Merge pull request #7668 from MicrosoftDocs/main

Release CM2205TP (double checked the protected file in the warning, gitignore)

Author: mestew

.gitignore

@@ -16,3 +16,4 @@ _themes/
 .openpublishing.build.mdproj
 .openpublishing.buildcore.ps1
 packages.config
+.DS_Store

memdocs/configmgr/core/get-started/2022/includes/2205/13351390.md

@@ -0,0 +1,14 @@
+---
+author: Baladelli
+ms.author: Baladell
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: include
+ms.date: 05/15/2022
+ms.localizationpriority: medium
+---
+
+## <a name="bkmk_cmg"></a>  Improvements to cloud management gateway (CMG) workflow
+<!--13351390#-->
+
+You can now approve the application workflow through email. For the application approvals through email, manually add the CMG URL in the Azure Active Directory app as single page application redirect URI. For more information on how to change the URI, see [Create an app registration in Azure AD for your App Service app](/azure/app-service/configure-authentication-provider-aad).

memdocs/configmgr/core/get-started/2022/includes/2205/14046376.md

@@ -0,0 +1,142 @@
+---
+author: Banreet
+ms.author: banreetkaur
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: include
+ms.date: 05/17/2022
+ms.localizationpriority: medium
+---
+
+## <a name="bkmk_powershell"></a> PowerShell release notes preview
+
+<!--14046376-->
+
+These release notes summarize changes to the Configuration Manager PowerShell cmdlets in this technical preview release.
+
+For more information about PowerShell for Configuration Manager, see [Get started with Configuration Manager cmdlets](/powershell/sccm/overview).
+
+### New cmdlets
+
+#### Approve-CMOrchestrationGroupScript
+
+Use this cmdlet to approve an orchestration group script. For more information, see [About orchestration groups in Configuration Manager](../../../../../sum/deploy-use/orchestration-groups.md).
+
+```powershell
+$referenceOG = Get-CMOrchestrationGroup -Name "Orchestratrion group 1"
+$preScript = $referenceOG | Get-CMOrchestrationGroupScript -ScriptType Pre
+$preScript | Approve-CMOrchestrationGroupScript -Comment "Approve"
+
+Approve-CMOrchestrationGroupScript -ScriptGuid $PreScript.ScriptGuid
+```
+
+#### Deny-CMOrchestrationGroupScript
+
+Use this cmdlet to deny an orchestration group script. For more information, see [About orchestration groups in Configuration Manager](../../../../../sum/deploy-use/orchestration-groups.md).
+
+```powershell
+$referenceOG = Get-CMOrchestrationGroup -Name "Orchestratrion group 1"
+$preScript = $referenceOG | Get-CMOrchestrationGroupScript -ScriptType Pre
+$preScript | Deny-CMOrchestrationGroupScript -Comment "Deny"
+
+Deny-CMOrchestrationGroupScript -ScriptGuid $PreScript.ScriptGuid -Comment "Deny"
+```
+
+#### Get-CMOrchestrationGroupScript
+
+Use this cmdlet to get a script from the specified orchestration group. For more information, see [About orchestration groups in Configuration Manager](../../../../../sum/deploy-use/orchestration-groups.md).
+
+```powershell
+$referenceOG = Get-CMOrchestrationGroup -Name "Orchestratrion group 1"
+$preScript = $referenceOG | Get-CMOrchestrationGroupScript -ScriptType Pre
+```
+
+#### Get-CMTrustedRootCertificationAuthority
+
+Use this cmdlet to get the certificates for trusted root certification authorities from the site.
+
+```powershell
+$ci =Get-CMTrustedRootCertificationAuthority
+$ci =Get-CMTrustedRootCertificationAuthority -ViewDetail
+```
+
+#### New-CMAADClientApplication
+
+Use this cmdlet to create a client app registration in Azure Active Directory (Azure AD). When you run this cmdlet, it will prompt you to sign in to your tenant. For more information on this app registration, see [Manually register Azure AD apps for the CMG](../../../../clients/manage/cmg/manually-register-azure-ad-apps.md).
+
+```powershell
+$serverApp = New-CMAADServerApplication -AppName $appName
+New-CMAADClientApplication -AppName $name -InputObject $serverApp
+```
+
+#### New-CMAADServerApplication
+
+Use this cmdlet to create a server app registration in Azure AD. When you run this cmdlet, it will prompt you to sign in to your tenant. For more information on this app registration, see [Manually register Azure AD apps for the CMG](../../../../clients/manage/cmg/manually-register-azure-ad-apps.md).
+
+```powershell
+New-CMAADServerApplication -AppName $appName
+```
+
+### Modified cmdlets
+
+#### Add-CMManagementPoint
+
+For more information, see [Add-CMManagementPoint](/powershell/module/configurationmanager/Add-CMManagementPoint).
+
+**Non-breaking changes**
+
+When you use this cmdlet to enable communication with the cloud management gateway, it now by default configures the management point to support both internet and intranet clients.
+
+#### Get-CMObjectSecurityScope
+
+For more information, see [Get-CMObjectSecurityScope](/powershell/module/configurationmanager/Get-CMObjectSecurityScope).
+
+**Non-breaking changes**
+
+You can now use this cmdlet to get the security scope of a specified folder object.
+
+#### New-CMCloudManagementGateway
+
+For more information, see [New-CMCloudManagementGateway](/powershell/module/configurationmanager/New-CMCloudManagementGateway).
+
+**Non-breaking changes**
+
+Added parameters **VMSSVMSize** and **Version** to support creating a cloud management gateway (CMG) using a virtual machine scale set.
+
+#### New-CMComplianceRuleRegistryKeyPermission
+
+For more information, see [New-CMComplianceRuleRegistryKeyPermission](/powershell/module/configurationmanager/New-CMComplianceRuleRegistryKeyPermission).
+
+**Non-breaking changes**
+
+Fixed an issue in **OperandDataType** property when creating a rule.
+
+#### Set-CMClientSettingComplianceSetting
+
+For more information, see [Set-CMClientSettingComplianceSetting](/powershell/module/configurationmanager/Set-CMClientSettingComplianceSetting).
+
+**Non-breaking changes**
+
+Added a new parameter **ScriptExecutionTimeoutSecs** to extend the script execution timeout value.
+
+#### Set-CMClientSettingComputerRestart
+
+For more information, see [Set-CMClientSettingComputerRestart](/powershell/module/configurationmanager/Set-CMClientSettingComputerRestart).
+
+**Non-breaking changes**
+
+- Extended the validation range of the parameters **CountdownMins** and **RebootLogoffNotificationCountdownMins** to align with the console.
+- Added new parameters **CountdownIntervalMins** and **ServerRebootLowRight** to align with the console.
+- Fixed a property name issue for the parameter **NoRebootEnforcement**.
+
+### Module changes
+
+The following folder-related cmdlets now support automatic deployment rules:
+
+- [Get-CMFolder](/powershell/module/configurationmanager/get-cmfolder)
+- [New-CMFolder](/powershell/module/configurationmanager/new-cmfolder)
+- [Remove-CMFolder](/powershell/module/configurationmanager/remove-cmfolder)
+- [Set-CMFolder](/powershell/module/configurationmanager/set-cmfolder)
+- [Move-CMObject](/powershell/module/configurationmanager/move-cmobject)
+- [Add-CMObjectSecurityScope](/powershell/module/configurationmanager/Add-CMObjectSecurityScope)
+- [Remove-CMObjectSecurityScope](/powershell/module/configurationmanager/Remove-CMObjectSecurityScope)

