Merge pull request #6981 from MicrosoftDocs/main

Publish 03/09/2022, 10:30 AM

Author: v-dihans

memdocs/configmgr/comanage/workloads.md

@@ -50,7 +50,7 @@ For more information on the Intune feature, see [Manage Windows software updates
 ## Resource access policies
 
 > [!IMPORTANT]
-> Starting in Configuration Manager version 2103, these company resource access features of Configuration Manager and this co-management workload are [deprecated](../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../intune/configuration/device-profiles.md).
+> Starting in Configuration Manager version 2103, these company resource access features of Configuration Manager and this co-management workload are [deprecated](../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../intune/configuration/device-profiles.md). For more information, see [Frequently asked questions about resource access deprecation](../protect/plan-design/resource-access-deprecation-faq.yml).
 
 Resource access policies configure VPN, Wi-Fi, email, and certificate settings on devices.
 

memdocs/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md

@@ -5,7 +5,7 @@ description: Learn about the features that Configuration Manager no longer suppo
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: conceptual
-ms.date: 01/10/2022
+ms.date: 03/09/2022
 author: mestew
 ms.author: mstewart
 manager: dougeby
@@ -42,7 +42,7 @@ The following features are deprecated. You can still use them now, but Microsoft
 | The BitLocker management implementation for the [recovery service](../../../../protect/deploy-use/bitlocker/recovery-service.md) has changed. The legacy MBAM-based service is replaced by the messaging processing engine on the management point. | March 2021 | The first release after May 2022 |
 |Desktop Analytics data for Windows 7, Windows 8, and earlier versions of Windows 10 that don't support the [Windows diagnostic data processor configuration](../../../../desktop-analytics/whats-new.md#support-for-the-windows-diagnostic-data-processor-configuration).<!-- 10220671 -->|July 2021|January 31, 2022|
 |Older style of console extensions that haven't been approved in the **Console Extension** node, will no longer be supported. For more information about new console extensions, see [Manage console extensions](../../../servers/manage/admin-console-extensions.md). <!--3555909-->|April 2021|TBD<sup>[Note 1](#bkmk_note1)</sup>|
-| The following compliance settings for **Company resource access**: <!-- 9315387 --> [Certificate profiles](../../../../protect/deploy-use/introduction-to-certificate-profiles.md), [VPN profiles](../../../../protect/deploy-use/vpn-profiles.md), [Wi-Fi profiles](../../../../protect/deploy-use/create-wifi-profiles.md), [Windows Hello for Business settings](../../../../protect/deploy-use/windows-hello-for-business-settings.md), and email profiles. This deprecation includes the [co-management resource access workload](../../../../comanage/workloads.md#resource-access-policies). Use Microsoft Intune to [deploy resource access profiles](../../../../../intune/configuration/device-profiles.md). | March 2021 | The first release after March 1, 2022 |
+| The following compliance settings for **Company resource access**: <!-- 9315387 --> [Certificate profiles](../../../../protect/deploy-use/introduction-to-certificate-profiles.md), [VPN profiles](../../../../protect/deploy-use/vpn-profiles.md), [Wi-Fi profiles](../../../../protect/deploy-use/create-wifi-profiles.md), [Windows Hello for Business settings](../../../../protect/deploy-use/windows-hello-for-business-settings.md), and email profiles. This deprecation includes the [co-management resource access workload](../../../../comanage/workloads.md#resource-access-policies). Use Microsoft Intune to [deploy resource access profiles](../../../../../intune/configuration/device-profiles.md). For more information, see [Frequently asked questions about resource access deprecation](../../../../protect/plan-design/resource-access-deprecation-faq.yml). | March 2021 | The first release after March 1, 2022 |
 | Sites that allow HTTP client communication. Configure the site for HTTPS or Enhanced HTTP. For more information, see [Enable the site for HTTPS-only or enhanced HTTP](../../../servers/deploy/install/list-of-prerequisite-checks.md#enable-site-system-roles-for-https-or-enhanced-http).<!-- 9390933,9572265 --> | March 2021 | The first release after November 1, 2022 |
 |The geographical view in the **Site Hierarchy** node of the **Monitoring** workspace in the Configuration Manager console.<!--8116777-->|August 2020|TBD|
 |The implementation for sharing content from Azure has changed. Use a content-enabled cloud management gateway. Starting in version 2107, you can't create a traditional cloud distribution point.<!-- 10247883 -->|February 2019| The first release after October 5, 2022|

memdocs/configmgr/mdt/user-driven-installation-developers-guide.md

@@ -3973,7 +3973,7 @@ Table 84 provides information about the [DLLs](#DLLs) element.
 ##### Element Attributes  
  Table 86 lists the attributes of the [Error](#Error) element and provides a description of each.  
 
