Merge pull request #6276 from MicrosoftDocs/main

12/2/2021 PM Publish

Author: Taojunshen

memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2107.md

@@ -433,19 +433,17 @@ For more information on changes to the Windows PowerShell cmdlets for Configurat
 
 Aside from new features, this release also includes other changes such as bug fixes. For more information, see [Summary of changes in Configuration Manager current branch, version 2107](../../../hotfix/2107/10096997.md).
 
-<!--
-The following update rollup (4517869) is available in the console starting on October 1, 2019: [Update rollup for Configuration Manager current branch, version 1906](https://support.microsoft.com/help/4517869).
--->
 
-<!--
+The following update rollup (11121541) is available in the console starting on October 27, 2021: [Update rollup for Configuration Manager current branch, version 2107](../../../hotfix/2107/11121541.md).
+
+
 ### Hotfixes
 
 The following additional hotfixes are available to address specific issues:
 
 | ID | Title | Date | In-console |
 |---------|---------|---------|---------|
-| [9833643](../../../hotfix/2107/9833643.md) | Console update for Microsoft Endpoint Configuration Manager version 2107 | May 11, 2021 | No |
--->
+| [12636660](../../../hotfix/2107/12636660.md) | Client update for Microsoft Endpoint Configuration Manager version 2107 | December 2, 2021 | No |
 
 ## Next steps
 

memdocs/configmgr/hotfix/2107/12636660.md

@@ -0,0 +1,70 @@
+---
+title: Client update for Microsoft Endpoint Configuration Manager version 2107
+titleSuffix: Configuration Manager
+description: Client update for 2107
+ms.date: 12/02/2021
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: a8e89ce4-e3f6-476e-baad-d11cb1bb70f6
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Update for Microsoft Endpoint Configuration Manager version 2107
+
+*Applies to: Configuration Manager (current branch, version 2107)*
+## Summary of KB12636660
+
+An update is available to resolve the following issue with Configuration Manager after installing the [Update rollup for Microsoft Endpoint Configuration Manager version 2107](./11121541.md).
+
+- Clients in untrusted domains do not use the network access account as a fallback authentication method to access content on distribution points. This leads to content download failures when other authentication methods are unavailable.
+
+## Update information for Microsoft Endpoint Configuration Manager, version 2107
+The following hotfix to resolve this problem is available for download from the Microsoft Download Center:
+
+[Download this hotfix now](https://configmgrbits.azureedge.net/qfe/2107/KB12636660_9058.1048/CM2107-KB12636660.ConfigMgr.Update.exe).
+
+After you download the hotfix, see the following documentation for installation instructions:
+
+[Use the Update Registration Tool to import hotfixes to Configuration Manager](../../core/servers/manage/use-the-update-registration-tool-to-import-hotfixes.md)
+
+#### Prerequisites
+To apply this hotfix, you must have Microsoft Endpoint Configuration Manager, version 2107 installed in addition to the following update:
+
+[KB11121541](./11121541.md) Update rollup for Microsoft Endpoint Configuration Manager version 2107
+
+#### Restart information
+This update does not require a computer restart or initiate a site reset.
+
+### Other installation information
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```code
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+The following major components are updated to the versions specified:
+
+|Component |Version |
+|---|---|
+| Configuration Manager client | 5.00.9058.1048 |
+
+## File information
+File information is available in the downloadable [KB12636660_FileList.txt](https://aka.ms/KB12636660_FileList) text file.
+
+## Release history
+- December 2, 2021: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)
+[Network access account](../../core/plan-design/hierarchy/fundamental-concepts-for-content-management.md#network-access-account)
+
+
+

memdocs/configmgr/hotfix/TOC.yml

@@ -9,6 +9,8 @@ items:
     href: 2107/10503003.md
   - name: KB 11121541 Update rollup for 2107
     href: 2107/11121541.md
+  - name: KB 12636660 Network access account update
+    href: 2107/12636660.md
 - name: Version 2103
   items:
   - name: KB 9210721 Summary of changes in 2103

memdocs/intune/apps/apps-company-portal-macos.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/19/2021
+ms.date: 12/02/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -52,7 +52,7 @@ You can instruct users to download, install, and sign in to Company Portal for m
 > [!NOTE]
 > When you download the Intune Company Portal for macOS devices version 2.18.2107 and later, it installs the new universal version of the app that runs natively on Apple Silicon Macs. The same app will install the x64 version of the app on Intel Mac machines.
 
