Merge branch 'main' into EnrollmentRestrctionsGuide

lenewsad · web-flow · commit 3c725db8e0d7 · 2022-08-08T14:57:51.000-04:00
diff --git a/memdocs/autopilot/autopilot-mbr.md b/memdocs/autopilot/autopilot-mbr.md
@@ -180,10 +180,6 @@ To reregister an Autopilot device from Intune, an IT Admin would:
 2. Navigate to Device enrollment > Windows enrollment > Devices > Import.
 3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered. The device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document.
 
-The following video provides a good overview of how to (re)register devices via MSfB.<br>
-
-> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0]
-
 ### Reregister from MPC
 
 To reregister an Autopilot device from MPC, an OEM or CSP would:
diff --git a/memdocs/intune/enrollment/toc.yml b/memdocs/intune/enrollment/toc.yml
@@ -31,14 +31,23 @@ items:
     displayName: COD   
   - name: Incomplete user enrollment report
     href: enrollment-report-company-portal-abandon.md
-  - name: Restrictions
-    href: enrollment-restrictions-set.md  
   - name: Terms and conditions
     href: terms-and-conditions-create.md
   - name: Intune and Azure AD device limits  
     href: device-limit-intune-azure.md    
 - name: How-to guides
   items:
+  - name: Set enrollment restrictions
+    href: enrollment-restrictions-set.md  
+  - name: Add device enrollment manager  
+    href: device-enrollment-manager-enroll.md  
+  - name: Configure device categories  
+    href: device-group-mapping.md   
+  - name: Get Apple MDM push certificate  
+    href: apple-mdm-push-certificate-get.md 
+  - name: Require multi-factor authentication  
+    href: multi-factor-authentication.md
+    displayName: mfa; multifactor   
   - name: Set up Windows enrollment
     items:
     - name: Windows enrollment methods
diff --git a/memdocs/intune/fundamentals/filters-device-properties.md b/memdocs/intune/fundamentals/filters-device-properties.md
@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 02/10/2022
+ms.date: 08/08/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -39,6 +39,8 @@ This article describes the different [device properties](#device-properties) and
 
 ## Device properties
 
+You can use the following device properties in your filter rules:
+
 - **Device Name**: Create a filter rule based on the Intune device name property. Enter a string value for the device's full name (using `-eq`, `-ne`, `-in`, `-notIn` operators), or partial value (using `-startswith`, `-contains`, `-notcontains` operators).
 
   Examples:
diff --git a/windows-365/enterprise/TOC.yml b/windows-365/enterprise/TOC.yml
@@ -29,8 +29,12 @@ items:
     href: customer-permissions.md  
   - name: Device configuration with MEM
     href: device-configuration.md
-  - name: Encryption
-    href: encryption.md
+  - name: Security
+    items:
+    - name: Windows 365 security
+      href: security.md
+    - name: Encryption
+      href: encryption.md
   - name: Privacy and personal data
     href: privacy-personal-data.md
 - name: How-to guides
diff --git a/windows-365/enterprise/known-issues-enterprise.md b/windows-365/enterprise/known-issues-enterprise.md
@@ -53,6 +53,13 @@ Upgrading an existing Cloud PC from Windows 10 to Windows 11 using the Settings
 1. Edit the related provisioning policy to change the gallery image to Windows 11.
 2. Reprovision the Cloud PC.
 
+## In-place Windows updgrade may change computer name
+
+Upgrading an existing Cloud PC between release versions of Windows 10 to Windows 11 may cause the computer name to be changed to a name with a prefix of "pps" while leaving the Intune device name unchanged.
+
+**Troubleshooting steps**: Find and manage the Cloud PC in Microsoft Endpoint Manager by using the unchanged Intune device name, either through the **Devices > All devices** list or the **Devices > Windows 365 > All Cloud PCs** list.
+
+
 ## Windows 365 provisioning fails<!--38483005-->
 
