
Commit 2e89611

author
Angela Fleischmann
authored
Merge pull request #6761 from MicrosoftDocs/main
Publish 02/09/2022 3:30 PM PT
2 parents ee0802d + 6095da3 commit 2e89611

14 files changed

Lines changed: 232 additions & 35 deletions

memdocs/autopilot/enrollment-autopilot.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ author: greg-lindsay
99
ms.author: greglin
1010
ms.reviewer: jubaptis
1111
manager: dougeby
12-
ms.date: 03/16/2021
12+
ms.date: 02/09/2022
1313
ms.topic: how-to
1414
ms.service: microsoft-intune
1515
ms.subservice: enrollment
@@ -80,8 +80,7 @@ For information about formatting and using a CSV file to manually add Windows Au
8080
## Assign a user to a specific Autopilot device
8181

8282
> [!NOTE]
83-
> This functionality has been removed as of September 30, 2021.
84-
> While the option to assign user to a device in Autopilot is still available in the GUI portal and PowerShell, it will be ignored by the device during provisioning.
83+
> Assigning a licensed user to a registered Autopilot device using Microsoft Endpoint Manager no longer pre-fills any user information as described below. Please see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452) for details on this change. This change does not impact user assigned policies and apps which are still deployed to the device when a licensed user is assigned. See [Windows Autopilot for pre-provisioned deployment](/mem/autopilot/pre-provision#preparation) for details on this.
8584
8685
You can assign a licensed Intune user to a specific Autopilot device. This assignment:
8786
- Pre-fills a user from Azure Active Directory in the [company-branded](/azure/active-directory/fundamentals/customize-branding) sign-in page during Windows setup.
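Review bot: The new note at line 83 says assignment "no longer pre-fills any user information as described below", but the body it points to is left unchanged, so line 86 still lists "Pre-fills a user from Azure Active Directory" as an effect of the assignment. Consider removing or rewording that bullet rather than relying on the note to contradict it. Smaller points in the same line: "user assigned policies" should be hyphenated as "user-assigned", and the trailing "for details on this" can be dropped.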

memdocs/autopilot/known-issues.md

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,14 @@ This article describes known issues that can often be resolved by configuration
2828

2929
## Known issues
3030

31+
### Reset button causes pre-provisioning to fail on retry
32+
33+
When ESP fails during the pre-provisioning flow and the user selects the reset button, TPM attestation may fail during the retry.
34+
35+
### TPM attestation failure on Windows 11 error code 0x81039023
36+
37+
Some devices may fail TPM attestation on Windows 11 during the pre-provisioning technician flow or self-deployment mode with the error code 0x81039023. There is no workaround currently for this error code, we are working to resolve this issue.
38+
3139
### Duplicate device objects with hybrid Azure AD deployments
3240

3341
A device object is pre-created in Azure AD once a device is registered in Autopilot. If a device goes through a hybrid Azure AD deployment, by design, another device object is created resulting in duplicate entries.
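Review bot: The new entry at lines 31-33, "Reset button causes pre-provisioning to fail on retry", describes the failure but gives the reader nothing to act on: no workaround, no statement that none exists, and no affected Windows versions. The 0x81039023 entry below it does say there is no workaround, so the two entries should be consistent. In line 37, "There is no workaround currently for this error code, we are working to resolve this issue" is a comma splice; split it into two sentences. The heading at line 35 would read better as "TPM attestation failure on Windows 11 with error code 0x81039023".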
@@ -56,7 +64,7 @@ When [customizations are applied to the company branding settings](/azure/active
5664

5765
### TPM attestation is not working on Intel Tiger Lake platforms
5866

59-
TPM attestation support for Intel firmware TPM Tiger Lake platforms are only supported on devices with Windows 10 version 21H2 or higher.
67+
TPM attestation support for Intel firmware TPM Tiger Lake platforms are only supported on devices with Windows 10 version 21H2 or higher. This issue should be resolved by applying the November 2021 LCU.
6068

6169
### Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP
6270
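Review bot: The sentence added at line 67, "This issue should be resolved by applying the November 2021 LCU", does not say how it relates to the requirement stated just before it (Windows 10 version 21H2 or higher). State whether the LCU is needed in addition to 21H2 or lifts that requirement, and identify the update so readers can check whether it is installed. "should be resolved" is hedged; say whether it is resolved. While touching this line, "TPM attestation support ... are only supported" can be simplified to "TPM attestation on Intel firmware TPM Tiger Lake platforms is only supported on ...".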

memdocs/autopilot/troubleshooting.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ author: greg-lindsay
1313
ms.author: greglin
1414
ms.reviewer: jubaptis
1515
manager: dougeby
16-
ms.date: 12/17/2020
16+
ms.date: 02/09/2022
1717
ms.collection: M365-modern-desktop
1818
ms.topic: troubleshooting
1919
---
@@ -32,6 +32,9 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy
3232
- How Windows Autopilot [device profiles](#profile-download) are downloaded
3333
- [Key activities](#key-troubleshooting-activities) to perform during troubleshooting
3434

35+
## Windows Autopilot diagnostics page
36+
On Windows 11, you can open the Autopilot diagnostic page to view additional detailed troubleshooting information about the Autopilot provisioning process. The diagnostics page can be enabled by going to the ESP profile and selecting **Yes** to **Turn on log collection and diagnostics page for end users**. Once it is enabled you can select the **View Diagnostics button** or the keyboard shortcut Ctrl+Shift+D to access any diagnostic information. The diagnostics page is currently supported for commercial OOBE, and Autopilot user-driven mode.
37+
3538
## Windows Autopilot flow
3639

3740
Whether you're performing user-driven or self-deploying device deployments, the troubleshooting process is about the same. It's useful to understand the flow for a specific device:
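Review bot: In line 36, the bold span "**View Diagnostics button**" includes the word "button", which looks like it is outside the UI label; bold only **View Diagnostics**. The heading at line 35 is followed directly by the paragraph with no blank line, unlike the other headings in this hunk. The new section is also not added to the list of topics just above it (lines 32-33), and "commercial OOBE, and Autopilot user-driven mode" has a stray comma.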

memdocs/autopilot/windows-autopilot-whats-new.md

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ author: greg-lindsay
1313
ms.author: greglin
1414
manager: dougeby
1515
ms.reviewer: jubaptis
16-
ms.date: 10/20/2021
16+
ms.date: 02/09/2022
1717
ms.collection:
1818
- M365-modern-desktop
1919
- highpri
@@ -28,6 +28,17 @@ ms.topic: article
2828
- Windows 10
2929
- Windows Holographic, version 2004
3030

31+
## Enrollment Status Page
32+
33+
With the 2022 Intune release, functionality has been added to the [Enrollment Status Page](enrollment-status.md) UI. The application picker for selecting blocking apps has additional improvements for admins:
34+
- A search box has been added for easier selection of apps
35+
- Fixes issue where store apps could not be differentiated between Online and Offline modes
36+
- A new column has been added for **Version** to see which version of the application is selected
37+
38+
See the following example:
39+
40+
![Application picker](images/app-picker.png)
41+
3142
## Autopilot agility rolling out
3243

3344
Autopilot agility is a new feature that allows updates and bug fixes to the OOBE experience. These updates occur before device enrollment, after the AADJ login page and may result in an additional reboot and authentication prompt to the user. This feature is rolling out to Windows 10 1909 and 2004/20H2 with August cumulative update and is not yet available for Windows 11.
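Review bot: "With the 2022 Intune release" at line 33 does not say which 2022 release is meant; name the specific service release so admins can tell whether their tenant has the change. The second bullet at line 35, "Fixes issue where store apps could not be differentiated between Online and Offline modes", breaks parallel structure with the other two bullets; something like "Store apps can now be differentiated between Online and Offline modes" would match. The alt text "Application picker" at line 40 could describe what the screenshot shows (search box, Version column).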

memdocs/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -77,7 +77,7 @@ After you create Exploit Guard policies, use the Deploy Exploit Guard Policy wiz
7777
## Windows Defender Exploit Guard policy settings
7878
7979
### <a name="bkmk_ASR"></a> Attack Surface Reduction policies and options
80-
Attack Surface Reduction can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office, script, and mail-based malware. Learn more about [Attack Surface Reduction](/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction) and the Event IDs used for it.
80+
Attack Surface Reduction can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office, script, and mail-based malware. Learn more about [Attack Surface Reduction](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement) and the Event IDs used for it.
8181
8282
- **Files and Folders to exclude from Attack Surface Reduction rules** - Click on **Set** and specify any files or folders to exclude.
8383
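Review bot: The sentence at line 80 still promises "and the Event IDs used for it", but the link target changes from a customization article to /microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement. Please confirm the new target covers the event IDs, or add a second link for them. The link text "Attack Surface Reduction" also no longer describes a page about implementing rule deployment.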

memdocs/intune/fundamentals/assign-role.md

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -40,15 +40,20 @@ To create, edit, or assign roles, your account must have one of the following pe
4040

4141
2. On the **Endpoint Manager roles - All roles** blade, choose the built-in role you want to assign > **Assignments** > **+ Assign**.
4242

43-
5. On the **Basics** page, enter an **Assignment name** and optional **Assignment description**, and then choose **Next**.
43+
3. On the **Basics** page, enter an **Assignment name** and optional **Assignment description**, and then choose **Next**.
4444

45-
6. On the **Admin Groups** page, select the group that contains the user you want to give the permissions to. Choose **Next**
45+
4. On the **Admin Groups** page, select the group that contains the user you want to give the permissions to. Choose **Next**.
4646

47-
7. On the **Scope (Groups)** page, choose a group containing the users/devices that the member above will be allowed to manage. You also have the option to choose all users and/or all devices. Choose **Next**.
47+
5. On the **Scope (Groups)** page, choose a group containing the users/devices that the member above will be allowed to manage. You also have the option to choose all users and/or all devices. Choose **Next**.
48+
49+
> [!NOTE]
50+
> The **All users** and **All devices** are [Intune virtual groups](groups-add.md) and not Azure Active Directory (Azure AD) security groups. As a result, for **Scope (Groups)** assignment purposes you cannot use them as parents of Azure AD security groups. If you need both **All users** and **All devices** and specific Azure AD security groups for **Scope (Groups)** assignments, you must add them separately with separate assignments. Otherwise, even if the **Scope (Groups)** assignment for a role is set to **All Users** the admin in this role won't have access to specific Azure AD user groups.
51+
>
52+
> For Azure AD security groups, nesting is supported.
4853
49-
8. On the **Scope (Tags)** page, choose tags where this role assignment will be applied. Choose **Next**.
54+
7. On the **Scope (Tags)** page, choose tags where this role assignment will be applied. Choose **Next**.
5055

51-
9. On the **Review + Create** page, when you're done, choose **Create**. The new assignment is displayed in the list of assignments.
56+
8. On the **Review + Create** page, when you're done, choose **Create**. The new assignment is displayed in the list of assignments.
5257

5358
## Next steps
5459
- [Learn more about role-based access control in Intune](role-based-access-control.md)
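Review bot: The renumbered steps skip 6: the list goes 3, 4, 5 (lines 43-47), then the note, then 7 and 8 (lines 54 and 56). Renumber the last two to 6 and 7. If the note at lines 49-52 belongs to step 5, indent it under that step so it does not interrupt the ordered list. In line 50, "The **All users** and **All devices** are" needs a noun such as "groups" or the article dropped, and the casing switches between "All users" and "All Users" within the same note.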

memdocs/intune/fundamentals/in-development.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ keywords:
88
author: dougeby
99
ms.author: dougeby
1010
manager: dougeby
11-
ms.date: 02/03/2022
11+
ms.date: 02/09/2022
1212
ms.topic: conceptual
1313
ms.service: microsoft-intune
1414
ms.subservice: fundamentals
@@ -65,6 +65,9 @@ You can use RSS to be notified when this article is updated. For more informatio
6565

6666
## App management
6767

68+
### iOS Company Portal minimum required version<!-- 13016075 -->
69+
With the March 2203 release of the MS Authenticator app, users will be required to update to v5.2203 of the iOS Company Portal. If you have enabled the **[Block installing apps using App Store](../configuration/device-restrictions-ios.md#settings-apply-to-automated-device-enrollment-supervised)** device restriction setting, you will likely need to push an update to the related devices that use this setting. Otherwise, no action is needed. If you have a helpdesk, you may want to make them aware of the prompt to update the Company Portal app. In most cases, users have app updates set to automatic, so they receive the updated Company Portal app without taking any action. Users that have an earlier app version will be prompted to update to the latest Company Portal app.
70+
6871
### Password complexity for Android devices<!-- 9321870 -->
6972
The **Require device lock** setting in Intune will be extended to include values (**Low Complexity**, **Medium Complexity**, and **High Complexity**). If the device lock doesn't meet the minimum password requirement, you'll be able to **warn**, **wipe data**, or **block** the end user from accessing a managed account in a managed app.
7073
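Review bot: "With the March 2203 release" at line 69 reads as a typo for a year; if 2203 is the release identifier, write it so it cannot be mistaken for one, for example "March (2203) release". Use the full product name "Microsoft Authenticator" instead of "MS Authenticator". The paragraph also does not say why the Authenticator release requires a newer Company Portal; one clause on that would help admins who use the **Block installing apps using App Store** setting judge how urgent the push is.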

windows-365/business-enterprise-comparison.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,7 @@ Windows 365 is available in two editions: [Windows 365 Business](./business/inde
6060
| Monitoring | Not supported. | Endpoint Analytics reporting and monitoring, service health, and operational health alerts. |
6161
| Troubleshooting | Not supported | Microsoft Endpoint Manager troubleshooting including the Troubleshooting blade, device management actions, and reprovisioning of Cloud PCs to their initial state. |
6262
| Partner/programmatic access | Not supported | Partners can manage Cloud PCs through Microsoft 365 Lighthouse or restful web APIs (Graph) to support Managed Service Provider tooling for up to 300 seats. |
63+
| Universal Print | Not supported. | Supported. |
6364

6465
## End user comparisons
6566

windows-365/business/remotely-manage-business-cloud-pcs.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -56,11 +56,11 @@ To use these remote actions, you must have either of the following Azure Active
5656
## Remotely manage Cloud PCs by using the Microsoft 365 admin center
5757

5858
1. Sign in to [Microsoft 365 admin center](https://admin.microsoft.com).
59-
2. In the left navigation select **Users** -> **Active users**.
59+
2. In the left navigation, select **Users** -> **Active users**.
6060
3. Select the user whose Cloud PC you want to manage.
6161
4. Select **Devices**.
6262
5. Select the Cloud PC you want to manage.
63-
6. Select the action that you want to perform .
63+
6. Select the action that you want to perform.
6464

6565
## Remote management actions
6666

@@ -76,11 +76,13 @@ The following remote actions are supported on winodws365.microsoft.com and the M
7676
- Removes all apps and locally stored files.
7777
- Removes changes made to settings.
7878

79+
For Windows 365 Business users, it’s not possible to upgrade their Windows 10 Cloud PC to Windows 11 and retain their data and settings. Instead, to upgrade them to a Windows 11 Cloud PC, you must use the **Reset** remote action and choose Windows 11. Reset is a destructive action that removes all the user's data and settings from their Cloud PC.
80+
7981
**Restart**: Restart a user’s Cloud PC on their behalf.
8082

8183
## Grant remote action permissions to another user
8284

83-
If you want to grant remote action permissions to another user, you can assign the Windows 365 Administrator role to them. This role is scoped to performing actions that can alter the state of a Cloud PC. This role cannot manage users, licenses, or billing.
85+
If you want to grant remote action permissions to another user, you can assign the Windows 365 Administrator role to them. This role is scoped to performing actions that can alter the state of a Cloud PC. This role can't manage users, licenses, or billing.
8486

8587
To assign a Windows 365 Administrator role to a user:
8688
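Review bot: The paragraph added at line 79 describes data loss ("Reset is a destructive action that removes all the user's data and settings from their Cloud PC") in plain body text; put it in a > [!IMPORTANT] or > [!WARNING] alert, in the same style as the > [!NOTE] blocks used elsewhere in this commit, so it is not skimmed past. The hunk header context also shows a misspelled host name in this file, "winodws365.microsoft.com", which is worth fixing in the same change. The added line uses a curly apostrophe in "it’s" while the edit at line 85 uses a straight one in "can't".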
