Merge branch 'main' into release-intune-2201

Author: Erikre

memdocs/analytics/enroll-configmgr.md

@@ -33,10 +33,7 @@ Before you start this tutorial, make sure you have the following prerequisites:
 
 ### Licensing Prerequisites
 
-Endpoint analytics is included in the following plans:
-
-- [Enterprise Mobility + Security E3](https://www.microsoftvolumelicensing.com/ProductResults.aspx?doc=Product%20Terms,OST&fid=51) or higher
-- [Microsoft 365 Enterprise E3](https://www.microsoft.com/en-us/microsoft-365/enterprise?rtc=1) or higher.
+Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager. For more information, see [Microsoft Intune licensing](../intune/fundamentals/licenses.md) or [Microsoft Endpoint Configuration Manager licensing](../configmgr/core/understand/learn-more-editions.md).
 
 ## Endpoint analytics permissions
 

memdocs/analytics/enroll-intune.md

@@ -43,10 +43,7 @@ To enroll devices to Endpoint analytics, they need to send required functional d
 
 ### Licensing Prerequisites
 
-Endpoint analytics is included in the following plans:
-
-- [Enterprise Mobility + Security E3](https://www.microsoftvolumelicensing.com/ProductResults.aspx?doc=Product%20Terms,OST&fid=51) or higher
-- [Microsoft 365 Enterprise E3](https://www.microsoft.com/en-us/microsoft-365/enterprise?rtc=1) or higher.
+Devices enrolled in Endpoint analytics need a valid license for the use of Microsoft Endpoint Manager. For more information, see [Microsoft Intune licensing](../intune/fundamentals/licenses.md) or [Microsoft Endpoint Configuration Manager licensing](../configmgr/core/understand/learn-more-editions.md).
 
 ### Endpoint analytics permissions
 

memdocs/configmgr/core/plan-design/security/includes/enable-tls-1-2-protocol-security-provider.md

@@ -11,4 +11,4 @@ ms.localizationpriority: medium
 
 TLS 1.2 is enabled by default. Therefore, no change to these keys is needed to enable it. You can make changes under `Protocols` to disable TLS 1.0 and TLS 1.1 after you've followed the rest of the guidance in these articles and you've verified that the environment works when only TLS 1.2 enabled.
 
-Verify the `\SecurityProviders\SCHANNEL\Protocols` registry subkey setting, as shown in [Transport layer security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry).
+Verify the `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` registry subkey setting, as shown in [Transport layer security (TLS) best practices with the .NET Framework](/dotnet/framework/network-programming/tls#configuring-security-via-the-windows-registry).

memdocs/configmgr/hotfix/2010/5001600.md

@@ -16,6 +16,12 @@ ms.localizationpriority: medium
 *Applies to: Configuration Manager (current branch, versions 1910 - 2010)*
 
 ## Summary of KB5001600
+> [!NOTE]
+> This update is replaced by the following newer version effective January 21, 2022
+>
+> [KB 12819689 Connected cache update for Microsoft Endpoint Configuration Manager version 2111](../../hotfix/2111/12819689.md)
+>
+
 Due to content delivery network changes, the Microsoft Connected Cache (MCC) server component installation fails when enabled for distribution points *after* **March 5, 2021**.
 This component is enabled by selecting the **Enable this distribution point to be used as Microsoft Connected Cache server** option in a distribution point's properties. 
 After March 5, 2021, once enabled, the component will retry installation three times before stopping. 

memdocs/configmgr/hotfix/2111/12709700.md

@@ -69,7 +69,7 @@ The following major components are updated to the versions specified:
 
 |Component |Version |
 |---|---|
-| Site | 5.00.9060.1000 |
+| Full Version | 5.00.9068.1008 |
 | Configuration Manager console | 5.2111.1052.1700 |
 | Client | 5.00.9068.1008 |
 