 Windows 365 provisioning failures may occur because both:
diff --git a/windows-365/enterprise/report-remoting-connection.md b/windows-365/enterprise/report-remoting-connection.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS  
 ms.author: erikje
 manager: dougeby
-ms.date: 08/30/2021
+ms.date: 08/08/2022
 ms.topic: overview
 ms.service: cloudpc
 ms.subservice:
@@ -57,13 +57,13 @@ The **Remoting connection** tab lists the following information:
 - Average = 100-200 milliseconds
 - Poor = more than 200 milliseconds
 
-**Sign in time (sec)** is the total time users take to connect to the Cloud PC. Times are given for the most recent sign in time (p95 (Last)) and the Median sign in time. The times for the ratings are:
+**Sign in time (sec)** is the time taken for traffic from users' devices to reach Cloud PC and return. This metric is an indicator of the quality of the connection and can be used to determine the user’s experience. Values displayed are for the median time of the most recent reading of the metric’s 95th percentile value (p95 (Last)). A rating is provided for these values based on the criteria below. The times for the ratings are:
 
 - Good = 0-30 seconds
 - Average = 30-60 seconds
 - Poor = more than 60 seconds
 
-**Insights and recommendations** suggests actions that you can take to improve your scores.
+**Insights and recommendations** provide information about the actions that you can take to improve scores for specific Cloud PCs that have poor or average ratings.
 
 ![Screenshot of using the remoting connection tab](./media/report-remoting-connection/remoting-connection-tab.png)
 
@@ -75,13 +75,16 @@ You can review the **Round trip time** and **Sign in time** for each Cloud PC mo
 
 ## Device performance tab
 
-You can review the **Round trip time** and **Sign in time** for each Cloud PC device in your organization.
+You can review a list of the **Round trip time** and **Sign in time** values for all the Cloud PC devices in your organization.
 
 ![Screenshot of using the device performance tab](./media/report-remoting-connection/device-performance-tab.png)
 
 ## Device history
 
-When you select on a particular device in one of the reports, you'll see specific information for that device.  
+Select a device in one of the reports to see a daily aggregate bar chart for that device over the last 14 days. Days that have no values are excluded from the chart. Hover over individual days to see values at the bottom of the chart.
+
+> [!NOTE]
+> There may be days when users have signed in but the graph does not display a value. This is caused by the method the graph uses to calculate some edge cases than can result in incorrect data.
 
 ![Screenshot of using the device history](./media/report-remoting-connection/device-history.png)
 
