Merge branch 'release-intune-2206' of https://github.com/MicrosoftDocs/memdocs-pr into in2205-model-14439211

Author: mestew

memdocs/intune/apps/apps-add-android-for-work.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 05/05/2022
+ms.date: 06/08/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -21,7 +21,7 @@ ms.assetid: 2f6c06bf-e29a-4715-937b-1d2c7cf663d4
 #ROBOTS:
 #audience:
 
-ms.reviewer: chrisbal
+ms.reviewer: ilwu
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -268,7 +268,7 @@ For Managed Google Play apps deployed to Android Enterprise personally-owned wor
 
 ## Working with Managed Google Play closed testing tracks
 
-You can distribute a non-production version of a Managed Google Play app to devices enrolled in an Android Enterprise scenario (**Android Enterprise personally-owned work profile (BYOD)**, **Android Enterprise fully managed (COBO)**, **Android Enterprise dedicated devices (COSU)**, and **Android Enterprise corporate-owned work profile (COPE)**) in order to perform testing. In Intune, you can see whether an app has a pre-production build test track published to it, as well as be able to assign that track to Azure Active Directory user groups or device groups. The workflow for assigning a production version to a group that currently exists is the same as assigning a non-production channel. After deployment, the install status of each track will correspond with the track's version number in Managed Google Play. For more information, see [Google Play's closed test tracks for app pre-release testing](https://support.google.com/googleplay/android-developer/answer/3131213).
+You can distribute a non-production version of a Managed Google Play app to devices enrolled in an Android Enterprise scenario (**Android Enterprise personally-owned work profile (BYOD)**, **Android Enterprise fully managed (COBO)**, **Android Enterprise dedicated devices enrolled with Azure AD shared mode (aka COSU)**, and **Android Enterprise corporate-owned work profile (COPE)**) in order to perform testing. In Intune, you can see whether an app has a pre-production build test track published to it, as well as be able to assign that track to Azure Active Directory user groups or device groups. The workflow for assigning a production version to a group that currently exists is the same as assigning a non-production channel. After deployment, the install status of each track will correspond with the track's version number in Managed Google Play. For more information, see [Google Play's closed test tracks for app pre-release testing](https://support.google.com/googleplay/android-developer/answer/3131213).
 
 > [!NOTE]
 > Required app deployments for non-production app tracks are currently unavilable for devices enrolled in Android Enterprise personally-owned work profile (BYOD).
@@ -285,6 +285,10 @@ When necessary, you can delete Managed Google Play apps from Microsoft Intune. T
 
 You can enable an Android Enterprise system app for [Android Enterprise dedicated devices](../enrollment/android-kiosk-enroll.md) or [fully managed devices](../enrollment/android-fully-managed-enroll.md). For more information about adding an Android Enterprise system app, see [Add Android Enterprise system apps to Microsoft Intune](apps-ae-system.md).
 
+## MAM policies with AE dedicated devices enrolled with Azure AD shared mode
+
+Intune-managed Android Enterprise dedicated devices enrolled with Azure AD shared mode can receive MAM policies and can be targeted separately from other Android enterprise devices. ntune-managed Android Enterprise dedicated devices that are not in Shared Device Mode will continue to be blocked from getting MAM. For more information about Intune-managed Android Enterprise dedicated devices enrolled with Azure AD shared mode, see [Android Enterprise dedicated devices](../fundamentals/deployment-guide-enrollment-android.md#android-enterprise-dedicated-devices).
+
 ## Next steps
 
 - [Assign apps to groups](apps-deploy.md)

memdocs/intune/apps/company-portal-app.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 05/23/2022
+ms.date: 06/08/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -21,7 +21,7 @@ ms.assetid: dec6f258-ee1b-4824-bf66-29053051a1ae
 #ROBOTS:
 #audience:
 
-ms.reviewer: esthermsft
+ms.reviewer: abstarr
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -300,7 +300,7 @@ For more information about notifications, see [Receive a custom notification](..
 
 ## Configure feedback settings for Company Portal and Microsoft Intune apps
 
-There are a number of M365 enterprise policies which affect whether feedback must be enabled or disabled for currently logged users. These policies are available via the [Microsoft 365 Apps admin center](https://config.office.com/). In relation to Microsoft Intune, these policies affect feedback and surveys for the Intune Company Portal app and Microsoft Intune app.
+There are a number of M365 enterprise policies which affect whether feedback must be enabled or disabled for currently logged users. These policies are available via the [Microsoft 365 Apps admin center](https://config.office.com/). In relation to Microsoft Intune, these policies affect feedback and surveys for the Intune Company Portal app, the Web Company Portal, and Microsoft Intune app.
 
 M365 feedback policies include the following policies:
 

memdocs/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 02/10/2022
+ms.date: 06/27/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -81,7 +81,9 @@ Create an enrollment profile to enable enrollment on devices.
 4. Select **Next**. Review the details of your profile and then select **Create** to save the profile.  
 
