Merge branch 'main' of https://github.com/microsoftdocs/memdocs-pr into erikre-2210ID-15477561

Author: Erikre

memdocs/autopilot/autopilot-mbr.md

@@ -1,18 +1,14 @@
 ---
 title: Windows Autopilot motherboard replacement
-description: Windows Autopilot deployment Motherboard Replacement (MBR) scenarios
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
+description: Understand how Windows Autopilot deployments function when you replace the motherboard on a device.
+ms.prod: windows-client
+ms.technology: itpro-deploy
 ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
 author: aczechowski
 ms.author: aaroncz
 ms.reviewer: jubaptis
 manager: dougeby
-ms.date: 10/10/2021
+ms.date: 09/23/2022
 ms.collection: M365-modern-desktop
 ms.topic: how-to
 ---
@@ -24,17 +20,17 @@ ms.topic: how-to
 - Windows 11
 - Windows 10
 
-This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios.
+This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in motherboard replacement (MBR) situations, and other servicing scenarios.
 
 Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM requirements include strict uniqueness across motherboards, MAC addresses, and so on. Windows Autopilot requires strict uniqueness at the hardware hash level for each device to enable successful registration. The hardware hash doesn't always accommodate all the OEM hardware component requirements. So these requirements are sometimes at odds, causing issues with some repair scenarios. The hardware hash is also known as the hardware ID.
 
-**Motherboard Replacement (MBR)**
+Starting in the September 2022 release of Intune (2209), if a motherboard is replaced on an Autopilot registered device, and it goes back to the same tenant without an OS reset, Autopilot will attempt to register the new hardware components. In Intune, you'll see the profile status **Fix pending**. If the OEM resets the OS, you need to re-register the device. If the new hardware components are registered, the device status goes back to the assigned profile. If it's not, you'll see the profile status **Attention required**.
 
 If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended:
 
-1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot
+1. If the device isn't going back to the original tenant, [deregister it from Windows Autopilot](#deregister-the-autopilot-device-from-the-autopilot-program). If it's going back to the same tenant, you don't need to deregister it.
 2. [Replace the motherboard](#replace-the-motherboard)
-3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device)
+3. If the device needs to be re-registered because of a re-image or will be used by a new tenant, [capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device). 
 4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot
 5. [Reset the device](#reset-the-device)
 6. [Return the device](#return-the-repaired-device-to-the-customer)

memdocs/autopilot/registration-overview.md

@@ -1,13 +1,9 @@
 ---
 title: Windows Autopilot registration overview
 description: Overview of Windows Autopilot device registration
-keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
-ms.prod: w10
-ms.mktglfcycl: deploy
+ms.prod: windows-client
+ms.technology: itpro-deploy
 ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
 author: aczechowski
 ms.author: aaroncz
 ms.reviewer: jubaptis
@@ -44,6 +40,16 @@ Registration can also be performed within your organization by collecting the ha
 - [Automatic registration](automatic-registration.md)
 - [Manual registration](manual-registration.md)
 
+When you register an Autopilot device, it automatically creates an Azure AD object. The Autopilot deployment process needs this object to identify the device before the user signs in. If you delete this object, the device can fail to enroll through Autopilot. If the device is registered and not enrolled after 180 days, you'll need to re-register the device to complete a successful deployment.
+
+> [!NOTE]
+> Don't register to Autopilot the following types of devices:
+>
+> - [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register), also known as "workplace joined"
+> - [Intune MDM-only enrollment](/mem/intune/enrollment/windows-enrollment-methods#user-self-enrollment-in-intune)
+>
+> These options are intended for users to join personally-owned devices to their organization's network.
+
 Once a device is registered in Autopilot if a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration. 
 
 ## Terms

memdocs/autopilot/windows-autopilot-whats-new.md

@@ -4,11 +4,11 @@ description: News and resources about the latest updates and past versions of Wi
 ms.prod: w10
 ms.technology: windows
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
-manager: dougeby
+author: frankroj
+ms.author: frankroj
+manager: aczechowski
 ms.reviewer: jubaptis
-ms.date: 08/02/2022
+ms.date: 09/22/2022
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -17,6 +17,12 @@ ms.topic: article
 
 # Windows Autopilot: What's new
 
+## Autopilot automatic device diagnostics collection
+<!--1895390-->
+Starting with Intune 2209, Intune will automatically capture diagnostics when devices experience a failure during the Autopilot process on Windows 10 version 1909 or later and with Windows 11. When logs are finished processing on a failed device, they will be automatically captured and uploaded to Intune. Diagnostics and logs may include user identifiable information such as user name or device name. If the logs are not available in Intune, check if the device is powered-on and has access to the internet. Diagnostics are available for 28 days before they are removed.
+
+For more information, see [Collect diagnostics from a Windows device](../intune/remote-actions/collect-diagnostics.md).
+
 ## Updates to Autopilot device targeting infrastructure
 
 With Intune 2208 we are updating the Autopilot infrastructure to ensure that the profiles and applications assigned are consistently ready when the devices are deployed. This change reduces the amount of data that needs to be synchronized per-Autopilot device and leverages device lifecycle change events to reduce the amount of time that it takes to recover from device resets for Azure AD and Hybrid Azure AD joined devices. No action is needed to enable this change, it will be rolling out to all clients starting August 2022.

