Merge pull request #6972 from MicrosoftDocs/main

Publish 03/08/2022, 10:30 AM

Author: v-dihans

memdocs/configmgr/core/clients/manage/cmg/set-up-checklist.md

@@ -2,7 +2,7 @@
 title: Set up checklist for CMG
 titleSuffix: Configuration Manager
 description: Get an overview of the cloud management gateway (CMG) setup process and make sure you have all prerequisites ready to start.
-ms.date: 09/09/2021
+ms.date: 03/08/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-client
 ms.topic: overview
@@ -70,6 +70,8 @@ Use the following checklist to make sure you have the necessary information and
 
 - At least one existing site system server on which you plan to add the **CMG connection point** role.
 
+- Review the [internet access requirements](data-flow.md#internet-access-requirements) to make sure each required services can be reached.
+
 You'll set up other prerequisite components during the next steps in the process.
 
 ## Automate with PowerShell

memdocs/configmgr/core/plan-design/hierarchy/ports.md

@@ -567,6 +567,8 @@ During the installation of a site that uses a remote SQL Server to host the site
 |Description|UDP|TCP|
 |-----------------|---------|---------|
 |Server Message Block (SMB)|--|445|
+|RPC Endpoint Mapper|135|135|
+|RPC|--|DYNAMIC <sup>[Note 6](#bkmk_note6)</sup>|
 |HTTP|--|80 or 8530 <sup>[Note 3](#bkmk_note3)</sup>|
 |HTTPS|--|443 or 8531 <sup>[Note 3](#bkmk_note3)</sup>|
 

memdocs/configmgr/mdt/known-issues.md

@@ -1,7 +1,7 @@
 ---
 title: MDT known issues
 description: Current limitations with the Microsoft Deployment Toolkit (MDT).
-ms.date: 08/27/2021
+ms.date: 03/08/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-mdt
 ms.topic: article
@@ -16,6 +16,26 @@ ms.collection: openauth
 
 This article provides details of any current known issues and limitations with the Microsoft Deployment Toolkit (MDT). It assumes familiarity with MDT version concepts, features, and capabilities.
 
+## Windows Deployment Services (WDS) multicast stops working after upgrading to ADK for Windows 11
+
+<!-- 12891430 --> 
+
+After you updated your MDT boot image to [ADK for Windows 11](/windows-hardware/get-started/adk-install) you might see popups in Windows PE (WinPE) multicast enabled environments prompting wdscommonlib.dll and imagelib.dll are missing in WinPE.
+
+The right way to add WDS multicast to WinPE is to install WinPE-WDS-Tools OC ([WinPE optional components](/windows-hardware/manufacture/desktop/winpe-add-packages--optional-components-reference?view=windows-11#winpe-optional-components--)) into WinPE.
+
+Follow this example to install WinPE-WDS-Tools OC in WinPE (assuming the mount folder E:\mnt exists).
+
+ ```cmd
+Dism /mount-wim /WimFile:"E:\DeploymentShare\Boot\LiteTouchPE_multicast_x64.wim" /Index:1 /MountDir:E:\mnt
+Dism /Image:"E:\mnt" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WDS-Tools.cab"
+Dism /Image:"E:\mnt" /Add-Package /PackagePath:"C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\en-us\WinPE-WDS-Tools_en-us.cab"
+Dism /Unmount-Wim /MountDir:E:\mnt /Commit
+ ```
+
+Add or replace the multicast enabled boot image in WDS snap-in for Microsoft Management Console (MMC).
+
+
 ## ZTI extensions with version 2013 or 2107
 
 <!-- 10695200 -->

memdocs/intune/configuration/device-profile-troubleshoot.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 01/18/2022
+ms.date: 03/07/2022
 ms.topic: troubleshooting
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -114,7 +114,10 @@ When you delete a profile, or remove a device from a group that's assigned the p
 
     Intune settings are based on the Windows configuration service provider (CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the setting, also called tattooing.
 
-- A profile applies to a user group. Later, a user is removed from the group. For the settings to be removed from that user, it can take up to 7 hours + the [platform-specific policy refresh cycle](#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) (in this article).
+- A profile applies to a user group. Later, a user is removed from the group. For the settings to be removed from that user, it can take up to 7 hours or more for:
+
+  - The profile to be removed from the policy assignment in the Endpoint Manager admin center
+  - The device to sync with the Intune object using the [platform-specific policy refresh cycle](#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned) (in this article)
 
 ## I changed a device restriction profile, but the changes haven't taken effect
 

memdocs/intune/configuration/email-settings-windows-10.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 01/19/2022
+ms.date: 03/07/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -60,7 +60,7 @@ Create a [Windows 10/11 Email device configuration profile](email-settings-confi
       When using **Custom** attributes, also enter:
       - **Custom domain name to use**: Enter a value that Intune uses for the domain name, such as `contoso.com` or `contoso`.
 