-##	Install Company Portal for macOS as a macOS LOB app
+## Install Company Portal for macOS as a macOS LOB app
 
 Company Portal for macOS can be downloaded and installed using the [macOS LOB apps](lob-apps-macos.md) feature. The version downloaded is the version that will always be installed and may need to be updated periodically to ensure users get the best experience during initial enrollment.
 
@@ -75,11 +75,15 @@ Company Portal for macOS can be downloaded and installed using the [macOS Shell
 > [!NOTE]
 > The script will require Internet access when it runs to download the current version of the Company Portal for macOS. 
 
-## Install Company Portal for macOS using the Apple Setup Assistant
+## Signing into the Company Portal for macOS when using Setup Assistant with Modern Authentication 
 
 For macOS devices running 10.15 and later, when creating an Automated Device Enrollment profile, you can now choose a new authentication method: **Setup Assistant with modern authentication**. The user has to authenticate using Azure AD credentials during the setup assistant screens. This will require an additional Azure AD login post-enrollment in the Company Portal app to gain access to corporate resources protected by Conditional Access and for Intune to assess device compliance. The Company Portal can be installed in any of the three ways documented here for Setup Assistant with modern authentication. 
 
-Users must sign into the Company Portal to complete Azure AD authentication and gain access to resources protected by Conditional Access. User affinity is established when users complete the additional Azure AD login into the Company Portal app on the device. If the tenant has multi-factor authentication turned on for these devices or users, the users will be asked to complete multi-factor authentication during enrollment during Setup Assistant. Multi-factor authentication is not required, but it is available for this authentication method within Conditional Access if needed.
+Use one of the ways documented above to deploy the macOS Company Portal to the devices enrolling with Setup Assistant with modern authentication so that the end user can authenticate and complete Azure AD registration.
+
+Users must sign into the Company Portal to complete Azure AD authentication and gain access to resources protected by Conditional Access. User affinity is established when users complete the enrollment and reaches the home screen of the macOS device. If the tenant has multi-factor authentication turned on for these devices or users, the users will be asked to complete multi-factor authentication during enrollment during Setup Assistant. Multi-factor authentication is not required, but it is available for this authentication method within Conditional Access if needed.
+
+For more information about configuring Setup Assistant with modern authentication for macOS, see [Create an Apple enrollment profile](../enrollment/device-enrollment-program-enroll-macos.md#create-an-apple-enrollment-profile).
 
 ## Next steps
 - To learn more about assigning apps, see [Assign apps to groups](apps-deploy.md).

memdocs/intune/fundamentals/reports-export-graph-available-reports.md

@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 11/02/2021
+ms.date: 12/02/2021
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -665,6 +665,9 @@ The following table contains the possible output when calling the `DevicesWithIn
 | ManagementAgents  | ManagementAgents  |
 | CertExpirationDate  | CertExpirationDate  |
 | IsManaged  | IsManaged  |
+| SystemManagementBIOSVersion  | SystemManagementBIOSVersion  |
+| TPMManufacturerId  | TPMManufacturerId  |
+| TPMManufacturerVersion  | TPMManufacturerVersion  |
 
 You can choose to filter the `DevicesWithInventory` report's output based on the following columns:
 - `CreatedDate`

memdocs/intune/protect/certificate-authority-add-scep-overview.md

@@ -113,6 +113,12 @@ Be sure you have the required permissions to register an Azure AD app. See [Requ
       2. Expand **Application** and select the checkbox for **Application.Read.All** (Read all applications).
       3. Select **Add permissions** to save this configuration.
 