-###  
+### Table 86. Error Element Information 
 
 | **Attribute** |                                                                                                                                                                                      **Description**                                                                                                                                                                                       |
 |---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

memdocs/configmgr/protect/TOC.yml

@@ -25,6 +25,8 @@ items:
       href: plan-design/security-and-privacy-for-wifi-vpn-profiles.md
     - name: Certificate profiles
       href: plan-design/security-and-privacy-for-certificate-profiles.md
+  - name: Resource access deprecation FAQ
+    href: plan-design/resource-access-deprecation-faq.yml
 - name: Deploy and use
   items:
   - name: Endpoint Protection

memdocs/configmgr/protect/deploy-use/introduction-to-certificate-profiles.md

@@ -17,7 +17,7 @@ ms.localizationpriority: medium
 *Applies to: Configuration Manager (current branch)*
 
 > [!IMPORTANT]
-> Starting in Configuration Manager version 2103, this company resource access feature is [deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../../intune/configuration/device-profiles.md).
+> Starting in Configuration Manager version 2103, this company resource access feature is [deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../../intune/configuration/device-profiles.md). For more information, see [Frequently asked questions about resource access deprecation](../plan-design/resource-access-deprecation-faq.yml).
 
 Certificate profiles work with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role. Create and deploy authentication certificates for managed devices so that users can easily access organizational resources. For example, you can create and deploy certificate profiles to provide the necessary certificates for users to connect to VPN and wireless connections.
 

memdocs/configmgr/protect/deploy-use/vpn-profiles.md

@@ -17,7 +17,7 @@ ms.localizationpriority: medium
 *Applies to: Configuration Manager (current branch)*
 
 > [!IMPORTANT]
-> Starting in Configuration Manager version 2103, this company resource access feature is [deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../../intune/configuration/device-profiles.md).
+> Starting in Configuration Manager version 2103, this company resource access feature is [deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../../intune/configuration/device-profiles.md). For more information, see [Frequently asked questions about resource access deprecation](../plan-design/resource-access-deprecation-faq.yml).
 
 <!--1283610-->
 To deploy VPN settings to users in your organization, use VPN profiles in Configuration Manager. By deploying these settings, you minimize the end-user effort required to connect to resources on the company network.  

memdocs/configmgr/protect/deploy-use/windows-hello-for-business-settings.md

@@ -20,7 +20,7 @@ ms.localizationpriority: medium
 Configuration Manager integrates with Windows Hello for Business. (This feature was formerly known as Microsoft Passport for Work.) Windows Hello for Business is an alternative sign-in method for Windows 10 devices. It uses Active Directory or an Azure Active Directory (Azure AD) account to replace a password, smart card, or virtual smart card. Hello for Business lets you use a *user gesture* to sign in instead of a password. A user gesture might be a PIN, biometric authentication, or an external device such as a fingerprint reader.
 
 > [!Important]  
-> Starting in Configuration Manager version 2103, this company resource access feature is [deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../../intune/configuration/device-profiles.md).
+> Starting in Configuration Manager version 2103, this company resource access feature is [deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md).<!-- 9315387 --> Use Microsoft Intune to [deploy resource access profiles](../../../intune/configuration/device-profiles.md). For more information, see [Frequently asked questions about resource access deprecation](../plan-design/resource-access-deprecation-faq.yml).
 >
 > Starting in version 1910, certificate-based authentication with Windows Hello for Business settings in Configuration Manager isn't supported. For more information, see [deprecated features](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md). Key-based authentication is still valid.
 >