memdocs/intune/enrollment/enrollment-notifications.md

@@ -46,8 +46,6 @@ items:
   - name: Require multi-factor authentication  
     href: multi-factor-authentication.md
     displayName: mfa; multifactor   
-  - name: Set up enrollment notifications 
-    href: enrollment-notifications.md 
   - name: Set up Windows enrollment
     items:
     - name: Windows enrollment methods
@@ -69,7 +67,7 @@ items:
       displayName: wpj
     - name: Connect Intune to Android Enterprise
       href: connect-intune-android-enterprise.md
-    - name: Android personally-owned work profile enrollment
+    - name: Android personally owned work profile enrollment
       href: android-work-profile-enroll.md
     - name: Android Enterprise dedicated device enrollment
       href: android-kiosk-enroll.md
@@ -89,7 +87,7 @@ items:
       href: android-enterprise-overview.md 
     - name: Enroll Android Enterprise corporate-owned work profile devices
       href: android-corporate-owned-work-profile-enroll.md     
-    - name: Move device administrator devices to personally-owned work profile management
+    - name: Move device administrator devices to personally owned work profile management
       href: android-move-device-admin-work-profile.md        
     - name: Samsung Knox Mobile Enrollment 
       href: android-samsung-knox-mobile-enroll.md
@@ -104,7 +102,7 @@ items:
           href: device-enrollment-restrictions.md
         - name: Set app configuration policies
           href: android-app-configuration-policies.md
-        - name: Android personally-owned work profile security settings
+        - name: Android personally owned work profile security settings
           href: android-work-profile-security-settings.md
         - name: Android fully managed-security settings
           href: android-fully-managed-security-settings.md         
@@ -176,4 +174,4 @@ items:
     - name: Troubleshoot Windows auto-enrollment
       href: /troubleshoot/mem/intune/troubleshoot-windows-auto-enrollment
     - name: Troubleshoot Android device enrollment
-      href: /troubleshoot/mem/intune/troubleshoot-android-enrollment
+      href: /troubleshoot/mem/intune/troubleshoot-android-enrollment

memdocs/intune/enrollment/media/enrollment-notifications/enrollment-notification-message.png

@@ -29,6 +29,9 @@ ms.collection:
 
 # Use Access policies to require multiple administrative approvals
 
+> [!NOTE]  
+> This feature is delayed and is not yet available. We'll remove this note when this feature begins to roll out to tenants.
+
 *This feature is in Public Preview*
 
 To help protect against a compromised administrative account, use Intune *access policies* to require that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA).

memdocs/intune/enrollment/toc.yml

@@ -141,7 +141,7 @@ Applies to:
 #### Device Firmware Configuration Interface (DFCI) now supports Acer devices<!-- 15240661 -->
 For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (**Devices** > **Configuration profiles** > **Create profile** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type).
 
-New Acer devices running Windows 10/11 will be enabled for DFCI starting Fall 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices.
+New Acer devices running Windows 10/11 will be enabled for DFCI in later 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices.
 
 Contact your device vendor or device manufacturer to ensure you get eligible devices.
 
@@ -236,7 +236,10 @@ For more information about protected apps, see [Microsoft Intune protected apps]
 
 ### Tenant administration
 
-#### Access policies for Multiple Administrator Approval in public preview<!--9348867 -->
+#### Access policies for Multiple Administrator Approval in public preview<!--9348867 -->  
+> [!NOTE]  
+> This feature is delayed and is not yet available. We'll remove this note when this feature begins to roll out to tenants.
+
 In public preview, you can use Intune *access policies* to require that a second Administrator Approval account be used to approve a change before the change is applied.  This capability is known as multiple Administrator Approval (MAA).
 
 You create an access policy to protect a type of resource, like App deployments. Each access policy also includes a group of users who are *approvers* for the changes protected by the policy. When a resource like an app deployment configuration is protected by an access policy, any changes that are made to the deployment, including creating, deleting or modifying an existing deployment won't apply until a member of the approvers group for that access policy reviews and approves that change.

memdocs/intune/fundamentals/multi-admin-approval.md

@@ -39,14 +39,14 @@ Before you can configure Conditional Access policies for the tunnel, you must en
 
 2. Download the PowerShell script named **mst-ca-provisioning.ps1** from aka.ms/mst-ca-provisioning.
 
-3. Using credentials that have the Azure Role permissions [equivalent to **Application Administrator**](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator-permissions), run the script from any location in your environment, to provision your tenant.
+3. Using credentials that have the Azure Role permissions [equivalent to **Global Administrator**](/azure/active-directory/roles/permissions-reference#global-administrator), run the script from any location in your environment, to provision your tenant.
 
-   The script modifies your tenant by creating a service principle with the following details:
+   The script modifies your tenant by creating a service principal with the following details:
 
    - App ID: 3678c9e9-9681-447a-974d-d19f668fcd88
    - Name: Microsoft Tunnel Gateway
 
-   The addition of this service principle is required so you can select the tunnel cloud app while configuring Conditional Access policies. It's also possible to use Graph to add the service principle information to your tenant.
+   The addition of this service principal is required so you can select the tunnel cloud app while configuring Conditional Access policies. It's also possible to use Graph to add the service principal information to your tenant.
 
 4. After the script completes, you can use your normal process to create Conditional Access policies.