Merge branch 'main' into release-intune-2204

Author: v-alje

memdocs/intune/enrollment/device-enrollment-manager-enroll.md

@@ -61,8 +61,8 @@ You can use the following methods to enroll devices using DEM accounts:
 
 - [Windows Autopilot](../../autopilot/enrollment-autopilot.md)
 - [Windows devices bulk enrollment](windows-bulk-enroll.md)
-- [DEM initiated via Company Portal](../user-help/use-managed-devices-to-get-work-done.md)
-- [DEM initiated via Azure AD join](/mem/intune/enrollment/device-enrollment-manager-enroll)
+- DEM initiated via Company Portal
+- DEM initiated via Azure AD join
 
 ## Add a device enrollment manager
 

memdocs/intune/enrollment/device-enrollment.md

@@ -39,7 +39,7 @@ Intune lets you manage your workforce's devices and apps and how they access you
 
 As you can see in the following tables, there are several methods to enroll your workforce's devices. Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking).
 
-By default, devices for all platforms are allowed to enroll in Intune. However, you can [restrict devices by platform](enrollment-restrictions-set.md#create-a-device-type-restriction).
+By default, devices for all platforms are allowed to enroll in Intune. However, you can [restrict devices by platform](enrollment-restrictions-set.md#create-a-device-platform-restriction) in Intune.
 
 ## iOS/iPadOS enrollment methods
 

memdocs/intune/enrollment/enrollment-restrictions-set.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 01/25/2022
+ms.date: 04/14/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -21,7 +21,7 @@ ms.assetid: 9691982c-1a03-4ac1-b7c5-73087be8c5f2
 #ROBOTS:
 #audience:
 
-ms.reviewer: dagerrit
+ms.reviewer: maholdaa
 ms.suite: ems
 search.appverid: MET150
 #ms.tgt_pltfrm:
@@ -58,78 +58,56 @@ The specific enrollment restrictions that you can create include:
   - Maximum version.
 - Restrict [personally owned devices](device-enrollment.md#bring-your-own-device) (iOS, Android device administrator, Android Enterprise work profile, macOS, and Windows).
 
-## Default restrictions
 
-Default restrictions are automatically provided for both device type and device limit enrollment restrictions. You can change the options for the defaults. Default restrictions apply to all user and userless enrollments. You can override these defaults by creating new restrictions with higher priorities.
+## Default restrictions  
 
-## Create a device type restriction
-
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Enroll Devices** > **Enrollment restrictions** > **Create restriction** > **Device type restriction**.
-2. On the **Basics** page, give the restriction a **Name** and optional **Description**.
-3. Choose **Next** to go to the **Platform settings** page.
-4. Under **Platform**, choose **Allow** for the platforms that you want this restriction to allow.
-:::image type="content" source="./media/enrollment-restrictions-set/choose-platform-settings.png" alt-text="Device type restriction platform settings blade":::
-5. Under **Versions**, choose the minimum and maximum versions that you want the allowable platforms to support. For iOS and Android, version restrictions only apply to devices enrolled with the Company Portal.
-     Supported version formats include:
-    - Android device administrator and Android Enterprise work profile support major.minor.rev.build.
-    - iOS/iPadOS supports major.minor.rev. Operating system versions don't apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
-    - Windows supports major.minor.build.rev for Windows 10 and Windows 11 only.
-    
-    > [!IMPORTANT]
-    > Android Enterprise work profile and Android device administrator platforms have the following behavior:
-    > - If both platforms are allowed for the same group, then users will be enrolled with a work profile if their device supports it, otherwise they will enroll as device administrator. 
-    > - If both platforms are allowed for the group and refined for specific and non-overlapping versions, then users will receive the enrollment flow defined for their OS version. 
-    > - If both platforms are allowed, but blocked for the same versions, then users on devices with the blocked versions will be taken down the Android device administrator enrollment flow and then get blocked from enrollment and prompted to sign out. 
-    >
-    > Worth noting that neither work profile or device administrator enrollment will work unless the appropriate prequisites have been completed in Android Enrollment. 
-
-6. Under **Personally-owned**, choose **Allow** for the platforms that you want to permit as personally owned devices.
-7. Under **Device manufacturer**, enter a comma-separated list of the manufacturers that you want to block.
-8. Choose **Next** to go to the **Scope tags** page.
-9. On the **Scope tags** page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). When using scope tags with enrollment restrictions, users can only re-order policies for which they have scope. Also, they can only reorder for the policy positions for which they have scope. Users see the true policy priority number on each policy. A scoped user can tell the relative priority of their policies even if they can't see all the other policies.
-10. Choose **Next** to go to the **Assignments** page.
-11. Choose **Select groups to include** and then use the search box to find groups that you want to include in this restriction. The restriction applies only to groups to which it's assigned. If you don't assign a restriction to at least one group, it won't have any effect. Then choose **Select**. 
-    ![Screen cap for choosing platform settings](./media/enrollment-restrictions-set/select-groups.png)
-12. Select **Next** to go to the **Review + create** page.
-13. Select **Create** to create the restriction.
-14. The new restriction is created with a priority just above the default. You can [change the priority](#change-enrollment-restriction-priority).  
-
-
-## Create a device platform restriction 
+Default policies are available in Intune for both device type and device limit enrollment restrictions. The defaults apply to all user and userless enrollments. You can edit and change the defaults. You can also override the default restrictions by creating new restriction policies with higher priority.    
 
