Merge pull request #7423 from MicrosoftDocs/main

Publish 04/21/2022 3:30 PM PT

Author: Angela Fleischmann

.openpublishing.redirection.json

@@ -1097,6 +1097,31 @@
             "source_path": "memdocs/configmgr/sum/deploy-use/uup-preview.md",
             "redirect_url": "/mem/configmgr/sum/index",
             "redirect_document_id": true
+        },
+        {
+            "source_path": "windows-365/enterprise/on-premises-network-connections.md",
+            "redirect_url": "/windows-365/enterprise/azure-network-connections",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "windows-365/enterprise/create-on-premises-network-connection.md",
+            "redirect_url": "/windows-365/enterprise/create-azure-network-connection",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "windows-365/enterprise/edit-on-premises-network-connection.md",
+            "redirect_url": "/windows-365/enterprise/edit-azure-network-connection",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "windows-365/enterprise/delete-on-premises-network-connection.md",
+            "redirect_url": "/windows-365/enterprise/delete-azure-network-connection",
+            "redirect_document_id": false
+        },
+        {
+            "source_path": "windows-365/enterprise/troubleshoot-on-premises-network-connection.md",
+            "redirect_url": "/windows-365/enterprise/troubleshoot-azure-network-connection",
+            "redirect_document_id": false
         }
     ]
 }

memdocs/intune/enrollment/android-dedicated-devices-fully-managed-enroll.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 01/19/2022
+ms.date: 04/21/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -33,6 +33,9 @@ ms.collection:
 
 # Enroll your Android Enterprise dedicated, fully managed, or corporate-owned with work profile devices
 
+> [!IMPORTANT]
+>  It's important that device users do not restart devices until enrollment is complete. If device users setting up fully managed devices or corporate-owned devices with a work profile restart their devices in the middle of enrollment, their devices may not be able to register with Microsoft Intune. Devices that restarted may appear to be enrolled but they won't be protected by your Intune policies.  
+
 After you've set up your Android Enterprise [dedicated devices](android-kiosk-enroll.md), [fully managed devices](android-fully-managed-enroll.md), or [corporate-owned work profile devices](android-corporate-owned-work-profile-enroll.md) in Intune, you can enroll the devices. Intune enrollment for dedicated devices, fully managed devices, and corporate-owned with a work profile start with a factory reset. How you enroll your Android Enterprise devices depends on the operating system.
 
 | Enrollment method | Minimum Android OS version for dedicated and fully managed devices |

memdocs/intune/enrollment/enrollment-restrictions-set.md

@@ -19,8 +19,8 @@ items:
     href: lifecycle.md
   - name: Provisioning
     href: provisioning.md
-  - name: On-premises network connections
-    href: on-premises-network-connections.md
+  - name: Azure network connections
+    href: azure-network-connections.md
   - name: Device images
     href: device-images.md
   - name: Lifecycle and operating system end of support
@@ -57,14 +57,14 @@ items:
         href: deployment-overview.md
       - name: Assign licenses
         href: assign-licenses.md
-      - name: On-premises network connection
+      - name: Azure network connection
         items:
-        - name: Create on-premises network connection
-          href: create-on-premises-network-connection.md
-        - name: Edit on-premises network connection
-          href: edit-on-premises-network-connection.md
-        - name: Delete on-premises network connection
-          href: delete-on-premises-network-connection.md
+        - name: Create Azure network connection
+          href: create-azure-network-connection.md
+        - name: Edit Azure network connection
+          href: edit-azure-network-connection.md
+        - name: Delete Azure network connection
+          href: delete-azure-network-connection.md
       - name: Provide a localized Windows experience
         items:
         - name: Provide a localized Windows experience
@@ -177,9 +177,9 @@ items:
       href: troubleshooting.md
     - name: Known issues 
       href: known-issues-enterprise.md
-    - name: On-premises network connections
-      href: troubleshoot-on-premises-network-connection.md
-    - name: On-premises network connection health checklist
+    - name: Azure network connections
+      href: troubleshoot-azure-network-connection.md
+    - name: Azure network connection health checklist
       href: health-checks.md
     - name: Remote Desktop client
       href: /azure/virtual-desktop/troubleshoot-client?context=/windows-365/context/pr-context

windows-365/enterprise/TOC.yml

@@ -37,14 +37,14 @@ Windows 365 provides a per-user per-month license model by hosting Cloud PCs on
 Each Cloud PC has a virtual network interface card (NIC) in Microsoft Azure. You have two NIC management options:
 
 - If you use Azure Active Directory (Azure AD) Join and a Microsoft hosted network, you don’t need to bring an Azure subscription or manage the NIC.
-- If you bring your own network and use an on-premises network connection, the NICs are created by Windows 365 in your Azure subscription.
+- If you bring your own network and use an Azure network connection (ANC), the NICs are created by Windows 365 in your Azure subscription.
 
