Merge branch 'main' of https://github.com/microsoftdocs/memdocs-pr into ebyignite

Author: dougeby

memdocs/configmgr/comanage/workloads.md

@@ -15,9 +15,9 @@ ms.collection: highpri
 
 # Co-management workloads
 
-You don't have to switch the workloads, or you can do them individually when you're ready. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.
+You don't have to switch any of the workloads. When you're ready, you can switch them individually, several at once, or all at the same time. However, until you switch the workloads over to Intune, Configuration Manager continues to manage the workloads that you don't switch to Intune, along with all other features of Configuration Manager that co-management doesn't support.
 
-If you switch a workload to Intune, but later change your mind, you can switch it back to Configuration Manager.
+If you switch a workload to Intune, but later change your mind, you can switch it back to Configuration Manager, although there might be an impact. For example, Windows and Office versions will remain at a later version if installed by Intune.
 
 Co-management supports the following workloads:
 
@@ -45,6 +45,9 @@ For more information on the Intune feature, see [Use compliance policies to set
 
 Windows Update for Business policies let you configure deferral policies for Windows 10 or later feature updates or quality updates for Windows 10 or later devices managed directly by Windows Update for Business.
 
+> [!NOTE]
+> To use Windows Autopatch with these devices, this workload needs to be managed by Intune. For more information, see [Prerequisites for Windows Autopatch](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites).
+
 For more information on the Intune feature, see [Manage Windows software updates in Intune](../../intune/protect/windows-update-for-business-configure.md).
 
 ## Resource access policies
@@ -96,6 +99,8 @@ The device configuration workload includes settings that you manage for devices
 
 You can still deploy settings from Configuration Manager to co-managed devices even though Intune is the device configuration authority. This exception might be used to configure settings that your organization requires but aren't yet available in Intune. Specify this exception on a [Configuration Manager configuration baseline](../compliance/deploy-use/create-configuration-baselines.md). Enable the option to **Always apply this baseline even for co-managed clients** when creating the baseline. You can change it later on the **General** tab of the properties of an existing baseline.
 
+To use Windows Autopatch with these devices, this workload needs to be managed by Intune. For more information, see [Prerequisites for Windows Autopatch](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites).
+
 For more information on the Intune feature, see [Create a device profile in Microsoft Intune](../../intune/configuration/device-profile-create.md).
 
 > [!NOTE]
@@ -125,6 +130,9 @@ Updates can be managed using either of the following features:
 - [Use Update Channel and Target Version settings to update Microsoft 365 with Microsoft Intune Administrative Templates](../../intune/configuration/administrative-templates-update-office.md)
 - [Manage Microsoft 365 Apps with Configuration Manager](../sum/deploy-use/manage-office-365-proplus-updates.md).
 
+> [!NOTE]
+> To use Windows Autopatch with these devices, this workload needs to be managed by Intune. For more information, see [Prerequisites for Windows Autopatch](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites).
+
 For more information on the Intune feature, see [Add Microsoft 365 apps to Windows devices with Microsoft Intune](../../intune/apps/apps-add-office365.md).
 
 ## Client apps

memdocs/configmgr/hotfix/2207/14840616.md

@@ -40,8 +40,6 @@ The "Issues that are fixed" list isn't inclusive of all changes. Instead, it hig
 - Computers with updated BIOS may be duplicated in some collections. This happens because of duplicate information stored in the hardware inventory tables.
 <!-- 12554467 -->
 - Clients may generate excessive traffic to the Management point while downloading the WebView2 installation files. This happens after enabling the **Display custom tabs with Microsoft Edge WebView2 runtime** client setting. This update adds randomization to the WebView2 download process to reduce overall management point load.
-<!-- 1261946 -->
-- Discovery data for computers from untrusted domains may be marked as obsolete when they go through the client re-registration process. 
 <!-- 13177588 -->
 - The **New-CMFolder** PowerShell cmdlet allows invalid characters as input for folder names. This prevents later modification of the folder name in the Configuration Manager console.
 <!-- 13464778 -->

memdocs/intune/apps/app-discovered-apps.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 03/29/2022
+ms.date: 09/13/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -31,7 +31,7 @@ ms.collection: M365-identity-device-management
 
 # Intune discovered apps
 
-Intune **discovered apps** is a list of detected apps on the Intune enrolled devices in your tenant. It acts as a software inventory for your tenant. **Discovered apps** is a separate report from the [app installation](apps-monitor.md) reports. For personal devices, Intune never collects information on applications that are unmanaged. On corporate devices, any app whether it is a managed app or not is collected for this report. Below is the table mapping the expected behavior. In general, the report refreshes every 7 days from the time of enrollment (not a weekly refresh for the entire tenant). The only exception to this refresh period is application information collected through the Intune Management Extension for Win32 Apps, which is collected every 24 hours.
+Intune **discovered apps** is a list of detected apps on the Intune enrolled devices in your tenant. It acts as a software inventory for your tenant. **Discovered apps** is a separate report from the [app installation](apps-monitor.md) reports. For personal devices, Intune never collects information on applications that are unmanaged. On corporate devices, any app whether it is a managed app or not is collected for this report. Below is the table mapping the expected behavior. In general, the report refreshes every 7 days from the time of enrollment (not a weekly refresh for the entire tenant). The only exception to this refresh cycle for the **Discovered apps** report is application information collected through the Intune Management Extension for Win32 Apps, which is collected every 24 hours.
 
