Merge pull request #6933 from MicrosoftDocs/main

v-dihans · web-flow · commit 89b743085e81 · 2022-03-02T11:36:13.000-07:00
Publish 03/02/2022, 10:30 AM
diff --git a/memdocs/autopilot/enrollment-autopilot.md b/memdocs/autopilot/enrollment-autopilot.md
@@ -73,6 +73,9 @@ ms.collection:
 
 3. Select **Create**.
 
+[!NOTE] 
+Anything assigned to these attributes will only be assigned if the device is Autopilot registered.
+
 ## Add devices
 
 For information about formatting and using a CSV file to manually add Windows Autopilot devices, see [Manually register devices with Windows Autopilot](add-devices.md).
@@ -131,4 +134,4 @@ You can group Windows devices by a correlator ID when enrolling using [Autopilot
 
 After you have created a device group, you can configure and apply a Windows Autopilot deployment profile to each device in the group. Deployment profiles determine the deployment mode, and customize the OOBE for your end users. For more information, see [Configure deployment profiles](profiles.md).
 
-For more information about managing your Windows Autopilot devices, see [What is Microsoft Intune device management?](../intune/remote-actions/device-management.md)
+For more information about managing your Windows Autopilot devices, see [What is Microsoft Intune device management?](../intune/remote-actions/device-management.md)
diff --git a/memdocs/autopilot/known-issues.md b/memdocs/autopilot/known-issues.md
@@ -28,6 +28,10 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
+### Device goes through Autopilot deployment without an assigned profile
+
+When a device is registered in Autopilot and no profile is assigned, it will take the default Autopilot profile. This is by design to ensure that all devices registered with Autopilot, goes through the Autopilot experience. If you do not want the device to go through an Autopilot deployment, you must remove the Autopilot registration. 
+
 ### White screen during HAADJ deployment
 
 There is a UI bug on Autopilot HAADJ deployments where the Enrollment Status page is displayed as a white screen. This issue is limited to the UI and should not impact the deployment process. 
diff --git a/memdocs/autopilot/profiles.md b/memdocs/autopilot/profiles.md
@@ -103,6 +103,8 @@ After you've created an Autopilot deployment profile, you can edit certain parts
     > [!NOTE]
     > Changes to the profile are applied to devices assigned to that profile. However, the updated profile won't be applied to a device that has already enrolled in Intune until after the device is reset and reenrolled.
 
+If a device is registered in Autopilot and a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration.
+
 ## Alerts for Windows Autopilot unassigned devices
 <!-- 163236 -->
 
diff --git a/memdocs/autopilot/registration-overview.md b/memdocs/autopilot/registration-overview.md
@@ -44,6 +44,8 @@ Registration can also be performed within your organization by collecting the ha
 - [Automatic registration](automatic-registration.md)
 - [Manual registration](manual-registration.md)
 
+Once a device is registered in Autopilot if a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration. 
+
 ## Terms
 
