Merge branch 'master' into patch-10

Author: lenewsad

memdocs/autopilot/add-devices.md

@@ -161,8 +161,8 @@ You can delete Windows Autopilot devices that aren't enrolled into Intune:
 
 Completely removing a device from your tenant requires you to delete the Intune device, the Azure Active Directory device, and the Windows Autopilot device records. These deletions can all be done from Intune:
 
-1. First, delete the devices from Windows Autopilot at **Devices** > **Windows** > **Windows enrollment** > **Devices** (under **Windows Autopilot Deployment Program**). Choose the devices you want to delete, then choose **Delete**. Windows Autopilot device deletion can take a few minutes to complete.
-2. If the devices are enrolled in Intune, you must [delete them from the Intune All devices blade](../intune/remote-actions/devices-wipe.md#delete-devices-from-the-intune-portal).
+1. First if the devices are enrolled in Intune, you must [delete them from the Intune All devices blade](../intune/remote-actions/devices-wipe.md#delete-devices-from-the-intune-portal).
+2. Once device is not enrolled in Intune, delete the devices from Windows Autopilot at **Devices** > **Windows** > **Windows enrollment** > **Devices** (under **Windows Autopilot Deployment Program**). Choose the devices you want to delete, then choose **Delete**. Windows Autopilot device deletion can take a few minutes to complete.
 3. Delete the devices in Azure Active Directory devices at **Devices** > **Azure AD devices**.
 
 ## Next steps

memdocs/configmgr/comanage/overview.md

@@ -118,9 +118,6 @@ Enabling co-management itself doesn't require that you onboard your site with Az
 
 Upgrade your devices to Windows 10, version 1709 or later. For more information, see [Adopting Windows as a service](../core/understand/configuration-manager-and-windows-as-service.md#key-articles-about-adopting-windows-as-a-service).
 
-> [!IMPORTANT]
-> Windows 10 mobile devices don't support co-management.
-
 ### Permissions and roles
 
 <!--SCCMDocs issue #667-->

memdocs/configmgr/core/servers/deploy/configure/troubleshoot-microsoft-connected-cache.md

@@ -213,6 +213,17 @@ The DO cache server adds the following rewrite rules:
 - `Doinc_Outbound_SetHeader_X_CID_E77D08D0-5FEA-4315-8C95-10D359D59294`
 - `Doinc_Outbound_SetHeader_X_CCC_E77D08D0-5FEA-4315-8C95-10D359D59294`
 
+### IIS custom headers
+
+If requests with `X-Forwarded-For` headers are blocked on a proxy server, either allow the header on the proxy server or change the custom header name in IIS for each server farm.
+
+To change the custom header name for each server farm:
+
+1. Open IIS Manager.
+1. Select **Server Farms**.
+1. Select a server farm and the proxy icon. 
+1. Under **Custom Headers**, change the value `X-Forwarded-For` to `X-Forwarded-For-<custom-name>`.
+
 ## Manage server resources
 
 Disk space required for each DO cache server may vary, based on your organization's update requirements. 100 GB should be enough space to cache the following content:
@@ -227,4 +238,4 @@ If the IIS and ARR log files take up too much space on the server, there are sev
 
 ## See also
 
-[Microsoft Connected Cache in Configuration Manager](../../../plan-design/hierarchy/microsoft-connected-cache.md)
+[Microsoft Connected Cache in Configuration Manager](../../../plan-design/hierarchy/microsoft-connected-cache.md)

memdocs/intune/apps/apps-add-android-for-work.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 09/16/2021
+ms.date: 11/08/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -216,6 +216,32 @@ By default, an Android Enterprise fully managed device will not allow employees
 > [!NOTE]
 > The Microsoft Intune app, the Microsoft Authenticator app, and the Company Portal app will be installed as required apps onto all fully managed devices during onboarding. Having these apps automatically installed provides Conditional Access support, and Microsoft Intune app users can see and resolve compliance issues. 
 