 ## Monitor discovered apps with Intune
 
@@ -71,6 +71,7 @@ The following list provides the app platform type, the apps that are monitored f
 > - Windows 10/11 co-managed devices, as shown in the [client apps](../../configmgr/comanage/workloads.md#client-apps) workload in Configuration Manager, do not currently collect app inventory through the Intune Management Extension (IME) as per the above schedule. To mitigate this issue, the [client apps](../../configmgr/comanage/workloads.md#client-apps) workload in Configuration Manager should be switched to Intune for the IME to be installed on the device (IME is required for Win32 inventory and PowerShell deployment). Note that any changes or updates on this behavior are announced in [in development](../fundamentals/in-development.md) and/or [what's new](../fundamentals/whats-new.md).
 > - Personally-owned macOS devices enrolled before November 2019 may continue to show all apps installed on the device until the devices are enrolled again.
 > - Android Enterprise Fully Managed, Dedicated, and Corporate-Owned Work Profile devices do not display discovered apps.
+> - For customers using a Mobile Threat Defense partner with Intune, [App Sync data](../protect/mtd-connector-enable.md) is sent to Mobile Threat Defense partners at an interval based on device check-in, and should not be confused with the refresh interval for the Discovered Apps report.
 
 The number of discovered apps may not match the app install status count. Possibilities for inconsistencies include:
 

memdocs/intune/apps/app-protection-policy-settings-android.md

@@ -57,7 +57,7 @@ There are three categories of policy settings: data protection settings, access
 |<ul><b><ul><b>**Allow users to open data from selected services** |Select the application storage services that users can open data from. All other services are blocked. Selecting no services will prevent users from opening data.<br><br>Supported services:<ul><li>OneDrive for Business</li><li>SharePoint Online</li><li>Camera</li><li>Photo Library</li></ul>**Note:** Camera does not include Photos or Photo Gallery access. When selecting **Photo Library** in the **Allow users to open data from selected services** setting within Intune, you can allow managed accounts to allow *incoming* data from their device's photo library to their managed apps. |**All selected**  |
 |**Restrict cut, copy and paste between other apps** |Specify when cut, copy, and paste actions can be used with this app. Choose from: <ul><li>**Blocked**:  Do not allow cut, copy, and paste actions between this app and any other app.</li><li>**Policy managed apps**: Allow cut, copy, and paste actions between this app and other policy-managed apps.</li><li>**Policy managed with paste in**: Allow cut or copy between this app and other policy-managed apps. Allow data from any app to be pasted into this app.</li><li>**Any app**: No restrictions for cut, copy, and paste to and from this app. |**Any app** |
 |<ul><b>**Cut and copy character limit for any app** |Specify the number of characters that may be cut or copied from org data and accounts.  This will allow sharing of the specified number of characters when it would be otherwise blocked by the "Restrict cut, copy, and paste with other apps" setting.<p>Default Value = 0<p>**Note**: Requires Intune Company Portal version 5.0.4364.0 or later.  |**0** |
-|**Screen capture and Google Assistant** |Select **Block** to block screen capture and the **Google Assistant** capabilities of the device when using this app. Choosing **Block** will also blur the App-switcher preview image when using this app with a work or school account.|**Block** |
+|**Screen capture and Google Assistant** |Select **Block** to block screen capture and block **Google Assistant** accessing org data on the device when using this app. Choosing **Block** will also blur the App-switcher preview image when using this app with a work or school account.<p>**Note**: Google Assistant may be accessible to users for scenarios that do not access org data.  |**Block** |
 |**Approved keyboards**  |Select *Require* and then specify a list of approved keyboards for this policy. <p>Users who aren't using an approved keyboard receive a prompt to download and install an approved keyboard before they can use the protected app. This setting requires the app to have the Intune SDK for Android version 6.2.0 or later. |**Not required** |
 |<ul><b>**Select keyboards to approve** |This option is available when you select *Require* for the previous option. Choose *Select* to manage the list of keyboards and input methods that can be used with apps protected by this policy. You can add additional keyboards to the list, and remove any of the default options. You must have at least one approved keyboard to save the setting. Over time, Microsoft may add additional keyboards to the list for new App Protection Policies, which will require administrators to review and update existing policies as needed.<p>To add a keyboard, specify: <ul><li>**Name**: A friendly name that that identifies the keyboard, and is visible to the user. </li><li>**Package ID**:  The Package ID of the app in the Google Play store. For example, if the URL for the app in the Play store is `https://play.google.com/store/details?id=com.contoskeyboard.android.prod`, then the Package ID is `com.contosokeyboard.android.prod`. This package ID is presented to the user as a simple link to download the keyboard from Google Play.</li></ul></p> <p>**Note:** A user assigned multiple App Protection Policies will be allowed to use only the approved keyboards common to all policies.</p> ||
 