 The following terms are used to refer to various steps in the registration process:
diff --git a/memdocs/configmgr/hotfix/2111/12896009.md b/memdocs/configmgr/hotfix/2111/12896009.md
@@ -0,0 +1,136 @@
+---
+title: Update rollup for Microsoft Endpoint Configuration Manager version 2111
+titleSuffix: Configuration Manager
+description: Update rollup for Configuration Manager 2111
+ms.date: 03/02/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 7bd4295d-20c0-4d5f-b2e4-fa770ebc2ca6
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+
+# Update rollup for Microsoft Endpoint Configuration Manager version 2111
+
+*Applies to: Configuration Manager (current branch, version 2111)*
+
+## Summary of KB12896009
+This article describes issues that are fixed in this update rollup for Microsoft Endpoint Configuration Manager current branch, version 2111. This update applies both to customers who opted in through a PowerShell script to the early update ring deployment, and customers who installed the globally available release.
+For more information on changes in Configuration Manager version 2111, see:
+- [What’s new in version 2111 of Configuration Manager current branch](../../core/plan-design/changes/whats-new-in-version-2111.md)
+- [Summary of changes in Microsoft Endpoint Configuration Manager current branch, version 2111](../../hotfix/2111/11052354.md)
+
+## Issues that are fixed
+
+<!-- 12905440 -->
+- The Configuration Manager console fails to open after installing an updated version of a required console extension.
+
+<!-- 12923578 -->
+- Users without the **Read Client Status Settings** permission on the **Site** object are unable to see the client health dashboard.
+
+<!-- 12905525 -->
+- Windows LEDBAT isn't automatically enabled or disabled for a distribution point when selecting the **Adjust the download
+speed to use the unused network bandwidth (Windows LEDBAT)** setting in site properties. 
+
+<!-- 12909958 -->
+- Automatic registration of the Configuration Manager PowerShell module (*ConfigurationManager.psd1*) can trigger a false positive alert from security software.
+
+<!-- 12785033 -->
+- The Configuration Manager console now allows wildcards when defining Microsoft Defender Attack Surface Reduction (ASR) rules.
+
+<!-- 12785058 -->
+- CMPivot queries against the **Processor** entity may fail with an "Invalid query" error.
+
+<!-- 12905518 -->
+- Clients that aren't Intune enrolled will  record the following error in the execmgr.log file after receiving a task sequence policy.
+   ```text
+   Failed to check enrollment url, 0x00000001:
+   ```
+
+<!-- 12981663 -->
+- The OneTrace log file viewer (*CMPowerLogViewer.exe*) may terminate unexpectedly when opening a log file.
+
+<!-- 12952864 -->
+- The **Show Table** link in the Windows Servicing dashboard displays repetitive information after selecting different collections.
+
+<!-- 13059770 -->
+- The Post Installation task **Installing SMS_EXECUTIVE service** displays a status of *Completed with warning* even though it was successful and no warnings are recorded in the sitecomp.log file.
+
+<!-- 13069590 -->
+- Clients will now throttle communication with a cloud management gateway if they make five unsuccessful contact attempts in five minutes.
+
+<!-- 13104384 -->
+- If a client computer is offline for multiple days with a pending state message resync request, it will receive duplicate policies for the resync when it comes back online. This leads to repeated resynchronization of the same messages.
+
+<!-- 13039356 -->
+- When the Configuration Manager console is installed on a computer with an x86 processor, it doesn't detect the installation state of console extensions.
+
+<!-- 13219303 -->
+- The built-in cloud features notification message continues to display in the Configuration Manager console even after it is dismissed.
+
+<!-- 13104468 -->
+- A remote control session doesn't display as expected when the target computer has multiple monitors and the display has a custom scale over 125 percent.
+
+<!-- 13515162 -->
+- Internet-based clients fail to register over the cloud management gateway when the management point is hosted on a remote site system. This occurs for clients installed using a Windows Imaging Task sequence and boot media over an internet connection.
+
+<!-- 13486459 -->
+- After updating to Configuration Manager version 2111, client policies for **Windows Defender Firewall Remote Management** that were previously disabled may be re-enabled.
+ 
+
+## Hotfixes that are included in this update
+
+- KB [12709700](../../hotfix/2111/12709700.md) Update for Microsoft Endpoint Configuration Manager version 2111
+- KB [12959506](../../hotfix/2111/12959506.md) Client update for Configuration Manager current branch, version 2111
+
+## Update information for Microsoft Endpoint Configuration Manager current branch, version 2111
+
+This update is available in the Updates and Servicing node of the Configuration Manager console for environments that were installed by using early update ring or globally available builds of version 2111.
+
+Members of the Configuration Manager Technology Adoption Program (TAP) must first apply the private TAP rollup before this update is displayed.
+
+To verify which build is in use, look for a Package GUID by adding the Package GUID column to the details pane of the Updates and Servicing node in the console. The update applies to installations from packages that have the following GUIDs:
+
+- **653BACCA-5BCE-4B4C-9A83-10932A561F71**
+- **B07144F6-3B8E-4587-B1F0-BB47DA54C566**
+- **C77888E5-7499-4885-9EED-811BB2D958C0**
+- **44CE0720-6C46-4554-89CF-C9713E9C06C6**
+
+
+The update is also applicable to TAP builds with the private TAP rollup (**C30077BF-D610-4C8A-BDB1-9B2D5442380E**) installed.
+New installations from 2111 media, as opposed to updates from prior versions, will not have any package GUIDs listed.
+
+### Restart information
+
+This update doesn't require a computer restart but will initiate a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site aren't affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```code
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+The following major components are updated to the versions specified:
+
+| Component | Version |
+|---|---|
+| Configuration Manager console | 5.2111.1052.2500 |
+| Client | 5.0.9068.1026 |
+
+## File information
+File information is available in the downloadable [KB12896009_FileList.txt](https://aka.ms/KB12896009_FileList) text file.
+
+## Release history
+- March 2, 2022: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)
diff --git a/memdocs/configmgr/hotfix/TOC.yml b/memdocs/configmgr/hotfix/TOC.yml
@@ -11,6 +11,8 @@ items:
     href: 2111/12959506.md
   - name: KB 12819689 Connected cache update for Microsoft Endpoint Configuration Manager version 2111
     href: 2111/12819689.md
+  - name: KB 12896009 Update rollup for Microsoft Endpoint Configuration Manager version 2111
+    href: 2111/12896009.md
 - name: Version 2107
   items:
   - name: KB 10096997 Summary of changes in 2107
diff --git a/memdocs/configmgr/hotfix/index.yml b/memdocs/configmgr/hotfix/index.yml
@@ -25,6 +25,8 @@ landingContent:
             url: 2111/11052354.md
           - text: KB 12709700 Update for Configuration Manager 2111
             url: 2111/12709700.md
+          - text: KB 12896009 Update rollup for Configuration Manager 2111
+            url: 2111/12896009.md
   - title: Configuration Manager 2107
     linkLists:
       - linkListType: overview
diff --git a/memdocs/intune/apps/lob-apps-macos.md b/memdocs/intune/apps/lob-apps-macos.md
@@ -39,18 +39,13 @@ ms.collection:
 Use the information in this article to help you add macOS line-of-business apps to Microsoft Intune. You must download an external tool to pre-process your *.pkg* files before you can upload your line-of-business file to Microsoft Intune. The pre-processing of your *.pkg* files must take place on a macOS device.
 