-- **Email address attribute from AAD**: Intune gets this attribute from Azure Active Directory (AAD). Choose how the email address for the user is generated. Your options:
+- **Email address attribute from AAD**: Intune gets this attribute from Azure Active Directory (AAD). Choose how the email address for the user is generated. Make sure your users have email addresses that match the attribute you select. Your options:
   - **User principal name**: Uses the full principal name as the email address, such as `[email protected]` or `user1`.
   - **Primary SMTP address**: Uses the primary SMTP address to sign in to Exchange, such as `[email protected]`.
 

memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md

@@ -55,7 +55,7 @@ For an overview, including any Intune-specific prerequisites, see [Deployment gu
 
 ## BYOD: Device enrollment
 
-Use for personal or bring your own devices (BYOD). Not a traditional "enrollment" method, as it uses an app configuration profile. This option manages apps on the device. Devices aren't enrolled.
+Use for personal or bring your own devices (BYOD). 
 
 ---
 | Feature | Use this enrollment option when |

memdocs/intune/fundamentals/deployment-guide-enrollment-windows.md

@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 01/31/2022
+ms.date: 03/07/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -309,6 +309,11 @@ Clearly communicate the options users should choose on personal and organization
 
 This enrollment option is available for domain-joined devices that you want to manage using Intune. Before enrolling, the devices must be hybrid Azure AD joined. Meaning, the devices are registered in on-premises Active Directory (AD), and registered in Azure AD. Once registered in Azure AD, they're available to enroll in Intune, and receive the settings and device features you configure.
 
+> [!TIP]
+> In the Endpoint Manager admin center, you can use [Group Policy analytics](../configuration/group-policy-analytics.md) to see your on-premises group policies settings that are supported by cloud MDM providers, including Microsoft Intune.
+> 
+> If you want a cloud native solution to manage devices, then [Windows Autopilot](#windows-autopilot) (in this article) might be the best option for your organization.
+
 You create a group policy on your local AD. When a group policy refresh occurs on the device, users are notified to complete the configuration. The configuration uses the user's Azure AD account to automatically enroll the device in Intune.
 
 For more specific information, see [Enroll a Windows client device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
@@ -357,7 +362,7 @@ For more specific information on co-management, see [What is co-management?](../
 ---
 | Feature | Use this enrollment option when |
 | --- | --- |
-| You use Configuration Manager. | ✔️ |
+| You use Configuration Manager. | ✔️ <br/><br/> Configuration Manager can manage Windows Server. |
 | Devices are hybrid Azure AD joined. | ✔️ <br/><br/> Hybrid Azure AD joined devices are joined to your on-premises Active Directory, and registered with your Azure AD. Devices in Azure AD are available to Intune. Devices that aren't registered in Azure AD aren't available to Intune. |
 | Devices are enrolled in Intune. | ✔️ <br/><br/> You have devices you want to bring to co-management. Devices may have been enrolled using Windows Autopilot, or are direct from your hardware OEM. |
 | You have Azure AD Premium. | ✔️ <br/><br/>  Azure AD Premium may be required depending on your co-management configuration. For more specific information, see [Paths to co-management](../../configmgr/comanage/quickstart-paths.md). |

memdocs/intune/protect/create-compliance-policy.md

@@ -61,7 +61,7 @@ To use device compliance policies, be sure you:
 
 - Enroll devices in Intune (required to see the compliance status)
 
-- Enroll devices to one user, or enroll without a primary user. Devices enrolled to multiple users aren't supported.
+- Enroll devices to one user, or enroll without a primary user. Single devices cannot be enrolled to multiple users.
 
 If you plan to use custom settings for device compliance (*in preview*), you'll need prepare a custom JSON file and PowerShell script before you create a policy. For more information about custom compliance settings, including supported platforms, prerequisites, and how to configure the *Custom Compliance* category while creating a policy, see [Use custom compliance settings](../protect/compliance-use-custom-settings.md).
 ## Create the policy

memdocs/intune/protect/create-conditional-access-intune.md

@@ -34,6 +34,12 @@ With Intune, enhance Conditional Access in Azure Active Directory by adding mobi
 
 A Conditional Access policy specifies the app or services you want to protect, the conditions under which the apps or services can be accessed, and the users the policy applies to. Although Conditional Access is an Azure AD premium feature, the Conditional Access node you access from *Intune* is the same node as accessed from *Azure AD*.
 
+To Create a device-based Conditional Access policy your account must have one of the following permissions in Azure AD:
+
+- Global administrator	
+- Intune Service administrator	
+- Conditional Access administrator	
+
 > [!IMPORTANT]
 > Before you set up Conditional Access, you'll need to set up Intune device compliance policies to evaluate devices based on whether they meet specific requirements. See [Get started with device compliance policies in Intune](device-compliance-get-started.md).
 

memdocs/intune/protect/windows-10-expedite-updates.md

@@ -70,8 +70,8 @@ The following are requirements to qualify for installing expedited quality updat
 
 In addition to a license for Intune, your organization must have one of the following subscriptions:
 
-- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
-- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
+- Enterprise Mobility + Security E3  (included in Microsoft 365 F3, E3, or A3)
+- Enterprise Mobility + Security E5  (included in Microsoft 365 E5 or A5)
 - Windows 10/11 Virtual Desktop Access (VDA) per user
 - Microsoft 365 Business Premium