+   1. Select **Add a permission** again.
+      1. On the *Request API permissions* page, select **Azure Active Directory Graph** > **Application permissions**.
+      2. Expand **Application** and select the checkbox for **Application.Read.All** (Read all applications). 
+      3. Select **Add permissions** to save this configuration.
+
+<!-- Pending review to replace step 7.c>
    1. Use *Microsoft Graph* to add the following permissions to the app:
 
       - **Application.Read.All** (Read all applications).
@@ -121,9 +127,7 @@ Be sure you have the required permissions to register an Azure AD app. See [Requ
 
       > [!NOTE]  
       > Previously, these permissions were configured by using Azure AD Graph, and available through the App registration UI. Azure AD Graph is now deprecated and will be retired on June 30, 2022. As part of this deprecation path, the capability to add Azure AD Graph permissions to the required permissions for an app registration through the Azure portal is now disabled.
-      >
-      > In addition to using the information at [Configure Azure AD Graph permissions](/graph/migrate-azure-ad-graph-configure-permissions) to set permission on the app, we recommend that you follow the [App migration planning checklist](/graph/migrate-azure-ad-graph-planning-checklist) to help you transition your apps to the [Microsoft Graph](/graph/overview) API.
-
+-->
 8. Remain on the **API permissions** page, and select **Grant admin consent for** ***\<your tenant>***, and then select **Yes**.  
 
    The app registration process in Azure AD is complete.

memdocs/intune/remote-actions/remote-help.md

@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 12/01/2021
+ms.date: 12/02/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: remote-actions
@@ -100,9 +100,10 @@ Both the helper and sharer must be able to reach these endpoints over port 443:
 
 Microsoft logs a small amount of session data to monitor the health of the remote help system. This data includes the following information:
 
-- Start and end time of the session
-- Errors arising from remote help itself, such as unexpected disconnections
-- Features used inside the app such as view only, annotation, and session pause
+- Start and end time of the session. This information is stored on Microsoft servers for 30 days.
+- Who helped whom and on what device. This information is stored on Microsoft servers for 30 days.
+- Errors arising from remote help itself, such as unexpected disconnections. This information is stored on the sharer's device in the event viewer.
+- Features used inside the app such as view only and elevation. This information is stored on Microsoft servers for 30 days.
 
 Remote help logs session details to the Windows Event Logs on the device of both the helper and sharer. Microsoft can't access a session or view any actions or keystrokes that occur in the session. Microsoft cannot access a session or view any actions or keystrokes that occur in the session.
 
@@ -114,7 +115,7 @@ The helper and sharer both see the following information about the other individ
 - First and Last name
 - Job title
 
-Microsoft does not store any data about either the sharer or the helper for longer than three days.
+Microsoft does not store any data about either the sharer or the helper for longer than 30 days.
 
 ## Install and update remote help
 

windows-365/enterprise/TOC.yml

@@ -21,6 +21,8 @@ items:
     href: on-premises-network-connections.md
   - name: Device images
     href: device-images.md
+  - name: Lifecycle and operating system end of support
+    href: end-of-support.md
   - name: Device configuration with MEM
     href: device-configuration.md
   - name: Privacy and personal data
@@ -113,6 +115,8 @@ items:
           href: create-custom-image-support-teams.md
       - name: App Assure
         href: app-assure.md
+      - name: Optimize Zoom
+        href: zoom-support.md
     - name: Device management
       items:
       - name: Overview

