Merge branch 'main' into release-cm2208-tp

Author: v-alje

memdocs/configmgr/hotfix/2207/14978429.md

@@ -0,0 +1,68 @@
+---
+title: Connected cache update for Microsoft Endpoint Configuration Manager version 2203
+titleSuffix: Configuration Manager
+description: Console update for 2203
+ms.date: 8/29/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 006f3396-a9d0-44f8-9db1-6408259e405ef
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Connected cache update for Microsoft Endpoint Configuration Manager versions 2103 - 2207
+
+*Applies to: Configuration Manager (current branch, versions 2103 - 2207)*
+## Summary of KB14978429
+
+An update is available that fixes the following issues with the Microsoft Connected Cache feature in Configuration Manager current branch, versions 2103 - 2207.
+ 
+- Incorrect access control list (ACL) set on the cache folder prevents installations from completing in some environments.
+- Uninstall race condition that prevents a scheduled task from being cleaned up as expected.
+- An incorrect failure state can persist after installation in some cases.
+ 
+In addition, the following enhancements are included in this release.
+
+- Added general supportability enhancements to improve logging, troubleshooting, and discoverability of error conditions.
+- Added support for the latest Office Click-to-Run (C2R) host.
+- Decreased installation time by approximately 30 percent.
+
+## Update information for Microsoft Endpoint Configuration Manager
+The following hotfix to resolve this problem is available for download from the Microsoft Download Center:
+
+[Download this hotfix now](https://download.microsoft.com/download/8/e/d/8ed826e2-0a9d-4160-a1a0-725efa0d0971/1.5.5.14088/DoincInstall.exe).
+
+After you download this hotfix, refer to the following installation instructions.
+
+## Installation instructions
+1. Confirm there is not currently an installation of the MCC component in progress. This is done by checking for status message **9522**, generated by the `SMS_DISTRIBUTION_MANAGER` component. The 9522 message indicates that installation is no longer being retried.
+2. Copy the new version of `DoincInstall.exe`, version **1.5.5.14088**, to the `{SMSInstallDir}\bin\x64` folder on all site servers, including the Central Administration Site (CAS) if present, and any passive sites.
+3. Uncheck the **Enable this distribution point to be used as Microsoft Connected Cache server** option in the affected distribution point’s properties.
+4. Wait for the uninstall of MCC to complete on the distribution point. This can be confirmed by looking for a **9152** success status message, combined with the following entry in `distmgr.log`.
+   ```text
+   Finished waiting for DoincInstall. InvocationState: UninstallCompleted. InvocationExitCode: 0. InvocationMessage: .
+   ```
+5. Recheck the **Enable this distribution point to be used as Microsoft Connected Cache server** option for the affected distribution point.
+
+   > [!TIP]
+   > For sites with a large number of distribution points, replace steps 3 - 5 above with the following.
+   > - Create an empty file named `resetdps.trn` and place it in the `{SMSInstallDir}\inboxes\distmgr.box` folder. This will reinstall all distribution points for that site using the latest version of `DoincInstall.exe` copied in step 2. above. 
+
+## Prerequisites
+To apply this hotfix, you must be using Microsoft Endpoint Configuration Manager, versions 2103 through versions 2203.
+
+## Restart information
+You don't have to restart the computer after you apply this hotfix. 
+
+## Hotfix replacement information
+This hotfix replaces the following previously released hotfix.
+
+[KB12819689 Connected cache update for Microsoft Endpoint Configuration Manager version 2111](../../hotfix/2111/12819689.md)
+
+## File information
+File information is available in the downloadable [KB14978429_FileList.txt](https://aka.ms/KB14978429_FileList) text file.
+
+## Release history
+- August 29, 2022: Initial hotfix release

memdocs/configmgr/hotfix/TOC.yml

@@ -1,6 +1,10 @@
 items:
 - name: Hotfix documentation
   href: index.yml
+- name: Version 2207
+  items:
+  - name: KB 14978429  Connected cache update for Microsoft Endpoint Configuration Manager version 2207
+    href: 2207/14978429.md
 - name: Version 2203
   items:
   - name: KB 13174460 Summary of changes in 2203

memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md

@@ -33,7 +33,7 @@ ms.collection:
 
 Azure Virtual Desktop multi-session with Microsoft Intune is now generally available.
 
-You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center just as you can manage a shared Windows 10 or Windows 11 client device. When managing such virtual machines (VMs), you'll be able to use both device-based and user configuration. 
+You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center just as you can manage a shared Windows 10 or Windows 11 client device. When managing such virtual machines (VMs), you'll be able to use both device-based configuration targeted to devices or user-based configuration targeted to users. 
 
 Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host exclusive to [Azure Virtual Desktop](/azure/virtual-desktop/) on Azure. It provides the following benefits:
 
@@ -45,7 +45,10 @@ You can manage **Windows 10** and **Windows 11 Enterprise multi-session** VMs cr
 
 ## Overview
 
-Device configuration support in Microsoft Intune for Windows 10 or Windows 11 Enterprise multi-session is Generally Available (GA). This means [policies defined in the OS scope](/windows/client-management/mdm/policy-configuration-service-provider) and apps configured to install in the system context can be applied to Azure Virtual Desktop multi-session VMs. Additionally, multi-session configurations can be targeted to devices or device groups. 
+Device configuration support in Microsoft Intune for Windows 10 or Windows 11 Enterprise multi-session is Generally Available (GA). This means [policies defined in the OS scope](/windows/client-management/mdm/policy-configuration-service-provider) and apps configured to install in the system context can be applied to Azure Virtual Desktop multi-session VMs when assigned to device groups. 
+
+> [!NOTE]
+> Device-based configuration cannot be assigned to users and user-based configuration cannot be assigned to devices. It will be reported as **Error** or **Not applicable**.
 
 User configuration support in Microsoft Intune for Windows 11 multi-session VMs is in public preview. With this you'll be able to:
 
@@ -70,7 +73,7 @@ This feature supports Windows 10 or Windows 11 Enterprise multi-session VMs, whi
   - Configured with [Active Directory group policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy), set to use Device credentials, and set to automatically enroll devices that are Hybrid Azure AD-joined.
   - [Configuration Manager co-management](/configmgr/comanage/overview).
 - Azure AD-joined and enrolled in Microsoft Intune by enabling [Enroll the VM with Intune](/azure/virtual-desktop/deploy-azure-ad-joined-vm#deploy-azure-ad-joined-vms) in the Azure portal.
-- Licensing: The appropriate Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, see Microsoft Intune licensing. 
+- Licensing: The appropriate Azure Virtual Desktop and Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API. For more information, go to [Microsoft Intune licensing](licenses.md).
 
 > [!NOTE]
 > If you're joining session hosts to Azure Active Directory Domain Services, you can't manage them using Intune.
@@ -88,9 +91,9 @@ To configure configuration policies for Windows 10 or Windows 11 Enterprise mult
 
 The existing device configuration profile templates aren't supported for Windows 10 or Windows 11 Enterprise multi-session VMs, except for the following templates:
 
-- [Trusted certificate](../protect/certificates-trusted-root.md#create-trusted-certificate-profiles) - Device (machine) only
-- [SCEP certificate](../protect/certificates-profile-scep.md#create-a-scep-certificate-profile) - Device (machine) only
-- [PKCS certificate](../protect/certificates-pfx-configure.md#create-a-pkcs-certificate-profile) - Device (machine) only
+- [Trusted certificate](../protect/certificates-trusted-root.md#create-trusted-certificate-profiles) - Device (machine) when targeting devices and User when targeting users
+- [SCEP certificate](../protect/certificates-profile-scep.md#create-a-scep-certificate-profile) - Device (machine) when targeting devices and User when targeting users
+- [PKCS certificate](../protect/certificates-pfx-configure.md#create-a-pkcs-certificate-profile) - Device (machine) when targeting devices and User when targeting users
 - [VPN](../configuration/vpn-settings-configure.md#create-the-profile) - Device Tunnel only
 
 Microsoft Intune won't deliver unsupported templates to multi-session devices, and those policies appear as *Not applicable* in reports.
@@ -160,14 +163,17 @@ All other policies report as **Not applicable**.
 > [Conditional Access for Exchange on-premises](../protect/conditional-access-exchange-create.md) isn't supported for Windows 10 or Windows 11 Enterprise multi-session VMs.
 
 > [!NOTE]
-> Configuration and compliance policies for Secure Boot and features leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure Virtual Desktop VMs.
+> Configuration and compliance policies for BitLocker, Secure Boot, and features leveraging vTPM (Virtual Trusted Platform Module) are not supported at this time for Azure Virtual Desktop VMs.
 
 ## Endpoint security
 
-You can configure profiles under Endpoint security for multi-session VMs by selecting Platform Windows 10, Windows 11, and Windows Server. 
+You can configure profiles under Endpoint security for multi-session VMs by selecting Platform Windows 10, Windows 11, and Windows Server. If that Platform is not available, the profile is not supported on multi-session VMs.
 
 For more information, see [Manage device security with endpoint security policies in Microsoft Intune](../protect/endpoint-security-policy.md)
 
+> [!NOTE]
+> Tamper protection is not supported on Azure Virtual Desktop VMs today. This functionality will be enabled in a future release.
+
 ## Application deployment
 
 All Windows 10 or Windows 11 apps can be deployed to Windows 10 or Windows 11 Enterprise multi-session with the following restrictions:

memdocs/intune/includes/mdm-supported-devices.md

@@ -14,6 +14,11 @@ ms.localizationpriority: high
 - Apple iPadOS 13.0 and later
 - macOS 10.15 and later
 
+> [!NOTE]
+> Intune requires iOS 13.x or later for device enrollment scenarios and app configuration delivered through Managed devices app configuration policies.
+> 
+> For Intune app protection policies and app configuration delivered through Managed apps App configuration policies, Intune requires iOS 14.x or later.
+
 ### Google
 
 - Android 8.0 and later (including Samsung KNOX Standard 2.4 and higher: [requirements](https://www.samsungknox.com/en/knox-platform/supported-devices/2.4+))