memdocs/intune/apps/app-protection-policy-settings-ios.md

@@ -74,7 +74,7 @@ There are three categories of policy settings: *Data relocation*, *Access requir
 ### Functionality
 | Setting | How to use | Default value |
 |------|----------|-------|
-|  **Sync policy managed app data with native apps or add-ins** | Choose Block to prevent policy managed apps from saving data to the device's native apps (like Contacts, Calendar and widgets), or to prevent the use of add-ins within the policy managed apps. If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.<br><br>When you perform a selective wipe to remove work, or school data from the app, contacts data synced directly from the app to the native Contacts app are removed. Any contacts data synced from the native Contacts app to another external source can't be wiped. Currently, this applies only to Outlook for iOS app; for more information, see [Deploying Outlook for iOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).   | **Allow**  |
+|  **Sync policy managed app data with native apps or add-ins** | Choose Block to prevent policy managed apps from saving data to the device's native apps (Contacts, Calendar and widgets) and to prevent the use of add-ins within the policy managed apps. Applications may provide additional controls to customize the data sync behavior to specific native apps or not honor this control. <br><br>If you choose Allow, the policy managed app can save data to the native apps or use add-ins, if those features are supported and enabled within the policy managed app.<br><br>When you perform a selective wipe to remove work, or school data from the app, contacts data synced directly from the app to the native Contacts app are removed. Any contacts data synced from the native Contacts app to another external source can't be wiped. Currently, this applies only to Outlook for iOS app; for more information, see [Deploying Outlook for iOS and Android app configuration settings](/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune).<br><br>**Note**: *The following apps support this feature: <ul><li>Outlook for iOS</li>*</ul>  | **Allow**  |
 | **Printing Org data** | Select **Block** to prevent the app from printing work or school data. If you leave this setting to **Allow**, the default value, users will be able to export and print all Org data.  | **Allow**  |
 | **Restrict web content transfer with other apps** | Specify how web content (http/https links) is opened from policy-managed applications. Choose from: <ul><li>**Any app**: Allow web links in any app.</li><li>**Intune Managed Browser**: Allow web content to open only in the Intune Managed Browser. This browser is a policy-managed browser.</li><li>**Microsoft Edge**: Allow web content to open only in the Microsoft Edge. This browser is a policy-managed browser.</li><li>**Unmanaged browser**: Allow web content to open only in the unmanaged browser defined by **Unmanaged browser protocol** setting. The web content will be unmanaged in the target browser.<br>**Note**: Requires app to have Intune SDK version 11.0.9 or later.</li></ul> If you're using Intune to manage your devices, see [Manage Internet access using managed browser policies with Microsoft Intune](manage-microsoft-edge.md).<br><br>If a policy-managed browser is required but not installed, your end users will be prompted to install the Microsoft Edge.<p>If a policy-managed browser is required, iOS/iPadOS Universal Links are managed by the **Allow app to transfer data to other apps** policy setting. <p>**Intune device enrollment**<br>If you are using Intune to manage your devices, see Manage Internet access using managed browser policies with Microsoft Intune. <p>**Policy-managed Microsoft Edge**<br>The Microsoft Edge browser for mobile devices (iOS/iPadOS and Android) supports Intune app protection policies. Users who sign in with their corporate Azure AD accounts in the Microsoft Edge browser application will be protected by Intune. The Microsoft Edge browser integrates the Intune SDK and supports all of its data protection policies, with the exception of preventing:<br><ul><li>**Save-as**: The Microsoft Edge browser does not allow a user to add direct, in-app connections to cloud storage providers (such as OneDrive).</li><li>**Contact sync**: The Microsoft Edge browser does not save to native contact lists.</li></ul><br>**Note**: *The Intune SDK cannot determine if a target app is a browser. On iOS/iPadOS devices, no other managed browser apps are allowed.*    | **Not configured**  |
 |<ul>**Unmanaged Browser Protocol** | Enter the protocol for a *single* unmanaged browser. Web content (http/https links) from policy managed applications will open in any app that supports this protocol. The web content will be unmanaged in the target browser. <br><br>This feature should only be used if you want to share protected content with a specific browser that is not enabled using Intune app protection policies. You must contact your browser vendor to determine the protocol supported by your desired browser.<br><br>**Note**: *Include only the protocol prefix. If your browser requires links of the form `mybrowser://www.microsoft.com`, enter `mybrowser`.*<br>Links will be translated as:<br><ul><li>`http://www.microsoft.com` > `mybrowser://www.microsoft.com`</li><li>`https://www.microsoft.com` > `mybrowsers://www.microsoft.com`</li></ul> | **Blank**  |