Merge pull request #7997 from MicrosoftDocs/main

merge main to live Wednesday 10:30

Author: jborsecnik

memdocs/autopilot/existing-devices.md

@@ -258,7 +258,7 @@ After you save the file, move it to a location for a Microsoft Endpoint Configur
     - _Limiting collection_: **All Systems**
 
       > [!NOTE]
-      > You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the Configuration Manaber client in the collection that you select.
+      > You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the Configuration Manager client in the collection that you select.
 
 1. On the **Membership Rules** page, select **Add Rule**. Specify either a direct or query-based collection rule to add the target Windows 8.1 devices to the new collection.
 

memdocs/autopilot/oem-registration.md

@@ -1,13 +1,8 @@
 ---
 title: Windows Autopilot OEM registration process
 description: How OEMs add devices to Windows Autopilot
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
 ms.prod: w10
-ms.mktglfcycl: deploy
 ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
 author: aczechowski
 ms.author: aaroncz
 ms.reviewer: jubaptis
@@ -36,6 +31,10 @@ When you purchase devices from an OEM, that OEM can automatically register the d
 
 OEMs must follow [device guidelines](autopilot-device-guidelines.md) for Windows Autopilot devices.
 
+### Service data
+
+Windows Autopilot is managed and maintained by Microsoft. This service provides the backend database that associates hardware hashes with customer tenants. When an OEM registers devices for a customer, they are writing that data to this database and not directly to the customer's tenant. No permissions to the customer's tenant are granted or required for OEMs to register devices on the customer's behalf.
+
 ### Customer consent
 
 Before an OEM can register devices for an organization, the organization must grant the OEM permission to do so. The OEM begins this process with approval granted by an Azure AD global administrator from your organization. For more information see [OEM authorization](registration-auth.md#oem-authorization).

memdocs/configmgr/core/servers/manage/updates.md

@@ -59,7 +59,6 @@ The following supported versions of Configuration Manager are currently availabl
 | [**2111**](../../plan-design/changes/whats-new-in-version-2111.md)<br /> (5.00.9068) | December 1, 2021 | June 1, 2023 | No | Yes |
 | [**2107**](../../plan-design/changes/whats-new-in-version-2107.md)<br /> (5.00.9058) | August 2, 2021 | February 2, 2023 | No | Yes |
 | [**2103**](../../plan-design/changes/whats-new-in-version-2103.md)<br /> (5.00.9049) | April 5, 2021 | October 5, 2022 | Yes<sup>[Note 1](#bkmk_note1)</sup> | Yes |
-| [**2010**](../../plan-design/changes/whats-new-in-version-2010.md)<br /> (5.00.9040) | November 30, 2020 | May 30, 2022 | No | Yes |
 
 
 > [!NOTE]
@@ -84,6 +83,7 @@ The following table lists historical versions of Configuration Manager current b
 
 | Version                          | Availability date | Support end date   | Baseline | In-console update |
 |----------------------------------|-------------------|--------------------|----------|-------------------|
+| **2010** <br /> (5.00.9040)      | November 30, 2020     | May 30, 2022    | No      | Yes               |
 | **2006** <br /> (5.00.9012)      | August 11, 2020     | February 11, 2022    | No      | Yes               |
 | **2002** <br /> (5.00.8968)      | April 1, 2020     | October 1, 2021    | Yes      | Yes               |
 | **1910** <br /> (5.00.8913)      | November 29, 2019 | May 29, 2021       | No       | Yes               |

memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md

@@ -32,7 +32,7 @@ Microsoft Defender for Endpoint's cloud-based portal is [Microsoft Defender Secu
 You can onboard the following operating systems:
 
 - Windows 8.1
-- Windows 10, version 1607 or later
+- Windows 10, version  1709 or later
 - Windows 11
 - Windows Server 2012 R2
 - Windows Server 2016

memdocs/configmgr/sum/deploy-use/third-party-software-updates.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 06/21/2022
+ms.date: 07/12/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -515,7 +515,13 @@ End of comment -->
   - **Wi-Fi only**: Updates are installed only when the device is connected to a Wi-Fi network.
   - **Always**: Updates are installed when they're available.
 
-- **Allow access to all apps in Google Play store**: When set to **Allow**, users get access to all apps in Google Play store. They can't access [client apps](../apps/apps-add-android-for-work.md) that aren't assigned to them. For more information on excluding users and groups from specific apps, see [Include and exclude app assignments](../apps/apps-inc-exl-assignments.md).
+- **Allow access to all apps in Google Play store**: When set to **Allow**:
+
+  - Users get access to all apps in the Google Play store.
+  - Users can't use apps that are explicitly targeted with uninstall.
+  - Users can't use apps that are added to a blocklist on the personal profile of corporate-owned devices with a work profile. 
+
+  For more information on excluding users and groups from specific apps, see [Include and exclude app assignments](../apps/apps-inc-exl-assignments.md).
 
