Commit 1719b93

Angela Fleischmann
authored
Merge pull request #8411 from MandiOhlinger/13949975
13949975: 2209 release
2 parents a4141c0 + 4b7f82a commit 1719b93

8 files changed

Lines changed: 26 additions & 23 deletions

memdocs/intune/configuration/settings-catalog.md

Lines changed: 21 additions & 13 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 08/15/2022
10+
ms.date: 09/20/2022
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: configuration
@@ -79,11 +79,11 @@ For information on some features you can configure using the settings catalog, g
7979

8080
For example, select **Windows 10 and later**, then select **Authentication** to see all the settings in this category:
8181

82-
:::image type="content" source="./media/settings-catalog/settings-picker-authentication.png" alt-text="In Settings Catalog, select Windows and select Authentication in Microsoft Intune and Endpoint Manager admin center.":::
82+
:::image type="content" source="./media/settings-catalog/settings-picker-authentication.png" alt-text="Screenshot that shows the Settings Catalog when you select Windows and Authentication in Microsoft Intune and Endpoint Manager admin center.":::
8383

8484
For example, select **macOS**. The **Microsoft Edge - All** category lists all the settings you can configure, including any new settings. The other categories include settings that are obsolete, or settings that apply to older versions:
8585

86-
:::image type="content" source="./media/settings-catalog/macos-settings-picker-edge-all.png" alt-text="In Settings Catalog, select macOS, and select a feature or category in Microsoft Intune and Endpoint Manager admin center.":::
86+
:::image type="content" source="./media/settings-catalog/macos-settings-picker-edge-all.png" alt-text="Screenshot that shows the Settings Catalog when you select macOS and select a feature or category in Microsoft Intune and Endpoint Manager admin center.":::
8787

8888
> [!TIP]
8989
>
@@ -93,11 +93,11 @@ For information on some features you can configure using the settings catalog, g
9393
9494
8. Select any setting you want to configure. Or, choose **Select all these settings**:
9595

96-
:::image type="content" source="./media/settings-catalog/settings-picker-select-all-settings.png" alt-text="In Settings Catalog, select all these settings in Microsoft Intune and Endpoint Manager admin center.":::
96+
:::image type="content" source="./media/settings-catalog/settings-picker-select-all-settings.png" alt-text="Screenshot that shows the settings when you select all these settings in Microsoft Intune and Endpoint Manager admin center.":::
9797

9898
After you add your settings, close the settings picker. All the settings are shown, and configured with a default value, such as **Block** or **Allow**. These defaults values are the same default values in the OS. If you don't want to configure a setting, then select the minus:
9999

100-
:::image type="content" source="./media/settings-catalog/default-setting-value-minus-not-configured.png" alt-text="In Settings Catalog, the default value in Microsoft Intune and Endpoint Manager admin center is the same as the OS default value.":::
100+
:::image type="content" source="./media/settings-catalog/default-setting-value-minus-not-configured.png" alt-text="Screenshot that shows the Settings Catalog and that the default values in Microsoft Intune and Endpoint Manager admin center are the same as the OS default values.":::
101101

102102
When you select the minus (`-`):
103103

@@ -129,15 +129,21 @@ There are thousands of settings available in the settings catalog. To make it ea
129129

130130
For example, search for `internet explorer`. All the settings with `internet explorer` are shown. Select a category to see the available settings:
131131

132-
:::image type="content" source="./media/settings-catalog/search-internet-explorer.png" alt-text="In Settings Catalog, search for Internet Explorer to see all the settings in Microsoft Intune and Endpoint Manager admin center.":::
132+
:::image type="content" source="./media/settings-catalog/search-internet-explorer.png" alt-text="Screenshot that shows the Settings Catalog when you search for Internet Explorer to see all the IE settings in Microsoft Intune and Endpoint Manager admin center.":::
133133

134-
- In your policy, use **Add settings** > **Add filter**. Select the key, operator, and value. In **value**, you can filter to only show the settings that apply to Holographic for Business, Windows Enterprise, and other editions:
134+
- In your policy, use **Add settings** > **Add filter**. Select the key, operator, and value.
135135

136-
:::image type="content" source="./media/settings-catalog/settings-picker-filter-edition.png" alt-text="In Settings Catalog, filter the settings list by Windows edition in Microsoft Intune and Endpoint Manager admin center.":::
136+
When you **filter on OS Edition**, you can filter the settings that apply to specific Windows editions:
137+
138+
:::image type="content" source="./media/settings-catalog/settings-picker-filter-edition.png" alt-text="Screenshot that shows the Settings Catalog when you filter the settings list by Windows edition in Microsoft Intune and Endpoint Manager admin center.":::
137139

138140
> [!NOTE]
139141
> For the Edge, Office, and OneDrive settings, the OS version or edition doesn't determine if the settings apply. So, if you filter to a specific edition, like Windows Professional, then the Edge, Office, and OneDrive settings aren't shown.
140142
143+
You can also **filter the settings by device or user scope**. For more information on user scope and device scope, go to [Device scope vs. user scope settings](#device-scope-vs-user-scope-settings) (in this article):
144+
145+
:::image type="content" source="./media/settings-catalog/settings-picker-filter-scope.png" alt-text="Screenshot that shows the user and device scope filter in the settings catalog in Microsoft Intune and Endpoint Manager admin center.":::
146+
141147
## Copy a profile
142148

143149
Select **Duplicate** to create a copy of an existing profile. Duplicating is useful when you need a profile that's similar yet distinct from the original one. The copy contains the same setting configurations and scope tags as the original profile, but doesn't have assignments attached to it. After you give the new profile a name, you can edit the profile to adjust the settings and add assignments.
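Review bot: The link added at new line 143 targets `#device-scope-vs-user-scope-settings`, and this same commit inserts a `### Scope assignment behavior` heading into the scope part of the article, so please confirm the anchor still resolves to an existing heading after the build. Separately, the rewritten bullet at new line 134 drops the edition examples (Holographic for Business, Windows Enterprise), while the unchanged NOTE below still refers to filtering to "a specific edition, like Windows Professional"; keeping one example in the new "filter on OS Edition" sentence would keep the two consistent.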
@@ -154,15 +160,15 @@ You create the policy, and assign it to your groups. In the Endpoint Manager adm
154160

155161
1. In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Device configuration profiles**. In the list, select the policy you created using the Settings Catalog. The **Profile type** column shows **Settings Catalog**:
156162

157-
:::image type="content" source="./media/settings-catalog/profile-type-shows-settings-catalog.png" alt-text="In Microsoft Intune and Endpoint Manager admin center, the profile type shows Settings Catalog.":::
163+
:::image type="content" source="./media/settings-catalog/profile-type-shows-settings-catalog.png" alt-text="Screenshot that shows how to open the settings catalog in Microsoft Intune and Endpoint Manager admin center.":::
158164

159165
2. When you select the policy, the device status shows. It shows a summary of your policy state and the policy properties. You can also change or update your policy in the **Configuration settings** section:
160166

161-
:::image type="content" source="./media/settings-catalog/settings-catalog-policy-device-status-report.png" alt-text="Select the settings catalog policy to see the device status, policy state, and properties in Microsoft Intune and Endpoint Manager admin center.":::
167+
:::image type="content" source="./media/settings-catalog/settings-catalog-policy-device-status-report.png" alt-text="Screenshot that shows how to select the settings catalog policy to see the device status, policy state, and properties in Microsoft Intune and Endpoint Manager admin center.":::
162168

163169
3. Select **View report**. The report shows detailed information, including the device name, the policy status, and more. You can also filter on the deployment status, and **Export** the report to a `.csv` file:
164170

165-
:::image type="content" source="./media/settings-catalog/settings-catalog-policy-view-report.png" alt-text="See detailed report information in Microsoft Intune and Endpoint Manager admin center, including device name, policy status, and more.":::
171+
:::image type="content" source="./media/settings-catalog/settings-catalog-policy-view-report.png" alt-text="Screenshot that shows how to see detailed report information in Microsoft Intune and Endpoint Manager admin center, including device name, policy status, and more." lightbox="./media/settings-catalog/settings-catalog-policy-view-report.png":::
166172

167173
4. You can also look at the states of each setting using the **per-setting status**. This status shows the total number of devices affected by each setting in the policy.
168174

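Review bot: The new alt text at line 163 no longer matches the image it describes. Step 1 says the **Profile type** column shows **Settings Catalog** and the file is `profile-type-shows-settings-catalog.png`, but the alt text now reads "Screenshot that shows how to open the settings catalog". Suggest something like "Screenshot that shows the profile type column set to Settings Catalog in Microsoft Intune and Endpoint Manager admin center." Also, `lightbox` is added only to the view-report image at line 171; if the device status report image at line 167 is similarly dense, it would benefit from the same attribute.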
@@ -190,9 +196,9 @@ Conflicts happen when the same setting is updated to different values. Conflicts
190196

191197
When you create the policy, you have two policy types: **Settings catalog** and **Templates**:
192198

193-
:::image type="content" source="./media/settings-catalog/select-windows-policy-type.png" alt-text="When you create a Windows or macOS policy, select settings catalog or templates in Microsoft Intune and Endpoint Manager admin center.":::
199+
:::image type="content" source="./media/settings-catalog/select-windows-policy-type.png" alt-text="Screenshot that shows when you create a Windows or macOS policy, select settings catalog or templates in Microsoft Intune and Endpoint Manager admin center.":::
194200

195-
The **Templates** include a logical group of settings, such as device restrictions, kiosk, and more. Use this option if you want to use these groupings to configure your settings.
201+
The **Templates** include a logical group of settings, such as kiosk, VPN, Wi-Fi, and more. Use this option if you want to use these groupings to configure your settings.
196202

197203
The **Settings catalog** lists all the available settings. If you want to see all the available Firewall settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for specific settings.
198204

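Review bot: The alt text at new line 199 does not parse as a sentence: "Screenshot that shows when you create a Windows or macOS policy, select settings catalog or templates". Suggest "Screenshot that shows the settings catalog and templates policy types when you create a Windows or macOS policy in Microsoft Intune and Endpoint Manager admin center."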
@@ -204,6 +210,8 @@ For more information on user scope and device scope, see the [Policy CSP](/windo
204210

205211
Device and user groups are used when you assign your policies. Device and user scopes describe how a policy is enforced.
206212

213+
### Scope assignment behavior
214+
207215
When deploying policy from Intune, you can assign user scope or device scope to any type of target group. Behavior of the policy per user depends on the scope of the setting:
208216

209217
- User scoped policy writes to `HKEY_CURRENT_USER (HKCU)`.

memdocs/intune/protect/certificates-profile-scep.md

Lines changed: 2 additions & 2 deletions
@@ -131,7 +131,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio
131131
- **CN={{UserName}}**: The user name of the user, such as janedoe.
132132
- **CN={{UserPrincipalName}}**: The user principal name of the user, such as [email protected].
133133
- **CN={{AAD_Device_ID}}**: An ID assigned when you register a device in Azure Active Directory (AD). This ID is typically used to authenticate with Azure AD.
134-
- **CN={{DeviceId}}**: An ID assigned when you enroll a device in Intune. *(not supported on Android Enterprise for Fully Managed, Dedicated, and Corporate-Owned Work Profile)*
134+
- **CN={{DeviceId}}**: An ID assigned when you enroll a device in Intune.
135135
- **CN={{SERIALNUMBER}}**: The unique serial number (SN) typically used by the manufacturer to identify a device.
136136
- **CN={{IMEINumber}}**: The International Mobile Equipment Identity (IMEI) unique number used to identify a mobile phone.
137137
- **CN={{OnPrem_Distinguished_Name}}**: A sequence of relative distinguished names separated by comma, such as *CN=Jane Doe,OU=UserAccounts,DC=corp,DC=contoso,DC=com*.
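Review bot: Line 134 removes the "not supported on Android Enterprise for Fully Managed, Dedicated, and Corporate-Owned Work Profile" caveat from `CN={{DeviceId}}` with no replacement text, and the commit message says only "2209 release". Because this variable ends up in the certificate subject, please confirm that support on those enrollment types ships with this release, and consider noting the release in which it was added so readers can tell when the restriction stopped applying.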
@@ -157,7 +157,7 @@ Devices that run Android Enterprise might require a PIN before SCEP can provisio
157157
Format options for the Subject name format include the following variables:
158158

159159
- **{{AAD_Device_ID}}** or **{{AzureADDeviceId}}** - Either variable can be used to identify a device by its Azure AD ID.
160-
- **{{DeviceId}}** - The Intune device ID *(not supported on Android Enterprise for Fully Managed, Dedicated, and Corporate-Owned Work Profile)*
160+
- **{{DeviceId}}** - The Intune device ID
161161
- **{{Device_Serial}}**
162162
- **{{Device_IMEI}}**
163163
- **{{SerialNumber}}**
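Review bot: This file's `ms.date` is not bumped. The file header shows 2 additions and 2 deletions, both of them the `{{DeviceId}}` lines, while settings-catalog.md and security-config-mgt-prerequisites.md in this commit update theirs. Removing a supportability caveat is a content change, so the front matter date should be updated here too.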

memdocs/intune/protect/includes/security-config-mgt-prerequisites.md

Lines changed: 2 additions & 7 deletions
@@ -4,7 +4,7 @@ description: include file
44
author: brenduns
55
ms.service: microsoft-intune
66
ms.author: brenduns
7-
ms.date: 05/12/2022
7+
ms.date: 09/12/2022
88
ms.topic: include
99
---
1010
## Prerequisites
@@ -123,13 +123,8 @@ To support Microsoft Defender for Endpoint security configuration management thr
123123
> [!TIP]
124124
> Use pilot mode and the proper device tags to test and validate your rollout on a small number of devices. Without using pilot mode, any device that falls into the scope configured will automatically be enrolled.
125125
126-
1. Make sure the relevant users have permissions to manage endpoint security settings in Microsoft Endpoint Manager or grant those permissions by configuring a role in the Microsoft 365 Defender portal. Go to **Settings** > **Roles** > **Add item**:
127-
:::image type="content" source="../media/mde-security-integration/add-role-in-mde.png" alt-text="Create a new role in the Defender portal.":::
128-
> [!TIP]
129-
> You can modify existing roles and add the necessary permissions versus creating additional roles in Microsoft Defender for Endpoint
130-
1. When configuring the role, add users and be sure to select **Manage endpoint security settings in Microsoft Endpoint Manager**:
126+
1. Make sure the relevant users have permissions to manage endpoint security settings in Microsoft Endpoint Manager. If not already provided, request for your IT administrator to grant applicable users the Microsoft Endpoint Manager’s **Endpoint Security Manager** [built-in RBAC role](/mem/intune/fundamentals/role-based-access-control).
131127

132-
:::image type="content" source="../media/mde-security-integration/add-role.png" alt-text="Grant users permissions to manage settings.":::
133128
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
134129
1. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and set **Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations** to **On**.
135130

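Review bot: The replacement step at line 126 swaps a single named permission for a whole role: the removed steps had the admin select **Manage endpoint security settings in Microsoft Endpoint Manager**, while the new text asks for the **Endpoint Security Manager** built-in RBAC role. If a narrower custom role is sufficient for this scenario, say so here for tenants that assign least privilege. On wording, "request for your IT administrator to grant" reads better as "ask your IT administrator to grant", and "Manager’s" contains a curly apostrophe that should be a straight one.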
Binary file not shown.
-65.3 KB
Binary file not shown.

windows-365/enterprise/health-checks.md

Lines changed: 1 addition & 1 deletion
@@ -64,7 +64,7 @@ Every failed ANC or success with warning error state includes the technical deta
6464
- **First party app permissions exist on Azure virtual network**: Sufficient permissions exist on the Azure vNet.
6565
- **Environment and configuration is ready**: Underlying infrastructure is ready for provisioning to succeed.
6666
- **Intune enrollment restrictions allow Windows enrollment**: Verify that Intune enrollment restrictions are configured to allow Windows enrollment.
67-
- **Localization language package readiness**: Verify that the operating system and Microsoft 365 language packages can install. Also verify that the localization package download link is reachable.
67+
- **Localization language package readiness**: Verify that the operating system and Microsoft 365 language packages are reachable. Also verify that the localization package download link is reachable.
6868

6969
<!-- ########################## -->
7070
## Next steps
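Review bot: After the edit at line 67 the bullet says "reachable" twice ("language packages are reachable. Also verify that the localization package download link is reachable") and no longer says whether the check covers installation. If the check only tests reachability, merge the two sentences into one; if it still validates that the packages can install, keep that wording so the description matches what a failure means.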