 > [!NOTE]
-> Uploading *.pkg* files in the **Add app** pane is in public preview.
->
 > Starting with the release of macOS Catalina 10.15, prior to adding your apps to Intune, check to make sure your macOS LOB apps are notarized. If the developers of your LOB apps did not notarize their apps, the apps will fail to run on your users' macOS devices. For more information about how to check if an app is notarized, visit [Notarize your macOS apps to prepare for macOS Catalina](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Notarizing-your-macOS-apps-to-prepare-for-macOS/ba-p/808579).
 > 
 > macOS LOB apps have a maximum size limit of 2 GB per app.
 > 
 > While users of macOS devices can remove some of the built-in macOS apps like Stocks, and Maps, you cannot use Intune to redeploy those apps. If end users delete these apps, they must go to the app store, and manually re install them.
 
-## Before you start
-
-> [!NOTE]
-> Using the Intune App Wrapping Tool for Mac is not required when uploading *.pkg* files. Uploading *.pkg* files in the **Add app** pane is in public preview.
+## Before your start
 
 You must download an external tool, mark the downloaded tool as an executable, and pre-process your *.pkg* files with the tool before you can upload your line-of-business file to Microsoft Intune. The pre-processing of your *.pkg* files must take place on a macOS device. Use the Intune App Wrapping Tool for Mac to enable Mac apps to be managed by Microsoft Intune.
 
@@ -92,15 +87,10 @@ You must download an external tool, mark the downloaded tool as an executable, a
 
 ## Step 1 - App information
 
-> [!NOTE]
-> Uploading *.pkg* files in the **Add app** pane is in public preview.
->
-> The **minimum operating system** for uploading a *.pkg* file is macOS 10.14. Upload a *.intunemac* file to select an older minimum operating system.
-
 ### Select the app package file
 
 1. In the **Add app** pane, click **Select app package file**. 
-2. In the **App package file** pane, select the browse button. Then, select an macOS installation file with the extension *.intunemac* or *.pkg*.
+2. In the **App package file** pane, select the browse button. Then, select an macOS installation file with the extension *.intunemac*.
    The app details will be displayed.
 3. When you're finished, select **OK** on the **App package file** pane to add the app.
 