   When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might:
 

memdocs/intune/configuration/device-restrictions-android-for-work.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 07/11/2022
+ms.date: 07/12/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -51,7 +51,7 @@ Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.co
 ### Step 1. Grant Microsoft permission to send user and device information to Apple
 Select **I agree.** to give Microsoft permission to send data to Apple.
 
-![The Configure MDM Push Certificate screen with MDM Push not set up.](./media/apple-mdm-push-certificate-get/create-mdm-push-certificate.png)
+:::image type="content" source="./media/apple-mdm-push-certificate-get/create-mdm-push-certificate.png" alt-text="Screenshof of the Configure MDM Push Certificate screen with MDM Push not set up.":::
 
 ### Step 2. Download the Intune certificate signing request required to create an Apple MDM push certificate
 Select **Download your CSR** to download and save the request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.

memdocs/intune/enrollment/apple-mdm-push-certificate-get.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 05/10/2022
+ms.date: 07/12/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -59,7 +59,18 @@ These Azure AD roles can manage device enrollment managers:
 * Global Administrator 
 * Intune Service Administrator role in Azure AD    
 
-They can add and delete device enrollment managers, and view all DEM users in the Microsoft Endpoint Manager admin center.  
+People assigned these roles can add and delete device enrollment managers, and view all DEM users in the Microsoft Endpoint Manager admin center.  
+
+## Add a device enrollment manager
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Enroll devices**.
+3. Select **Device enrollment managers**.  
+4. Select **Add**.
+3. In the **User name** field, enter the user principal name of the user you're adding.
+6. Select **Add**. The new device enrollment manager is added to the list of DEM users. 
+
+To remove someone as a device enrollment manager, select their name in the list and then choose **Delete**.  
 
 ## Limitations 
 
@@ -97,20 +108,4 @@ Only the local device appears in the Company Portal app or Company Portal websit
 ### Number of accounts  
 There's a limit of 150 DEM accounts in Microsoft Intune.  
 
-## Add a device enrollment manager
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Enroll devices** > **Device enrollment managers**.
-
-2. Select **Add**.
-
-3. On the **Add User** blade, enter a user principal name for the DEM user, and select **Add**. The DEM user is added to the list of DEM users.
-
-
-## Remove device enrollment manager permissions
-
-Removing a device enrollment manager doesn't affect enrolled devices.
-
-### To remove a device enrollment manager
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Enroll devices** > **Device enrollment managers**.
-2. On the **Device enrollment managers** blade, select the DEM user, and select **Delete**.  

memdocs/intune/enrollment/device-enrollment-manager-enroll.md

@@ -33,65 +33,51 @@ ms.collection: M365-identity-device-management
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-To make managing devices easier, you can use Microsoft Intune device categories to automatically add devices to groups based on categories that you define.
+Device categories allow you to easily manage and group devices in Microsoft Intune. Create a category, such as *sales* or *accounting*, and Intune automatically add all devices that fall within that category to the corresponding device group in Intune.    
 
-Device categories use the following workflow:
-1. Create categories that users can choose from when they enroll their device.
-2. When users of iOS/iPadOS and Android devices enroll a device, they must choose a category from the list of categories you configured. To assign a category to a Windows device, users must use the Company Portal website.
-3. You can then deploy policies and apps to these groups.
+To enable categories in your tenant, you must create a category in the Microsoft Endpoint Manager admin center and set up dynamic Azure Active Directory (Azure AD) security groups.  
+ 
+This article describes how to configure and edit device categories.   
 
-You can create any device categories you want. For example:
-- Point-of-sale device
-- Demonstration device
-- Sales
-- Accounting
-- Manager
+## Configure device categories
 
-## How to configure device categories
+You must be a Global Administrator or Intune Administrator to perform these steps.  
 
-You need to be a Global Administrator or Intune Administrator to perform these steps.
-
-### Step 1: Create device categories in Intune
+### Step 1: Create device category in Intune  
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Choose **Devices** > **Device categories** > **Create device category** to add a new category.
-3. On the **Create device category** pane, enter a **Name** for the new category, and an optional **Description**.
-4. When you are done, select **Create**. You can see the new category in the list of categories.
-
-You'll use the device category name when you create Azure Active Directory (Azure AD) security groups in step 2.
-
-### Step 2: Create Azure Active Directory security groups
-In this step, you'll create dynamic groups in the Azure portal, based on the device category and device category name.
-
-To continue, refer to [Using attributes to create advanced rules](/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-attributes-to-create-rules-for-device-objects) in the Azure AD documentation.
-
-Use the information in this section to create a device group with an advanced rule, by using the **deviceCategory** attribute. For example: **device.deviceCategory -eq** "*the device category name you got from the Azure portal*".
+2. Choose **Devices** > **Device categories**.
+3. Select **Create device category** to add a new category.
+4. Enter the name of the new category, such as `HR` and an optional description.
+5. Select **Next**.  
+6. Optionally, assign a scope tag, like `US-NC IT Team` or `JohnGlenn_ITDepartment`, to limit management of the category to specific IT groups. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](../fundamentals/scope-tags.md).  
+7. Select **Next**.  
+8. Select **Create**. The new category is added to your **Device categories** list.   
 
