Commit 888f924

Merge branch 'release-intune-2202' of https://github.com/MicrosoftDocs/memdocs-pr into FixedBlockingIssues
2 parents cfc7d63 + 9a9cebc commit 888f924

12 files changed

Lines changed: 186 additions & 89 deletions

memdocs/intune/configuration/group-policy-analytics.md

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -8,7 +8,7 @@ author: MandiOhlinger
88

99
ms.author: mandia
1010
manager: dougeby
11-
ms.date: 02/03/2022
11+
ms.date: 02/23/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: configuration
@@ -140,7 +140,10 @@ Currently, the Group Policy analytics (preview) tool only supports non-ADMX sett
140140

141141
- **Ready for migration**: The policy has a matching setting in Intune, and is ready to be migrated to Intune.
142142
- **Not supported**: The policy doesn't have a matching setting. Typically, policy settings that show this status aren't exposed to MDM providers, including Intune.
143-
- **Deprecated**: The policy may apply to older Windows versions, and no longer used in Windows 10/11.
143+
- **Deprecated**: The policy may apply to older Windows versions, older Microsoft Edge versions, and more policies that aren't used anymore.
144+
145+
> [!NOTE]
146+
> When the Microsoft Intune product team updates the mapping logic, your imported GPOs are automatically updated. You don't need to reimport your GPOs.
144147
145148
3. Select the **Reports** tab > **Group policy migration readiness**. In this report, you can:
146149
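
Review bot: The reworded **Deprecated** bullet at new line 143 is not parallel and reads ambiguously: "older Windows versions, older Microsoft Edge versions, and more policies that aren't used anymore" lists two products and then a category of policies. Suggest something like "The policy may apply to older Windows versions or older Microsoft Edge versions, or is no longer used." Also check that the `> [!NOTE]` added at lines 145-146 is indented to the level of the list it follows, so that step 3 below keeps its numbering.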

memdocs/intune/configuration/settings-catalog.md

Lines changed: 3 additions & 2 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 02/03/2022
10+
ms.date: 02/23/2022
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: configuration
@@ -39,6 +39,7 @@ This feature applies to:
3939

4040
- **macOS**
4141

42+
- **Configure device settings**. Device settings that are directly generated from Apple Profile-Specific Payload Keys are continually being added. To learn more about these keys, see, [Profile-Specific Payload Keys](https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys) (opens Apple's website).
4243
- **Configure Microsoft Edge version 77 and newer**. Previously, you had to [use a property list (plist) file](/deployedge/configure-microsoft-edge-on-mac) (opens another Microsoft website). For a list of the settings you can configure, see [Microsoft Edge - Policies](/DeployEdge/microsoft-edge-policies) (opens another Microsoft website). Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the [preference file](preference-file-settings-macos.md).
4344
- **Configure Microsoft Defender for Endpoint**. Previously, you had to [use a property list (plist) file](/microsoft-365/security/defender-endpoint/mac-install-with-intune) (opens another Microsoft website). For a list of the settings you can configure, see [Set preferences for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-preferences) (opens another Microsoft website). Be sure macOS is listed as a supported platform. If some settings aren't available in the settings catalog, then it's recommended to continue using the [preference file](preference-file-settings-macos.md).
4445
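
Review bot: Stray comma after "see" in the new **Configure device settings** bullet at line 42 ("see, [Profile-Specific Payload Keys]"). Drop it so the sentence reads like the link sentences in the two bullets that follow.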

@@ -188,7 +189,7 @@ When you create the policy, you have two policy types: **Settings catalog** and
188189

189190
The **Templates** include a logical group of settings, such as device restrictions, kiosk, and more. Use this option if you want to use these groupings to configure your settings.
190191

191-
For Windows, the **Settings catalog** lists all the available settings. If you want to see all the available Firewall settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for specific settings.
192+
The **Settings catalog** lists all the available settings. If you want to see all the available Firewall settings, or all the available BitLocker settings, then use this option. Also, use this option if you're looking for specific settings.
192193

193194
## Next steps
194195
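
Review bot: Dropping "For Windows," at line 192 makes the sentence platform-neutral, but its only examples are still Firewall and BitLocker, and BitLocker is a Windows feature. Since this file also lists macOS as a supported platform, either scope the examples ("For example, on Windows, ...") or add a macOS example next to them.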

memdocs/intune/configuration/vpn-settings-ios.md

Lines changed: 127 additions & 51 deletions
Large diffs are not rendered by default.

memdocs/intune/configuration/wi-fi-settings-android-enterprise.md

Lines changed: 5 additions & 1 deletion
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 12/16/2021
10+
ms.date: 02/23/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: configuration
@@ -72,6 +72,10 @@ Select this option if you're deploying to an Android Enterprise dedicated, corpo
7272

7373
- **Wi-Fi type**: Select **Enterprise**.
7474
- **SSID**: Enter the **service set identifier**, which is the real name of the wireless network that devices connect to. However, users only see the **network name** you configured when they choose the connection.
75+
- **Connect automatically**: **Enable** automatically connects to your Wi-Fi network when devices are in range. Select **Disable** to prevent or block this automatic connection.
76+
77+
When devices are connected to another preferred Wi-Fi connection, then they won't automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections.
78+
7579
- **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device.
7680
- **EAP type**: Select the Extensible Authentication Protocol (EAP) type used to authenticate secured wireless connections. Your options:
7781
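
Review bot: The new **Connect automatically** bullet at line 75 mixes two phrasings: "**Enable** automatically connects ..." and then "Select **Disable** to ...", while the neighbouring **Hidden network** bullet uses "Select **Enable** to ..." for both values. Suggest "Select **Enable** to automatically connect ...", and reduce "prevent or block" to one verb. The follow-up paragraph at line 77 should be indented under the bullet so it stays attached to this setting rather than ending the list.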

memdocs/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll.md

Lines changed: 6 additions & 4 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: Lenewsad
99
ms.author: lanewsad
1010
manager: dougeby
11-
ms.date: 10/19/2021
11+
ms.date: 02/10/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: enrollment
@@ -68,7 +68,7 @@ Create an enrollment profile to enable enrollment on devices.
6868
- **SSID**: Identifies the network that the device will connect to.
6969

7070
> [!NOTE]
71-
> Wi-Fi details are required because the RealWear device does not have a button or option that lets it automatically connect to other devices.
71+
> Wi-Fi details are required because the RealWear device doesn't have a button or option that lets it automatically connect to other devices.
7272

7373
- **Hidden network**: Choose whether this is a hidden network. By default, this setting is disabled, which means the network can broadcast its SSID.
7474
- **Wi-Fi type**: Select the type of authentication needed for this network.
@@ -99,7 +99,7 @@ The token appears as a QR code. During device setup, when prompted to, scan the
9999
>- Since you're managing the device via Intune, you should skip the RealWear first time setup. The Intune QR codes is the only thing you need to set up the device.
100100
101101
### Replace a token
102-
You can generate a new token to replace one that's nearing its expiration date. Replacing a token does not affect devices that are already enrolled.
102+
You can generate a new token to replace one that's nearing its expiration date. The replacement token doesn't affect devices that are already enrolled.
103103

104104
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
105105
2. Select **Devices** > **Android** > **Android enrollment** > **Corporate-owned, user-associated devices**.
@@ -114,7 +114,7 @@ Revoke a token to immediately expire it and make it unusable. For example, it's
114114
* You accidentally share the token/QR code with an unauthorized party.
115115
* You complete all enrollments and no longer need the token.
116116

117-
Revoking a token does not affect devices that are already enrolled.
117+
Revoking a token has no effect on devices that are already enrolled.
118118

119119
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
120120
2. Select **Devices** > **Android** > **Android enrollment** > **Corporate-owned, user-associated devices**.
@@ -214,5 +214,7 @@ The following are known limitations when working with AOSP devices in Intune:
214214

215215
* [Create an Android (AOSP) device compliance policy](../protect/compliance-policy-create-android-aosp.md).
216216

217+
* Create a policy that requires users to accept your [terms and conditions](terms-and-conditions-create.md) before enrollment.
218+
217219
* For more information about how to get started with AOSP, see [Android source requirements](https://source.android.com/setup/build/requirements)(opens Android source documentation).
218220

memdocs/intune/enrollment/android-aosp-corporate-owned-userless-enroll.md

Lines changed: 9 additions & 7 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: Lenewsad
99
ms.author: lanewsad
1010
manager: dougeby
11-
ms.date: 10/19/2021
11+
ms.date: 02/23/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: enrollment
@@ -148,7 +148,7 @@ Complete the following steps to create a dynamic Azure AD device group for devic
148148
5. Choose **Add query** > **Create**.
149149

150150

151-
### Enroll devices
151+
## Enroll devices
152152
After you set up and assign the Android (AOSP) enrollment profiles, you can enroll devices via QR code.
153153

154154
1. Turn on your new or factory-reset device.
@@ -158,14 +158,16 @@ After you set up and assign the Android (AOSP) enrollment profiles, you can enro
158158
> [!TIP]
159159
> To access the token in Intune, select **Devices** > **Android** > **Android enrollment** > **Corporate-owned, userless devices**. Select your enrollment profile, and then select **Tokens**.
160160
161-
3. Follow the on-screen prompts to finish enrolling and registering the device.
161+
3. Follow the on-screen prompts to finish enrolling and registering the device. During setup, Intune automatically installs and opens the apps that are needed for enrollment. Those apps include:
162162

163-
The Microsoft Intune and Microsoft Authenticator apps automatically install and open on the device, which allows the device to be enrolled. You'll be locked in the enrollment process until it's complete.
163+
* Microsoft Authenticator app
164+
* Microsoft Intune app
165+
* Intune Company Portal app
164166

165167
## After enrollment
166168

167-
### Update Microsoft Intune and Microsoft Authenticator
168-
The Intune app automatically installs available app updates for itself and Authenticator. When an update becomes available, the Intune app closes and installs the update. The app must be closed completely to install the update.
169+
### App updates
170+
The Microsoft Intune app automatically installs available app updates for itself, Authenticator, and Company Portal. When an update becomes available, the Intune app closes and installs the update. The app must be closed completely to install the update.
169171

170172
### Manage devices remotely
171173
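
Review bot: The sentence "You'll be locked in the enrollment process until it's complete" from old line 163 is dropped, and nothing in the new step 3 text or the app list replaces it. If devices are still held in enrollment until it finishes, keep that sentence after the list, since it tells the person doing setup what to expect.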

@@ -207,7 +209,7 @@ The following are known limitations when working with AOSP devices in Intune:
207209
* Alphanumeric
208210
* Alphanumeric with symbols
209211
* Weak biometric
210-
* Device compliance reporting is not available for for Android (AOSP).
212+
* Device compliance reporting is not available for Android (AOSP).
211213

212214
* Android (AOSP) management is not supported in these environments:
213215
* Intune for Government Community Cloud (GCC) High and Department of Defense (D0D)
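
Review bot: The context line two below the fix still reads "Department of Defense (D0D)" with a digit zero; correct it to "DoD" in the same change that removes the doubled "for". The touched line also keeps "is not available" while other hunks in this commit switch to contractions ("doesn't"), so pick one style.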

memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md

Lines changed: 1 addition & 5 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: Lenewsad
99
ms.author: lanewsad
1010
manager: dougeby
11-
ms.date: 11/11/2021
11+
ms.date: 02/08/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: enrollment
@@ -211,10 +211,6 @@ Now that you've installed your token, you can create an enrollment profile for A
211211
212212
This method provides the same security as Company Portal authentication but avoids the issue of leaving end users with a device they can't use until the Company Portal installs.
213213

214-
> [!IMPORTANT]
215-
> If you select Setup Assistant with modern authentication as the authentication method, and you also apply a *conditional access - terms of use* policy that requires end users to accept the Azure AD Terms of Use, you must apply a *conditional access* policy that uses the Microsoft Intune cloud app, not the Microsoft Intune Enrollment cloud app. Otherwise, enrollment will fail and devices will need to be wiped to reset enrollment.
216-
217-
218214
The Company Portal will be installed without user interaction (the user won't see the **Install Company Portal** option) in both of the following situations:
219215

220216
- If you use the **Install Company Portal with VPP** option below (recommended).
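
Review bot: Missing justification for deleting the `[!IMPORTANT]` callout at old lines 214-215. It warned that with Setup Assistant with modern authentication plus a *conditional access - terms of use* policy, the policy must target the Microsoft Intune cloud app, "Otherwise, enrollment will fail and devices will need to be wiped to reset enrollment." Nothing visible in the diff says that limitation is gone. If it still applies, keep the callout or link to where it moved; if it was fixed, say so in the commit message.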

memdocs/intune/fundamentals/whats-new-archive.md

Lines changed: 2 additions & 2 deletions
@@ -5277,7 +5277,7 @@ To see the new experience, sign in to Intune and select **Devices** > **All devi
52775277
If you still want the wipe/retire confirmation, you can use the standard device lifecycle route by issuing a **Remove company data** and **Factory Reset** prior to **Delete**.
52785278

52795279
#### Play sounds on iOS when in Lost mode<!-- 1947769 -->
5280-
When supervised iOS devices are in Mobile Device Management (MDM) [Lost mode](../remote-actions/device-lost-mode.md), you can [play a sound](../remote-actions/device-locate.md#activate-lost-mode-sound-alert) (**Devices** > **All devices** > select an iOS device > **Overview** > **More**). The sound continues to play until the device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.
5280+
When supervised iOS devices are in Mobile Device Management (MDM) [Lost mode](../remote-actions/device-lost-mode.md), you can [play a sound](../remote-actions/device-locate.md#activate-lost-device-sound-alert) (**Devices** > **All devices** > select an iOS device > **Overview** > **More**). The sound continues to play until the device is removed from Lost mode, or a user disables sound on the device. Applies to iOS devices 9.3 and newer.
52815281

52825282
#### Block or allow web results in searches made on an Intune device<!--1972804-->
52835283

@@ -6868,4 +6868,4 @@ You can now view the device category as a column in the device list. You can als
68686868

68696869
Windows as a Service is the new way of providing updates for Windows 10. Starting with Windows 10, any new Feature Updates and Quality Updates will contain the contents of all previous updates. This means that as long as you've installed the latest update, you know that your Windows 10 devices are completely up-to-date. Unlike with previous versions of Windows, you now must install the entire update instead of part of an update.
68706870

6871-
By using Windows Update for Business, you can simplify the update management experience so that you don't need to approve individual updates for groups of devices. You can still manage risk in your environments by configuring an update rollout strategy and Windows Update will make sure that updates are installed at right time. Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer update installation. Intune doesn't store the updates, but only the update policy assignment. Devices access Windows Update directly for the updates.Use Intune to configure and manage **Windows 10 update rings**. An update ring contains a group of settings that configure when and how Windows 10 updates get installed. For details, see [Configure Windows Update for Business settings](../protect/windows-update-for-business-configure.md).
6871+
By using Windows Update for Business, you can simplify the update management experience so that you don't need to approve individual updates for groups of devices. You can still manage risk in your environments by configuring an update rollout strategy and Windows Update will make sure that updates are installed at right time. Microsoft Intune provides the ability to configure update settings on devices and gives you the ability to defer update installation. Intune doesn't store the updates, but only the update policy assignment. Devices access Windows Update directly for the updates.Use Intune to configure and manage **Windows 10 update rings**. An update ring contains a group of settings that configure when and how Windows 10 updates get installed. For details, see [Configure Windows Update for Business settings](../protect/windows-update-for-business-configure.md).
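
Review bot: The removed and added versions of line 6871 are identical as rendered, so this is presumably a whitespace or end-of-file change. Since the line is touched anyway, fix "for the updates.Use Intune" (missing space after the period) and "installed at right time" (missing "the").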

memdocs/intune/protect/mtd-connector-enable.md

Lines changed: 12 additions & 3 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: brenduns
99
ms.author: brenduns
1010
manager: dougeby
11-
ms.date: 12/18/2020
11+
ms.date: 02/23/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: protect
@@ -66,7 +66,7 @@ To view classic conditional access policies, in [Azure](https://portal.azure.com
6666

6767
5. Enable the toggle options according to your organization's requirements. Toggle options visible will vary depending on the MTD partner. For example, the following image shows the options that are available for Symantec Endpoint Protection:
6868

69-
![MTD setup in Intune](./media/mtd-connector-enable/enable-mtd-connector-1.png)
69+
:::image type="content" source="./media/mtd-connector-enable/enable-mtd-connector-1.png" alt-text="Screen shot example that shows the MDM Complince Policy Settings for the MDT connector.":::
7070

7171
## Mobile Threat Defense toggle options
7272
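
Review bot: The new alt-text at line 69 has two typos: "Complince" should be "Compliance", and "MDT connector" should be "MTD connector" to match "Mobile Threat Defense" as used throughout this file. "Screen shot" is also normally written as one word.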

@@ -81,7 +81,16 @@ You can decide which MTD toggle options you need to enable according to your org
8181
- **Enable App Sync for iOS Devices**: Allows this Mobile Threat Defense partner to request metadata of iOS applications from Intune to use for threat analysis purposes. This iOS device must be MDM-enrolled device and will provide updated app data during device check-in. You can find standard Intune policy check-in frequencies in the [Refresh cycle times](../configuration/device-profile-troubleshoot.md#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
8282

8383
> [!NOTE]
84-
> App Sync data is sent to Mobile Threat Defense partners at an interval based on device check-in, and should **not** be confused with the refresh interval for the [Discovered Apps report](../apps/app-discovered-apps.md#details-of-discovered-apps).
84+
> App Sync data is sent to Mobile Threat Defense partners at an interval based on device check-in, and should **not** be confused with the refresh interval for the [Discovered Apps report](../apps/app-discovered-apps.md#details-of-discovered-apps).
85+
86+
- **Send full application inventory data on personally-owned iOS/iPadOS Devices​**: This setting controls the application inventory data that Intune shares with this Mobile Threat Defense partner when the partner syncs app data and requests the app inventory list.
87+
88+
Choose from the following options:
89+
90+
- **On** - Allows this Mobile Threat Defense partner to request a list of iOS/iPadOS applications from Intune for personally-owned iOS/iPadOS devices. This list includes unmanaged apps (apps not deployed through Intune) as well as the apps that were deployed through Intune.
91+
- **Off** - Data about unmanaged apps isn't provided to the partner. Intune does share data for the apps that are deployed through Intune.
92+
93+
This setting has no effect for corporate devices. For corporate devices, Intune sends data about both managed and unmanaged apps when requested by this MTD vendor.
8594

8695
- **Block unsupported OS versions**: Block if the device is running an operating system less than the minimum supported version. Details of the minimum supported version would be shared within the docs for the Mobile Threat Defense vendor.
8796
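
Review bot: The new **Send full application inventory data on personally-owned iOS/iPadOS Devices** entry at lines 86-93 does not state the default value. Because **On** shares the list of unmanaged apps on personal devices with a third-party partner, the default and the privacy impact should be explicit. Also align terminology: the text uses "personally-owned" for one case and "corporate devices" for the other, and switches between "partner" and "MTD vendor". Check that the **On**/**Off** sub-bullets and the closing paragraph are indented under the parent bullet.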
