Merge branch 'release-cm2203-tp' of https://github.com/MicrosoftDocs/memdocs-pr into 2203tp-finalize

mestew · mestew · commit 5e0006e39c38 · 2022-03-02T13:56:27.000-08:00
diff --git a/memdocs/autopilot/enrollment-autopilot.md b/memdocs/autopilot/enrollment-autopilot.md
@@ -73,6 +73,9 @@ ms.collection:
 
 3. Select **Create**.
 
+[!NOTE] 
+Anything assigned to these attributes will only be assigned if the device is Autopilot registered.
+
 ## Add devices
 
 For information about formatting and using a CSV file to manually add Windows Autopilot devices, see [Manually register devices with Windows Autopilot](add-devices.md).
@@ -131,4 +134,4 @@ You can group Windows devices by a correlator ID when enrolling using [Autopilot
 
 After you have created a device group, you can configure and apply a Windows Autopilot deployment profile to each device in the group. Deployment profiles determine the deployment mode, and customize the OOBE for your end users. For more information, see [Configure deployment profiles](profiles.md).
 
-For more information about managing your Windows Autopilot devices, see [What is Microsoft Intune device management?](../intune/remote-actions/device-management.md)
+For more information about managing your Windows Autopilot devices, see [What is Microsoft Intune device management?](../intune/remote-actions/device-management.md)
diff --git a/memdocs/autopilot/known-issues.md b/memdocs/autopilot/known-issues.md
@@ -28,6 +28,10 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
+### Device goes through Autopilot deployment without an assigned profile
+
+When a device is registered in Autopilot and no profile is assigned, it will take the default Autopilot profile. This is by design to ensure that all devices registered with Autopilot, goes through the Autopilot experience. If you do not want the device to go through an Autopilot deployment, you must remove the Autopilot registration. 
+
 ### White screen during HAADJ deployment
 
 There is a UI bug on Autopilot HAADJ deployments where the Enrollment Status page is displayed as a white screen. This issue is limited to the UI and should not impact the deployment process. 
diff --git a/memdocs/autopilot/profiles.md b/memdocs/autopilot/profiles.md
@@ -103,6 +103,8 @@ After you've created an Autopilot deployment profile, you can edit certain parts
     > [!NOTE]
     > Changes to the profile are applied to devices assigned to that profile. However, the updated profile won't be applied to a device that has already enrolled in Intune until after the device is reset and reenrolled.
 
+If a device is registered in Autopilot and a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration.
+
 ## Alerts for Windows Autopilot unassigned devices
 <!-- 163236 -->
 
diff --git a/memdocs/autopilot/registration-overview.md b/memdocs/autopilot/registration-overview.md
@@ -44,6 +44,8 @@ Registration can also be performed within your organization by collecting the ha
 - [Automatic registration](automatic-registration.md)
 - [Manual registration](manual-registration.md)
 
+Once a device is registered in Autopilot if a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration. 
+
 ## Terms
 
 The following terms are used to refer to various steps in the registration process:
diff --git a/memdocs/configmgr/core/get-started/2022/includes/2203/10454717.md b/memdocs/configmgr/core/get-started/2022/includes/2203/10454717.md
@@ -1,13 +1,42 @@
 ---
-author: mestew
-ms.author: mstewart
+author: aczechowski
+ms.author: aaroncz
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: include
 ms.date: 03/01/2022
 ms.localizationpriority: medium
 ---
 
-## <a name="bkmk_anchor"></a> Feature Name
-<!--CMADO#-->
+## <a name="bkmk_blmts"></a> Escrow BitLocker recovery password to the site during a task sequence
 