+## Update a Managed Google Play app
+By default, Managed Google Play apps will not update unless the following conditions are met:
+
+- The device is connected to wi-fi
+- The device is charging
+- The device is not actively being used 
+- The app to be updated is not running on the foreground
+
+For more information, see the [Manage App Updates](https://support.google.com/googleplay/work/answer/9350374?hl=en) documentation from Google. 
+
+You can choose to configure the wi-fi requirement for dedicated, fully managed, and corporate-owned work profile devices by configuring app auto-updates in [device configurations policies](../configuration/device-restrictions-android-for-work.md).
+
+For dedicated, fully managed, and corporate-owned work profile devices, you can choose an app update mode when an app is assigned to groups. The update modes available are:
+
+- **Default**: The app's updates are subject to default conditions (described above). 
+- **High Priority**: The app will update as soon as possible from when a new update is released, disregarding all of the default conditions. This may be disruptive for some users since the update can occur while the device is being used.
+
+To edit the app update mode:
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Apps** > **All apps**.
+3. Select the app from the apps list.
+4. Select **Properties**.
+5. Select **Edit** by the **Assignments** section.
+6. Find the group you'd like to edit the app update mode for by clicking the corresponding group mode for that group.
+7. Under **app settings**, select the desired update mode.
+
 ## Manage Android Enterprise app permissions
 Android Enterprise requires you to approve apps in the Managed Google Play web console before you sync them with Intune and assign them to your users. Because Android Enterprise allows you to silently and automatically push the apps to users' devices, you must accept the app permissions on behalf of all your users. Users don't see any app permissions when they install the apps, so it's important that you understand the permissions.
 

memdocs/intune/apps/apps-supported-intune-apps.md

@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 10/15/2021
+ms.date: 11/04/2021
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -173,6 +173,7 @@ The following apps support the core Intune App Protection Policy settings. Apps
 | **Notate for Intune**<p><img alt="Partner app - Notate for Microsoft Intune icon" src="./media/apps-supported-intune-apps/icon-p-notate.png" width="100"> | Notate is the ultimate Exchange Information Manager. Go paperless and improve collaboration. Let Notate advance your digital transformation. | [App Store link (iOS)](https://apps.apple.com/app/notate-for-microsoft-intune/id1511979523) | 
 | **Now<sup>&#174;</sup> Mobile - Intune**<p><img alt="Partner app - Now Mobile for Intune icon" src="./media/apps-supported-intune-apps/icon-p-now-mobile.png" width="100"> | Now employees can find answers and get work done across IT, HR, Facilities, Finance, Legal and other departments, all from a modern mobile app powered by the Now Platform<sup>&#174;</sup>.<p>The Now Platform<sup>&#174;</sup> delivers employee experiences and productivity through digital workflows across departments, systems and people.<p>Examples of things you can do in the app:<ul><li>IT: Request a laptop or a reset password</li><li>Facilities: Find and book a conference room</li><li>Finance: Request a corporate credit card</li><li>Legal: Have a new vendor sign a non-disclosure agreement (NDA)</li><li>HR: Find the next company holiday and check the vacation policy</li></ul><p>Now<sup>&#174;</sup> Mobile powered by the Now Platform<sup>&#174;</sup> - finally work life can be as great as real life | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.servicenow.requestor.mam.intune),<br>[App Store link (iOS)](https://apps.apple.com/app/now-mobile-intune/id1494183300) | 
 | **Omnipresence Go**<p><img alt="Partner app - Omnipresence Go icon" src="./media/apps-supported-intune-apps/icon-p-omnipresence.png" width="100"> | Omnipresence is a Customer Experience Management platform for Life Sciences companies. You can use Omnipresence CXM to engage with customers and patients of Life Sciences companies. <p>Omnipresence is built by life sciences experts who understand pharma, biotech, and med-device business needs and compliance requirements. As a unified platform, functional teams can work together using a shared view of their customers and plans across devices, online and offline, in harmony with their Microsoft applications. By using Omnipresence, you can focus on enabling great customer experiences based on advanced analytics and AI that deliver insights to enrich every stage of the customer journey.| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.omnipresence.live),<br>[App Store link (iOS)](https://apps.apple.com/in/app/omnipresence-technologies/id1504126395#?platform=iphone) | 
+| **PenPoint**<p><img alt="Partner app - PenPoint icon" src="./media/apps-supported-intune-apps/icon-p-penpoint.png" width="100"> | PenPoint works with PenLink’s on-premise software, PLX, to conduct lawful communications surveillance operations in the support of law enforcement investigations. PenPoint for Intune provides secure mobile access to communications surveillance data collected and stored by a PLX system. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.penlink.PenPoint),<br>[App Store link (iOS)](https://itunes.apple.com/app/penpoint/id1451352658?mt=8) | 
 | **PrinterOn for Microsoft**<p><img alt="Partner app - PrinterOn for Microsoft icon" src="./media/apps-supported-intune-apps/icon-p-printeron.png" width="100"> | PrinterOn's wireless mobile printing solutions enable users to remotely print from anywhere at any time over a secure network.| [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.printeron.droid.phone),<br>[App Store link (iOS)](https://apps.apple.com/us/app/printeron-for-microsoft/id1258715414?mt=8) | 
 | **Qlik Sense Mobile**<p><img alt="Partner app - Qlik Sense Mobile icon" src="./media/apps-supported-intune-apps/icon-p-qlik.png" width="100"> | Qlik Sense is a market leading, next generation application for self-service oriented analytics. Qlik's patented associative technology allows people to easily combine data from many different sources and explore it freely, without the limitations of query-based tools. | [Google Play link (Android)](https://play.google.com/store/apps/details?id=com.qlik.qliksense.mobile),<br>[App Store link (iOS)](https://apps.apple.com/app/qlik-sense-mobile/id1217049362) | 
 | **SAP Fiori**<p><img alt="Partner app - SAP Fiori icon" src="./media/apps-supported-intune-apps/icon-p-sap-fiori.png" width="100"> | Increase your daily productivity by tackling your most common business tasks anywhere and anytime with the SAP Fiori Client mobile app for iPhone and iPad. Deliver a next-level mobile experience with enhanced attachment handling and full-screen operations using this enhanced mobile runtime for the Web version of over 750 SAP Fiori app. Plus, access custom SAP Fiori mobile apps—built by customers using SAP Fiori mobile service—that are ready to support Intune mobile app management. | [App Store link (iOS)](https://apps.apple.com/us/app/sap-fiori-client/id824997258?mt=8) |  