 ### Access enrollment token  
-After you create a profile, Intune generates a token that's needed for enrollment. To access the token:
+After you create a profile, Intune generates a token that's needed for enrollment. The token appears as a QR code. During device setup, when prompted to, scan the QR code to enroll the device in Intune.   
+
+To access the token:
 
 1. Go to **Corporate-owned, user-associated devices**.
 2. From the list, select your enrollment profile. 
@@ -92,7 +94,7 @@ Another way to find the token is:
 2. Locate your profile in the list, and then select the **More** (**...**) menu that's next to it.
 3. Select **View enrollment token**. 
 
-The token appears as a QR code. During device setup, when prompted to, scan the QR code to enroll the device in Intune.   
+For devices that can't scan QR codes, you can export the enrollment profile JSON file and QR code image.  
 
 > [!IMPORTANT]
 >- The QR code will contain any credentials provided in the profile in plain text to allow the device to successfully authenticate with the network. This is required as the user will not be able to join a network from the device.  

memdocs/intune/enrollment/macos-enroll.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 03/29/2022
+ms.date: 06/27/2022
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -66,13 +66,9 @@ Intune supports the following enrollment methods for company-owned macOS devices
 - [Device enrollment manager (DEM)](device-enrollment-manager-enroll.md): Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.   
 - [Direct enrollment](device-enrollment-direct-enroll-macos.md): Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. This method requires you to have physical access to the Macs you're enrolling.  
 
-## Bootstrap tokens (preview)    
-
-> [!IMPORTANT]
-> This feature is in [public preview](../fundamentals/public-preview.md).   
-
-Intune supports the use of bootstrap tokens on enrolled Macs running macOS 10.15 or later. Bootstrap tokens grant volume ownership status to local user and guest accounts, so that non-admin users can approve important operations that an admin would otherwise need to do.  Operations such as: 
+## Bootstrap tokens   
 
+Intune supports the use of bootstrap tokens on enrolled Macs running macOS 10.15 or later. Bootstrap tokens grant volume ownership status to local user and guest accounts so that non-admin users can approve important operations that an admin would otherwise need to do.  Operations such as: 
 
 * User-initiated software updates  
 

memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md

@@ -33,7 +33,7 @@ ms.collection:
 
 Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.
 
-You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center just as you can manage a shared Windows 10 or Windows 11 client device. When managing such virtual machines (VMs), you must use device-based configurations. Such configurations require user-less enrollments. 
+You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center just as you can manage a shared Windows 10 or Windows 11 client device. When managing such virtual machines (VMs), you'll be able to use both device-based and user configuration. 
 
 Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host exclusive to [Azure Virtual Desktop](/azure/virtual-desktop/) on Azure. It provides the following benefits:
 
@@ -45,8 +45,18 @@ You can manage **Windows 10** and **Windows 11 Enterprise multi-session** VMs cr
 
 ## Overview
 
-Microsoft Intune only supports managing Windows 10 or Windows 11 Enterprise multi-session with device configurations. This means only [policies defined in the OS scope](/windows/client-management/mdm/policy-configuration-service-provider) and apps configured to install in the system context can be applied to Azure Virtual Desktop multi-session VMs. Additionally, all multi-session configurations must be targeted to devices or device groups. User scope policies aren't supported at this time.
+Device configuration support in Microsoft Intune for Windows 10 or Windows 11 Enterprise multi-session is Generally Available (GA). This means [policies defined in the OS scope](/windows/client-management/mdm/policy-configuration-service-provider) and apps configured to install in the system context can be applied to Azure Virtual Desktop multi-session VMs. Additionally, multi-session configurations can be targeted to devices or device groups. 
 
+User configuration support in Microsoft Intune for Windows 11 multi-session VMs is in public preview. With this you'll be able to:
+
+ - Configure user scope policies using **Settings catalog** and assign to groups of users. You can use the search bar to search all configurations with scope set to "user".
+ 
+ - Configure user certificates and assign to users.
+
+ - Configure PowerShell scripts to install in the user context and assign to users.
+
+> [!NOTE]
+> User configuration support for Windows 10 multi-session builds will be available later this year.
 
 ## Prerequisites
 
@@ -70,7 +80,7 @@ See [What is Azure Virtual Desktop?](/azure/virtual-desktop/overview#requirement
 
 Windows 10 or Windows 11 Enterprise multi-session VMs are treated as a separate OS edition and some Windows 10 or Windows 11 Enterprise configurations won’t be supported for this edition. Using Microsoft Intune doesn't depend on or interfere with Azure Virtual Desktop management of the same VM.
 
-## Create the device configuration profile
+## Create the configuration profile
 
 To configure configuration policies for Windows 10 or Windows 11 Enterprise multi-session VMs, you'll need to use the [Settings catalog](../configuration/settings-catalog.md) in the Microsoft Endpoint Manager admin center.
 