memdocs/configmgr/hotfix/2111/12819689.md

@@ -0,0 +1,63 @@
+---
+title: Connected cache update for Microsoft Endpoint Configuration Manager version 2111
+titleSuffix: Configuration Manager
+description: Console update for 2111
+ms.date: 1/21/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 41afa274-7561-4c0e-80af-2d0fe01699ef
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Connected cache update for Microsoft Endpoint Configuration Manager version 2111
+
+*Applies to: Configuration Manager (current branch, version 2111)*
+## Summary of KB12819689
+
+An update is available to resolve the following issue with Configuration Manager current branch, version 2111.
+
+- The Microsoft Connected Cache (MCC) feature is not used as expected for Win32 apps deployed through Microsoft Intune in a co-managed environment.
+Review of the IntuneManagementExtension.log file shows an internet-based **DownloadURL** value. 
+The MCC component is enabled by selecting the **Enable this distribution point to be used as Microsoft Connected Cache server** option in a distribution point's properties.
+ 
+
+## Update information for Microsoft Endpoint Configuration Manager, version 2111
+The following hotfix to resolve this problem is available for download from the Microsoft Download Center:
+
+[Download this hotfix now](https://download.microsoft.com/download/a/3/a/a3af1ea3-79ba-4600-8953-c2a4b6b8b970/DoincInstall.exe).
+
+After you download this hotfix, refer to the following installation instructions.
+
+## Installation instructions
+1. Confirm there is not currently an installation of the MCC component in progress. This is done by checking for status message **9522**, generated by the `SMS_DISTRIBUTION_MANAGER` component. The 9522 message indicates that installation is no longer being retried.
+2. Copy the new version of `DoincInstall.exe`, version **1.5.5.9002**, to the `{SMSInstallDir}\bin\x64` folder on all site servers, including the Central Administration Site (CAS) if present, and any passive sites.
+3. Uncheck the **Enable this distribution point to be used as Microsoft Connected Cache server** option in the affected distribution point’s properties.
+4. Wait for the uninstall of MCC to complete on the distribution point. This can be confirmed by looking for a **9152** success status message, combined with the following entry in `distmgr.log`.
+   ```text
+   Finished waiting for DoincInstall. InvocationState: UninstallCompleted. InvocationExitCode: 0. InvocationMessage: .
+   ```
+5. Recheck the **Enable this distribution point to be used as Microsoft Connected Cache server** option for the affected distribution point.
+
+   > [!TIP]
+   > For sites with a large number of distribution points, replace steps 3 - 5 above with the following.
+   > - Create an empty file named `resetdps.trn` and place it in the `{SMSInstallDir}\inboxes\distmgr.box` folder. This will reinstall all distribution points for that site using the latest version of `DoincInstall.exe` copied in step 2. above. 
+
+## Prerequisites
+To apply this hotfix, you must be using Microsoft Endpoint Configuration Manager, versions 1910 through versions 2111.
+
+## Restart information
+You don't have to restart the computer after you apply this hotfix. 
+
+## Hotfix replacement information
+This hotfix replaces the following previously released hotfix.
+
+[KB5001600 Microsoft Connected Cache component fails to install on Configuration Manager current branch](../../hotfix/2010/5001600.md)
+
+## File information
+File information is available in the downloadable [KB12819689_FileList.txt](https://aka.ms/KB12819689_FileList) text file.
+
+## Release history
+- January 21, 2022: Initial hotfix release

memdocs/configmgr/hotfix/TOC.yml

@@ -9,6 +9,8 @@ items:
     href: 2111/12709700.md
   - name: KB 12959506 Client update for Configuration Manager 2111
     href: 2111/12959506.md
+  - name: KB 12819689 Connected cache update for Microsoft Endpoint Configuration Manager version 2111
+    href: 2111/12819689.md
 - name: Version 2107
   items:
   - name: KB 10096997 Summary of changes in 2107

memdocs/intune/apps/app-protection-framework.md

@@ -52,7 +52,7 @@ Microsoft recommends the following deployment ring approach for the APP data pro
 | Deployment ring  | Tenant  | Assessment teams  | Output  | Timeline  |
 |--------------------|------------------------|-------------------------------------------------------------------|----------------------------------------------------------|----------------------------------------|
 | Quality Assurance  | Pre-production tenant  | Mobile capability owners, Security, Risk Assessment, Privacy, UX  | Functional scenario validation, draft documentation  | 0-30 days  |
-| Preview  | Production tenant  | Mobile capability owners, UX  | End user scenario validation, user facing documentation  | 7-14 days, post Quality Assurance  |
+| Preview  | Production tenant  | Mobile capability owners, UX  | End-user scenario validation, user facing documentation  | 7-14 days, post Quality Assurance  |
 | Production  | Production tenant  | Mobile capability owners, IT help desk  | N/A  | 7 days to several weeks, post Preview  |
 
 As the above table indicates, all changes to the App Protection Policies should be first performed in a pre-production environment to understand the policy setting implications. Once testing is complete, the changes can be moved into production and applied to a subset of production users, generally, the IT department and other applicable groups. And finally, the rollout can be completed to the rest of the mobile user community. Rollout to production may take a longer amount of time depending on the scale of impact regarding the change. If there is no user impact, the change should roll out quickly, whereas, if the change results in user impact, rollout may need to go slower due to the need to communicate changes to the user population.
@@ -106,7 +106,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
 