@@ -113,7 +103,7 @@ You must download an external tool, mark the downloaded tool as an executable, a
     - **Minimum Operating System**: From the list, choose the minimum operating system version on which the app can be installed. If you assign the app to a device with an earlier operating system, it will not be installed.
     - **Ignore app version**: Select **Yes** to install the app if the app is not already installed on the device. Select **No** to only install the app when it is not already installed on the device, or if the deploying app's version number does not match the version that's already installed on the device.
     - **Install as managed**: Select **Yes** to install the Mac LOB app as a managed app on  supported devices (macOS 11 and higher). A macOS LOB app can only be installed as managed when the app distributable contains a single app without any nested packages and installs to the */Applications* directory. Managed line-of-business apps will be able to be removed using the **uninstall** assignment type on supported devices (macOS 11 and higher). In addition, removing the MDM profile removes all managed apps from the device. The default value is **No**.
-    - **Included apps**: Review and edit the apps that are contained in the uploaded file. Included app bundle IDs and build numbers are used for detecting and monitoring app installation status of the uploaded file. The app listed first is used as the primary app in app reporting. <br>Included apps list should only contain the application(s) installed by the uploaded file in **Applications** folder on Macs. Any other type of file that is not an application or an application that is not installed to **Applications** folder should be removed from the **Included apps** list. If **Included apps** list contains files that are not applications or if all the listed apps are not installed, app installation status does not report success.<br>Mac Terminal can be used to lookup and confirm the included app details of an installed app.<br>For example, to look up the bundle ID and build number of Company Portal, run the following:<br>    *defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleIdentifier*<br>Then, run the following:<br>    *defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleShortVersionString*
+    - **Included apps**: Review and edit the apps that are contained in the uploaded file. Included app bundle IDs and build numbers are used for detecting and monitoring app installation status of the uploaded file. Included apps list should only contain the application(s) installed by the uploaded file in **Applications** folder on Macs. Any other type of file that is not an application or an application that is not installed to **Applications** folder should be removed from the **Included apps** list. If **Included apps** list contains files that are not applications or if all the listed apps are not installed, app installation status does not report success.<br>Mac Terminal can be used to lookup and confirm the included app details of an installed app.<br>For example, to look up the bundle ID and build number of Company Portal, run the following:<br>    *defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleIdentifier*<br>Then, run the following:<br>    *defaults read /Applications/Company\ Portal.app/Contents/Info CFBundleVersion*
     - **Category**: Select one or more of the built-in app categories, or select a category that you created. Categories make it easier for users to find the app when they browse through the company portal.
     - **Show this as a featured app in the Company Portal**: Display the app prominently on the main page of the company portal when users browse for apps.
     - **Information URL**: Optionally, enter the URL of a website that contains information about this app. The URL appears in the company portal.
@@ -156,9 +146,8 @@ The app you have created appears in the apps list where you can assign it to the
 
 [!INCLUDE [shared-proc-lob-updateapp](../includes/shared-proc-lob-updateapp.md)]
 
-To update a line-of-business app deployed as a *.intunemac* file, you must increment the package `version` and `CFBundleVersion` string in the *packageinfo* file in your *.pkg* file.
-
-To update a line-of-business app deployed as a *.pkg* file, you must increment the `CFBundleShortVersionString` of the *.pkg* file.
+> [!NOTE]
+> For the Intune service to successfully deploy a new *.pkg* file to the device you must increment the package `version` and `CFBundleVersion` string in the *packageinfo* file in your *.pkg* package.
 
 ## Next steps
 
diff --git a/memdocs/intune/protect/endpoint-security-firewall-policy.md b/memdocs/intune/protect/endpoint-security-firewall-policy.md
@@ -30,7 +30,7 @@ ms.reviewer: mattcall
 
 # Firewall policy for endpoint security in Intune
 
-Use the endpoint security Firewall policy in Intune to configure a devices built-in firewall for devices that run macOS and /11.
+Use the endpoint security Firewall policy in Intune to configure a devices built-in firewall for devices that run macOS and Windows 10/11.
 
 While you can configure the same firewall settings by using Endpoint Protection profiles for device configuration, the device configuration profiles include additional categories of settings. These additional settings are unrelated to firewalls and can complicate the task of configuring only firewall settings for your environment.
 
diff --git a/memdocs/intune/protect/microsoft-tunnel-configure.md b/memdocs/intune/protect/microsoft-tunnel-configure.md
@@ -5,7 +5,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 02/28/2022
+ms.date: 03/02/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -336,12 +336,14 @@ You can use the **./mst-cli** command-line tool to update the TLS certificate on
 
 1. Copy the certificate file to **/etc/mstunnel/private/site.pfx**
 2. Run: `mst-cli import_cert`
+3. Run: `mst-cli server restart`
 
 **PEM**:
 
 1. Copy the new certificate to **/etc/mstunnel/certs/site.crt**
 2. Copy the private key to **/etc/mstunnel/private/site.key**
 3. Run: `mst-cli import_cert`
+4. Run: `mst-cli server restart`
 
 For more information about *mst-cli*, see [Reference for Microsoft Tunnel](../protect/microsoft-tunnel-reference.md).
 