@@ -95,7 +105,7 @@ Microsoft Intune won't deliver unsupported templates to multi-session devices, a
     - **Key**: **OS edition**
     - **Operator**: **==**
     - **Value**: **Enterprise multi-session**
-    - Select **Apply**. The filtered list now shows all configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session. You can see the scope for the policy in parentheses (Device or User). Currently, only device settings are supported for multi-session.
+    - Select **Apply**. The filtered list now shows all configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session. The scope for a policy is shown in parantheses. For user scope it shows as (User) and all the rest are policies with device scope. 
 8. From the filtered list, pick the categories that you want.
     - For each category you pick, select the settings that you want to apply to your new configuration profile.
     - For each setting, select the value that you want for this configuration profile.
@@ -110,6 +120,7 @@ Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 o
 
 - ADMX-backed policies are supported. Some policies aren't yet available in the Settings catalog.
 - ADMX-ingested policies are supported, including Office and Microsoft Edge settings available in Office administrative template files and Microsoft Edge administrative template files. For a complete list of ADMX-ingested policy categories, see [Win32 and Desktop Bridge app policy configuration](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration#overview). Some ADMX ingested settings won't be applicable to Windows 10 or Windows 11 Enterprise multi-session.
+- ADMX - ingested policies are not supported for user targetting at this time.
 
 ## Compliance and Conditional access
 
@@ -163,7 +174,9 @@ All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11 En
 
 ## Script deployment
 
-Scripts configured to run in the system context are supported on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under Script settings by setting **Run this script using the logged on credentials** to **No**.
+Scripts configured to run in the system context and assigned to devices are supported on Windows 10 or Windows 11 Enterprise multi-session. This can be configured under Script settings by setting **Run this script using the logged on credentials** to **No**.
+
+Scripts configured to run in the user context and assigned to users are supported on Windows 11 Enterprise multi-session. This can be configured under Script settings by setting **Run this script using the logged on credentials** to **Yes**.
 
 ## Windows Update for Business
 

memdocs/intune/protect/endpoint-security.md

@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/16/2021
+ms.date: 06/21/2022
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -82,7 +82,7 @@ To learn more about using Security tasks, see [Use Intune to remediate vulnerabi
 
 ## Use policies to manage device security
 
-As a security admin, use the security policies that are found under *Manage* in the Endpoint security node. With these policies, you can configure device security without the overhead of navigating the larger body and range of settings from device configuration profiles and security baselines.
+As a security admin, use the security policies that are found under *Manage* in the Endpoint security node. With these policies, you can configure device security without having to navigate the larger body and range of settings in device configuration profiles or security baselines.
 
 ![Manage policies](./media/endpoint-security/endpoint-security-policies.png)
 
@@ -151,12 +151,18 @@ You can view the following list of permissions in the Microsoft Endpoint Manager
 
 **Permissions:**
 
+- **Android FOTA**
+  - Read
 - **Android for work**
   - Read
 - **Audit data**
   - Read
+- **Certificate Connector**
+  - Read
 - **Corporate device identifiers**
   - Read
+- **Derived Credentials**
+  - Read
 - **Device compliance policies**
   - Assign
   - Create
@@ -166,6 +172,7 @@ You can view the following list of permissions in the Microsoft Endpoint Manager
   - View reports
 - **Device configurations**
   - Read
+  - View reports
 - **Device enrollment managers**
   - Read
 - **Endpoint protection reports**
@@ -174,6 +181,8 @@ You can view the following list of permissions in the Microsoft Endpoint Manager
   - Read device
   - Read profile
   - Read token
+- **Filters**
+  - Read
 - **Intune data warehouse**
   - Read
 - **Managed apps**
@@ -183,23 +192,35 @@ You can view the following list of permissions in the Microsoft Endpoint Manager
   - Read
   - Set primary user
   - Update
+  - View reports
+- **Microsoft Defender ATP**
+  - Read
+- **Microsoft Store for Business**
+  - Read
+- **Mobile Threat Defense**
+  - Modify
+  - Read
 - **Mobile apps**
   - Read
 - **Organization**
   - Read
+- **Partner Device Management**
+  - Read
 - **PolicySets**
   - Read
-- **Remote assistance**
+- **Remote assistance connectors**
   - Read
+  - View reports
 - **Remote tasks**
   - Get FileVault key
   - Initiate Configuration Manger action
-  - Microsoft Defender
   - Reboot now
   - Remote lock
   - Rotate BitLockerKeys (Preview)
   - Rotate FileVault key
+  - Shut down
   - Sync devices
+  - Windows defender
 - **Roles**
   - Read
 - **Security baselines**
@@ -215,6 +236,8 @@ You can view the following list of permissions in the Microsoft Endpoint Manager
   - Read
 - **Terms and conditions**
   - Read
+- **Windows Enterprise Certificate**
+  - Read
 
 ## Avoid policy conflicts