diff --git a/windows-365/enterprise/requirements.md b/windows-365/enterprise/requirements.md
@@ -81,7 +81,7 @@ Windows 365 manages the capacity and availability of underlying Azure resources
 - US Central
 - US East
 - US East 2
-- US West 2
+- US West 2 (Restricted, contact support)
 - US West 3
 - US South central
 - Asia Southeast
diff --git a/windows-365/enterprise/security.md b/windows-365/enterprise/security.md
@@ -0,0 +1,94 @@
+---
+# required metadata
+title: Overview of security concepts in Windows 365
+titleSuffix:
+description: Learn about security concepts in Windows 365.
+keywords:
+author: ErikjeMS  
+ms.author: erikje
+manager: dougeby
+ms.date: 07/20/2022
+ms.topic: overview
+ms.service: cloudpc
+ms.subservice:
+ms.localizationpriority: high
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: chrimo
+ms.suite: ems
+search.appverid: 
+#ms.tgt_pltfrm:
+ms.custom: intune-azure; get-started
+ms.collection: M365-identity-device-management
+---
+
+# Windows 365 security
+
+Windows 365 provides an end-to-end connection flow for users to do their work effectively and securely. Windows 365 is built with [Zero Trust](/security/zero-trust/zero-trust-overview) in mind, providing the foundation for you to implement controls to better secure your environment across the 6 pillars of Zero Trust. You can implement Zero Trust controls for the following categories:
+
+- Securing the access to the Cloud PC
+    - This aligns with securing the **Identity**, where you can place additional measures on who can access the Cloud PC and under which conditions.
+- Securing the Cloud PC device itself
+    - This aligns with securing the **Endpoint**, where you can place additional measures on the Cloud PC devices since that is the device being used to access organizational data.
+- Securing the Cloud PC data and other data available while using the Cloud PC
+    - This aligns with securing the **Data**, where you can place additional measures on the data itself or on how the Cloud PC user access the data.
+
+Take a look at the sections below to better understand the components and features available to you to secure your Cloud PC environment.
+
+## Secure Cloud PC access
+
+The first consideration for securing your environment is to secure access to the Cloud PC.
+
+As described in [identity and authentication](/windows-365/enterprise/identity-authentication#authentication), there are two authentication challenges to access the Cloud PC:
+
+- The Windows 365 service.
+- The Cloud PC.
+
+The primary control for securing access is by using Azure Active Directory (Azure AD) Conditional Access to conditionally grant access to the Windows 365 service. To secure access to the Cloud PC, see [set conditional access policies](/windows-365/enterprise/set-conditional-access-policies).
+
+## Secure Cloud PC devices
+
+The second consideration for securing your environment is to secure the Cloud PC device itself.
+
+### Security features enabled by default
+
+All new Cloud PCs have the following security components enabled by default:
+
+- **vTPM**: Short for virtual Trusted Platform Module, a vTPM provides Cloud PCs their own dedicate TPM instance that acts as a secure vault for keys and measurements. For more information, see [vTPM](/azure/virtual-machines/trusted-launch#vtpm).
+- **Secure Boot**: Secure Boot is a feature that will prevent the Windows operating system from booting if untrusted rootkits or boot kits are installed on the machine. For more information, see [secure boot](/azure/virtual-machines/trusted-launch#secure-boot).
+
+With both security components enabled, Windows 365 supports enabling the following Windows security features:
+
+- Hypervisor Code Integrity (HVCI)
+- [Microsoft Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage)
+
+### Security features requiring specific Cloud PC SKUs or configuration
+
+The following security components are enabled by default on specific Cloud PC SKUs or configurations:
+
+- **Virtualization-based workloads**
+    - **Description**: Virtualization-based workloads typically require the Windows device to enable the Hyper-V feature and run the workloads in an isolated space, to protect the Windows OS from any security threats.
+    - **Security features supported**:
+        - [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)
+        - [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)
+    - **Required configuration**: Cloud PC must have 8 vCPU and 32 GB RAM. See [set up virtualization-based workloads support](nested-virtualization.md#requirements) for more information.
+
+## Secure Cloud PC data
+
+The third consideration for securing your environment is to secure the Cloud PC data and other data that is made available by using the Cloud PC.
+
+### Security of Cloud PC data
+
+The data of the Cloud PC data itself is secured through encryption. For more details, see [data encryption in Windows 365](/windows-365/enterprise/encryption).
+
+### Security of data available on the Cloud PC
+
+Securing the data available to users on their Cloud PCs should be no different than securing the data available to users on work-assigned Windows PCs, with the caveat that the Cloud PC is being accessed through Remote Desktop Protocol (RDP).
+
+To manage RDP features available to the user during their Cloud PC connection, see [manage RDP device redirections for Cloud PCs](/windows-365/enterprise/manage-rdp-device-redirections).
diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS  
 ms.author: erikje
 manager: dougeby
-ms.date: 08/04/2022
+ms.date: 08/08/2022
 ms.topic: reference
 ms.service: cloudpc
 ms.subservice:
@@ -48,6 +48,15 @@ Learn what new features are available in Windows 365 Enterprise.
 ### End user experience
 -->
 
+<!-- ########################## -->
+## Week of August 8, 2022
+
+### Documentation
+
+#### New documentation article: Windows 365 security
+
+We’ve published a new help documentation article. For more information, see [Windows 365 security](security.md).
+
 <!-- ########################## -->
 ## Week of July 25, 2022
 