+<!--10454717-->
+
+You can now configure the **Enable BitLocker** step of a task sequence to escrow the BitLocker recovery information for the OS volume to Configuration Manager. Previously, you had to escrow to Active Directory, or wait for the Configuration Manager client to receive BitLocker management policy after the task sequence. This new option makes sure that the device is fully protected by BitLocker when the task sequence completes, and that you can recover the OS volume immediately.
+
+For more general information, see [Plan for BitLocker management](../../../../../protect/plan-design/bitlocker-management.md).
+
+### Prerequisites for escrowing BitLocker recovery password during a task sequence
+
+The client will only escrow its key to the Configuration Manager site if you configure one of the following options:
+
+- Create and use a certificate to encrypt the site database for BitLocker management.
+
+- Enable the BitLocker client management policy option to **Allow recovery information to be stored in plain text**.
+
+For more information, see [Encrypt recovery data in the database](../../../../../protect/deploy-use/bitlocker/encrypt-recovery-data.md).
+
+### Try it out!
+
+Try to complete the tasks. Then send [Feedback](../../../../understand/product-feedback.md) with your thoughts on the feature.
+
+1. If needed, first [create a task sequence to deploy an OS](../../../../../osd/deploy-use/manage-task-sequences-to-automate-tasks.md).
+
+1. [Use the task sequence editor](../../../../../osd/understand/task-sequence-editor.md) to edit the task sequence.
+
+1. If the task sequence doesn't already include the **Enable BitLocker** step, add it. For more information, see [About task sequence steps: Enable BitLocker](../../../../../osd/understand/task-sequence-steps.md#BKMK_EnableBitLocker).
+
+1. On the properties of the **Enable BitLocker** step, select the option to **Automatically store the recovery key**, and then select **The Configuration Manager database**.
+
+    > [!NOTE]
+    > If Configuration Manager can't escrow the key, by default this task sequence step fails.
diff --git a/memdocs/configmgr/hotfix/2111/12896009.md b/memdocs/configmgr/hotfix/2111/12896009.md
@@ -0,0 +1,136 @@
+---
+title: Update rollup for Microsoft Endpoint Configuration Manager version 2111
+titleSuffix: Configuration Manager
+description: Update rollup for Configuration Manager 2111
+ms.date: 03/02/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 7bd4295d-20c0-4d5f-b2e4-fa770ebc2ca6
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Update rollup for Microsoft Endpoint Configuration Manager version 2111
+
+*Applies to: Configuration Manager (current branch, version 2111)*
+
+## Summary of KB12896009
+This article describes issues that are fixed in this update rollup for Microsoft Endpoint Configuration Manager current branch, version 2111. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.
+For more information on changes in Configuration Manager version 2111, see:
+- [What’s new in version 2111 of Configuration Manager current branch](../../core/plan-design/changes/whats-new-in-version-2111.md)
+- [Summary of changes in Microsoft Endpoint Configuration Manager current branch, version 2111](../../hotfix/2111/11052354.md)
+
+## Issues that are fixed
+
+<!-- 12905440 -->
+- The Configuration Manager console fails to open after installing an updated version of a required console extension.
+
+<!-- 12923578 -->
+- Users without the **Read Client Status Settings** permission on the **Site** object are unable to see the client health dashboard.
+
+<!-- 12905525 -->
+- Windows LEDBAT isn't automatically enabled or disabled for a distribution point when selecting the **Adjust the download
+speed to use the unused network bandwidth (Windows LEDBAT)** setting in site properties. 
+
+<!-- 12909958 -->
+- Automatic registration of the Configuration Manager PowerShell module (*ConfigurationManager.psd1*) can trigger a false positive alert from security software.
+
+<!-- 12785033 -->
+- The Configuration Manager console now allows wildcards when defining Microsoft Defender Attack Surface Reduction (ASR) rules.
+
+<!-- 12785058 -->
+- CMPivot queries against the **Processor** entity may fail with an "Invalid query" error.
+
+<!-- 12905518 -->
+- Clients that aren't Intune enrolled will  record the following error in the execmgr.log file after receiving a task sequence policy.
+   ```text
+   Failed to check enrollment url, 0x00000001:
+   ```
+
+<!-- 12981663 -->
+- The OneTrace log file viewer (*CMPowerLogViewer.exe*) may terminate unexpectedly when opening a log file.
+
+<!-- 12952864 -->