memdocs/configmgr/core/get-started/2022/includes/2205/14120481.md

@@ -0,0 +1,13 @@
+---
+author: mestew
+ms.author: mstewart
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: include
+ms.date: 05/20/2022
+ms.localizationpriority: medium
+---
+
+## <a name="bkmk_timeout"></a> Script execution timeout for compliance settings
+<!--14120481-->
+You can now define a **Script Execution Timeout (seconds)** when configuring [client settings](../../../../clients/deploy/about-client-settings.md#compliance-settings) for compliance settings. The timeout value can be set from a minimum of 60 seconds to a maximum of 600 seconds. This new setting allows you more flexibility for configuration items when you need to run scripts that may exceed the default of 60 seconds.

memdocs/configmgr/core/get-started/2022/includes/2205/3601127.md

@@ -0,0 +1,30 @@
+---
+author: Baladelli
+ms.author: Baladell
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: include
+ms.date: 05/15/2022
+ms.localizationpriority: medium
+---
+
+## <a name="bkmk_offset"></a> Offset for reoccuring monthly maintenance window schedules
+<!--3601127#-->
+
+Based upon your feedback, you can now offset monthly maintenance window schedules to better align deployments with the release of monthly security updates. For example, using an offset of two days after the second Tuesday of the month, sets the maintenance window for Thursday.
+
+:::image type="content" source="../../media/3601127-window-schedule.png" alt-text="Screenshot of menu displaying options for the new custom schedule for setting offset days." lightbox="../../media/3601127-window-schedule.png":::
+
+### Try it out!  
+ Try to complete the tasks. Then send **Feedback** from the **Home** tab of the ribbon letting us know how it worked. 
+
+**Create a custom schedule that sets maintenance window offset from a base day**
+
+1. In the **Device Collection** workspace, create **New Collection**, and select **Properties**.
+2. Select on **Maintenance Window** and choose **New Custom Schedule**. 
+3. For the custom schedule, select **Monthly** and put in a base day such as the second Tuesday. 
+4. Verify the **Offset (days)** and the number of days for the offset then **OK** when finished.  
+5. Complete the deployment as usual. 
+
+> [!NOTE]
+> Before using this feature, upgrade the hierarchy to version 2205. 

