Commit 1ccd023

Thomas Raya authored
Merge pull request #7048 from MicrosoftDocs/main
Publish 03/16/2022, 10:30 AM
2 parents 2c5fd90 + c781cc5 commit 1ccd023

4 files changed

Lines changed: 46 additions & 6 deletions

memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md

Lines changed: 2 additions & 0 deletions
@@ -56,6 +56,8 @@ To enable modern authentication during enrollment, push the app to the device by
5656

5757
To enable the Company Portal to update automatically and provide the Company Portal app on devices already enrolled with ADE, deploy the Company Portal app through Intune as a required VPP app with an [application configuration policy](../apps/app-configuration-policies-use-ios.md#configure-the-company-portal-app-to-support-ios-and-ipados-devices-enrolled-with-automated-device-enrollment) applied. Deploy the Company Portal app in this way to enable Device Staging for devices only without user affinity. With Device Staging, a device is fully enrolled and receives device policies before the addition of a user affinity. Device Staging can also be used to transition a device without user affinity, to a device with user affinity.
5858

59+
Specifically for the authentication method Setup Assistant with modern authentication, do not separately deploy the Company Portal app as a client app, with or without an app config targeted to it. ADE devices enrolling with Setup Assistant with modern authentication should be excluded from any separate Company Portal targeting in the tenant. The Company Portal is sent as a required app automatically when Setup Assistant with modern authentication is chosen as the authentication method in the assigned enrollment profile.
60+
5961
## What is supervised mode?
6062

6163
Apple introduced supervised mode in iOS/iPadOS 5. An iOS/iPadOS device in supervised mode provides more management control, like blocking of screen captures and blocking of the installation of apps from App Store. So it's especially useful for corporate-owned devices. Intune supports configuring devices for supervised mode as part of ADE.
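
Review bot: The paragraph added at line 59 tells readers not to deploy the Company Portal as a client app, directly after the unchanged paragraph at line 57 that tells them to deploy it through Intune as a required VPP app with an application configuration policy, and nothing marks which enrollment profiles each instruction applies to. Suggest opening the line 57 paragraph with the authentication methods it covers, or moving the new text into a note block, and stating what happens when an ADE device that uses Setup Assistant with modern authentication is also targeted separately. Also spell out "app config" as "application configuration policy" to match the link text in the paragraph above.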

memdocs/intune/protect/includes/make-configmgr-collection-available-edr.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@ ms.date: 12/18/2020
1616

1717
![Configure cloud sync](../media/tenant-attach-intune/cloud-sync.png)
1818

19-
3. Select **OK** to save the configuration.
19+
3. Select **Add** and then select the Azure Active Directory group that you would like to synchronize with **Collect membership results**.
20+
21+
4. Select **OK** to save the configuration.
2022

2123
Devices in this collection can now onboard with Microsoft Defender for Endpoint, and support use of Intune endpoint security policies.
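
Review bot: In the new step 3, "synchronize with **Collect membership results**" does not parse: it is unclear whether Collect membership results is a setting to turn on or the name of the sync that the selected group feeds. Suggest rewording so that the control and the action are named separately, and checking that the cloud-sync.png screenshot above still matches the dialog now that the procedure has an Add step. The hunk header shows ms.date: 12/18/2020 and this hunk accounts for all 3 additions and 1 deletion in the file, so the date was not updated as it was in windows-update-rollout-options.md.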

memdocs/intune/protect/windows-update-rollout-options.md

Lines changed: 36 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: brenduns
88
ms.author: brenduns
99
manager: dougeby
10-
ms.date: 11/16/2021
10+
ms.date: 03/16/2022
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: protect
@@ -29,7 +29,7 @@ ms.collection: M365-identity-device-management
2929

3030
# Rollout options for Windows Updates in Microsoft Intune
3131

32-
Use rollout options in Microsoft Intune policies for *Feature updates for Windows 10 and later*. With rollout options, you configure schedule options for Windows Update that result in the gradual rollout of updates to to devices that receive your policies.
32+
Use rollout options in Microsoft Intune policies for *Feature updates for Windows 10 and later*. With rollout options, you configure schedule options for Windows Update that result in the gradual rollout of updates to devices that receive your policies.
3333

3434
> [!TIP]
3535
> The default behavior for Windows Update is to make an update available to an assigned device right away. This doesn’t mean the update will install right away. Instead, when an update is made available, the device becomes eligible to install it. Before a device can install an available update, the device must connect to Windows Update and scan for updates. When the need for an update is confirmed and the device is eligible, the Windows Update service then offers the update to that device. After a device completes the update, it is then dependent on user behavior and other settings like Deadline.
@@ -56,11 +56,11 @@ To configure this option, you set the following values. Windows Update uses thes
5656

5757
- **Days between groups** – Windows Update uses this value to determine how many offer groups to use when making the update available to devices.
5858

59-
For example, you set the first group availability to be January 1, and the final group of availability to be January 10. Then you set three days between groups. The results are that Windows Update creates four groups to use for making the update available. Windows Update then makes the update available to devices in the first group on the 1st, available to devices in the next group on the 4th, and so on. The update is offered to devices in the last group on the 10th. In this example, a quarter of the devices that receive the policy are assigned to each group, and devices can only receive the update offer after the group they're assigned to becomes eligible.
59+
For example, you set the first group availability to be January 1, and the final group of availability to be January 10. Then you set three days between groups. The results are that Windows Update creates four groups to use for making the update available. Windows Update then makes the update available to devices in the first group on January 1, available to devices in the next group on January 4, and so on. The update is offered to devices in the last group on the 10th. In this example, a quarter of the devices that receive the policy are assigned to each group, and devices can only receive the update offer after the group they're assigned to becomes eligible.
6060

6161
The following behaviors apply to the management of offer groups:
6262

63-
- Windows Update assigns targeted devices to the groups randomly, keeping groups evenly-sized.
63+
- Windows Update assigns targeted devices to the groups randomly, keeping groups evenly sized.
6464

6565
- If you edit a policy to change the date for the first or final group availability, or change the number of days between groups for the policy:
6666
- Windows Update recalculates the number of groups to use, if necessary.
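
Review bot: The rewritten example on line 59 now says "on January 1" and "on January 4" but still ends with "in the last group on the 10th", so one sentence mixes two date styles. Change the last date to "January 10" to finish the edit. Since the example states four groups three days apart, naming the third date as well instead of "and so on" would let readers check the arithmetic.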
@@ -72,6 +72,38 @@ The following behaviors apply to the management of offer groups:
7272
- New devices are distributed to the remaining offer groups.
7373
- For devices that are no longer targeted by the policy but were offered the update, Windows Update will attempt to retract the offer. However, the offer can’t be retracted if the device has started processing that offer.
7474

75+
## Intelligent rollouts
76+
77+
To enhance your use of gradual rollouts, you can configure *Intelligent rollouts*.
78+
79+
With intelligent rollouts, the Windows Update for Business Deployment Service uses data that it collects from devices to optimize the device members in the offer groups of your gradual rollout deployments. The first offer group will include the fewest number of devices that have the largest pool of variations in your environment. You can think of this as a *pilot ring* for the deployment.
80+
81+
To enable intelligent rollout, you deploy a [settings catalog](../configuration/settings-catalog.md) profile for device configuration to *Allow WUfB Cloud Processing*. Then, you assign the profile to the same groups that you use with your Feature update profiles. You only need to deploy this profile to a device a single time. The change then applies to all future deployments for that device.
82+
83+
### Likely issue safeguard holds
84+
85+
The Windows Update for Business setting that you enable, *Allow WUfB Cloud Processing*, is the same setting that enables the Deployment Service to create a *likely issue* safeguard hold for a device. To learn more, see [Safeguard holds](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) in the documentation for Update Compliance monitoring.
86+
87+
As your rollout progresses, the deployment service monitors for unexpected issues. The service leverages insights from the Windows ecosystem and will create *likely issue* safeguard holds and proactively pause deployments to devices that are likely to encounter an issue. By applying safeguard holds to devices that are likely to have issues with the update, devices and end users are protected from potential productivity affecting issues.
88+
89+
To learn more, see [Manage safeguards using the Windows Update for Business deployment service](/graph/windowsupdates-manage-safeguards) in the Graph API documentation for device updates.
90+
91+
### Enable intelligent rollouts
92+
93+
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
94+
95+
2. Go to **Devices** > **Configuration profiles** > **Create profile**.
96+
97+
3. For Platform, select **Windows 10 and later** and then for Profile type, select **Settings catalog (preview)**.
98+
99+
4. On the **Configuration settings** page, select **Add settings**, and then on the *Settings picker* page, search for **Allow WUfB Cloud Processing**. You’ll find this setting in the *System* category. Select the checkbox for this setting and then close the *Settings picker* window.
100+
101+
5. Set *Allow WUfB Cloud Processing* to **Enabled**.
102+
103+
6. On the **Assignments** page, assign the profile to the same groups you use for your Feature update profiles, and then complete and *Create* this settings catalog profile, to deploy it.
104+
105+
After the profile deploys, devices that use gradual rollouts for Feature update profiles will also have intelligent optimization applied.
106+
75107
## Next steps
76108

77109
Configure [Feature Updates policy](../protect/windows-10-feature-updates.md)
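
Review bot: The new Intelligent rollouts section (lines 79 to 85) says the Deployment Service "uses data that it collects from devices" but never says which data, or what an admin agrees to by setting Allow WUfB Cloud Processing to Enabled; because the same setting also lets the service create likely issue safeguard holds, readers need that information before step 5. Suggest a sentence or link that describes the data processed and any prerequisites on the device. Smaller points: step 3 selects "Settings catalog (preview)" while the intro links to it as "settings catalog", step 6 italicizes *Create* where other UI labels are bold, "productivity affecting" needs a hyphen, and "the fewest number of devices that have the largest pool of variations" is hard to parse.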

windows-365/enterprise/identity-authentication.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -91,11 +91,13 @@ This authentication triggers an Azure Active Directory prompt, allowing any cred
9191

9292
### Cloud PC authentication
9393

94-
Users must authenticate with the Windows 365 service when:
94+
Users must authenticate to their Cloud PC when:
9595

9696
- They navigate to the URL that maps directly to their Cloud PC.
9797
- They use a [Remote Desktop client](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients) to connect to their Cloud PC.
9898

99+
This authentication request is processed by Azure AD for Azure AD Joined Cloud PCs and on-premises Active Directory for Hybrid Azure AD Joined Cloud PCs.
100+
99101
>[!NOTE]
100102
>If a user launches the web browser URL that maps directly to their Cloud PC, they will encounter the Windows 365 service authentication first, then encounter the Cloud PC authentication.
101103
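
Review bot: The sentence added at line 99 drops the second "by" ("processed by Azure AD for ... and on-premises Active Directory for ..."), and it writes the join types as "Azure AD Joined" and "Hybrid Azure AD Joined" while the note added further down in this file abbreviates the same state as "Hybrid AADJ". Suggest "by Azure AD for Azure AD Joined Cloud PCs and by on-premises Active Directory for Hybrid Azure AD Joined Cloud PCs", with one spelling of the join type used throughout the page.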
@@ -105,6 +107,8 @@ The following credential types are supported for Cloud PC authentication:
105107
- Smartcard
106108
- [Windows Hello for Business certificate trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust)
107109
- [Windows Hello for Business key trust with certificates](/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs)
110+
>[!NOTE]
111+
>Smartcard and Windows Hello authentication require the Windows desktop client to be able to perform Kerberos authentication when used with Hybrid AADJ. This requires the physical client to have line of sight to a domain controller.
108112
- Windows store client
109113
- Username and password
110114
- Web client
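
Review bot: The [!NOTE] added at lines 110 and 111 sits directly between the "Windows Hello for Business key trust with certificates" item and the "Windows store client" item with no blank line on either side, so it can break the list or attach to the wrong bullet when rendered. Suggest indenting it under the client entry it qualifies, or moving it after the list. The note also leaves open what a user sees when the physical client has no line of sight to a domain controller; say which of the listed credential types remain usable in that case, and expand "Hybrid AADJ" to "Hybrid Azure AD Joined".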
