Commit 67e1e79

Merge pull request #7337 from MicrosoftDocs/main
merge main to live, 10:30 Tuesday
2 parents 32ff161 + 88428f5 commit 67e1e79

13 files changed

Lines changed: 75 additions & 65 deletions

File tree

memdocs/configmgr/apps/deploy-use/deploy-applications.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -107,7 +107,7 @@ On the **Deployment Settings** page, specify the following information:
107107

108108
- **Allow clients on a metered Internet connection to download content after the installation deadline, which might incur additional costs**: This option is only available for deployments with a purpose of **Required**.
109109

110-
- **Automatically upgrade any superseded version of this application**: The client upgrades any superseded version of the application with the superseding application.
110+
- **Automatically upgrade any superseded versions of this application**: The client upgrades any superseded version of the application with the superseding application.
111111

112112
> [!NOTE]
113113
> This option works regardless of administrator approval. If an administrator already approved the superseded version, they don't need to also approve the superseding version. Approval is only for new requests, not superseding upgrades.<!--515824-->
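Review bot: The changed bold label on line 110 should be checked against the exact option text in the console before merging, since bold setting names in this doc set are quoted verbatim from the UI; if the Deployment Settings page still reads "superseded version", this edit introduces a mismatch rather than fixing one. The tracking comment `<!--515824-->` on line 113 uses a bare number while the boundary-groups file in this same PR uses `<!--VSO 2841292-->`; pick one form for work-item references.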

memdocs/configmgr/core/servers/deploy/configure/boundary-groups-management-points.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ Previously, a common problem occurred when you had a protected management point
2424
> [!NOTE]
2525
> If you enable distribution points in the site default boundary group to fallback, and a management point is collocated on a distribution point, the site also adds that management point to the site default boundary group.<!--VSO 2841292-->
2626
27-
If a client is in a boundary group that with no assigned management point, the site gives the client the entire list of management points. This behavior makes sure that a client always receives a list of management points.
27+
If a client is in a boundary group with no assigned management point, the site gives the client the entire list of management points. This behavior makes sure that a client always receives a list of management points.
2828

2929
> [!TIP]
3030
> If you enable the option to **Prefer cloud-based sources over on-premises sources** then clients will prefer a cloud management gateway (CMG) for both policy and content.
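Review bot: The fix to line 27 is correct, but two context lines in this hunk have the same kind of wording problem and could be fixed in the same pass: line 25 uses "to fallback" as a verb (the verb is "to fall back"; "fallback" is the noun), and line 30 needs a comma after "**Prefer cloud-based sources over on-premises sources**" before "then clients will prefer".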

memdocs/configmgr/core/support/support-center.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ Support Center includes Support Center Viewer, a tool that support personnel use
5151

5252
Support Center includes a modern log viewer. This tool replaces CMTrace and provides a customizable interface with support for tabs and dockable windows. It has a fast presentation layer, and can load large log files in seconds.
5353

54-
### Support Center OneTrace (Preview)
54+
### Support Center OneTrace
5555

5656
<!--3555962-->
5757
**OneTrace** is a new log viewer with Support Center. It works similarly to CMTrace, with improvements. For more information, see [Support Center OneTrace](support-center-onetrace.md).
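Review bot: Dropping "(Preview)" from the heading on line 54 changes the auto-generated anchor for this section (from `#support-center-onetrace-preview` to `#support-center-onetrace`), so any in-repo links or TOC entries that target the old anchor need to be updated in this PR or they will land at the top of the page instead of this section.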

memdocs/configmgr/develop/reference/core/clients/collections/addmembershiprules-method-in-class-sms_collection.md

Lines changed: 1 addition & 0 deletions
@@ -1,6 +1,7 @@
11
---
22
title: "AddMembershipRules Method"
33
titleSuffix: "Configuration Manager"
4+
description: "In Configuration Manager, the AddMembershipRules WMI class method adds multiple new rules to the CollectionRules property of the SMS_Collection Server WMI Class object."
45
ms.date: "09/20/2016"
56
ms.prod: "configuration-manager"
67
ms.technology: configmgr-sdk
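Review bot: The new description on line 4 capitalizes "Server WMI Class" as if those words were part of the identifier; "the SMS_Collection server WMI class object" keeps only the real class name in its original casing. Also consider whether adding a description warrants bumping `ms.date` on line 5 (still "09/20/2016"), as the create-conditional-access-intune.md change in this same PR does.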

memdocs/intune/configuration/edition-upgrade-windows-settings.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
# required metadata
33

44
title: Windows 10 upgrade and S mode settings in Microsoft Intune
5-
description: See a list of all the settings, and what they do when upgrading a Windows 10 edition on a device, or enable S mode on a device using a device configuration profile in Microsoft Intune.
5+
description: See a list of all the settings, and what they do when upgrading a Windows 10 edition on a device, or switch out of S mode on a device using a device configuration profile in Microsoft Intune.
66
keywords:
77
author: MandiOhlinger
88
ms.author: mandia
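Review bot: The new wording on line 5 mixes verb forms: "when upgrading a Windows 10 edition on a device, or switch out of S mode on a device". Make the two parallel, for example "when upgrading a Windows 10 edition on a device, or switching out of S mode on a device".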
@@ -33,7 +33,7 @@ ms.collection: M365-identity-device-management
3333
> [!NOTE]
3434
> [!INCLUDE [not-all-settings-are-documented](../includes/not-all-settings-are-documented.md)]
3535
36-
Microsoft Intune includes many settings to help manage and protect your devices. This article describes some of the settings to upgrade Windows client editions, or enable S mode on Windows 10 devices. These settings are created in an upgrade configuration profile in Intune that are pushed or deployed to devices.
36+
Microsoft Intune includes many settings to help manage and protect your devices. This article describes some of the settings to upgrade Windows client editions, or switch out of S mode on Windows 10 devices. These settings are created in an upgrade configuration profile in Intune that are pushed or deployed to devices.
3737

3838
As part of your mobile device management (MDM) solution, use these settings to control the Windows client edition and Window 10 S mode options for your Windows devices.
3939
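Review bot: The unchanged tail of line 36 has a subject/verb mismatch: "an upgrade configuration profile in Intune that are pushed or deployed to devices" should read "that is pushed or deployed to devices". While in this paragraph, context line 38 reads "Window 10 S mode" (missing the s in Windows) and could be fixed in the same hunk.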

memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md

Lines changed: 1 addition & 1 deletion
@@ -538,7 +538,7 @@ This section uses the following resources. We'll install these resources in this
538538
11. Find the definition ID using the setting display name. Enter:
539539
540540
```powershell
541-
$desiredSettingDefinition = $settingDefinitions.value | ? {$_.DisplayName -Match "Silently sign in users to the OneDrive sync client with their Windows credentials"}
541+
$desiredSettingDefinition = $settingDefinitions.value | ? {$_.DisplayName -Match "Silently sign in users to the OneDrive sync app with their Windows credentials"}
542542
```
543543
544544
12. Configure a setting. Enter:
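Review bot: `-Match` on line 541 performs a regular-expression match, so `$desiredSettingDefinition` will silently be empty (or match more than one definition) if the renamed display name "Silently sign in users to the OneDrive sync app with their Windows credentials" is not exactly what `$settingDefinitions.value` returns. Since the full name is known, `-eq` is the safer comparison, and a guard such as `if (-not $desiredSettingDefinition) { throw "Setting definition not found" }` before step 12 would make a stale name fail loudly instead of producing a null definition ID that only surfaces when the setting is configured.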

memdocs/intune/protect/create-conditional-access-intune.md

Lines changed: 46 additions & 52 deletions
@@ -1,14 +1,14 @@
11
---
22
# required metadata
33

4-
title: Set up device-based Conditional Access with Intune
4+
title: Set up device-based Conditional Access policies with Intune
55
titleSuffix: Microsoft Intune
6-
description: Learn how to create a device-based Conditional Access policy based on Microsoft Intune device compliance and mobile app management.
6+
description: Configure a device-based Conditional Access policy that uses device status from a Microsoft Intune device compliance policies.
77
keywords:
88
author: brenduns
99
ms.author: brenduns
1010
manager: dougeby
11-
ms.date: 06/10/2021
11+
ms.date: 04/11/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: protect
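Review bot: The new description on line 6 has a number mismatch: "uses device status from a Microsoft Intune device compliance policies". Use either "from a Microsoft Intune device compliance policy" or "from Microsoft Intune device compliance policies".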
@@ -30,87 +30,81 @@ ms.collection: M365-identity-device-management
3030

3131
# Create a device-based Conditional Access policy
3232

33-
With Intune, enhance Conditional Access in Azure Active Directory by adding mobile device compliance to the access controls. With Intune compliance policy that defines requirements for devices to be compliant, you can use a device's compliance status to either allow or block access to your apps and services. You can do this by creating a Conditional Access policy that uses the setting **Require device to be marked as compliant**.
33+
With Microsoft Intune device compliance policies, your Azure Active Directory (Azure AD) Conditional Access policies can use a devices status to either grant or deny access to your organizations apps and services.
3434

35-
A Conditional Access policy specifies the app or services you want to protect, the conditions under which the apps or services can be accessed, and the users the policy applies to. Although Conditional Access is an Azure AD premium feature, the Conditional Access node you access from *Intune* is the same node as accessed from *Azure AD*.
35+
You can use the Microsoft Endpoint Manager admin center to configure your device-based Conditional Access policies. From within the admin center you have access to the Conditional Access policy UI as found in Azure AD. Use of the Azure AD UI provides access to all the options you would have if you were to configure the policy from within the Azure portal. The policies you create can specify the apps or services you want to protect, the conditions under which the apps or services can be accessed, and the users the policy applies to.
3636

3737
To Create a device-based Conditional Access policy your account must have one of the following permissions in Azure AD:
3838

39-
- Global administrator
40-
- Intune Service administrator
41-
- Conditional Access administrator
39+
- Global administrator
40+
- Intune Service administrator
41+
- Conditional Access administrator
42+
43+
To take advantage of device compliance status, configure Conditional Access policies to **Require device to be marked as compliant**. This option is set while configuring *Grant* access during step 6 of the following procedure.
4244

4345
> [!IMPORTANT]
4446
> Before you set up Conditional Access, you'll need to set up Intune device compliance policies to evaluate devices based on whether they meet specific requirements. See [Get started with device compliance policies in Intune](device-compliance-get-started.md).
4547
46-
## Create Conditional Access policy
48+
## Create the Conditional Access policy
4749

4850
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
4951

5052
2. Select **Endpoint security** > **Conditional Access** > **Policies** > **New policy**.
5153
:::image type="content" source="./media/create-conditional-access-intune/create-ca.png" alt-text="Create a new Conditional Access policy":::
5254

53-
3. Under **Assignments**, select **Users and groups**.
54-
55-
4. On the **Include** tab, identify the users or groups that this Conditional Access policy applies to. Once you've chosen groups or users to include, use the **Exclude** tab if there are any users, roles, or groups you want to exclude from this policy.
56-
57-
- **All users**: Select this option to apply the policy to all users and groups, including internal and guest users.
58-
59-
- **Select users and groups**: Select this option and specify one or more of the following options:
60-
61-
1. **All guest users**: Select this option to include or exclude external guest users (for example, partners, external collaborators)
62-
63-
2. **Directory roles**: Select one or more Azure AD roles to include or exclude users who are assigned these roles.
64-
65-
3. **Users and groups**: Select this option to search for and select individual users or groups you want include or exclude.
55+
The **New** pane opens, which is the configuration pane from Azure AD. The policy you’re creating is an Azure AD policy for conditional access. To learn more about this pane and Conditional Access policies, see [Conditional Access policy components](/azure/active-directory/conditional-access/concept-conditional-access-policies) in the Azure AD content.
6656

67-
> [!TIP]
68-
> Test the policy against a smaller group of users to make sure it works as expected.
57+
3. Under **Assignments**, select **Users or workload identities** to configure the Identities in the directory that the policy applies to. To learn more, see [Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups) in the Azure AD documentation.
6958

70-
5. Select **Done**.
59+
- On the **Include** tab, configure the user and groups you want to include.
60+
- Use the **Exclude** tab if there are any users, roles, or groups you want to exclude from this policy.
7161

72-
6. Under **Assignments**, select **Cloud apps or actions**.
62+
> [!TIP]
63+
> Test the policy against a smaller group of users to make sure it works as expected.
7364
74-
7. On the **Include** tab, use available options to identify the apps and services you want to protect with this Conditional Access policy. Then you can use the **Exclude** tab if there are any apps or services you want to exclude from this policy.
65+
4. Next select **Cloud apps or action**, which is also under *Assignments*. Configure this policy to apply to **Cloud apps**.
7566

76-
- **All cloud apps**: Select this option to apply the policy to all apps.
77-
> [!IMPORTANT]
78-
> The Microsoft Azure Management app for access to the Azure portal, and the Microsoft Intune app are included in this list. Be sure to use the **Exclude** tab either here or in the **Users and groups** options to make sure you (or the users or groups you designate) are able to sign in to the Azure portal or Microsoft Endpoint Manager admin center.
67+
- On the **Include** tab, use available options to identify the apps and services you want to protect with this Conditional Access policy.
7968

80-
- **Select apps**: Select this option, choose **Select**, and then use the applications list to search for and select the apps or services you want to protect.
69+
If you choose **Select apps**, select the apps and services you want to protect with this policy.
8170

82-
When ready, select **Done**.
71+
> [!CAUTION]
72+
> If you choose **All cloud apps**, be sure to review the warning, and then **Exclude** from this policy your account or other relevant users and groups that should retain access to use the Azure portal or Microsoft Endpoint Manager admin center after this policy takes effect.
8373
84-
8. Under **Assignments**, select **Conditions**.
74+
- Use the **Exclude** tab if there are any apps or services you want to exclude from this policy.
8575

86-
- **Sign-in risk**: Select *Yes* to use Azure AD Identity Protection sign-in risk detection with this policy, and then choose the sign-in risk levels the policy should apply to.
76+
For more information, see [Cloud apps or actions](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps) in the Azure AD documentation.
8777

88-
- **Device platforms**: On the **Include** tab, identify the device platforms you want to this Conditional Access policy to apply to. Use the **Exclude** tab to exclude platforms from this policy.
78+
5. Next, configure **Conditions**. Select the signals you want to use as conditions for this policy. Options include:
8979

90-
- **Client apps**: Select *Yes* to specify if the policy should apply to browser apps, mobile apps, and desktop clients.
80+
- User risk
81+
- Sign-in risk
82+
- Device platforms
83+
- Locations
84+
- Client as
85+
- Filter for devices
9186

92-
- **Device state**: The Conditional Access policy will apply to all device states unless you choose Yes and specifically exclude the states Device Hybrid Azure AD joined or Device marked as compliant (or both).
87+
For information about these options, see [Conditions](/azure/active-directory/conditional-access/concept-conditional-access-conditions) in the Azure AD documentation.
9388

94-
> [!TIP]
95-
> If you want to protect both **Modern authentication** clients and **Exchange ActiveSync clients**, create two separate Conditional Access policies, one for each client type. Although Exchange ActiveSync supports modern authentication, the only condition that is supported by Exchange ActiveSync is platform. Other conditions, including multi-factor authentication, are not supported. To effectively protect access to Exchange Online from Exchange ActiveSync, create a Conditional Access policy that specifies the cloud app Microsoft 365 Exchange Online and the client app Exchange ActiveSync with Apply policy only to supported platforms selected.
89+
> [!TIP]
90+
> If you want to protect both **Modern authentication** clients and **Exchange ActiveSync clients**, create two separate Conditional Access policies, one for each client type. Although Exchange ActiveSync supports modern authentication, the only condition that is supported by Exchange ActiveSync is platform. Other conditions, including multi-factor authentication, are not supported. To effectively protect access to Exchange Online from Exchange ActiveSync, create a Conditional Access policy that specifies the cloud app Microsoft 365 Exchange Online and the client app Exchange ActiveSync with Apply policy only to supported platforms selected.
9691
97-
9. Select **Done**.
92+
6. Under **Access controls**, select **Grant** and then one or more requirements. To learn about the options for Grant, see [Grant](/azure/active-directory/conditional-access/concept-conditional-access-grant) in the Azure AD Documentation.
9893

99-
10. Under **Access controls**, select **Grant**. Configure what happens based on the conditions you've set up. You can select from the following options:
94+
- **Block access**: The users specified in this policy will be denied access to the apps or services under the conditions you've specified.
95+
- **Grant access**: The users specified in this policy will be granted access, but you can require any of the following further actions:
96+
- Require multi-factor authentication
97+
- *Require device to be marked as compliant* - This option is required for the policy to use device compliance status.
98+
- Require Hybrid Azure AD joined device
99+
- Require approved client app
100+
- Require app protection policy
101+
- Require password change
100102

101-
- **Block access**: The users specified in this policy will be denied access to the apps under the conditions you've specified.
102-
- **Grant access**: The users specified in this policy will be granted access, but you can require any of the following further actions:
103-
- **Require multi-factor authentication**: The user will need to complete additional security requirements, like a phone call or text.
104-
- **Require device to be marked as compliant**: The device must be Intune compliant. If the device is noncompliant, the user will be given the option to enroll the device in Intune.
105-
- **Require Hybrid Azure AD joined device**: Devices must be Hybrid Azure AD joined.
106-
- **Require approved client app**: The device must use approved client apps.
107-
- **For multiple controls**: Select **Require all the selected controls** so that all of the requirements are enforced when a device attempts to access the app.
108-
109-
:::image type="content" source="./media/create-conditional-access-intune/create-ca-grant-access-settings.png" alt-text="Access controls Grant settings":::
103+
:::image type="content" source="./media/create-conditional-access-intune/create-ca-grant-access-settings.png" alt-text="Screen shot of the configuration surface and options for Grant":::
110104

111-
11. Under **Enable policy**, select **On**.
105+
7. Under **Enable policy**, select **On**. By default, the policy is set to *Report-only*.
112106

113-
12. Select **Create**.
107+
8. Select **Create**.
114108

115109
## Next steps
116110

memdocs/intune/protect/device-compliance-get-started.md

Lines changed: 1 addition & 1 deletion
@@ -163,7 +163,7 @@ The following table describes how noncompliant settings are managed when a compl
163163
|**Policy setting**| **Platform** |
164164
| --- | ----|
165165
| **PIN or password configuration** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined <br> <br>- **iOS 8.0 and later**: Remediated<br>- **macOS 10.11 and later**: Remediated <br> <br>- **Windows 8.1 and later**: Remediated|
166-
| **Device encryption** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined<br><br>- **iOS 8.0 and later**: Remediated (by setting PIN)<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 8.1 and later**: Not applicable|
166+
| **Device encryption** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined<br><br>- **iOS 8.0 and later**: Remediated (by setting PIN)<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 8.1 and later**: Quarantined|
167167
| **Jailbroken or rooted device** | - **Android 4.0 and later**: Quarantined (not a setting)<br>- **Samsung Knox Standard 4.0 and later**: Quarantined (not a setting)<br>- **Android Enterprise**: Quarantined (not a setting)<br><br>- **iOS 8.0 and later**: Quarantined (not a setting)<br>- **macOS 10.11 and later**: Not applicable<br><br>- **Windows 8.1 and later**: Not applicable |
168168
| **Email profile** | - **Android 4.0 and later**: Not applicable<br>- **Samsung Knox Standard 4.0 and later**: Not applicable<br>- **Android Enterprise**: Not applicable<br><br>- **iOS 8.0 and later**: Quarantined<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 8.1 and later**: Not applicable |
169169
| **Minimum OS version** | - **Android 4.0 and later**: Quarantined<br>- **Samsung Knox Standard 4.0 and later**: Quarantined<br>- **Android Enterprise**: Quarantined<br><br>- **iOS 8.0 and later**: Quarantined<br>- **macOS 10.11 and later**: Quarantined<br><br>- **Windows 8.1 and later**: Quarantined|
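Review bot: Changing the Windows 8.1 and later entry for Device encryption from "Not applicable" to "Quarantined" on line 166 is a behavioural claim about how noncompliant devices are handled, not a wording fix, and nothing in the hunk records its source. Other behavioural edits in this PR carry a work-item comment such as `<!--VSO 2841292-->`; add one here, or note the source in the PR description, so reviewers can verify the platform behaviour before it ships.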