windows-365/enterprise/end-of-support.md

@@ -0,0 +1,60 @@
+---
+# required metadata
+title: End of support for Windows operating system on Cloud PCs
+titleSuffix:
+description: Learn about lifecycle policies and end of support for operating systems on Cloud PCs and device images.
+keywords:
+author: ErikjeMS  
+ms.author: erikje
+manager: dougeby
+ms.date: 11/30/2021
+ms.topic: how-to
+ms.service: cloudpc
+ms.subservice:
+ms.localizationpriority: high
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: naramkri
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure; get-started
+ms.collection: M365-identity-device-management
+---
+
+# Lifecycle policies and end of support for Cloud PC operating systems
+
+Lifecycle policies govern operating system (OS) servicing and support (including end of support). The lifecycle is the time period during which Microsoft supports the OS and releases monthly security updates for it. For more information about lifecycles, see [Lifecycle FAQ - General](/lifecycle/faq/general-lifecycle) and [Lifecycle FAQ - Windows](/lifecycle/faq/windows).
+
+A Windows 365 Cloud PC runs on the Windows OS and follows the [Microsoft Lifecycle Policy](/lifecycle). After the OS on a Cloud PC reaches the end of support, it stops receiving:
+
+- Security updates
+- Non-security updates
+- Assisted support
+
+## Image status
+
+Windows 365 tracks end of support information in Microsoft Endpoint Manager on the **Provisioning policies** page under **Image status**. This column lets you know if the OS on the image used by each provisioning policy is supported or not.
+
+| Image status | Gallery image | Custom image |
+| --- |--- | --- |
+| Supported | Cloud PCs created using this policy have a Windows OS that is supported by Microsoft and can receive updates. | Same as gallery image. |
+| Warning | OS Support expired less than six months ago. Cloud PCs created using this policy have an OS that isn’t supported. Such Cloud PCs are vulnerable and not receiving security updates. | Cloud PCs created using this policy have an OS that isn’t supported. Such Cloud PCs are vulnerable and not receiving security updates.  |
+| Unsupported | Cloud PCs created using this policy have a Windows OS that hasn’t been supported for over six months. This policy can no longer be assigned to users. To resolve this issue, update the OS image in the provisioning policy to an image with a supported OS. Existing Cloud PCs previously created with this policy:<br>- Are vulnerable and not receiving security updates.<br>- Can’t be provisioned or reprovisioned. Attempts to provision a Cloud PC from this policy will fail with a **Windows Image out of Support** message. | Not applicable |
+
+These status values for custom images also appear under the **OS support status** column on the **Device images** page.
+
+## Provisioning policies
+
+Starting on the end of support date, gallery images that use the expired OS won’t be selectable for newly created provisioning policies. The images also won’t be available for use when editing existing provisioning policies.
+
+<!-- ########################## -->
+## Next steps
+
+To change the device image for a provisioning policy, see [Edit provisioning policies](edit-provisioning-policy.md).

windows-365/enterprise/whats-new.md

@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS  
 ms.author: erikje
 manager: dougeby
-ms.date: 11/03/2021
+ms.date: 11/30/2021
 ms.topic: reference
 ms.service: cloudpc
 ms.subservice:
@@ -47,6 +47,33 @@ Learn what new features are available in Windows 365 Enterprise.
 ### Scripts
 -->
 
+<!-- ########################## -->
+## Week of November 29, 2021 (Service release 2111)
+
+<!-- vvvvvvvvvvvvvvvvvvvvvv -->
+### Device management
+
+#### Operating system end of support status for Cloud PCs<!--36852572 -->
+
+The **Provisioning policies** page has a new column: **Image status**. It tells you if the device image for each provisioning policy uses an operating system (OS) that is supported by Microsoft Windows security and other updates. For more information, see [Lifecycle policies and end of support for Cloud PC OS](end-of-support.md).
+
+#### New documentation article: Optimize Zoom on a Windows 365 Cloud PC<!--37106382-->
+
+We’ve just published a new help documentation article. For more information, see [Optimize Zoom on a Windows 365 Cloud PC](zoom-support.md).
+
+<!-- vvvvvvvvvvvvvvvvvvvvvv -->
+### Device security
+
+#### Two new security baseline settings for Windows 11 Cloud PCs<!--36989243 -->
+
+Windows 365 Enterprise now supports the following Windows 11 security baseline settings:
+
+- **Tamper Protection**: Helps protect Cloud PCs from bad actors bypassing security features like anti-virus protection.
+
+- **Script Scanning**: Helps identify possible threats by intercepting scripts and scanning them before they’re run.
+
+For more information about the security baseline updates for Windows 11, see [Windows 11 Security baseline](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772). For more information about setting security baselines for Cloud PCs, see [Deploy security baselines](deploy-security-baselines.md).
+
 <!-- ########################## -->
 ## Week of November 1, 2021 (Service release 2110)