 | Setting | Setting description |             Value  |             Platform        |
 |-----------------|--------------------------------------------------------|-----------------------|----------------------------------------|
-| Data   Transfer |             Backup org data to…  |             Allow  |             iOS/iPadOS, Android        |
+| Data   Transfer |             Back up org data to…  |             Allow  |             iOS/iPadOS, Android        |
 | Data   Transfer |       Send org   data to other apps  |             All apps  |             iOS/iPadOS, Android        |
 | Data   Transfer |       Receive   data from other apps  |             All apps  |             iOS/iPadOS, Android        |
 | Data   Transfer |       Restrict   cut, copy, and paste between apps  |             Any app  |             iOS/iPadOS, Android        |
@@ -129,7 +129,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
 | Simple PIN  | Allow  | iOS/iPadOS, Android  |   |
 | Select Minimum PIN length  | 4  | iOS/iPadOS, Android  |   |
 | Touch ID instead of PIN for access (iOS 8+/iPadOS)  | Allow  | iOS/iPadOS  |   |
-| Fingerprint instead of PIN for access (Android 6.0+)  | Allow  | Android  |   |
+| Fingerprint instead of PIN for access (Android 9.0+)  | Allow  | Android  |   |
 | Override biometrics with PIN after timeout  | Require  | iOS/iPadOS  |   |
 | Override fingerprint with PIN after timeout  | Require  | Android  |   |
 | Timeout (minutes of activity)  | 720  | iOS/iPadOS, Android  |   |
@@ -149,8 +149,8 @@ The policies in level 1 enforce a reasonable data access level while minimizing
 | App conditions |       Offline   grace period  |          720 /   Block access (minutes)  |          iOS/iPadOS,   Android  |                  |
 | App conditions |       Offline   grace period  |          90 / Wipe   data (days)  |          iOS/iPadOS,   Android  |                  |
 | Device conditions  |       Jailbroken/rooted   devices  |        N/A / Block   access  |          iOS/iPadOS,   Android  |                  |
-| Device conditions  |       SafetyNet   device attestation  |          Basic   integrity and certified devices / Block access  |          Android  |          <p>This   setting configures Google's SafetyNet Attestation on end user   devices. Basic integrity validates the integrity of the device. Rooted   devices, emulators, virtual devices, and devices with signs of tampering fail   basic integrity. </p><p> Basic  integrity and certified devices validates the compatibility of   the device with Google's services. Only unmodified devices that have been   certified by Google can pass this check.</p>  |
-| Device conditions  |       Require   threat scan on apps  |        N/A / Block   access  |          Android  |          This   setting ensures that Google's Verify Apps scan is turned on for end   user devices. If configured, the end user will be blocked from access until   they turn on Google's app scanning on their Android device.        |
+| Device conditions  |       SafetyNet   device attestation  |          Basic   integrity and certified devices / Block access  |          Android  |          <p>This   setting configures Google's SafetyNet Attestation on end-user   devices. Basic integrity validates the integrity of the device. Rooted   devices, emulators, virtual devices, and devices with signs of tampering fail   basic integrity. </p><p> Basic  integrity and certified devices validates the compatibility of   the device with Google's services. Only unmodified devices that have been   certified by Google can pass this check.</p>  |
+| Device conditions  |       Require   threat scan on apps  |        N/A / Block   access  |          Android  |          This   setting ensures that Google's Verify Apps scan is turned on for end   user devices. If configured, the end-user will be blocked from access until   they turn on Google's app scanning on their Android device.        |
 | Device conditions  |       Require device lock  |        N/A / Block   access  |         Android  |          This   setting ensures that Android devices have a device PIN, password, or pattern are set to enable a device lock.  This condition does not distinguish between lock options or the complexity.                |
 
 #### Level 2 enterprise enhanced data protection
@@ -163,7 +163,7 @@ The policy settings enforced in level 2 include all the policy settings recommen
 
 | Setting | Setting description |             Value  |             Platform        | Notes |
 |---------------|----------------------------------------------------------|-----------------------------------------------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Data Transfer |       Backup org   data to…  |          Block  |          iOS/iPadOS,   Android  |                  |
+| Data Transfer |       Back up org   data to…  |          Block  |          iOS/iPadOS,   Android  |                  |
 | Data Transfer |       Send org   data to other apps  |          Policy   managed apps  |          iOS/iPadOS,   Android  |          <p>With   iOS/iPadOS, administrators can configure this value to be "Policy managed   apps", "Policy managed apps with OS sharing", or "Policy managed apps   with Open-In/Share filtering". </p><p>Policy managed apps with OS   sharing is available when the device is also enrolled with Intune. This   setting allows data transfer to other policy managed apps, as well as   file transfers to other apps that have are managed by   Intune. </p><p>Policy managed apps with Open-In/Share filtering   filters the OS Open-in/Share dialogs to only display policy managed   apps. </p><p> For more information, see [iOS app protection policy   settings](app-protection-policy-settings-ios.md).</p> |
 | Data Transfer |       Select apps to exempt  |          Default / skype;app-settings;calshow;itms;itmss;itms-apps;itms-appss;itms-services;  |          iOS/iPadOS  |                  |
 | Data Transfer |       Save   copies of org data  |          Block  |          iOS/iPadOS,   Android  |                  |