-The NICs are attached to an Azure Virtual Network based on your [on-premises network connection (OPNC)](on-premises-network-connections.md) configuration.
+The NICs are attached to an Azure Virtual Network based on your [Azure network connection (ANC)](azure-network-connections.md) configuration.
 
 Windows 365 is [supported in many Azure regions](requirements.md#supported-azure-regions-for-cloud-pc-provisioning). You can control which Azure region is used in two ways:
 
 - By selecting the Microsoft-hosted network and an Azure region.
-- By selecting an Azure virtual network from your Azure subscription when [creating an OPNC](create-on-premises-network-connection.md).
+- By selecting an Azure virtual network from your Azure subscription when [creating an ANC](create-azure-network-connection.md).
 
 The Azure virtual network's region determines where the Cloud PC is created and [hosted](architecture.md#hosted-on-behalf-of-architecture).
 
@@ -127,7 +127,7 @@ Windows 365 Cloud PCs don't support third-party connection brokers.
 
 The "hosted on behalf of" architecture lets Microsoft services, after they’re delegated appropriate and scoped permissions to a virtual network by a subscription owner, attach hosted Azure services to a customer subscription. This connectivity model lets a Microsoft service provide software-as-a-service and user licensed services as opposed to standard consumption-based services.
 
-The following diagrams show the logical architecture for an Azure AD Join configuration using a Microsoft hosted network, an Azure AD Join configuration using a customer's network connection ("bring your own network"), and a Hybrid Azure AD Join configuration using an OPNC, respectively.
+The following diagrams show the logical architecture for an Azure AD Join configuration using a Microsoft hosted network, an Azure AD Join configuration using a customer's network connection ("bring your own network"), and a Hybrid Azure AD Join configuration using an ANC, respectively.
 
 ![Azure AD Join architecture with Microsoft hosted network](media/architecture/aadjhostednetwork.png)
 
@@ -137,7 +137,7 @@ The following diagrams show the logical architecture for an Azure AD Join config
 
 All Cloud PC connectivity is provided by the virtual network interface card. The "hosted on behalf of" architecture means that the Cloud PCs exist in the subscription owned by Microsoft. Therefore, Microsoft incurs the costs for running and managing this infrastructure.
 
-Windows 365 manages the capacity and in-region availability in the Windows 365 subscriptions. Windows 365 determines the size and type of VM based on the [license](cloud-pc-size-recommendations.md) you [assign to the user](assign-licenses.md). Windows 365 determines the Azure region to host your Cloud PCs in based on the virtual network you select when [creating an on-prem network connection](create-on-premises-network-connection.md).
+Windows 365 manages the capacity and in-region availability in the Windows 365 subscriptions. Windows 365 determines the size and type of VM based on the [license](cloud-pc-size-recommendations.md) you [assign to the user](assign-licenses.md). Windows 365 determines the Azure region to host your Cloud PCs in based on the virtual network you select when [creating an on-prem network connection](create-azure-network-connection.md).
 
 Windows 365 aligns with Microsoft 365 data protection policies and provisions. Customer data within Microsoft's enterprise cloud services is protected by various technologies and processes:
 

windows-365/enterprise/architecture.md

@@ -39,4 +39,4 @@ Before a user can use a Cloud PC, you must assign a [Windows 365 license](https:
 <!-- ########################## -->
 Next, check out the following article: 
 
-[Create on-premises network connection](create-on-premises-network-connection.md).
+[Create Azure network connection](create-azure-network-connection.md).

windows-365/enterprise/assign-licenses.md

@@ -30,7 +30,7 @@ ms.collection: M365-identity-device-management
 
 # Automated provisioning steps
 
-As an admin, you create provisioning policies and on-premises network connections to set up Windows 365 to provision Cloud PCs. Using this information, Windows 365 provisions Cloud PCs for your licensed users. This article explains all of the steps that Windows 365 completes automatically in the provisioning process.
+As an admin, you create provisioning policies and Azure network connections to set up Windows 365 to provision Cloud PCs. Using this information, Windows 365 provisions Cloud PCs for your licensed users. This article explains all of the steps that Windows 365 completes automatically in the provisioning process.
 
