Merge pull request #6955 from MicrosoftDocs/main

Publish 03/04/2022, 10:30 AM

Author: v-dihans

memdocs/autopilot/known-issues.md

@@ -28,6 +28,24 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
+### Device-based Conditional Access policies
+
+1. The Intune Enrollment app must be excluded from any Conditional Access policy requiring **Terms of Use** because it isn’t supported.  See [Per-device terms of use](/azure/active-directory/conditional-access/terms-of-use#per-device-terms-of-use).
+
+2. Exceptions to Conditional Access policies to exclude **Microsoft Intune Enrollment** and **Microsoft Intune** cloud apps are needed to complete Autopilot enrollment in cases where restrictive polices are present such as:
+    - Conditional Access policy 1: Block all apps except those on an exclusion list.
+    - Conditional Access policy 2: Require a compliant device for the apps on the exclusion list.
+ 
+    In this case, Microsoft Intune Enrollment and Microsoft Intune should be included in that exclusion list of policy 1.
+
+    If a policy is in place such that **all cloud apps** require a compliant device (there is no exclusion list), Microsoft Intune Enrollment will already be excluded by default, so that the device can register with Azure AD and enroll with Intune and avoid a circular dependency.
+
+3. **Hybrid Azure AD devices**: When Hybrid Azure AD devices are deployed with Autopilot, 2 device IDs are initially associated with the same device – one Azure AD and one hybrid.  The hybrid compliance state will display as **N/A** when viewed from the devices list in the Azure portal until a user signs in. Intune only syncs with the Hybrid device ID after a successful user sign-in. 
+
+    The temporary **N/A** compliance state can cause issues with device based Conditional Access polices that block access based on compliance. In this case, Conditional Access is behaving as intended. To resolve the conflict, a user must to sign in to the device, or the device-based policy must be modified. For more information, see [Conditional Access: Require compliant or hybrid Azure AD joined device](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device).
+
+4. Conditional Access policies such as BitLocker compliance require a grace period for Autopilot devices, because until the device has been rebooted the status of BitLocker and Secure Boot have not been captured, and cannot be used as part of the Compliance Policy. The grace period can be as short as 0.25 days.
+
 ### Device goes through Autopilot deployment without an assigned profile
 
 When a device is registered in Autopilot and no profile is assigned, it will take the default Autopilot profile. This is by design to ensure that all devices registered with Autopilot, goes through the Autopilot experience. If you do not want the device to go through an Autopilot deployment, you must remove the Autopilot registration. 

memdocs/intune/protect/certificates-digicert-configure.md

@@ -340,4 +340,4 @@ Intune Certificate Connector service logs are available in **%ProgramFiles%\Micr
 
 ## Next steps
 
-Use the information in this article with the information in [What are Microsoft Intune device profiles?](../configuration/device-profiles.md) to manage your organization's devices and the certificates on them.
+Use the information in this article with the information in [What are Microsoft Intune device profiles?](../configuration/device-profiles.md) to manage your organization's devices and the certificates on them. <!-- test -->

memdocs/intune/protect/endpoint-security-account-protection-policy.md

@@ -34,7 +34,7 @@ Use Intune endpoint security policies for account protection to protect the iden
 
 Find the endpoint security policies for Account protection under *Manage* in the **Endpoint security** node of the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 
-View [settings for account protection profiles](../protect/endpoint-security-asr-profile-settings.md).
+View [settings for account protection profiles](../protect/endpoint-security-account-protection-profile-settings.md).
 
 ## Prerequisites for Account protection profiles
 

memdocs/intune/protect/microsoft-tunnel-configure.md

@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 03/02/2022
+ms.date: 03/03/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -27,7 +27,6 @@ ms.collection: M365-identity-device-management
 
 # Configure Microsoft Tunnel for Intune
 
-
 - Review and [Configure prerequisites for Microsoft Tunnel](microsoft-tunnel-prerequisites.md).
 - Run the Microsoft Tunnel [readiness tool](../protect/microsoft-tunnel-prerequisites.md#run-the-readiness-tool) to confirm your environment is ready to support use of the tunnel.
 