memdocs/intune/apps/apps-win32-supersedence.md

@@ -6,7 +6,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 07/19/2021
+ms.date: 11/04/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -39,6 +39,12 @@ Supersedence relationships can be created when adding or modifying a Win32 app w
 
 App supersedence can only be applied to Win32 apps. For more information, see [Add a Win32 app](apps-win32-add.md) to Intune.
 
+A Microsoft Endpoint Manager permission will be required to create and edit Win32 app supersedence and dependency relationships with other apps. The permission is available under the **Mobile apps** category by selecting **Relate**. Starting in the **2202** service release, MEM admins will need this permission to add supersedence and dependency apps when creating or editing a Win32 app in Microsoft Endpoint Manager admin center. To find this permission in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Roles** > **All roles** > **Create**.
+
+This Win32 app supersedence permission has been added to the following built-in roles:
+- Application Manager
+- School administrator
+
 ## Create a Supersedence relationship in Intune
 
 The following steps help you create a supersedence relationship between apps:

memdocs/intune/apps/intune-management-extension.md

@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 07/15/2021
+ms.date: 11/18/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -54,7 +54,7 @@ The Intune management extension supplements the in-box Windows 10 MDM features.
 
 - End users aren't required to sign in to the device to execute PowerShell scripts.
 
-- The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the script or policy. If the script fails, the Intune management extension agent retries the script three times for the next three consecutive Intune management extension agent check-ins.
+- The Intune management extension agent checks after every reboot for any new scripts or changes. After you assign the policy to the Azure AD groups, the PowerShell script runs, and the run results are reported. Once the script executes, it doesn't execute again unless there's a change in the script or policy. If the script fails, the Intune management extension agent retries the script three times for the next three consecutive Intune management extension agent check-ins.
 
 - For shared devices, the PowerShell script will run for every new user that signs in.
 
@@ -225,7 +225,6 @@ To see if the device is auto-enrolled, you can:
     > The **Microsoft Intune Management Extension** is a service that runs on the device, just like any other service listed in the Services app (services.msc). After a device reboots, this service may also restart, and check for any assigned PowerShell scripts with the Intune service. If the **Microsoft Intune Management Extension** service is set to Manual, then the service may not restart after the device reboots.
 