memdocs/configmgr/core/get-started/2022/media/3601127-window-schedule.png

@@ -0,0 +1,39 @@
+---
+title: Technical preview 2205
+titleSuffix: Configuration Manager
+description: Learn about new features available in the Configuration Manager technical preview branch version 2205.
+ms.date: 05/23/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: conceptual
+author: mestew
+ms.author: mstewart
+manager: dougeby
+ms.localizationpriority: medium
+---
+
+# Features in Configuration Manager technical preview version 2205
+
+*Applies to: Configuration Manager (technical preview branch)*
+
+This article introduces the features that are available in the technical preview for Configuration Manager, version 2205. Install this version to update and add new features to your technical preview site.<!-- baseline only statement: When you install a new technical preview site, this release is also available as a baseline version. --> 
+
+Review the [technical preview](../technical-preview.md) article before installing this update. That article familiarizes you with the general requirements and limitations for using a technical preview, how to update between versions, and how to provide feedback.
+
+The following sections describe the new features to try out in this version:
+
+<!-- [!INCLUDE [Example feature name](includes/2205/1234567.md)] -->
+
+[!INCLUDE [Offset for reoccurring monthly maintenance window schedules](includes/2205/3601127.md)]
+[!INCLUDE [Improvements to cloud management gateway (CMG) workflow](includes/2205/13351390.md)]
+[!INCLUDE [Script execution timeout for compliance settings](includes/2205/14120481.md)]
+[!INCLUDE [PowerShell release notes preview](includes/2205/14046376.md)]
+
+<!-- ## General known issues  -->
+ 
+<!--  [!INCLUDE [11018755](includes/2112/known-issue-11018755.md)] -->
+## Next steps
+
+For more information about installing or updating the technical preview branch, see [Technical preview](../technical-preview.md).
+
+For more information about the different branches of Configuration Manager, see [Which branch of Configuration Manager should I use?](../../understand/which-branch-should-i-use.md).

memdocs/configmgr/core/get-started/2022/technical-preview-2205.md

@@ -2,7 +2,7 @@
 title: Technical preview releases
 titleSuffix: Configuration Manager
 description: Learn about the technical preview branch to test-drive new functionality and capabilities in Configuration Manager.
-ms.date: 04/29/2022
+ms.date: 05/23/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: conceptual
@@ -118,14 +118,16 @@ Enable this section if needed to include any broad change to the tech preview br
 This is the full list of new features in the latest TP release
 
 bullet format:
-<!-- - [title](2021/technical-preview-2101.md) <!--ID-->
+<!-- - [title](2021/technical-preview-2101.md) <!-- ID -->
 
 The following features are available with the most recent Configuration Manager technical preview version:
 
-### Technical preview version 2204
+### Technical preview version 2205
 
-- [Administration Service Management option](2022/technical-preview-2204.md#bkmk_administration) <!--12952905-->
-- [Folders for automatic deployment rules (ADRs)](2022/technical-preview-2204.md#bkmk_folder) <!--13507410-->
+- [Offset for reoccurring monthly maintenance window schedules](2022/technical-preview-2205.md#bkmk_offset) <!--3601127-->
+- [Improvements to cloud management gateway (CMG) workflow](2022/technical-preview-2205.md#bkmk_cmg) <!--13351390-->
+- [Script execution timeout for compliance settings](2022/technical-preview-2205.md#bkmk_timeout) <!--14120481-->
+- [PowerShell release notes preview](2022/technical-preview-2205.md#bkmk_powershell) <!--14046376-->
 
 > [!NOTE]
 > Features that were available in a previous version of the technical preview remain available in later versions. Similarly, features that are added to the Configuration Manager current branch remain available in the technical preview branch.
@@ -145,6 +147,11 @@ The following features were released with previous versions of the Configuration
 
 <!-- ### Technical preview version 2111 -->
 
+### Technical preview version 2204
+
+- [Administration Service Management option](2022/technical-preview-2204.md#bkmk_administration) <!--12952905-->
+- [Folders for automatic deployment rules (ADRs)](2022/technical-preview-2204.md#bkmk_folder) <!--13507410-->
+
 ### Technical preview version 2203
 