@@ -45,7 +44,10 @@ Use of a *Server configuration* lets you create a configuration a single time an
 
 3. On the **Settings** tab, configure the following items:
 
-   - **IP address range**: IP addresses within this range are leased to devices when they connect to Tunnel Gateway. For example, *169.254.0.0/16*.
+   - **IP address range**: IP addresses within this range are leased to devices when they connect to Tunnel Gateway. The Tunnel Client IP address range specified must not conflict with an on-premises network range.
+     - Consider using the Automatic Private IP Addressing (APIPA) range of 169.254.0.0/16, as this range avoids conflicts with other corporate networks.
+     - If the client IP address range conflicts with the destination, it will loopback and fail to communicate with the corporate network.
+     - You can select any client IP address range you want to use if it does not conflict with your corporate network IP address ranges.
 
    - **DNS servers**: These servers are used when a DNS request comes from a device that's connected to Tunnel Gateway.
 

memdocs/intune/protect/microsoft-tunnel-overview.md

@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 03/01/2022
+ms.date: 03/03/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -131,7 +131,7 @@ The Microsoft Tunnel Gateway runs in containers that run on Linux servers.
 >
 > - Tunnel gateway maintains two channels with the client. A control channel is established over TCP, and TLS. This also serves as a backup data channel. It then looks to establish a UDP channel using DTLS (Datagram TLS, an implementation of TLS over UDP) that serves as the main data channel. If the UDP channel fails to establish or is temporarily unavailable, the backup channel over TCP/TLS is used. By default port 443 is used for both TCP and UDP, but this can be customized via the Intune Server Configuration - [*Server port* setting](../protect/microsoft-tunnel-configure.md#create-a-server-configuration). If changing the default port (443) ensure your inbound firewall rules are adjusted to the custom port.
 >
-> - The assigned client IP addresses (the*IP address range* setting in a [Server configuration](../protect/microsoft-tunnel-configure.md#to-create-a-server-configuration) for Tunnel) are not visible to other devices on the network. These addresses won't conflict with any internal/corporate network IP address on the network.  Client traffic will have the source IP address of the Linux server host. Microsoft Tunnel Gateway uses port address translation (PAT). PAT is a type of network address translation (NAT) where multiple private IP addresses from the Server configuration are mapped into a single IP (many-to-one) by using ports. Client traffic will have the source IP address of the Linux server host.
+> - The assigned client IP addresses (the *IP address range* setting in a [Server configuration](../protect/microsoft-tunnel-configure.md#to-create-a-server-configuration) for Tunnel) are not visible to other devices on the network. Microsoft Tunnel Gateway uses port address translation (PAT). PAT is a type of network address translation (NAT) where multiple private IP addresses from the Server configuration are mapped into a single IP (many-to-one) by using ports. Client traffic will have the source IP address of the Linux server host.
 
 **Break and inspect**:
 
@@ -155,8 +155,6 @@ The following outlines where break and inspect is not supported and where it is
 
 - The Management Agent is authorized against Azure AD using Azure app ID/secret keys.
 
-- The Tunnel Gateway server uses NAT to provide addresses to VPN clients that are connecting to the corporate network.
-  
 ## Next steps
 
 [Prerequisites for the Microsoft Tunnel in Intune](microsoft-tunnel-prerequisites.md)

memdocs/intune/protect/microsoft-tunnel-prerequisites.md

@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 02/17/2022
+ms.date: 03/03/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -109,6 +109,73 @@ with documentation for the application, and packages with helper utilities. For
 
 - **TLS version**: By default, connections between Microsoft Tunnel clients and servers use TLS 1.3. When TLS 1.3 isn’t available, the connection can fall back to use TLS 1.2.
 
