MicrosoftDocs
diff --git a/‎memdocs/intune/fundamentals/whats-new.md‎
Lines changed: 14 additions & 0 deletions b/‎memdocs/intune/fundamentals/whats-new.md‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎memdocs/intune/protect/compliance-custom-json.md‎
Lines changed: 6 additions & 6 deletions b/‎memdocs/intune/protect/compliance-custom-json.md‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎memdocs/intune/protect/compliance-custom-script.md‎
Lines changed: 65 additions & 23 deletions b/‎memdocs/intune/protect/compliance-custom-script.md‎
Lines changed: 65 additions & 23 deletions
diff --git a/‎memdocs/intune/protect/compliance-policy-monitor.md‎
Lines changed: 19 additions & 8 deletions b/‎memdocs/intune/protect/compliance-policy-monitor.md‎
Lines changed: 19 additions & 8 deletions
@@ -76,6 +76,20 @@ For related information, see [Endpoint management documentation]( ../../index.ym
 
 Windows Company Portal now displays a grace period status to account for devices that don't meet compliance requirements but are still within their given grace period. Users are shown the date by which they need to become compliant and the instructions for how to become compliant. If users don't update their device by the given date, their device status changes to noncompliant. For more information about setting grace periods, see [Configure compliance policies with actions for noncompliance](../protect/actions-for-noncompliance.md#available-actions-for-noncompliance) and [Check access from Device details page](../user-help/check-device-access-windows-cpapp.md#check-access-from-device-details-page).
 
+#### Linux device management available in Microsoft Intune<!-- 14616038 -->
+
+Microsoft Intune now supports Linux device management for devices running Ubuntu Desktop 22.04 or 20.04 LTS. Intune admins don't need to do anything to enable Linux enrollment in the Microsoft Endpoint Manager admin center.  Linux users can [enroll supported Linux devices](../user-help/enroll-device-linux.md) on their own and use the Microsoft Edge browser to access corporate resources online.
+
+In the admin center, you can:
+
+- Enforce Conditional Access policies in Microsoft Edge.  
+- [Create a Linux device compliance policy](../protect/device-compliance-get-started.md#device-compliance-policies) with rules about:  
+  - Allowed distributions
+  - Custom compliance
+  - Device encryption
+  - Password policy
+- [Apply custom compliance settings](../protect/compliance-use-custom-settings.md) using POSIX-complaint shell scripts for discovery, and JSON files to define the custom settings you want to use.
+
 ## Week of October 03, 2022
 
 ### Device Security
 
@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 12/08/2021
+ms.date: 10/19/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -27,17 +27,17 @@ ms.custom: intune-azure
 ms.collection: M365-identity-device-management
 ---
 
-# Custom compliance JSON files
+# Custom compliance JSON files for Microsoft Intune
 
-To support [custom settings for compliance](../protect/compliance-use-custom-settings.md), you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines what a PowerShell discovery script will evaluate for compliance on the device.
+To support [custom settings for compliance](../protect/compliance-use-custom-settings.md) for Microsoft Intune, you create a JSON file that identifies the settings and value pairs that you want to use for custom compliance. The JSON defines what a discovery script will evaluate for compliance on the device.
 
-You’ll upload the JSON file when you create a compliance policy that includes custom compliance settings. 
+You’ll upload the JSON file when you create a compliance policy that includes custom compliance settings.
 
 A correctly formatted JSON file must include the following information:
 
 - **SettingName** - The name of the custom setting to use for base compliance.
-- **Operator** - Represents a specific action that is used to build a compliance rule. For options, see the following list of supported operators.
-- **DataType** - The type of data that you can use to build your compliance rule. For options, see the following list of supported DataTypes.
+- **Operator** - Represents a specific action that is used to build a compliance rule. For options, see the following list of *supported operators*.
+- **DataType** - The type of data that you can use to build your compliance rule. For options, see the following list of *supported DataTypes*.
 - **Operand** - Represent the values that the operator works on.
 - **MoreInfoURL** - A URL that’s shown to device users so they can learn more about the compliance requirement when their device is noncompliant for a setting. You can also use this to link to instructions to help users bring their device into compliance for this setting.
 - **RemediationStrings** - Information that gets displayed in the Company Portal when a device is noncompliant to a setting. This information is intended to help users understand the remediation options to bring a device to a compliant state.
 