 There are three stages that Windows 365 automatically completes for Cloud PC provisioning:
 
@@ -44,7 +44,7 @@ Core provisioning is optimized to only perform necessary steps to make sure a Cl
 
 1. **Allocate Azure capacity**: When provisioning first begins, Windows 365 allocates Azure capacity in the customer’s supported region of choice. Customers don’t need to manage capacity and allocation manually.
 2. **Create VM**: A virtual machine is created based on the Windows 365 license assigned to the user. Each Windows 365 license includes hardware capacity information. The VM is created with these specs.
-3. **Attach the VM to the appropriate network**: When the VM is created, a virtual NIC is also created. If the provisioning policy specifies a Microsoft hosted network, the NIC is attached to an existing or new virtual network in the selected region specifically for the customer. If the provisioning policy specifies an on-premises network connection, the NIC is injected into the customers provided vNet. This lets the Cloud PC connect to the customers on-premises network.
+3. **Attach the VM to the appropriate network**: When the VM is created, a virtual NIC is also created. If the provisioning policy specifies a Microsoft hosted network, the NIC is attached to an existing or new virtual network in the selected region specifically for the customer. If the provisioning policy specifies an Azure network connection, the NIC is injected into the customers provided vNet. This lets the Cloud PC connect to the customers on-premises network.
 4. **Join to Azure AD**: After the VM is running, the device will be joined to Azure AD in one of two ways:
 
     - Through Azure AD Join: the device performs the Azure AD Join operation and has no Windows Server Active Directory dependency.