+### Default bridge network
+
+Both Podman and Docker containers use a bridge network to forward traffic through the Linux host. When the containers bridge network conflicts with a corporate network, Tunnel Gateway can’t successfully route traffic to that corporate network.
+
+The default bridge networks are:
+
+- Docker:  **172.17.0.0/16**
+- Podman: **10.0.88.0.0/16**
+
+To avoid conflicts, you can reconfigure both Podman and Docker to use a bridge network that you specify.
+
+> [!IMPORTANT]
+> The Tunnel Gateway server must be installed before you can change the bridge network configuration.
+
+#### Change the default bridge network used by Docker
+
+Docker uses the file **/etc/docker/daemon.json** to configure a new default bridge IP address. In the file, the bridge IP address must be specified in CIDR (Classless inter-domain routing) notation, a compact way to represent an IP address along with its associated subnet mask and routing prefix.  
+
+> [!IMPORTANT]
+> The IP address that's used in the following steps is an example. Be sure the IP address you use doesn't conflict with your corporate network.
+
+1. Use the following command to stop the MS Tunnel Gateway container:  `sudo mst-cli server stop ; sudo mst-cli agent stop`
+
+2. Next, run the following command to remove the existing Docker bridge device: `sudo ip link del docker0`
+
+3. If the file **/etc/docker/daemon.json** is present on your server, use a file editor like *vi* or *nano* to modify the file. Run the file editor with root or sudo permissions:
+
+   - When the **“bip”:** entry is present with an IP address, modify it by adding a new IP address in CIDR notation.
+   - When the **“bip”:** entry isn't present, you must add both the value **"bip":** and the new IP address in CIDR notation.
+
+   The following example shows the structure of a *daemon.json* file with an updated **“bip”:** entry that uses a modified IP address of **“192.168.128.1/24”**.
+
+   Example of daemon.json:
+
+   ```
+   {
+   "bip": "192.168.128.1/24"
+   }
+   ```
+
+4. If the file **/etc/docker/daemon.json** isn’t present on your server, run a command similar to the following example to create the file and define the bridge IP that you want to use.
+
+   Example: `sudo echo '{ "bip":"192.168.128.1/24" }' > /etc/docker/daemon.json`
+
+5. Use the following command to start the MS Tunnel Gateway container: `sudo mst-cli agent start ; sudo mst-cli server start`
+
+For more information, see [Use bridge networks](https://docs.docker.com/network/bridge/#configure-the-default-bridge-network) in the Docker documentation.
+
+#### Change the default bridge network used by Podman
+
+Podman uses the file **/etc/cni/net.d as 87-podman-bridge.conflist** to configure a new default bridge IP address.
+
+1. Use the following command to stop the MS Tunnel Gateway container: `sudo mst-cli server stop ; sudo mst-cli agent stop`
+
+2. Next, run the following command to remove the existing Podman bridge device: `sudo ip link del cni-podman0`
+
+3. Using root permissions and a file editor like *vi* or *nano*, modify **/etc/cni/net.d as 87-podman-bridge.conflist** to update the defaults for **“subnet:”** and **“gateway:”** by replacing the Podman default values with your desired subnet and gateway addresses. The *subnet* address must be specified in CIDR notation.
+
+   The Podman defaults are:
+
+   - subnet: 10.88.0.0/16
+   - gateway: 10.88.0.1
+
+4. Use the following command to restart the MS Tunnel Gateway containers: `sudo mst-cli agent start ; sudo mst-cli server start`
+
+For more information, see [Configuring container networking with Podman](https://www.redhat.com/sysadmin/container-networking-podman) in the Red Hat documentation.
+
 ## Network
 
 - **Enable packet forwarding for IPv4**: Each Linux server that hosts the Tunnel server software must have IP forwarding for IPv4 enabled. To check on the status of IP forwarding, on the server run one of the following generic commands as *root* or *sudo*. Both commands return a value of **0** for *disabled* and a value of **1** for *enabled*:

memdocs/intune/protect/remove-certificates.md

@@ -257,4 +257,4 @@ PKCS certificates stay on the device (certificates aren't revoked or removed) wh
 
 ## Next steps
 
-[Use certificates for authentication](certificates-configure.md)
+[Use certificates for authentication](certificates-configure.md)  <!-- Test for second -->

windows-365/business/whats-new.md

@@ -64,6 +64,13 @@ To make it easier for admins to set up Windows 365, a link has been added to the
 
 Cloud PC users can now choose a higher screen resolution when they connect to their Cloud PC from https://windows365.microsoft.com.
 
+<!-- vvvvvvvvvvvvvvvvvvvvvv -->
+### Documentation
+
+#### New documentation article: Windows 365 approved partners
+
+We’ve published a new help documentation article. For more information, see [Windows 365 approved partners](../partners.md).
+
 <!-- ########################## -->
 ## Week of December 6, 2021 (Service release 2111)
 

windows-365/enterprise/whats-new.md

@@ -61,6 +61,13 @@ Administrators and users can now restore a Cloud PC to a state from a previous p
 
 Cloud PC users can now choose a higher screen resolution when they connect to their Cloud PC from https://windows365.microsoft.com.
 
+<!-- vvvvvvvvvvvvvvvvvvvvvv -->
+### Documentation
+
+#### New documentation article: Windows 365 approved partners
+
+We’ve published a new help documentation article. For more information, see [Windows 365 approved partners](../partners.md).
+
 <!-- ########################## -->
 ## Week of February 14, 2022