+ 
+## Create a device platform restriction   
 
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).  
-2. In the side menu, go to **Devices** and scroll down to **Policy**. Select **Enrollment device platform restrictions**. You can also access this policy by going to **Devices** > **Enroll devices** > **Enrollment device platform restrictions**.  
-
-3. At the top of the page, select the tab that corresponds with the platform you're configuring. Your options:  
+2. Go to **Devices** > **Enroll devices** > **Enrollment device platform restrictions**.  
+3. Select the tab along the top of the page that corresponds with the platform you're configuring. Your options:  
 
     * **Android restrictions**
     * **Windows restrictions**
     * **MacOS restrictions**
     * **iOS restrictions**  
 
-    Then select **Create restriction**.  
-
-    > [!div class="mx-imgBorder"]
-    > ![Example image of the Enrollment device platform restrictions page highlighting the platform tabs and Create restriction option.](./media/enrollment-restrictions-set/intune-enrollment-device-platform-restrictions-2112.png) 
-4. On the **Basics** page, give the restriction a **Name** and optional **Description**. Then select **Next**.  
-5. On the **Platform settings** page, configure the restrictions for your selected platform. Your options:       
+4. Select **Create restriction**.  
+5. On the **Basics** page, give the restriction a name and optional description. 
+6. Select **Next**.  
+7. On the **Platform settings** page, configure the restrictions for your selected platform. Your options:       
     - **Platform** (Android only): Select **Allow** to permit devices running the Android or Android Enterprise platforms to enroll in Intune.  
-    - **MDM** (Windows, macOS, and iOS/iPadOS only): Select **Allow** to permit devices running the selected platform to enroll in Intune. 
-    - **Allow min/max range** (Android, Windows, iOS/iPadOS only): Enter the minimum and maximum OS versions allowed to enroll. For iOS and Android, version restrictions only apply to devices enrolled with the Company Portal. Supported version formats include:  
-      - Android device administrator and Android Enterprise work profile support major.minor.rev.build.
-      - iOS/iPadOS supports major.minor.rev. Operating system versions don't apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
-      - Windows supports major.minor.build.rev for Windows 10 and Windows 11 only.
+    - **MDM** (Windows, macOS, and iOS/iPadOS): Select **Allow** to permit devices running the selected platform to enroll in Intune. 
+    - **Allow min/max range** (Android, Windows, iOS/iPadOS only): Enter the minimum and maximum OS versions allowed to enroll. For iOS and Android, version restrictions only apply to devices enrolled through the Company Portal. Supported version formats include:  
+        - Android device administrator and Android Enterprise work profile support major.minor.rev.build.
+        - iOS/iPadOS supports major.minor.rev. Operating system versions don't apply to Apple devices that enroll with the Device Enrollment Program, Apple School Manager, or the Apple Configurator app.
+        - Windows supports major.minor.build.rev for Windows 10 and Windows 11 only.
     - **Personally-owned**: Select **Allow** to permit devices to enroll and operate as personal devices.  
     - **Device manufacturer**: Enter a comma-separated list of the manufacturers that you want to block.  
 
-6. On the **Scope tags** page, optionally add the scope tags you want to apply to this restriction. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). When using scope tags with enrollment restrictions, users can only re-order policies for which they have scope. Also, they can only reorder for the policy positions for which they have scope. Users see the true policy priority number on each policy. A scoped user can tell the relative priority of their policies even if they can't see all the other policies. When you're done, select **Next**. 
-7. On the **Assignments** page, select **Add groups** and then use the search box to find groups that you want to include in this restriction. Choose **Select** to add the groups. To assign the restriction to all device users instead, select **Add all users**. If you don't assign a restriction to at least one group, the restriction won't take effect.  
-8. Optionally, after you assign groups, select **Edit filter** to restrict the policy assignment further. When you finish adding filters, choose **Select** > **Next**. Filters are available for macOS, iOS, and Windows policies. For more information, see [Using filters with enrollment restriction and ESP policies](enrollment-restrictions-set.md#using-filters-with-enrollment-restriction-and-esp-policies) (in this article).  
-9. On the **Review + create** page, select **Create** to create the restriction.   
+8. Select **Next**. 
+9. Optionally, add scope tags to the restriction. For more information about scope tags, see [Use role-based access control and scope tags for distributed IT](../fundamentals/scope-tags.md). 
+
+      > [!NOTE]
+      >  When using scope tags with enrollment restrictions, users can only re-order policies for which they have scope. Also, they can only reorder for the policy positions for which they have scope. Users see the true policy priority number on each policy. A scoped user can tell the relative priority of their policies even if they can't see all the other policies. 
+10. Select **Next**. 
+11. On the **Assignments** page, select **Add groups** and then use the search box to find and select groups. To assign the restriction to all device users, select **Add all users**. If you don't assign a restriction to at least one group, the restriction won't take effect.  
+12. Optionally, after you assign groups, select **Edit filter** to restrict the policy assignment further with filters. Filters are available for macOS, iOS, and Windows policies. For more information, see [Using filters with enrollment restriction and ESP policies](enrollment-restrictions-set.md#using-filters-with-enrollment-restriction-and-esp-policies) (in this article).  
+13. Select **Next**. 
+14. On the **Review + create** page, select **Create** to save and create your restriction.  
 