-After you configure device groups, and users enroll their device, they are presented with a list of the categories you configured. After they choose a category and finish enrollment, their device is added to the Active Directory security group that corresponds with the category they chose.
+You'll use the device category name when you create Azure Active Directory (Azure AD) security groups in the next step.  
 
-### View the categories of devices that you manage
+### Step 2: Create Azure AD security groups 
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **All devices**.
+To enable automatic grouping, you must create a dynamic group using attribute-based rules in Azure AD. For instructions, see [Using attributes to create advanced rules](/azure/active-directory/users-groups-roles/groups-dynamic-membership#using-attributes-to-create-rules-for-device-objects) in the Azure AD documentation. Create an advanced rule for your group using the **deviceCategory** attribute and the category name you created in [Step 1](device-group-mapping.md#step-1-create-device category-in-Intune) of this article. 
 
-2. In the list of devices, examine the **Device category** column.
+For example, to create a rule that automatically groups devices belonging in the HR category, use the following rule syntax: `device.deviceCategory -eq "HR"`    
 
-If the **Device category** column isn't shown, select **Columns** > **Category** > **Apply**.
+### View categories of all devices 
+ Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices** > **All devices** for a list of all devices. The **Device category** column shows the category assigned to each device. 
+ 
+ If the **Device category** column isn't visible in the table, select **Columns**  and then choose **Category** > **Apply**.  
 
-### Change the category of a device
+When you delete a category, devices assigned to it appear as **Unassigned**.  
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **All devices** > choose the device you want > **Properties**.
-2. On the next blade, you can change the **Device category** of the selected device to any of the category names you previously configured.
+### Change the category of a device  
+If you edit a category, be sure to update any Azure AD security groups that reference the category in their rules.  
 
-## After you configure device groups
-
-When users of iOS/iPadOS and Android devices enroll their device, they must choose a category from the list of categories you configured. After they choose a category and finish enrollment, their device is added to the Intune device group, or the Active Directory security group that corresponds with the category they chose.
-
-Windows users should use the Company Portal website or the Company Portal app to select a category.
-
-Regardless of platform, your users can always go to portal.manage.microsoft.com after enrolling the device. Have the user access the Company Portal website, and go to **My Devices**. The user can choose an enrolled device listed on the page, and then select a category.
-
-After choosing a category, the device is automatically added to the corresponding group you created. If a device is already enrolled before you configure categories, the user sees a notification about the device on the Company Portal website. This lets the user know to select a category the next time they access the Company Portal app on iOS/iPadOS or Android.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **All devices**.
+3. Select a device.
+4. On the device details page, select **Properties**.  
+5. Change your selection in the **Device category** field.  
 
-## Further information
-- You can edit a device category in the Azure portal, but you must manually update any Azure AD security groups that reference this category.
+## Best practices  
+Device categories are supported on devices running Android, iOS/iPadOS, or Windows. People with Windows devices must use the Company Portal website to select their category. Regardless of platform, any device user can sign in to portal.manage.microsoft.com at anytime and go to **My devices** to select a category. 
 
-- If you delete a category, devices assigned to it display the category name **Unassigned**.
+If an iOS/iPadOS or Android device is already enrolled before you configure categories, the user will receive a notification about the device on the Company Portal website. The notification informs them that they need to select a category the next time they're in the Company Portal app.    

memdocs/intune/enrollment/device-group-mapping.md

@@ -1,9 +1,9 @@
 ---
 # required metadata
 
-title: Incomplete user enrollments report in Intune
+title: Incomplete user enrollments report overview  
 titleSuffix: Microsoft Intune
-description: Learn about the Incomplete user enrollments report.
+description: Learn about the incomplete user enrollments report generated by Microsoft Intune.   
 keywords:
 author: Lenewsad
 ms.author: lanewsad
@@ -33,7 +33,7 @@ ms.collection: M365-identity-device-management
 
 This report tells you where in the Company Portal enrollment process users are not completing the enrollment process.
 
-To see the report, choose **Intune** > **Device enrollment** > **Incomplete user enrollments**.
+To see the report, sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Then select **Devices** > **Monitor* > **Incomplete user enrollments**.  
 
 Using this information, you can update your onboarding documents to help users complete enrollment. For example, if many users are quitting at the Terms of Use, you might investigate that area and make it more intuitive for users.
 
@@ -74,7 +74,7 @@ The line graph shows the daily incomplete enrollments for each of the four core
 
 ### User abandonment actions
 
-The following tables show the list of user actions that qualify as prompting an incomplete enrollment. To see examples of enrollment screens, you can watch the [iOS](https://channel9.msdn.com/Series/IntuneEnrollment/iOS-Enrollment) and [Android](https://channel9.msdn.com/Series/IntuneEnrollment/Android-Enrollment) enrollment videos. 
+The following tables list the user actions that indicate enrollment is incomplete.  
 
 
 #### Setup checklist section