memdocs/configmgr/protect/plan-design/resource-access-deprecation-faq.yml

@@ -0,0 +1,64 @@
+### YamlMime:FAQ
+metadata:
+  title: FAQ for resource access deprecation
+  titleSuffix: Configuration Manager
+  description: Frequently asked questions (FAQ) about the end of support for compliance settings for company resource access features.
+  author: aczechowski
+  ms.author: aaroncz
+  ms.reviewer: dannygu
+  manager: dougeby
+  ms.date: 02/17/2022
+  ms.topic: faq
+  ms.prod: configuration-manager
+  ms.technology: configmgr-protect
+  ms.localizationpriority: medium
+
+title: Frequently asked questions about resource access deprecation
+summary: |
+  *Applies to: Configuration Manager (current branch)* 
+
+  Starting in Configuration Manager version 2103, the following company resource access [features are deprecated](../../core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md):<!-- 9315387 -->
+
+  - Certificate profiles
+  - VPN profiles
+  - Wi-Fi profiles
+  - Windows Hello for Business settings
+  - Email profiles
+  - The co-management resource access workload
+
+  This article answers your frequently asked questions about these deprecated features.
+
+sections:
+  - name: Ignored
+    questions:
+      - question: |
+          When will these features be removed from Configuration Manager?
+        answer: |
+          Starting in version 2203, these features will still be in Configuration Manager, but no longer tested or supported. These features will be removed in version 2207.
+
+      - question: |
+          What functionality is available to replace these features?
+        answer: |
+          Use Microsoft Intune to deploy resource access profiles. For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](../../../intune/configuration/device-profiles.md).
+
+          Use [co-management](../../comanage/overview.md) to enroll Configuration Manager clients to Intune.
+
+      - question: |
+          What do I do if I'm deploying wi-fi profiles with Configuration Manager?
+        answer: |
+          Before you upgrade to Configuration Manager version 2203, [enable co-management](../../comanage/how-to-enable.md), and deploy the same wi-fi profiles with Intune. For more information, see [Add and use Wi-Fi settings on your devices in Microsoft Intune](../../../intune/configuration/wi-fi-settings-configure.md). If you don't take action, the existing wi-fi profiles will persist on devices but are unmanaged.
+
+      - question: |
+          What happens if I don't enable co-management?
+        answer: |
+          If you currently use these features, they're not tested or supported in version 2203. When you upgrade to version 2207, they'll cause error prerequisite checks. You can't deploy any wi-fi, VPN, Windows Hello for Business, or certificate (SCEP, PFX, or root CA) profiles to Configuration Manager clients. Any existing deployed profiles won't be removed from devices, and will continue to function. These existing profiles will be unmanaged. For example, When a certificate expires, Configuration Manager won't renew it.
+
+      - question: |
+          What happens if I've enabled co-management, but haven't switched the resource access workload?
+        answer: |
+          Starting in version 2207, co-managed clients will get their policy for this workload from the Intune management authority. This behavior is the same as if you used Configuration Manager version 2111 or earlier to switch the resource access workload to Intune.
+
+      - question: |
+          What alternative options are available?
+        answer: |
+          Configuration Manager version 2111 fully supports these features and is supported until June 2023. For more information, see [Supported versions](../../core/servers/manage/updates.md#supported-versions).

memdocs/intune/configuration/wi-fi-settings-windows.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 01/20/2022
+ms.date: 03/08/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -70,7 +70,7 @@ Basic or personal profiles use WPA/WPA2 to secure the Wi-Fi connection on device
   - **Open (no authentication)**: Only use this option if the network is unsecured.
   - **WPA/WPA2-Personal**: A more secure option, and is commonly used for Wi-Fi connectivity. For more security, you can also enter a pre-shared key password or network key.
 
-    - **Pre-shared key** (PSK): Optional. Shown when you choose **WPA/WPA2-Personal** as the security type. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value. Enter a string between 8-64 characters. If your password or network key is 64 characters, enter hexadecimal characters.
+    - **Pre-shared key** (PSK): Optional. Shown when you choose **WPA/WPA2-Personal** as the security type. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value. Enter an ASCII string that is 8-63 characters long or use 64 hexadecimal characters.
 
       > [!IMPORTANT]
       > The PSK is the same for all devices you target the profile to. If the key is compromised, it can be used by any device to connect to the Wi-Fi network. Keep your PSKs secure to avoid unauthorized access.

memdocs/intune/enrollment/device-group-mapping.md

@@ -51,6 +51,8 @@ You can create any device categories you want. For example:
 
 ## How to configure device categories
 
+You need to be a Global Administrator or Intune Administrator to perform these steps.
+
 ### Step 1: Create device categories in Intune
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Choose **Devices** > **Device categories** > **Create device category** to add a new category.