+- The **Show Table** link in the Windows Servicing dashboard displays repetitive information after selecting different collections.
+
+<!-- 13059770 -->
+- The Post Installation task **Installing SMS_EXECUTIVE service** displays a status of *Completed with warning* even though it was successful and no warnings are recorded in the sitecomp.log file.
+
+<!-- 13069590 -->
+- Clients will now throttle communication with a cloud management gateway if they make five unsuccessful contact attempts in five minutes.
+
+<!-- 13104384 -->
+- If a client computer is offline for multiple days with a pending state message resync request, it will receive duplicate policies for the resync when it comes back online. This leads to repeated resynchronization of the same messages.
+
+<!-- 13039356 -->
+- When the Configuration Manager console is installed on a computer with an x86 processor, it doesn't detect the installation state of console extensions.
+
+<!-- 13219303 -->
+- The built-in cloud features notification message continues to display in the Configuration Manager console even after it is dismissed.
+
+<!-- 13104468 -->
+- A remote control session doesn't display as expected when the target computer has multiple monitors and the display has a custom scale over 125 percent.
+
+<!-- 13515162 -->
+- Internet-based clients fail to register over the cloud management gateway when the management point is hosted on a remote site system. This occurs for clients installed using a Windows Imaging Task sequence and boot media over an internet connection.
+
+<!-- 13486459 -->
+- After updating to Configuration Manager version 2111, client policies for **Windows Defender Firewall Remote Management** that were previously disabled may be re-enabled.
+ 
+
+## Hotfixes that are included in this update
+
+- KB [12709700](../../hotfix/2111/12709700.md) Update for Microsoft Endpoint Configuration Manager version 2111
+- KB [12959506](../../hotfix/2111/12959506.md) Client update for Configuration Manager current branch, version 2111
+
+## Update information for Microsoft Endpoint Configuration Manager current branch, version 2111
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2111.
+
+Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed.
+
+To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUIDs:
+
+- **653BACCA-5BCE-4B4C-9A83-10932A561F71**
+- **B07144F6-3B8E-4587-B1F0-BB47DA54C566**
+- **C77888E5-7499-4885-9EED-811BB2D958C0**
+- **44CE0720-6C46-4554-89CF-C9713E9C06C6**
+
+
+The update is also applicable to TAP builds with the private TAP rollup (**C30077BF-D610-4C8A-BDB1-9B2D5442380E**) installed.
+New installations from 2111 media, as opposed to updates from prior versions, will not have any package GUIDs listed.
+
+### Restart information
+
+This update doesn't require a computer restart but will initiate a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```code
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+The following major components are updated to the versions specified:
+
+| Component | Version |
+|---|---|
+| Configuration Manager console | 5.2111.1052.2500 |
+| Client | 5.0.9068.1026 |
+
+## File information
+File information is available in the downloadable [KB12896009_FileList.txt](https://aka.ms/KB12896009_FileList) text file.
+
+## Release history
+- March 2, 2022: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)
diff --git a/memdocs/configmgr/hotfix/TOC.yml b/memdocs/configmgr/hotfix/TOC.yml
@@ -11,6 +11,8 @@ items:
     href: 2111/12959506.md
   - name: KB 12819689 Connected cache update for Microsoft Endpoint Configuration Manager version 2111
     href: 2111/12819689.md
+  - name: KB 12896009 Update rollup for Microsoft Endpoint Configuration Manager version 2111
+    href: 2111/12896009.md
 - name: Version 2107
   items:
   - name: KB 10096997 Summary of changes in 2107
diff --git a/memdocs/configmgr/hotfix/index.yml b/memdocs/configmgr/hotfix/index.yml
@@ -25,6 +25,8 @@ landingContent:
             url: 2111/11052354.md
           - text: KB 12709700 Update for Configuration Manager 2111
             url: 2111/12709700.md
+          - text: KB 12896009 Update rollup for Configuration Manager 2111
+            url: 2111/12896009.md
   - title: Configuration Manager 2107
     linkLists:
       - linkListType: overview
diff --git a/memdocs/intune/apps/lob-apps-macos.md b/memdocs/intune/apps/lob-apps-macos.md
diff --git a/memdocs/intune/protect/endpoint-security-firewall-policy.md b/memdocs/intune/protect/endpoint-security-firewall-policy.md
diff --git a/memdocs/intune/protect/microsoft-tunnel-configure.md b/memdocs/intune/protect/microsoft-tunnel-configure.md