 - Be sure devices are [joined to Azure AD](/azure/active-directory/user-help/user-help-join-device-on-network). Devices that are only joined to your workplace or organization ([registered](/azure/active-directory/user-help/user-help-register-device-on-network) in Azure AD) won't receive the scripts.
-- The Intune management extension client checks once per hour for any changes in the script or policy in Intune.
 - Confirm the Intune management extension is downloaded to `%ProgramFiles(x86)%\Microsoft Intune Management Extension`.
 - Scripts don't run on Surface Hubs or Windows 10 in S mode.
 - Review the logs for any errors. See [Intune management extension logs](#intune-management-extension-logs) (in this article).

memdocs/intune/apps/media/apps-supported-intune-apps/icon-p-penpoint.png

@@ -4,7 +4,7 @@ description: Add or create settings using ADMX administrative templates to confi
 ms.author: mandia
 author: MandiOhlinger
 manager: dougeby
-ms.date: 02/26/2021
+ms.date: 11/04/2021
 audience: ITPro
 ms.topic: how-to
 ms.service: microsoft-intune
@@ -34,6 +34,9 @@ This article applies to:
 
   For Microsoft Edge version 45 and earlier, see [Microsoft Edge Browser device restrictions](device-restrictions-windows-10.md#microsoft-edge-legacy-version-45-and-older).
 
+> [!NOTE]
+> Additional ADMX settings for Edge 95 and Edge updater have been added to Administrative Templates. This includes support for "Target Channel override" which allows customers to opt into the **[Extended Stable](https://blogs.windows.com/msedgedev/2021/07/15/opt-in-extended-stable-release-cycle/)** release cycle option at any point using Group Policy or through Intune.
+
 When you use Intune to manage and enforce policies, it's similar to using Active Directory group policy, or configuring local Group Policy Object (GPO) settings on user devices. But, Intune is 100% cloud.
 
 This article shows you how to configure Microsoft Edge policy settings using administrative templates in Microsoft Intune.

memdocs/intune/configuration/administrative-templates-configure-edge.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 10/19/2021
+ms.date: 11/15/2021
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -446,6 +446,8 @@ End of comment -->
 
 ### Applications
 
+#### Fully managed, dedicated, and corporate-owned work profile devices
+
 - **Allow installation from unknown sources**: **Allow** lets users turn on **Unknown sources**. This setting allows apps to install from unknown sources, including sources other than the Google Play Store. It allows users to side-load apps on the device using means other than the Google Play Store. When set to **Not configured** (default), Intune doesn't change or update this setting. By default, the OS might prevent users from turning on **Unknown sources**.
 
 - **App auto-updates (work profile-level)**: Devices check for app updates daily. Choose when automatic updates are installed. Your options:
@@ -464,6 +466,17 @@ End of comment -->
 
 If you want to enable side-loading, set the **Allow installation from unknown sources** and **Allow access to all apps in Google Play store** settings to **Allow**.
 
+#### Dedicated devices
+
+- **Clear local data in apps not optimized for Shared device mode (Public Preview)**: Add any app not optimized for shared device mode to the list. The app's local data will be cleared whenever a user signs out of an app that's optimized for shared device mode. Available for dedicated devices enrolled with Shared mode running Android 9 and later. 
+
+  When you use this setting, users cannot initiate sign out from non-optimized apps and get single sign-out. 
+  - Users will need to sign out of an app that has been optimized for Shared Device mode. Microsoft apps that are optimized for Shared device mode on Android include Teams and Intune’s Managed Home Screen. 
+  - For apps that have not been optimized for Shared Device mode, deleting application data extends to local app storage only. Data may be left in other areas of the device. User identifying artifacts such as email address and username may be left behind on the app and visible by others. 
+  - Non-optimized apps that provide support for multiple accounts could exhibit indeterminate behavior and are therefore not recommended. 
+  
+  All non-optimized apps should be thoroughly tested before being used in multi-user scenarios on shared devices to ensure they work as expected. For example, validate your core scenarios in each app, verify that the app signs out properly, and that all data is sufficiently cleared for your organization’s needs.
+
 ### Connectivity
 
 #### Fully managed, dedicated, and corporate-owned work profile devices