 - [Dark theme for the console](2022/technical-preview-2203.md#bkmk_dark) <!--9070525-->

memdocs/configmgr/core/get-started/technical-preview.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 05/04/2022
+ms.date: 05/23/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -155,7 +155,7 @@ If you don't want to allow the default managed Universal Links, you can delete t
 | <ul><ul>**Face ID instead of PIN for access (iOS 11+)** | Select **Allow** to allow the user to use facial recognition technology to authenticate users on iOS/iPadOS devices. If allowed, Face ID must be used to access the app on a Face ID capable device.    | **Allow**  |
 | <ul>**PIN reset after number of days** | Select **Yes** to require users to change their app PIN after a set period of time, in days.  <br><br>When set to *Yes*, you then configure the number of days before the PIN reset is required. |**No**  |  
 | <ul><ul> **Number of days** | Configure the number of days before the PIN reset is required.  |**90**  |
-| <ul>**App PIN when device PIN is set** | Select **Disable** to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.<br><br> **Note:** *Requires app to have Intune SDK version 7.0.1 or above.*  <br><br>On iOS/iPadOS devices, you can let the user prove their identity by using [Touch ID](https://support.apple.com/HT201371) or [Face ID](https://support.apple.com/HT208109) instead of a PIN. Intune uses the [LocalAuthentication](https://developer.apple.com/documentation/localauthentication/) API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the [iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf).  <br><br> When the user tries use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account.  |  **Enable** |  
+| <ul>**App PIN when device PIN is set** | Select **Disable** to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.<br><br> **Note:** *Requires app to have Intune SDK version 7.0.1 or above.*  <br><br>On iOS/iPadOS devices, you can let the user prove their identity by using [Touch ID](https://support.apple.com/HT201371) or [Face ID](https://support.apple.com/HT208109) instead of a PIN. Intune uses the [LocalAuthentication](https://developer.apple.com/documentation/localauthentication/) API to authenticate users using Touch ID and Face ID. To learn more about Touch ID and Face ID, see the [iOS Security Guide](https://www.apple.com/business/docs/iOS_Security_Guide.pdf).  <br><br> When the user tries to use this app with their work or school account, they're prompted to provide their fingerprint identity or face identity instead of entering a PIN. When this setting is enabled, the App-switcher preview image will be blurred while using a work or school account. If there is any change to the device's biometric database, Intune prompts the user for a PIN when the next inactivity timeout value is met. Changes to biometric data include the addition or removal of a fingerprint or face for authentication. If the Intune user does not have a PIN set, they are led to set up an Intune PIN.  |  **Enable** |  
 | **Work or school account credentials for access** | Select **Require** to require the user to sign in with their work or school account instead of entering a PIN for app access. If you set this to **Require**, and PIN or biometric prompts are turned on, both corporate credentials and either the PIN or biometric prompts are shown.  | **Not required** |
 | **Recheck the access requirements after (minutes of inactivity)** | Configure the number of minutes of inactivity that must pass before the app requires the user to again specify the access requirements. <br><br> For example, an admin turns on PIN and Blocks rooted devices in the policy, a user opens an Intune-managed app, must enter a PIN, and must be using the app on a non-rooted device. When using this setting, the user would not have to enter a PIN or undergo another root-detection check on any Intune-managed app for a period of time equal to the configured value.  <br><br>**Note:** *On iOS/iPadOS, the PIN is shared amongst all Intune-managed apps of the **same publisher**. The PIN timer for a specific PIN is reset once the app leaves the foreground on the device. The user wouldn't have to enter a PIN on any Intune-managed app that shares its PIN for the duration of the timeout defined in this setting. This policy setting format supports a positive whole number.*     | **30** |
 

memdocs/intune/apps/app-protection-policy-settings-ios.md

@@ -40,7 +40,7 @@ Intune provides several ways to monitor the properties of apps that you manage a
 3. In the list of apps, select an app to monitor. You'll then see the app pane, which includes an overview of the device status and the user status.
 
 > [!NOTE]
-> Android Store apps that are deployed as **Available** do not report their installation status.
+> Microsoft Store and Android Store apps that are deployed as **Available** do not report their installation status.
 >
 > For Managed Google Play apps deployed to Android Enterprise personally-owned work profile devices, you can view the status and version number of the app installed on a device using Intune. 
 > 
@@ -107,4 +107,4 @@ A user status list is shown when you select **User install status** in the **Mon
 ## Next steps
 
 - To learn more about working with your Intune data, see [Use the Intune Data Warehouse](../developer/reports-nav-create-intune-reports.md).
-- To learn about app configuration policies, see [App configuration policies for Intune](app-configuration-policies-overview.md).
+- To learn about app configuration policies, see [App configuration policies for Intune](app-configuration-policies-overview.md).