoft Defender detects PUAs, but takes no action. You can review information about the applications Microsoft Defender would take action against. For example, search for events created by Microsoft Defender in the Event Viewer.
11261126

1127-
For more information about potentially unwanted apps, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
1127+
In **Endpoint Security** > **Antivirus** > **Microsoft Defender Antivirus** > **Remediation**, this setting is called **Action to take on potentially unwanted applications**.
1128+
1129+
For more information about potentially unwanted apps, see [Detect and block potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
11281130

11291131
[Defender/PUAProtection CSP](/windows/client-management/mdm/policy-csp-defender#defender-puaprotection)
11301132
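Review bot: The option text "**Off** or **Disabled**" at new line 1123 does not say which label appears in which profile type, and the sentence added at new line 1127 maps only the setting name, not its values. Suggest stating which label each profile shows (this device restrictions profile versus **Endpoint Security** > **Antivirus**) so an admin comparing the two can tell whether PUA protection is off, enabled, or in audit.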

@@ -1264,4 +1266,4 @@ These settings use the [power policy CSP](/windows/client-management/mdm/policy-
12641266

12651267
For additional technical details on each setting and what editions of Windows are supported, see [Windows 10 Policy CSP Reference](/windows/client-management/mdm/policy-configuration-service-provider)
12661268

1267-
[Assign the profile](device-profile-assign.md), and [monitor its status](device-profile-monitor.md).
1269+
[Assign the profile](device-profile-assign.md), and [monitor its status](device-profile-monitor.md).

memdocs/intune/fundamentals/common-scenarios.md

Lines changed: 7 additions & 9 deletions
@@ -36,10 +36,8 @@ The needs around enterprise mobility are dynamically evolving, and Microsoft's a
3636

3737
Following are short introductions to the six most common scenarios that rely on Intune, accompanied with links to more information about how to plan and deploy each of them.
3838

39-
>[!NOTE]
40-
>
39+
> [!NOTE]
4140
> - Want to know how Microsoft IT uses Intune to give corporate access on mobile devices, while also keeping corporate data protected? Check out the [IT Showcase Library](https://www.microsoft.com/itshowcase), and search for "Intune".
42-
>
4341
> - The [Microsoft Security and Compliance blogs](https://techcommunity.microsoft.com/t5/microsoft-security-and/bg-p/MicrosoftSecurityandCompliance) are a great resource. You can filter on areas that interest you, including Enterprise Mobility + Security, data loss prevention, identity & access management, and more.
4442
4543
## Protecting your on-premises email and data so it can be safely accessed by mobile devices
@@ -62,29 +60,29 @@ Intune and Microsoft Enterprise Mobility + Security provide a uniquely integrate
6260

6361
The Office mobile apps in their respective app stores are ready to go with data containment policies that you can configure via Intune. This enables you to prevent data from being shared with apps (for example, with native email apps) and storage locations (for example, Dropbox) that aren't managed by IT. All this functionality is built into Microsoft 365 and EMS. You don't have to deploy additional infrastructure to get this value.
6462

65-
A common Microsoft 365 deployment practice is to require devices to enroll into management if they need to be fully set up with corporate apps, certs, Wi-Fi, or VPN configurations, a common scenario for corporate-owned devices.
63+
A common Microsoft 365 deployment practice is to require devices to enroll into management if they need to be fully set up with corporate apps, certs, Wi-Fi, or VPN configurations, a common scenario for corporate-owned devices.
6664

67-
However, if your user simply needs to access corporate email and documents, which is often the case for personally owned devices, then you can require the user to use the Office mobile apps (to which you have applied [app protection policies](../apps/app-protection-policies.md) and skip enrolling the device altogether.
65+
However, if your user simply needs to access corporate email and documents, which is often the case for personally owned devices, then you can require the user to use the Office mobile apps (to which you have applied [app protection policies](../apps/app-protection-policies.md)) and skip enrolling the device altogether.
6866

6967
Either way, the Microsoft 365 data will be secured by policies you've defined.
7068

7169
<!-- Learn more about how to plan and deploy Intune to help secure Microsoft 365 email and data. -->
7270

7371
## Offer a bring your own device program to all employees
7472

75-
Bring your own device (BYOD) continues to grow in popularity among organizations as a means to reduce hardware expenditures or increase mobile productivity choices for employees. Just about everyone has a personal phone these days so why put another one in their pocket? The main challenge has always been to convince employees to enroll their personal device into management, as they are fearful of what their IT department will be able to see and do with their device.
73+
Bring your own device (BYOD) continues to grow in popularity among organizations as a means to reduce hardware expenditures or increase mobile productivity choices for employees. Just about everyone has a personal phone these days so why put another one in their pocket? The main challenge has always been to convince employees to enroll their personal device into management, as they are fearful of what their IT department will be able to see and do with their device.
7674

77-
When device enrollment is not a viable option, Intune offers an alternative BYOD approach of simply [managing the apps that contain corporate data](../apps/app-protection-policies.md). Intune protects the corporate data even if the app in question accesses both corporate and personal data, as is the case for Office mobile apps.
75+
When device enrollment is not a viable option, Intune offers an alternative BYOD approach of simply [managing the apps that contain corporate data](../apps/app-protection-policies.md). Intune protects the corporate data even if the app in question accesses both corporate and personal data, as is the case for Office mobile apps.
7876

7977
As an administrator, you can require users to access Microsoft 365 from the Office mobile apps and configure the apps with policies that keep the data protected (such as encrypting it, protecting it with a pin, and so on). These app protection policies prevent data loss from unmanaged apps and storage locations -- inside or outside of those apps. For example, the policies prevent a user from copying text from a corporate email profile into a consumer email profile even if both profiles are configured within Outlook Mobile. Similar configurations can be deployed for other services and applications that are required by your BYOD users.
8078

8179
<!-- Learn more about how to plan and deploy Intune to support BYOD.-->
8280

8381
## Issue corporate-owned phones to your employees
8482

85-
Many employees are mobile these days, making productivity on mobile devices an imperative to be competitive. These employees need seamless access to all corporate apps and data, at any time, wherever they are. You need to ensure that corporate data is secure and administrative costs are low.
83+
Many employees are mobile these days, making productivity on mobile devices an imperative to be competitive. These employees need seamless access to all corporate apps and data, at any time, wherever they are. You need to ensure that corporate data is secure and administrative costs are low.
8684

87-
Intune offers [bulk provisioning and management solutions](../enrollment/device-enrollment.md) that are integrated with the major corporate device management platforms on the market today, including the Apple Device Enrollment Program and the Samsung Knox mobile security platform. Centralized authoring of device configurations with Intune helps make provisioning of corporate devices something that can be highly automated.
85+
Intune offers [bulk provisioning and management solutions](../enrollment/device-enrollment.md) that are integrated with the major corporate device management platforms on the market today, including the Apple Device Enrollment Program and the Samsung Knox mobile security platform. Centralized authoring of device configurations with Intune helps make provisioning of corporate devices something that can be highly automated.
8886

8987
Picture this: hand an employee an unopened iPhone box. The employee powers it on and is walked through a corporate-branded setup flow where they must authenticate themselves. The iPhone is seamlessly configured with [security policies](../configuration/device-profiles.md).
9088
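Review bot: Five of the six changed pairs in this hunk (old lines 65, 75, 77, 85 and 87) show identical text on the - and + sides, so the one visible fix, the closing parenthesis after the app protection policies link at new line 65, is easy to miss. If the other pairs are whitespace cleanups, say so in the commit message or split them into their own change.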

memdocs/intune/fundamentals/filters.md

Lines changed: 11 additions & 2 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 05/10/2021
10+
ms.date: 07/19/2021
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: fundamentals
@@ -163,7 +163,16 @@ After the filter is created, it's ready to use when assigning your apps or polic
163163
:::image type="content" source="./media/filters/edit-compliance-policy-assignment.png" alt-text="Select a policy or profile, and edit the assignment in Microsoft Endpoint Manager and Microsoft Intune.":::
164164

165165
3. Assign your policy to a users group or a devices group.
166-
4. Select **Edit filter**. You can choose to **include filtered devices** or **exclude filtered devices**. A list of filters that match the policy platform is shown.
166+
4. Select **Edit filter**. Your options:
167+
168+
- **Do not apply a filter**: All targeted users or devices recieve the app or policy without filtering.
169+
- **Include filtered devices in assignment**: Devices that match the filter conditions recieve the app or policy. Devices that don't match the filter conditions don't receive the app or policy.
170+
171+
A list of filters that match the policy platform is shown.
172+
173+
- **Exclude filtered devices in assignment**: Devices that match the filter conditions don't recieve the app or policy. Devices that don't match the filter conditions receive the app or policy.
174+
175+
A list of filters that match the policy platform is shown.
167176

168177
5. Select your filter > **Select**.
169178
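Review bot: "recieve" is misspelled three times in the added lines (new lines 168, 169 and 173), while the same sentences also spell "receive" correctly. The sentence "A list of filters that match the policy platform is shown." is also repeated under both the Include and Exclude options; state it once after the option list so step 4 reads cleanly into step 5.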

memdocs/intune/protect/certificate-authority-add-scep-overview.md

Lines changed: 1 addition & 1 deletion
@@ -141,7 +141,7 @@ The following third-party certification authorities support Intune:
141141
- [HID Global](https://help.hydrantid.com/HydrantID_Intune_Integration.pdf)
142142
- [GlobalSign](https://downloads.globalsign.com/acton/attachment/2674/f-6903f60b-9111-432d-b283-77823cc65500/1/-/-/-/-/globalsign-aeg-microsoft-intune-integration-guide.pdf)
143143
- [IDnomic](https://www.idnomic.com/)
144-
- [SCEPman](https://azuremarketplace.microsoft.com/marketplace/apps/gluckkanja.scepman)
144+
- [SCEPman](https://azuremarketplace.microsoft.com/marketplace/apps/glueckkanja-gabag.scepman)
145145
- [Sectigo](https://sectigo.com/products)
146146
- [SecureW2](https://www.securew2.com/solutions/managed-devices/scep-ca-integration-with-microsoft-intune)
147147
- [Venafi](https://www.venafi.com/platform/enterprise-mobility)
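Review bot: Confirm that the new SCEPman URL at new line 144 resolves and is published by the same vendor. The Azure Marketplace publisher segment moves from `gluckkanja` to `glueckkanja-gabag`, and readers use this list to choose a certification authority for their SCEP deployment, so a wrong or stale listing matters more here than in an ordinary link.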

memdocs/intune/protect/windows-10-expedite-updates.md

Lines changed: 6 additions & 2 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: brenduns
88
ms.author: brenduns
99
manager: dougeby
10-
ms.date: 07/12/2021
10+
ms.date: 07/19/2021
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: protect
@@ -54,7 +54,7 @@ The actual time that a device starts to update depends on the device being onlin
5454
> [!IMPORTANT]
5555
> In some scenarios, Windows Update can install an update that is more recent than the update you specify in expedite update policy. For more information about this scenario, see [About installing the latest applicable update](#identify-the-latest-applicable-update), later in this article.
5656
57-
- Expedite update policies ignore and override any quality [update deferral periods](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) for the update version you deploy. You can configure quality updates deferrals by using Intune [Widows 10 update rings](../protect/windows-10-update-rings.md) and the setting for **Quality update deferral period**.
57+
- Expedite update policies ignore and override any quality [update deferral periods](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) for the update version you deploy. You can configure quality updates deferrals by using Intune [Windows 10 update rings](../protect/windows-10-update-rings.md) and the setting for **Quality update deferral period**.
5858

5959
- When a restart is required to complete installation of the update, the policy helps to manage the restart. In the policy, you can configure a period that users have to restart a device before the policy forces an automatic restart. Users can also choose to schedule the restart or let the device try to find the best time outside of the devices *Active Hours*. Before reaching the restart deadline, the device displays notifications to alert device users about the deadline and includes options to schedule the restart.
6060
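Review bot: The changed bullet at new line 57 still reads "quality updates deferrals"; "quality update deferrals" would match the setting name **Quality update deferral period** used in the same sentence. The unchanged bullet at line 59 has "outside of the devices *Active Hours*", which needs the possessive "device's".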

@@ -142,6 +142,10 @@ Group Policy settings override mobile device management policies, and the follow
142142
- **DeferFeatureUpdates** - Select when Preview Builds and Feature Updates are received.
143143
- **Disable Dual Scan** - Don't allow update deferral policies to cause scans against Windows Update.
144144

145+
**Enable Windows Health Monitoring**:
146+
147+
Before you can monitor results and update status for expedited updates, your Intune tenant must enable [Windows Health Monitoring](../configuration/windows-health-monitoring.md). While configuring Windows Health Monitoring, be sure to set the **Scope** to **Windows updates**.
148+
145149
## Create and assign an expedited quality update
146150

147151
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
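Review bot: The added "**Enable Windows Health Monitoring**:" block at new lines 145-147 uses a bold line as a heading and sits directly after the Group Policy bullet list, so it reads as a continuation of that list rather than as a separate prerequisite. Suggest giving it its own heading or list item, and rewording "your Intune tenant must enable" since the action is taken by an admin in the tenant.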