@@ -1,13 +1,13 @@
 ---
 # required metadata
 
-title: Create a PowerShell script to use for discover of custom compliance settings in Microsoft Intune
-description: Create the PowerShell script that runs discovery on devices that receive device compliance policies for custom settings in Intune.
+title: Create a discovery script for custom compliance policy in Microsoft Intune
+description: Create scripts for Linux or Windows devices to discover the settings you define as custom compliance settings for Microsoft Intune.
 keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/16/2021
+ms.date: 10/19/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -27,21 +27,39 @@ ms.custom: intune-azure
 ms.collection: M365-identity-device-management
 ---
 
-# Custom PowerShell scripts for discovery
+# Custom compliance discovery scripts for Microsoft Intune
 
-Before you can use [custom settings for compliance](../protect/compliance-use-custom-settings.md) with Intune, you must define a PowerShell script for discovery of custom compliance settings on devices.
+Before you can use [custom settings for compliance](../protect/compliance-use-custom-settings.md) with Microsoft Intune, you must define a script for discovery of custom compliance settings on devices. The script you use depends on the platform:
 
-The discovery script:
+- Linux devices, use a POSIX-compliant shell script
+- Windows devices use a PowerShell script
 
-- Is added to Intune before you create a compliance policy. After it's added, it will be available to select when you create a compliance policy with custom settings.
-- Runs on a device that receives the compliance policy. The script evaluates the conditions of the JSON file you upload to the same policy.
-- Identifies one or more settings, as defined in the JSON, and returns a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
-- Must be compressed to output results in one line. For example: `$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}`
+The script deploys to devices as part of your custom compliance policies. When compliance runs, the script discovers the settings that are defined by the JSON file that you also provide through custom compliance policy.
+
+All discovery scripts:
+
+- Are added to Intune before you create a compliance policy. After being added, scripts are available to select when you create a compliance policy with custom settings.
+- Run on a device that receives the compliance policy. The script evaluates the conditions of the JSON file you upload when creating a custom compliance policy.
+- Identify one or more settings, as defined in the JSON, and return a list of discovered values for those settings. A single script can be assigned to each policy, and supports discovery of multiple settings.
+
+In addition, the PowerShell script for Windows:
+
+- Must be compressed to output results in a single line. For example: `$hash = @{ ModelName = "Dell"; BiosVersion = "1.24"; TPMChipPresent = $true}`
 - Must include the following line at the end of the script: `return $hash | ConvertTo-Json -Compress`
 
-## Sample discovery script
+## Limits
+
+The scripts you write must be within the following limits in order to successfully return compliance data to Intune:
+
+- Scripts can be no larger than 1 megabyte (MB) each.
+- Output generated by each script can be no larger than 1 MB.
+- Scripts must have a limited run time:  
+  - On Linux, scripts must take five minutes or less to run.
+  - On Windows, scripts must take 10 minutes or less to run.
 
-The following example is a sample PowerShell script.
+## Sample discovery script for Windows
+
+The following example is a sample PowerShell script that you would use for Windows devices:
 
 ```powershell
 $WMI_ComputerSystem = Get-WMIObject -class Win32_ComputerSystem
@@ -59,26 +77,50 @@ PS C:\Users\apervaiz\Documents> .\sample.ps1
 {"ModelName":  "Dell","BiosVersion":  1.24,"TPMChipPresent":  true}
 ```
 
+## Sample discovery script for Linux
+
+Discovery scripts for Linux must be POSIX-compliant shell scripts, such as Bash. However, the scripts can call more complex interpreters from inside the script, like Python. To successfully use other interpreters, they must be correctly installed and configured on the devices in advance of receiving the discovery script.  
+
+**About POSIX-compliant syntax**: Because the custom compliance script interpreter for Linux supports only a POSIX-compliant shell, it’s important to use POSIX-syntax.
+
+The following are examples of syntax that is compliant vs not compliant:
+
+- Compliant:
+
+  ```Shell
+  functionName() {
+    // scope of function with compliant syntax
+    }
+  ```
+
+   For example, `["$a = foo]` - Use of a single equal sign for a string comparison is POSIX-complaint.
+
+- Not compliant:
+
+  ```Shell
+  function functionName() {
+    // scope of function with non POSIX compliant syntax
+    }
+  ```
+
+   For example, `["$a == foo]` - Use of a double equal sign for a string comparison isn't POSIX-complaint.
+
+For more information, the following guide might be of use [POSIX Shell Tutorial (grymoire.com)](https://www.grymoire.com/Unix/Sh.html), a third-party website.
+
 ## Add a discovery script to Intune
 
-1. Sign into Microsoft Endpoint Manager admin center and go to  **Endpoint security** > **Device compliance** > **Scripts** > **Add** > **Windows 10 and later**.
+Before deploying your script in production, test it in an isolated environment to ensure the syntax you use behaves as expected.
+
+1. Sign into Microsoft Endpoint Manager admin center and go to  **Endpoint security** > **Device compliance** > **Scripts** > **Add** > *(choose your platform)*.
 2. On **Basics**, provide a *Name*.
 3. On **Settings**, add your script to *Detection script*. Review your script carefully. Intune doesn’t validate the script for syntax or programmatic errors.
-4. On **Settings**, configure the following behavior for the script:
+4. ***For Windows only*** - On **Settings**, configure the following behavior for the PowerShell script:
 
    - **Run this script using the logged on credentials** – By default, the script runs in the System context on the device. Set this value to Yes to have it run in the context of the logged-on user. If the user isn’t logged in, the script defaults back to the System context.
    - **Enforce script signature check** – For more information, see [about_Signing](/powershell/module/microsoft.powershell.core/about/about_signing?view=powershell-7.1&preserve-view=true) in the PowerShell documentation.
    - **Run script in 64 bit PowerShell Host** – By default, the script runs using the 32-bit PowerShell host. Set this value to *Yes* to force the script to run using the 64-bit host instead.
 
