
Commit 969a83a

Angela Fleischmann authored
Merge pull request #6712 from MicrosoftDocs/main
Publish 02/03/2022 3:30 PM PT
2 parents d24d30e + 3edc087 commit 969a83a

3 files changed

Lines changed: 9 additions & 5 deletions


memdocs/configmgr/core/servers/manage/upgrade-on-premises-infrastructure.md

Lines changed: 2 additions & 0 deletions
@@ -68,6 +68,8 @@ Use the steps in this section for any of the following upgrade scenarios:
6868

6969
- (_Windows Server 2012 or Windows Server 2012 R2 only_): Remove the System Center Endpoint Protection (SCEP) client. Windows Server now has Windows Defender built in, which replaces the SCEP client. The presence of the SCEP client can prevent an upgrade to Windows Server.
7070

71+
- (_Windows Server 2012 or Windows Server 2012 R2 only_): Install the latest Cumulative Update and uninstall Windows Management Framework 5.1 before attempting the upgrade.
72+
7173
- Remove the WSUS role from the server if it's installed. You may keep the SUSDB and reattach it once WSUS is reinstalled.
7274

7375
- If you're upgrading the OS of the site server, make sure [file-based replication](../../plan-design/hierarchy/file-based-replication.md) is healthy for the site. Check all inboxes for a backlog on both sending and receiving sites. If there are lots of stuck or pending replication jobs, wait until they clear out.<!-- SCCMDocs#1792 -->
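Review bot: The added bullet at new line 71 tells the reader to uninstall Windows Management Framework 5.1 but, unlike the SCEP bullet above it, gives no reason and does not say whether WMF 5.1 has to be reinstalled after the upgrade. Add a clause explaining why it must be removed, and say which "latest Cumulative Update" is meant, since the bullet does not state whether it is the Windows Server update or a Configuration Manager one.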

memdocs/intune/protect/compliance-use-custom-settings.md

Lines changed: 4 additions & 5 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: brenduns
88
ms.author: brenduns
99
manager: dougeby
10-
ms.date: 12/01/2021
10+
ms.date: 02/04/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: protect
@@ -44,7 +44,7 @@ Before you can add custom settings to a policy, you’ll need to prepare the Pow
4444

4545
- The JSON file defines the settings you want to base your custom compliance on, and the acceptable values for those settings. You can also configure messages for device users for how to restore compliance for each setting. You’ll upload the file when you create a compliance policy that will include custom compliance settings.
4646

47-
After you’ve deployed custom compliance settings and devices have reported back, you’ll be able to view the results alongside the built-in compliance setting details in the Microsoft Endpoint Manager admin center. Custom settings can also be used for conditional access decisions, the same as the built-in compliance settings.
47+
After you’ve deployed custom compliance settings and devices have reported back, you’ll be able to view the results alongside the built-in compliance setting details in the Microsoft Endpoint Manager admin center. Custom compliance settings will be used for conditional access decisions, the same way built-in compliance settings are. Together they form a compound rule set, equally affecting the device compliance state.
4848

4949
## Prerequisites
5050

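Review bot: In the rewritten sentence at new line 47, "compound rule set" is not defined anywhere in the visible text, so a reader cannot tell whether a single failing custom setting is enough to mark the device noncompliant and affect conditional access. Since the wording changed from "can also be used" to "will be used", state the evaluation rule explicitly, and prefer present tense ("are used") to match "the same way built-in compliance settings are".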
@@ -89,14 +89,13 @@ During the workflow to create a compliance policy, on the *Compliance settings*
8989
5. Complete the compliance policy creation task and assign the policy to devices.
9090

9191
> [!NOTE]
92-
> When a Windows device receives a compliance policy with custom settings, the device runs an MSI that installs services that enable the client to download and run PowerShell scripts that are part of a compliance policy, and to upload compliance results. Actions managed by the services include:
92+
> When a Windows device receives a compliance policy with custom settings, it checks for the presence of [Intune Management Extensions](../apps/intune-management-extension.md). If not found, the device runs an MSI that installs the extensions, enabling the client to download and run PowerShell scripts that are part of a compliance policy, and to upload compliance results. Actions managed by the services include:
9393
>
9494
> - Checking for new or updated PowerShell scripts every eight hours.
9595
> - Running the discovery scripts every eight hours.
9696
> - Running scripts that download when a user selects Check Compliance on the device. However, there is no check for new or updated scripts when Check Compliance is run.
9797
> - Don't support push notifications to enable custom compliance to run on demand.
9898
>
99-
> For more information, see [Add PowerShell Add PowerShell scripts to Windows 10/11 devices in Microsoft Intune.
10099
101100
## Monitor custom compliance policy
102101

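Review bot: In the reworded note at new line 92, "Actions managed by the services include:" no longer has an antecedent, because the sentence now talks about "extensions" and the phrase "installs services" was removed. Change it to "Actions managed by the extension include:" or reintroduce the services. The product name is also pluralised as "Intune Management Extensions" while the link target is intune-management-extension.md; use the singular. Removing the broken "For more information" line at old line 99 leaves the bare ">" at line 98 as the last line of the note, which should be removed with it.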
@@ -115,7 +114,7 @@ Check the device compliance reports for the following error codes and insight in
115114
- 65009: Invalid json for the discovered setting
116115
- 65010: Invalid datatype for the discovered setting
117116

118-
To see errors related to the PowerShell script, add the following line to the end of the PowerShell script file: `return $hash | ConvertTo-Json -Compress`
117+
To see errors related to the PowerShell script, ensure the following line is at the end of the PowerShell script file: `return $hash | ConvertTo-Json -Compress`
119118

120119
### PowerShell scripts aren’t visible to select, or remain visible after being deleted
121120

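Review bot: The changed sentence at new line 117 now reads as a precondition ("ensure the following line is at the end"), but it still does not say what `$hash` refers to, and nothing in the visible context defines it. Add a clause stating what the variable holds and that the name must match the one used in the reader's own script, so that the line is not pasted unchanged into a script that uses a different variable.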
memdocs/intune/protect/endpoint-security-account-protection-policy.md

Lines changed: 3 additions & 0 deletions
@@ -79,6 +79,9 @@ The following are the configurations you can make:
7979

8080
- **Local group**: Select one or more groups from the drop-down. These groups will all apply the same Group and user action to the users you assign. You can create more than one grouping of local groups in a single profile and assign different actions and groups of users to each grouping of local groups.
8181

82+
> [!NOTE]
83+
> The list of local groups is limited to the six built-in local groups which are guaranteed to be evaluated at logon, as referenced in the [Managing administrator privileges using Azure AD groups](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview) documentation.
84+
8285
- **Group and user action**: Configure the action to apply to the selected groups. This action will apply to the users you select for this same action and grouping of local accounts. Actions you can choose include:
8386
- **Add (Update)**: Adds members to the selected groups. The group membership for users that aren’t specified by the policy are not changed.
8487
- **Remove (Update)**: Remove members from the selected groups. The group membership for users that aren’t specified by the policy are not changed.
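Review bot: The new note at lines 82-83 says the list is limited to "the six built-in local groups" without naming them, so an admin has to follow the link to learn which groups the policy can manage. List the six groups inline. The link fragment also ends in "-preview" (#manage-administrator-privileges-using-azure-ad-groups-preview) and will break if that heading drops the preview label; link to the article without the fragment or plan to update it. Minor: "which are guaranteed" should be "that are guaranteed" for a restrictive clause.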
