Merge pull request #6771 from MicrosoftDocs/main

v-dihans · web-flow · commit 973d6cb0e945 · 2022-02-10T11:36:03.000-07:00
Publish 02/10/2022, 10:30 AM
diff --git a/memdocs/configmgr/core/misc/doc-test.md b/memdocs/configmgr/core/misc/doc-test.md
@@ -13,6 +13,8 @@ ms.author: aaroncz
 ms.reviewer: mstewart
 manager: dougeby
 ---
+# Doc team test - Baladell
+Date: 1/19/2022
 
 # Doc team test
 
diff --git a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-site-system-servers.md b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-site-system-servers.md
@@ -20,7 +20,7 @@ This article details the Windows versions that you can use to host a Configurati
 
 ## Windows Server 2022
 
-_Applies to Standard and Datacenter editions_
+_Applies to Datacenter: Azure Edition, Standard and Datacenter editions_
 
 Starting in version 2107<!-- 10200029 -->, this OS version is supported for the following servers.
 
diff --git a/memdocs/configmgr/core/servers/deploy/configure/site-server-high-availability.md b/memdocs/configmgr/core/servers/deploy/configure/site-server-high-availability.md
@@ -2,7 +2,7 @@
 title: Site server high availability
 titleSuffix: Configuration Manager
 description: How to configure high availability for the Configuration Manager site server by adding a passive mode site server.
-ms.date: 12/09/2021
+ms.date: 02/10/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: conceptual
diff --git a/memdocs/configmgr/protect/deploy-use/endpoint-definitions-wsus.md b/memdocs/configmgr/protect/deploy-use/endpoint-definitions-wsus.md
@@ -1,7 +1,7 @@
 ---
 title: Endpoint Protection malware definitions from WSUS
 titleSuffix: Configuration Manager
-ms.date: 04/23/2020
+ms.date: 02/10/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-protect
 ms.topic: conceptual
@@ -34,20 +34,6 @@ If you use WSUS to keep your antimalware definitions up to date, you can configu
 
 1. Select **OK** to close the **Software Update Point Component Properties** window.
 
-## Synchronize definition updates for standalone WSUS
-
-Use the following procedure to configure Endpoint Protection updates when your WSUS server isn't integrated into your Configuration Manager environment.
-
-1. In the WSUS administration console, expand **Computers**, select **Options**, and then select **Products and Classifications**.
-
-1. To specify the **Products** updated with WSUS, switch to the **Products** tab.
-
-    - For Windows 10 and later: Under Microsoft > Windows, select **Microsoft Defender Antivirus**.
-
-    - For Windows 8.1 and earlier: Under Microsoft > Forefront, select **System Center Endpoint Protection**.
-
-1. Switch to the **Classifications** tab. Select **Definition Updates** and **Updates**.
-
 ## Approve definition updates
 
 Endpoint Protection definition updates must be approved and downloaded to the WSUS server before they're offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates.
diff --git a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
@@ -43,6 +43,7 @@ DEM user accounts and devices that are enrolled with a DEM user account have the
 - Wipe can't be done from the Company Portal. Wiping a device enrolled by a DEM user account can be done from the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 - Only the local device appears in the Company Portal app or website.
 - DEM user accounts cannot use Apple Volume Purchase Program (VPP) apps with Apple VPP user licenses because of per-user Apple ID requirements for app management.
+- DEM accounts do not support conditional access because conditional access is intended for per-user scenarios. 
 - DEM accounts cannot be used when enrolling devices via Apple's Automated Device Enrollment (ADE).
 - Devices can install VPP apps if they have Apple VPP device licenses.
 - On Windows 10 1709 and older, conditional access isn't available for Windows devices enrolled using bulk enrollment.
diff --git a/windows-365/enterprise/connection-errors.md b/windows-365/enterprise/connection-errors.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS  
 ms.author: erikje
 manager: dougeby
-ms.date: 02/08/2022
+ms.date: 02/10/2022
 ms.topic: reference
 ms.service: cloudpc
 ms.subservice:
@@ -32,14 +32,27 @@ ms.collection: M365-identity-device-management
 
 The following errors can occur when connecting to a Cloud PC.
 
-## Errors when connecting to an Azure AD join Cloud PC
+## Errors when connecting to an Azure Active Directory (Azure AD) joined Cloud PC
 
-**Potential cause**: Possible causes for connection errors include:
+### The logon attempt failed
+**Potential cause #1**: The Cloud PC denied PKU2U protocol requests. The PKU2U protocol is only triggered in the following cases:
 
-- Windows sign-in works directly against Azure AD, potentially triggering Azure AD authentication controls.
-- Sign-in attempts from the Windows desktop client to a Cloud PC use a different protocol, called PKU2U.
+- The Cloud PC is Azure AD joined.
+- The user is connecting from the Windows desktop client.
+- The user's physical device is Azure AD registered, Azure AD joined, or hybrid Azure AD joined to the same organization as the Cloud PC.
 
-**Possible solution**: Follow the guidance to [troubleshoot connections to Azure AD joined VMs](/azure/virtual-desktop/troubleshoot-azure-ad-connections?context=/windows-365/context/pr-context).
+**Possible solution**: Turn on PKU2U protocol requests on your Cloud PC:
+
+1. [Create a filter for all Cloud PCs](create-filter.md#create-a-filter-for-all-cloud-pcs).
+2. Create a device configuration policy [using the settings catalog](/mem/intune/configuration/settings-catalog).
+3. On the **Configuration settings** page, search for and select **Network Security Allow PKU2U Authentication Requests** > **Allow**.
+![Screenshot with the **Network Security Allow PKU2U Authentication Requests** set to **Allow**.](./media/connection-errors/allow-pku2u.png)
+5. On the **Assignments** page, select **Add all devices** > **Edit filter** > **Include filtered devices in assignment** > select the filter you created for all Cloud PCs.
+6. Complete the creation of the device configuration policy.
+
+**Potential cause #2**: [Per-user multi-factor authentication](/azure/active-directory/authentication/howto-mfa-userstates) is turned on for the user account. Because it blocks sign-in, per-user multi-factor authentication isn't supported for users connecting to Azure AD joined Cloud PCs.
+
+**Possible solution**: [Remove per-user multi-factor authentication](/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows#mfa-sign-in-method-required) for all users connecting to Cloud PCs. Then, [set an Azure AD conditional access policy](set-conditional-access-policies.md) and assign it to the appropriate users.
 
 ## Specific connection errors
 
diff --git a/windows-365/enterprise/media/connection-errors/allow-pku2u.png b/windows-365/enterprise/media/connection-errors/allow-pku2u.png