-5. Complete the script creation process. The script is now visible in the *Scripts* pane of the Microsoft Endpoint Manager admin center and will be available to select when configuring compliance policies.
-
-## Limits
-
-The scripts you write must be within these limits in order to successfully return compliance data to Intune:
-
-- Scripts can be no larger than 1 megabyte (MB) each.
-- Output generated by each script can be no larger than 1 MB.
-- Scripts must take 10 minutes or less to run.
+5. Complete the script creation process. The script is now visible in the *Scripts* pane of the Microsoft Endpoint Manager admin center and is available to select when configuring compliance policies.
 
 ## Next steps
 
 
@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 08/24/2022
+ms.date: 10/19/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -36,6 +36,16 @@ Compliance reports help you understand when devices fail to meet your [complianc
 - The compliance status for an individual policy
 - Drill down into individual devices to view specific settings and policies that affect the device
 
+This article applies to:
+
+- Android device administrator
+- Android (AOSP) (*preview*)
+- Android Enterprise
+- iOS/iPadOS
+- Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS
+- macOS
+- Windows 10 and later
+
 ## Open the compliance dashboard
 
 Open the **Intune Device compliance dashboard**:
@@ -72,11 +82,11 @@ Descriptions of the different device compliance policy states:
 
 - **Compliant**: The device successfully applied one or more device compliance policy settings.
 
-- **In-grace period:** The device is targeted with one or more device compliance policy settings. But, the user hasn't applied the policies yet. This status means the device is not-compliant, but it's in the grace period defined by the admin.
+- **In-grace period:** *(This status isn’t supported by Linux)* The device is targeted with one or more device compliance policy settings. But, the user hasn't applied the policies yet. This status means the device is not-compliant, but it's in the grace period defined by the admin.
 
   - Learn more about [Actions for noncompliant devices](actions-for-noncompliance.md).
 
-- **Not evaluated**: An initial state for newly enrolled devices. Other possible reasons for this state include:
+- **Not evaluated**: *(This status isn’t supported by Linux)* An initial state for newly enrolled devices. Other possible reasons for this state include:
 
   - Devices that aren't assigned a compliance policy and don't have a trigger to check for compliance
   - Devices that haven't checked in since the compliance policy was last updated
@@ -87,12 +97,13 @@ Descriptions of the different device compliance policy states:
 
 - **Not-compliant:** The device failed to apply one or more device compliance policy settings. Or, the user hasn't complied with the policies.
 
-- **Device not synced:** The device failed to report its device compliance policy status because one of the following reasons:
+- **Device not synced:** *(This status isn’t supported by Linux)* The device failed to report its device compliance policy status because one of the following reasons:
 
   - **Unknown**: The device is offline or failed to communicate with Intune or Azure AD for other reasons.
-
   - **Error**: The device failed to communicate with Intune and Azure AD, and received an error message with the reason.
 
+- **Checking status**: *(Applies only to Linux)* Intune is currently evaluating the devices compliance your organization’s policies.
+
 > [!IMPORTANT]
 > Devices that are enrolled into Intune, but not targeted by any device compliance policies are included in this report under the **Compliant** bucket.
 
@@ -103,12 +114,12 @@ When a setting for a compliance policy returns a value of **Error**, the complia
 ##### Examples:
 
 - A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. After three days, compliance evaluation completes successfully and the setting now reports **Not compliant**. The user can continue to use the device to access Conditional Access-protected resources within the first three days after the setting states changes to **Error**, but once the setting returns **Not compliant**, the device is marked **Not compliant** and this access is removed until the device becomes **Compliant** again.
- 
+
 - A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is able to continue to access Conditional Access protected resources without interruption.
 
-- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. The user is able to access Conditional Access protected resources for seven days, but after seven days, the compliance setting still returns **Error**. At this point, the device becomes Not compliant immediately and the user loses access to the protected resources until the device becomes **Compliant** – even if there's a grace period set for the applicable compliance policy.
+- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. The user is able to access Conditional Access protected resources for seven days, but after seven days, the compliance setting still returns **Error**. At this point, the device becomes Not compliant immediately and the user loses access to the protected resources until the device becomes **Compliant**, even if there's a grace period set for the applicable compliance policy.
 
--  A device is initially marked **Not compliant**, but then a setting in one of the compliance policies targeted to the device reports Error. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is prevented from accessing Conditional Access protected resources for the first three days (while the setting returns **Error**). Once the setting returns **Compliant** and the device is marked **Compliant**, the user can begin to access protected resources on the device.
+- A device is initially marked **Not compliant**, but then a setting in one of the compliance policies targeted to the device reports Error. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is prevented from accessing Conditional Access protected resources for the first three days (while the setting returns **Error**). Once the setting returns **Compliant** and the device is marked **Compliant**, the user can begin to access protected resources on the device.
 
 #### Drill down for more details