 You can view the new restriction and access its properties from the **Device type restrictions** table. Select and drag the restriction to reposition it in the table and change its priority.  
 
+### Applying Android restrictions  
+Neither work profile nor device administrator enrollment will work unless the appropriate prerequisites for Android enrollment are complete. The Android Enterprise work profile and Android device administrator platforms have the following behavior when restrictions are applied:  
+
+* If you allow both OS platforms for the same group, users on supported devices will enroll with a work profile. Devices that aren't supported will enroll under Android device administrator, without a profile. 
+* If you allow both OS platforms for the same group and refine it for specific and non-overlapping versions, devices will go through the enrollment throw that's selected for their version.   
+* If you allow both platforms, but block the same versions, devices running blocked versions will go through the Android device administrator enrollment flow, get blocked from enrollment, and be prompted to sign out.  
+
 
 ## Create a device limit restriction
 
@@ -166,7 +144,7 @@ During BYOD enrollments, users see a notification that tells them when they've m
 
 ## Change enrollment restrictions
 
-You can change the settings for an enrollment restriction by following the steps below. These restrictions don't effect devices that have already been enrolled. 
+You can change the settings for an enrollment restriction by following the steps below. These restrictions don't affect devices that have already been enrolled. 
 
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Enrollment restrictions** > choose the restriction that you want to change > **Properties**.
 2. Choose **Edit** next to the settings that you want to change.

memdocs/intune/fundamentals/deployment-guide-intune-setup.md

@@ -310,7 +310,7 @@ This section includes an overview of the steps. Use these steps as guidance, and
 
 6. By default, all device platforms can enroll in Intune. If you want to prevent specific platforms, then create a restriction.
 
-    For more information, see [Create a device type restriction](../enrollment/enrollment-restrictions-set.md#create-a-device-type-restriction).
+    For more information, see [Create a device platform restriction](../enrollment/enrollment-restrictions-set.md#create-a-device-platform-restriction).
 
 7. Customize the Company Portal app so it includes your organization details. Users will use this app to enroll their devices, install apps, and get IT help desk support.
 

memdocs/intune/fundamentals/manage-os-versions.md

@@ -49,7 +49,7 @@ Organizations are using device type restrictions to control access to organizati
 1. Use minimum operating system version to keep end users on current and supported platforms in your organization.
 2. Leave maximum operating system unspecified (no limit) or set it to the last validated version in your organization to allow time for internal testing of new operating system releases.
 
-For details, see [Set device type restrictions](../enrollment/enrollment-restrictions-set.md#create-a-device-type-restriction).
+For details, see [Create a device platform restriction](../enrollment/enrollment-restrictions-set.md#create-a-device-platform-restriction).
 
 ## Operating system version reporting and compliance with Intune MDM device compliance policies
 
@@ -71,7 +71,7 @@ Organizations are using device compliance policies for the same scenarios as enr
 For details, see [Get started with device compliance](../protect/device-compliance-get-started.md).
 
 ## Operating system version controls using Intune app protection policies    
-Intune app protection policies and mobile application management (MAM) access settings let you to specify the minimum operating system version at the app layer. This lets you inform and encourage, or require, your end users to update their operating system to a specified minimum version.
+Intune app protection policies and mobile application management (MAM) access settings let you specify the minimum operating system version at the app layer. This lets you inform and encourage, or require, your end users to update their operating system to a specified minimum version.
 
 You have two different options: 
 - **Warn** - Warn informs the end user that they should upgrade if they open an app with an application protection policy or MAM access settings on a device with an operating system version below the specified version. Access is allowed for the app and organizational data.  
@@ -100,6 +100,6 @@ You can use the Intune capabilities described in this article to help you move y
 
 Use the following resources to manage operating system versions in your organization:
 
-- [Set device type restrictions](../enrollment/enrollment-restrictions-set.md#create-a-device-type-restriction)
+- [Set device type restrictions](../enrollment/enrollment-restrictions-set.md)
 - [Get started with device compliance](../protect/device-compliance-get-started.md)
 - [How to create and assign app protection policies](../apps/app-protection-policies.md)