
Commit 128d883

Merge pull request #7867 from MicrosoftDocs/main
Publish 06/22/2022, 10:30 AM
2 parents ef13ca5 + 8634a8f commit 128d883

4 files changed

Lines changed: 35 additions & 21 deletions

File tree

memdocs/autopilot/windows-autopilot-hybrid.md

Lines changed: 20 additions & 12 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: ErikjeMS
99
ms.author: erikje
1010
manager: dougeby
11-
ms.date: 06/07/2021
11+
ms.date: 06/22/2021
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: enrollment
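Review bot: the new `ms.date: 06/22/2021` has the wrong year. This merge is titled "Publish 06/22/2022" and the old value was 06/07/2021, so the intended value is almost certainly `06/22/2022`; as written the front matter claims the article is a year staler than it is, and that value is what readers see as the last-updated date.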
@@ -113,12 +113,23 @@ The organizational unit that's granted the rights to create computers must match
113113

114114
## Install the Intune Connector
115115

116-
The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later. The computer must also have access to the internet and your Active Directory. To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.
116+
### Before you begin
117117

118-
> [!NOTE]
119-
> If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that's able to create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these are untrusted domains, you must uninstall the connectors from domains in which you don't want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
118+
- The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later.
119+
- The computer must have access to the internet and your Active Directory.
120+
- To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.
121+
122+
- If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that can create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these are untrusted domains, you must uninstall the connectors from domains in which you don't want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
123+
124+
This connector service account must have the following permissions:
125+
126+
- **[Log on as a service](/system-center/scsm/enable-service-log-on-sm)**
127+
- Must be part of the **Domain user** group
128+
- Must be a member of the local **Administrators** group on the Windows server that hosts the connector
129+
130+
- The Intune Connector requires the [same endpoints as Intune](../intune/fundamentals/intune-endpoints.md).
120131

121-
The Intune Connector requires the [same endpoints as Intune](../intune/fundamentals/intune-endpoints.md).
132+
### Install steps
122133

123134
1. Turn off IE Enhanced Security Configuration. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. If you're unable to sign in to the Intune Connector for Active Directory, then turn off IE Enhanced Security Configuration for the Administrator. [How To Turn Off Internet Explorer Enhanced Security Configuration](/archive/blogs/chenley/how-to-turn-off-internet-explorer-enhanced-security-configuration).
124135
2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory** > **Add**.
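Review bot: the group name in the new permissions list is wrong; the built-in Active Directory group is "Domain Users", not "Domain user", so the item "Must be part of the **Domain user** group" should be corrected. Two smaller points in the same list: the lead sentence says "must have the following permissions" but the items are a user right plus two group memberships, and the "Log on as a service" link points at a System Center Service Manager article rather than a Windows user-rights reference. Since this account both creates computer objects in every supported domain and sits in the local Administrators group on the connector host, it would help readers to state explicitly that this is the identity the connector service runs as, and that these rights are the whole set it needs, so nobody pads it with Domain Admins to make enrollment work.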
@@ -131,13 +142,10 @@ The Intune Connector requires the [same endpoints as Intune](../intune/fundament
131142
8. Go to **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory**, and then confirm that the connection status is **Active**.
132143

133144
> [!NOTE]
134-
> The Global administrator role is a temporary requirement at the time of installation.
135-
136-
> [!NOTE]
137-
> After you sign in to the Connector, it might take a couple of minutes to appear in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). It appears only if it can successfully communicate with the Intune service.
138-
139-
> [!NOTE]
140-
> Inactive Intune connectors will still appear in the Intune Connectors blade and will automatically be cleaned up after 30 days.
145+
>
146+
> - The Global administrator role is a temporary requirement at the time of installation.
147+
> - After you sign in to the Connector, it can take several minutes to appear in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). It appears only if it can successfully communicate with the Intune service.
148+
> - Inactive Intune connectors still appear in the Intune Connectors blade and will automatically be cleaned up after 30 days.
141149
142150
### Configure web proxy settings
143151
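Review bot: the merged note still does not say which account needs Global administrator. "The Global administrator role is a temporary requirement at the time of installation" should name the account that signs in to the connector during setup, as distinct from the on-premises service account listed under "Before you begin", and say that the role can be removed once the connector shows as Active; otherwise readers may leave a standing Global administrator assignment on an operational account.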

memdocs/intune/enrollment/device-enrollment-shared-ipad.md

Lines changed: 1 addition & 1 deletion
@@ -128,7 +128,7 @@ The following are known limitations when working with shared iPads:
128128

129129
- **Disabled settings and system apps:** Shared iPads provide users access to a limited number of settings and system apps. For more information on what settings and apps are disabled on Shared iPads. For more information, see [Shared iPad and Managed Apple IDs](https://support.apple.com/guide/mdm/shared-ipad-and-managed-apple-ids-mdm9992c9a34/web).
130130
- **App Store installations are disabled:** The App Store is available by default on Shared iPad. But app installation is disabled for App Store apps when a device is set up as a Shared iPad. It is recommended that you disable App Store using configuration profiles in Intune.
131-
- **Company Portal and available apps are not supported:** Intune Company Portal app, the Intune Company Portal website are not supported on Shared iPads. Apps must be assigned as “required” to device groups containing the Shared iPad to install. Available apps are supported on Shared iPad.
131+
- **Company Portal and available apps are not supported:** Intune Company Portal app and the Intune Company Portal website are not supported on Shared iPad. Apps must be assigned as _required_ to device groups containing the Shared iPad to install. Available apps are not supported on Shared iPad.
132132
- **Passcode complexity cannot be managed on Shared iPad:** The passcode complexity for Shared iPad is a complex 8 character alphanumeric and cannot be changed in Apple Business Manager. The passcode complexity and length settings available in device configuration profile do not apply to Shared iPads. The MDM administrator can set the grace period – a number of minutes during which the user can unlock the iPad without a passcode.
133133
- **Unsupported scenarios:** Some Intune scenarios are not supported on Shared iPads, namely, app-based and device-based Conditional Access, app protection policies and compliance policies.
134134
- **Wallpaper is not supported:** Setting a wallpaper image is currently not supported on Shared iPad. For more information on wallpaper, see [iOS/iPadOS Device Features](../configuration/ios-device-features-settings.md#wallpaper).
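Review bot: the corrected sentence "Available apps are not supported on Shared iPad" now matches the bullet's bold lead, good catch. While this list is being touched, the preceding bullet on disabled settings has a dangling fragment, "For more information on what settings and apps are disabled on Shared iPads. For more information, see ...", which should be folded into one sentence. The changed bullet also alternates between "Shared iPad" and "Shared iPads"; the rest of the list uses the plural.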

memdocs/intune/fundamentals/role-based-access-control.md

Lines changed: 7 additions & 4 deletions
@@ -41,7 +41,7 @@ For advice and suggestions about Intune RBAC, you can check out this series of f
4141
## Roles
4242
A role defines the set of permissions granted to users assigned to that role.
4343
You can use both the built-in and custom roles. Built-in roles cover some common Intune scenarios. You can [create your own custom roles](create-custom-role.md) with the exact set of permissions you need. Several Azure Active Directory roles have permissions to Intune.
44-
To see a role, choose **Intune** > **Tenant administration** > **Roles** > **All roles** > choose a role. You'll can manage the role on the following pages:
44+
To see a role, choose **Endpoint Manager** > **Tenant administration** > **Roles** > **All roles** > choose a role. You can manage the role on the following pages:
4545

4646
- **Properties**: The name, description, permissions, and scope tags for the role.
4747
- **Assignments**: A list of [role assignments](assign-role.md) defining which users have access to which users/devices. A role can have multiple assignments, and a user can be in multiple assignments.
@@ -54,11 +54,14 @@ You can assign built-in roles to groups without further configuration. You can't
5454

5555
- **Application Manager**: Manages mobile and managed applications, can read device information and can view device configuration profiles.
5656
- **Endpoint Security Manager**: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint.
57-
- **Help Desk Operator**: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
58-
- **Intune Role Administrator**: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
59-
- **Policy and Profile Manager**: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
6057
- **Read Only Operator**: Views user, device, enrollment, configuration, and application information. Can't make changes to Intune.
6158
- **School Administrator**: Manages Windows 10 devices in [Intune for Education](introduction-intune-education.md).
59+
- **Policy and Profile Manager**: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines.
60+
- **Help Desk Operator**: Performs remote tasks on users and devices, and can assign applications or policies to users or devices.
61+
- **Intune Role Administrator**: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators.
62+
- **Cloud PC Administrator**: A Cloud PC Administrator has read and write access to all Cloud PC features located within the Cloud PC blade.
63+
- **Cloud PC Reader**: A Cloud PC Reader has read access to all Cloud PC features located within the Cloud PC blade.
64+
6265

6366
### Custom roles
6467
You can create your own roles with custom permissions. For more information about custom roles, see [Create a custom role](create-custom-role.md).
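Review bot: the reorder breaks the alphabetical ordering the list had; "Policy and Profile Manager", "Help Desk Operator" and "Intune Role Administrator" now follow "School Administrator" with no apparent grouping. If the intent is to put the two Cloud PC roles last, keep the remaining entries alphabetical. The new Cloud PC entries also repeat the role name ("A Cloud PC Administrator has read and write access...") where every other entry starts with the verb; "Has read and write access to all Cloud PC features in the Cloud PC blade" would match the list's style.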

memdocs/intune/protect/compliance-custom-script.md

Lines changed: 7 additions & 4 deletions
@@ -35,7 +35,7 @@ The discovery script:
3535

3636
- Is added to Intune before you create a compliance policy. After it's added, it will be available to select when you create a compliance policy with custom settings.
3737
- Runs on a device that receives the compliance policy. The script evaluates the conditions of the JSON file you upload to the same policy.
38-
- Identifies one or more settings, as defined in the JSON, and returns a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
38+
- Identifies one or more settings, as defined in the JSON, and returns a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
3939
- Must be compressed to output results in one line. For example: `$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}`
4040
- Must include the following line at the end of the script: `return $hash | ConvertTo-Json -Compress`
4141
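Review bot: the `-`/`+` pair for the "Identifies one or more settings" bullet is textually identical, so this is a whitespace-only change; fine to keep but worth knowing it is noise in blame. The following bullet, unchanged here, is misleading: "Must be compressed to output results in one line" is illustrated with a hashtable literal, but the single-line output actually comes from `ConvertTo-Json -Compress` in the next bullet. Merging the two bullets would make the requirement clear.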

@@ -44,14 +44,17 @@ The discovery script:
4444
The following is a sample PowerShell script.
4545

4646
```powershell
47-
$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}
47+
$WMI_ComputerSystem = Get-WMIObject -class Win32_ComputerSystem
48+
$WMI_BIOS = Get-WMIObject -class Win32_BIOS
49+
$TPM = Get-Tpm
50+
51+
$hash = @{ ModelName = $WMI_ComputerSystem.Model; BiosVersion = $WMI_BIOS.SMBIOSBIOSVersion; TPMChipPresent = $TPM.TPMPresent}
4852
return $hash | ConvertTo-Json -Compress
4953
```
5054

5155
The following is the output of the sample script:
5256

5357
```
54-
PS C:\Users\apervaiz\Documents> .\sample.ps1
5558
{"ModelName": "Dell","BiosVersion": 1.24,"TPMChipPresent": true}
5659
```
5760
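Review bot: the sample output is now inconsistent with the script. `$WMI_BIOS.SMBIOSBIOSVersion` is a string, so the JSON would be `"BiosVersion":"1.24"` (or whatever the host reports), not the bare number `1.24` shown, and `-Compress` emits no spaces after colons or commas. That matters for readers building the companion JSON rules, because the value type in the output has to match the rule's data type. Two smaller points: `Get-WMIObject` is not available in PowerShell 7, so `Get-CimInstance -ClassName Win32_BIOS` is the safer call, and `Get-Tpm` needs an elevated session, so the page should say which context the discovery script runs in. Dropping the `PS C:\Users\apervaiz\Documents>` prompt with a real username is a good change.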

@@ -72,4 +75,4 @@ PS C:\Users\apervaiz\Documents> .\sample.ps1
7275

7376
- [Use custom compliance settings](../protect/compliance-use-custom-settings.md)
7477
- [Create a JSON for custom compliance](../protect/compliance-custom-json.md)
75-
- [Create a compliance policy](../protect/create-compliance-policy.md)
78+
- [Create a compliance policy](../protect/create-compliance-policy.md)