windows-365/enterprise/automated-provisioning-steps.md

@@ -0,0 +1,138 @@
+---
+# required metadata
+title: Azure network connection overview
+titleSuffix:
+description: Learn about Azure network connections in Windows 365
+keywords:
+author: ErikjeMS  
+ms.author: erikje
+manager: dougeby
+ms.date: 02/16/2022
+ms.topic: overview
+ms.service: cloudpc
+ms.subservice:
+ms.localizationpriority: high
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: mattsha
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure; get-started
+ms.collection: M365-identity-device-management
+---
+
+# Azure network connection overview
+
+An Azure network connection (ANC) is an object in the Microsoft Endpoint Manager admin center that provides Cloud PC provisioning profiles with required information to connect to network-based resources. ANCs are used:
+
+- When a Cloud PC is initially provisioned.
+- When Windows 365 periodically checks the connection to the on-premises infrastructure to ensure the best end-user experience.
+
+## Network connection types
+
+There are two kinds of ANCs based on their join type. Both let you manage traffic and Cloud PC access to network based resources but they have different connectivity requirements.
+
+- **Azure AD Join**: Doesn't require connectivity to a Windows Server Active Directory (AD) domain.
+- **Hybrid Azure AD Join**: Requires connectivity to a Windows Server AD domain. You must provide the AD domain details when you [create the ANC](create-azure-network-connection.md).
+
+
+## Provisioning
+
+When a Cloud PC is provisioned, the information in the ANC is used by the provisioning policy to provision the Cloud PC the Azure subnet. The information required in an ANC includes:
+
+- **Network details**: The Azure subscription, resource group, virtual network, and subnet that the Cloud PC will be associated with. When a provisioning policy runs, it creates a Cloud PC in the Microsoft hosted Azure subscription. To connect to a customers on-premises network, a virtual network interface card (vNic) is injected into a customer-provided Azure virtual network (vNet). To create this vNic, Windows 365 needs sufficient access to an Azure subscription.
+- **Active Directory domain**: The Active Directory domain to join, an Organizational Unit (OU) destination for the computer object, and Active Directory user credentials with sufficient permissions to perform the domain join. When a provisioning policy runs, the Cloud PC is joined to this Active Directory domain. The credentials will be stored securely in the Windows 365 service.
+
+During provisioning, the Cloud PC is connected to the Azure subnet and joined to a domain (either Windows Server Active Directory or Azure Active Directory (Azure AD)). This process results in a Cloud PC that is:
+
+- On your network.
+- Registered to Azure AD.
+- Enrolled into Microsoft Endpoint Manager.
+- Ready to accept user sign-in requests.
+
+The ANC settings are applied to the Cloud PC only at the time of provisioning.
+
+## First health check
+
+The information included in the ANC is used to provision a Cloud PC. For provisioning to succeed, the resources referenced in the ANC must be healthy and accessible. After an ANC object is created, Windows 365 verifies that:
+
+- The objects referenced by the ANC are healthy.
+- Connections can be made to these objects.
+
+These health checks use the ANC information provided to provision a Cloud PC. For a complete list of checks, see [Azure network connection health checks](health-checks.md).
+
+While this first ANC health check is underway, you can’t assign it to a provisioning policy. After the health check is complete and successful, the ANC can be assigned to one or more provisioning policies.
+
+## Periodic health checks
+
+After provisioning, the information in an ANC is also used to monitor the connection health between your network-based resources and the Cloud PC hosted in the Microsoft hosted subscription. Windows 365 will report configuration issues that may cause provisioning failures or poor end-user experiences. This monitoring reduces your management overhead. For more information on these periodic checks, see [Azure network connection health checks](health-checks.md).
+
+## Health check frequency
+
+ANC checks are performed once every one to six hours.
+
+The comprehensive, end-to end health check can take up to 30 minutes. The health checks are run on a temporary Azure virtual machine that is automatically created specifically for this purpose. This virtual machine is created automatically and deleted when the health checks are completed. The virtual machine is connected to your specified vNet and checks are performed to ensure provisioning should be successful.
+
+After a check is complete, the results are posted on the Azure network connection pane of the Microsoft Endpoint Manager admin center. For information about the check results, see [Azure network connections health checks](health-checks.md).  
+
+## Retry health check
+
+To manually trigger a full health check, sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows 365 (under Provisioning)** > **Azure network connection** > select an Azure network connection > **Retry**.
+
+## Permissions required for Azure network connections
+
+The ANC wizard requires access to Azure and, optionally, on-premises domain resources. The following permissions are required for the ANC:
+
+- Azure
+  - Subscription Owner or Subscription User Access Administrator.
+- Active directory (Hybrid Azure AD Join ANCs only)
+  - An Active Directory user account with sufficient permissions to join the AD domain into this Organizational Unit.
+
+To create, edit , or delete an ANC, you'll also need to have one of the following permissions:
+
+- Intune Administrator in Azure AD
+- Cloud PC administrator
+- Global Administrator
+
+For a full list of requirements, see [Windows 365 requirements](requirements.md).
+
+## Changing an Azure network connection
+
+Changing the settings in an ANC won’t affect Cloud PCs previously provisioned with that ANC. Only Cloud PCs provisioned after the changes to the ANC will reflect such later changes.
+
+If you want to change the ANC related settings on a previously provisioned Cloud PC, you must reprovision the Cloud PC. Reprovisioning is a destructive action, so be sure it's an action you really want to take. For more information, see [reprovisioning](provisioning.md#reprovisioning).  
+
+## Delete an Azure network connection
+
+You can’t delete an ANC that's in use. Before the object can be deleted, you must do one of the following actions for every provisioning policy that uses this ANC:
+
+- Change the policy to use a different ANC.
+- Delete the policy. For more information, [Delete an Azure network connection](delete-azure-network-connection.md).
+
+After completing either of these operations, you can delete the ANC.
+
+## Maximum Azure network connections
+
+Each tenant has a limit of 10 Azure network connections. If your organization needs more than 10 Azure network connections, contact support.
+
+## User sign-in
+
+When users attempt to sign in to their Cloud PC, user authentication occurs.
+
+For Hybrid Azure AD Join ANCs, the ANC is used to route the authentication request to your domain controllers. If the ANC or the network connection to your domain is unhealthy, user sign-in can't occur. Windows cached credentials can't be used over the remote desktop channel, so domain controller availability is critical. Ensure your network is stable or place a domain controller server on the same subnet as your Cloud PCs.
+
+For Azure AD Join ANCs, the ANC is used to route the authentication request to Azure AD. Windows cached credentials can’t be used over the remote desktop channel, so connectivity to Azure AD is critical.
+
+<!-- ########################## -->
+## Next steps
+
+[Learn about device images](device-images.md)
+
+[Create an Azure network connection](create-azure-network-connection.md)