Commit 626632c

author
Angela Fleischmann
authored
Merge pull request #6705 from MicrosoftDocs/main
Publish 02/03/2022 3:30 PM PT
2 parents 92e6361 + 25f9193 commit 626632c

4 files changed

Lines changed: 25 additions & 21 deletions

memdocs/intune/configuration/device-restrictions-android-for-work.md

Lines changed: 1 addition & 1 deletion
@@ -462,12 +462,12 @@ End of comment -->
462462
#### Fully managed, dedicated, and corporate-owned work profile devices
463463

464464
- **Add new users**: **Block** prevents users from adding new users. Each user has a personal space on the device for custom Home screens, accounts, apps, and settings. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to add other users to the device.
465+
- **User can configure credentials (work profile-level)**: **Block** prevents users from configuring certificates assigned to devices, even devices that aren't associated with a user account. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might make it possible for users to configure or change their credentials when they access them in the keystore.
465466

466467
#### Fully managed and dedicated devices
467468

468469
- **User removal**: **Block** prevents users from removing users. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to remove other users from the device.
469470
- **Personal Google Accounts**: **Block** prevents users from adding their personal Google account to the device. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might allow users to add their personal Google account.
470-
- **User can configure credentials**: **Block** prevents users from configuring certificates assigned to devices, even devices that aren't associated with a user account. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might make it possible for users to configure or change their credentials when they access them in the keystore.
471471

472472
#### Dedicated devices
473473

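Review bot: The added bullet at line 465 appends "(work profile-level)" to the setting name, but its description is the unchanged text of the bullet removed at line 470 and never says what that scope means. The heading it now sits under also covers fully managed and dedicated devices, so a reader can't tell whether **Block** restricts credential configuration across the device or only inside a work profile. Suggest adding a sentence that states the scope, since this setting decides who can change certificates in the keystore.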
memdocs/intune/configuration/group-policy-analytics.md

Lines changed: 19 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,14 @@
11
---
22
# required metadata
33

4-
title: Use group policy analytics to import GPOs in Microsoft Intune
4+
title: Use group policy analytics to import and analyze GPOs in Microsoft Intune
55
description: Import and analyze your group policy objects in Microsoft Intune and Endpoint Manager. See the policies that have the same Configuration Service Provider (CSP) setting in the cloud, and assign to your Windows 10/11 users and devices.
66
keywords:
77
author: MandiOhlinger
88

99
ms.author: mandia
1010
manager: dougeby
11-
ms.date: 01/19/2022
11+
ms.date: 02/03/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: configuration
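Review bot: The `description` at line 5 still ends with "and assign to your Windows 10/11 users and devices", while the paragraph this commit adds at line 43 says the feature currently provides importing and analysis only, with policy creation and deployment left to a future release. Suggest trimming the description so it matches the new title at line 4.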
@@ -33,22 +33,27 @@ ms.collection:
3333

3434
# Analyze your on-premises group policy objects (GPO) using Group Policy analytics in Microsoft Endpoint Manager - Preview
3535

36-
Group policy objects (GPOs) are used on-premises to configure settings on personal computers, and other on-premises devices. In device management, GPOs help control security and features in the Windows OS, Internet Explorer, Office apps, and more.
36+
> [!TIP]
37+
> Looking for information on ADMX templates? See [Use Windows 10/11 Administrative Templates to configure group policy settings in Microsoft Endpoint Manager](administrative-templates-windows.md).
3738
38-
Many organizations are looking at cloud solutions to support the growing remote workforce. **Group Policy analytics** is a tool and feature in Microsoft Endpoint Manager that analyzes your on-premises GPOs. It helps you determine how your GPOs translate in the cloud. The output shows which settings are supported in MDM providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers.
39+
**Group Policy analytics** is a tool and feature in Microsoft Endpoint Manager that analyzes your on-premises GPOs. It helps you determine how your GPOs translate in the cloud. The output shows which settings are supported in MDM providers, including Microsoft Intune. It also shows any deprecated settings, or settings not available to MDM providers.
3940

4041
If your organization uses GPOs, and you want to move some workloads to Microsoft Endpoint Manager and Intune, then Group Policy analytics will help.
4142

43+
Currently, this feature provides importing and analysis. In a future release (no ETA), you'll be able to create a policy based off your imported GPO, and deploy the policy.
44+
4245
This feature applies to:
4346

4447
- Windows 11
4548
- Windows 10
4649

47-
This article shows you how export your GPOs, import the GPOs into Endpoint Manager, and review the analysis and results.
50+
This article shows you how export your GPOs, import the GPOs into Endpoint Manager, and review the analysis and results.
4851

4952
## Prerequisites
5053

51-
Sign in as the Intune administrator with a role that has the **Security Baselines** permission. For example, the **Endpoint Security Manager** role has the **Security Baselines** permission. For more information on the built-in roles, see [role-based access control](../fundamentals/role-based-access-control.md).
54+
- In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), sign in as the Intune administrator with a role that has the **Security Baselines** permission.
55+
56+
For example, the **Endpoint Security Manager** role has the **Security Baselines** permission. For more information on the built-in roles, see [role-based access control](../fundamentals/role-based-access-control.md).
5257

5358
## Export GPOs as an XML file
5459

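Review bot: Line 50 is rewritten in this hunk but still reads "shows you how export your GPOs"; it should be "how to export". In Prerequisites, the new single-item bullet at line 54 is followed by an unindented "For example, ..." paragraph at line 56, which falls outside the list item; either indent it under the bullet or drop the bullet. At line 43, "based on" reads better than "based off".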
@@ -62,7 +67,7 @@ Sign in as the Intune administrator with a role that has the **Security Baseline
6267

6368
Be sure the file is less than 4 MB and has a proper unicode encoding. If the exported file is greater than 4 MB, then include fewer GPOs when you save your report from the GPMC.msc tool.
6469

65-
## Use Group Policy analytics
70+
## Import GPOs and run analytics
6671

6772
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Group Policy analytics (preview)**.
6873
2. Select **Import**, and then select your saved XML file. When you select the XML file, Intune automatically analyzes the GPO in the XML file.
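Review bot: Renaming the heading at line 70 changes its generated anchor, so links that end in `#use-group-policy-analytics` no longer resolve to a section. This commit updates the one in whats-new.md; worth searching the repo for other inbound links to the old anchor.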
@@ -76,9 +81,9 @@ Be sure the file is less than 4 MB and has a proper unicode encoding. If the exp
7681
- **MDM Support**: Shows the percentage of group policy settings in the GPO that have the same setting in Intune.
7782

7883
> [!NOTE]
79-
> Whenever the Microsoft Intune product team makes changes to the mapping in Intune, the percentage under MDM Support automatically updates to reflect those changes.
84+
> Whenever the Microsoft Intune product team makes changes to the mapping in Intune, the percentage under MDM Support automatically updates to reflect those changes.
8085
81-
- **Unknown Settings**: Shows GPO settings that fall outside of the list of the Configuration Service Providers (CSPs) that this tool can parse.
86+
- **Unknown Settings**: There are some CSPs that can't be analyzed. **Unknown Settings** lists the GPOs that can't be analyzed.
8287
- **Targeted in AD**: **Yes** means the GPO is linked to an OU in on-premises group policy. **No** means the GPO isn't linked to an on-premises OU.
8388
- **Last imported**: Shows the date of the last import.
8489

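Review bot: The new **Unknown Settings** text at line 86 switches between two objects: "There are some CSPs that can't be analyzed" and then "lists the GPOs that can't be analyzed". The removed wording said the column shows GPO settings that fall outside the CSPs the tool can parse, which was more precise. Suggest keeping "GPO settings" as the thing being listed. The NOTE line at 79/84 appears to differ only in whitespace.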
@@ -96,8 +101,6 @@ Be sure the file is less than 4 MB and has a proper unicode encoding. If the exp
96101

97102
**No** means there isn't a matching setting available to MDM providers, including Intune.
98103

99-
For more information on device configuration profiles, see [Apply features and settings on your devices using device profiles](device-profiles.md).
100-
101104
- **Value**: Shows the value imported from the GPO. It shows different values, such `true`, `900`, `Enabled`, `false`, and so on.
102105
- **Scope**: Shows if the imported GPO targets users or targets devices.
103106
- **Min OS Version**: Shows the minimum Windows OS version build numbers that the GPO setting applies. It may show `18362` (1903), `17130` (1803), and other Windows client versions.
@@ -106,7 +109,7 @@ Be sure the file is less than 4 MB and has a proper unicode encoding. If the exp
106109

107110
- **CSP Name**: A Configuration Service Provider (CSP) exposes device configuration settings in Windows client. This column shows the CSP that includes the setting. For example, you may see Policy, BitLocker, PassportforWork, and so on.
108111

109-
For more information on CSPs, see the [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference).
112+
The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) lists the available CSPs, shows the supported OS editions, and more.
110113

111114
- **CSP Mapping**: Shows the OMA-URI path for the on-premises policy. You can use the OMA-URI in a [custom device configuration profile](custom-settings-configure.md). For example, you may see `./Device/Vendor/MSFT/BitLocker/RequireDeviceEnryption`.
112115

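Review bot: The context line at 114 gives the example OMA-URI as `./Device/Vendor/MSFT/BitLocker/RequireDeviceEnryption`, with "Encryption" misspelled. The same line tells readers they can use the OMA-URI in a custom device configuration profile, so a copied value would not match the BitLocker setting. Worth correcting to `RequireDeviceEncryption` while this section is being edited.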
@@ -141,7 +144,7 @@ Currently, the Group Policy analytics (preview) tool only supports non-ADMX sett
141144

142145
3. Select the **Reports** tab > **Group policy migration readiness**. In this report, you can:
143146

144-
- See the number of settings in your GPO that are available in a device configuration profile, if they can be in a custom profile, aren't supported, or are deprecated.
147+
- See the number of settings in your GPO that can be configure in a device configuration profile. It also shows if the settings can be in a custom profile, aren't supported, or are deprecated.
145148
- Filter the report output using the **Migration Readiness**, **Profile type**, and **CSP Name** filters.
146149
- Select **Generate report** or **Generate again** to get current data.
147150
- See the list of settings in your GPO.
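Review bot: The added line 147 has a grammar slip, "can be configure in a device configuration profile"; it should be "can be configured". The second sentence's "It" has no clear antecedent, so "The report also shows ..." would be clearer.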
@@ -151,10 +154,11 @@ Currently, the Group Policy analytics (preview) tool only supports non-ADMX sett
151154
> [!NOTE]
152155
> After you add or remove your imported GPOs, it can take about 20 minutes to update the Migration Readiness reporting data.
153156
154-
155157
## Send product feedback
156158

157-
You can provide feedback on Group Policy Analytics when you select **Got feedback**. Examples of feedback areas:
159+
You can provide feedback on Group Policy Analytics. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Group Policy analytics (preview)** > **Got feedback**.
160+
161+
Examples of feedback areas:
158162

159163
- You received errors during GPO import or analytics, and you need more specific information.
160164
- How easy is it to use Group Policy analytics to find the supported group policies in Microsoft Intune?
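Review bot: Line 159 writes "Group Policy Analytics" with a capital A and then "Group Policy analytics (preview)" in the same paragraph; the headings and menu paths elsewhere in this diff use the lowercase form. Suggest making the first mention match.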

memdocs/intune/fundamentals/deployment-guide-enrollment-android.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 02/02/2022
10+
ms.date: 02/03/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: enrollment
@@ -234,13 +234,13 @@ When you create the Intune enrollment profile, you decide if the devices are use
234234
---
235235
| Feature | Use this enrollment option when |
236236
| --- | --- |
237-
| Use Google Mobile Services (GMS). |AOSP doesn't use [GMS](https://www.android.com/gms/) (opens Android's web site). For example, some countries don't support GMS. <br/><br/> If your devices will use GMS, then use [dedicated devices](#android-enterprise-dedicated-devices) (in this article) or [fully managed](#android-enterprise-fully-managed) (in this article) enrollment. |
237+
| Use Google Mobile Services (GMS). |<br/><br/> Device doesn't support [GMS](https://www.android.com/gms/) (opens Android's web site). Some countries don't support GMS. <br/><br/> If your devices will use GMS, then use [dedicated devices](#android-enterprise-dedicated-devices) (in this article) or [fully managed](#android-enterprise-fully-managed) (in this article) enrollment. |
238238
| Devices are owned by the organization or school. | ✔️ |
239239
| You have new or existing devices. | ✔️ |
240240
| Need to enroll a few devices, or a large number of devices (bulk enrollment). | ❌ <br/><br/> Can only enroll one device at a time. |
241241
| Devices are associated with a single user. | ✔️ |
242242
| Devices are user-less, such as kiosk, dedicated, or shared. | ✔️ |
243-
| Devices are personal or BYOD. | ❌ <br/><br/>BYOD or personal devices should be enrolled using [Android Enterprise personally owned devices with a work profile](#byod-android-enterprise-personally-owned-devices-with-a-work-profile) (in this article).|
243+
| Devices are personal or BYOD. | ❌ <br/><br/> [Android Enterprise personally owned devices with a work profile](#byod-android-enterprise-personally-owned-devices-with-a-work-profile) (in this article) support [GMS](https://www.android.com/gms/) (opens Android's web site).|
244244
|Devices are managed by another MDM provider. | ❌ <br/><br/> To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune. |
245245
| You use the optional device enrollment manager (DEM) account | ❌ <br/><br/> The DEM account isn't supported. |
246246

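Review bot: In the row at line 237 the second cell now opens with `<br/><br/>` and carries no ✔️ or ❌ marker, unlike the other rows in the table, so it renders with leading blank lines and no answer. In the row at line 243, the new text only states that work profile devices support GMS and drops the earlier guidance that BYOD or personal devices should be enrolled with that option; suggest keeping the recommendation so the ❌ still tells the reader where to go.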
@@ -270,7 +270,7 @@ Admins can complete the enrollment themselves, and then give the devices to the
270270
1. Users turn on the device, and are prompted for information, including the enrollment method: QR Code. If you created a user-associated devices enrollment profile, then they may be asked to sign in with their organization credentials (`[email protected]`).
271271
2. If you created a userless devices enrollment profile, then wait for the enrollment wizard to complete. When it does, the device is ready to use.
272272

273-
If you created a user-associated devices enrollment profile, then users enter the required information, and your enrollment profile applies to the device. For more specific steps, see [enroll the device](../user-help/enroll-device-android-microsoft-intune-app.md).
273+
If you created a user-associated devices enrollment profile, then users enter the required information. Then, wait for the enrollment wizard to complete. For more specific steps, see [enroll the device](../user-help/enroll-device-android-microsoft-intune-app.md).
274274

275275
[!INCLUDE [users-dont-like-enroll](../includes/users-dont-like-enroll.md)]
276276

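Review bot: The rewritten line 273 no longer says that the enrollment profile applies to the device, and "Then, wait for the enrollment wizard to complete" leaves it unclear who waits while repeating step 2's wording. Suggest stating the outcome explicitly, or folding this paragraph into the numbered steps above it.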
memdocs/intune/fundamentals/whats-new.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -495,7 +495,7 @@ We have added 9 [BitLocker settings that were previously only available in Group
495495
### Monitor and troubleshoot
496496

497497
#### MDM support data to refresh automatically in Group Policy analytics tool<!-- 7852080 -->
498-
Now whenever Microsoft makes changes to the mappings in Intune, the **MDM Support** column in the GP analytics tool automatically updates to reflect the changes. The automation is an improvement over the previous behavior, which required you to reimport your Group Policy object (GPO) to refresh the data. For more information about Group Policy analytics, see [Use Group Policy analytics](../configuration/group-policy-analytics.md#use-group-policy-analytics).
498+
Now whenever Microsoft makes changes to the mappings in Intune, the **MDM Support** column in the GP analytics tool automatically updates to reflect the changes. The automation is an improvement over the previous behavior, which required you to reimport your Group Policy object (GPO) to refresh the data. For more information about Group Policy analytics, see [Use Group Policy analytics](../configuration/group-policy-analytics.md).
499499

500500
## Week of November 8, 2021
501501

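Review bot: Line 498 drops the `#use-group-policy-analytics` fragment, which avoids a dead anchor, but the link now lands at the top of the article and its text, "Use Group Policy analytics", matches neither the new title nor the renamed "Import GPOs and run analytics" heading in group-policy-analytics.md. Suggest pointing at the renamed section's anchor and updating the link text.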