add su limitation

Author: mestew

memdocs/configmgr/cloud-attach/use-intune-rbac.md

@@ -2,7 +2,7 @@
 title: Intune role-based access control for tenant-attached devices
 titleSuffix: Configuration Manager
 description: Enable Intune role-based access control for Configuration Manager tenant-attached clients
-ms.date: 08/18/2022
+ms.date: 08/24/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: overview
@@ -14,7 +14,7 @@ ms.collection: highpri
 ---
 
 # Intune role-based access control for tenant-attached clients
-<!--8126836, 6415648, 8348644, IN14996522-->
+<!--8126836, 6415648, 8348644, IN14996522, 13058986-->
 *Applies to: Configuration Manager (current branch)*
 
 Starting in Configuration Manager version 2207, you can use Intune role-based access control (RBAC) when interacting with [tenant attached devices](../tenant-attach/client-details.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) from the Microsoft Endpoint Manager admin center. For example, when using Intune as the role-based access control authority, a user with the [Help Desk Operator role](../../intune/fundamentals/role-based-access-control.md#built-in-roles) doesn't need an assigned security role or additional permissions from Configuration Manager. [Intune role-based access control](../../intune/fundamentals/create-custom-role.md) manages the permissions to all cloud-attached device pages in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), such as [device timeline](../tenant-attach/timeline.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json), [CMPivot](../tenant-attach/cmpivot-start.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json), and [scripts](../tenant-attach/scripts.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json).  
@@ -31,7 +31,8 @@ The three high-level steps to configure Intune as the role-based access control
 
 ## Limitations
 
-Currently [scoping](../../intune/fundamentals/scope-tags.md) isn't supported when using only Intune role-based access control for for displaying and taking actions on tenant-attached devices from the Microsoft Endpoint Manager admin center.
+- Currently [scoping](../../intune/fundamentals/scope-tags.md) isn't supported when using only Intune role-based access control for for displaying and taking actions on tenant-attached devices from the Microsoft Endpoint Manager admin center.
+- Currently, the [**Software updates** page](../tenant-attach/software-updates.md) isn't available for cloud-only users when using the early update ring of Configuration Manager version 2207.  <!--15287859-->
 
 ## <a name="bkmk_disable-configmgr"></a> Disable enforcement of Configuration Manager role-based access control for cloud-attached clients
 
@@ -79,11 +80,11 @@ The following Intune permissions control access to the Configuration Manager clo
 | Cloud attached devices\View timeline | Displays the **Timeline** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
 | Cloud attached devices\View software updates | Displays the **Software updates** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator, School Administrator, Help Desk Operator |
 | Cloud attached devices\View scripts | Displays the **Scripts** page for Configuration Manager cloud attached devices |  Endpoint Security Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
-| Cloud attached devices\Run script | Displays the **Run script** action for Configuration Manager cloud attached devices |  School Administrator, Help Desk Operator |
+| Cloud attached devices\Run script | Displays the **Run script** action and allows the user to run scripts on Configuration Manager cloud attached devices |  School Administrator, Help Desk Operator |
 | Cloud attached devices\Run CMPivot query | Displays the **CMPivot** page for Configuration Manager cloud attached devices |  Endpoint Security Manager, School Administrator, Help Desk Operator |
 | Cloud attached devices\View client details | Displays the **Client details** page for Configuration Manager cloud attached devices |  Application Manager, Endpoint Security Manager, Read Only Operator,School Administrator, Policy Profile Manager, Help Desk Operator |
 | Cloud attached devices\View applications | Displays the **Applications** page for Configuration Manager cloud attached devices |  Application Manager, Read Only Operator, School Administrator, Policy Profile Manager, Help Desk Operator |
-| Cloud attached devices\Take application actions | Displays application actions in the **Applications** page  for Configuration Manager cloud attached devices |  Application Manager, School Administrator, Help Desk Operator |
+| Cloud attached devices\Take application actions | Displays application actions in the **Applications** page and allows the user to take application actions on Configuration Manager cloud attached devices |  Application Manager, School Administrator, Help Desk Operator |
 | Remote tasks/Rotate BitLockerKeys (preview) | Initiates a key rotation for BitLocker Recovery Passwords on the device. Displays the *Recovery keys* page for Configuration Manager cloud attached devices. |  Endpoint Security Manager, Help Desk Operator |
 
 ## <a name="bkmk_faq"></a> Frequently asked questions

memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2207.md

@@ -2,7 +2,7 @@
 title: What's new in version 2207
 titleSuffix: Configuration Manager
 description: Get details about changes and new capabilities introduced in version 2207 of Configuration Manager current branch.
-ms.date: 08/12/2022
+ms.date: 08/24/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: conceptual
@@ -25,6 +25,11 @@ To take full advantage of new Configuration Manager features, after you update t
 
 ## Cloud-attached management
 
+### Use Intune role-based access control (RBAC) for tenant attached devices 
+<!--8126836, 6415648, 8348644, IN14996522, 13058986-->
+
+You can now use Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Endpoint Manager admin center. For example, when using Intune as the role-based access control authority, a user with Intune's [Help Desk Operator role](../../../../intune/fundamentals/role-based-access-control.md#built-in-roles) doesn't need an assigned security role or additional permissions from Configuration Manager. For more information, see [Intune role-based access control for tenant attached clients](../../../cloud-attach/use-intune-rbac.md).
+
 ### Enhanced security for Configuration Manager administration service
 <!--12952905-->
 We're introducing a new cloud application with limited access to the administration service. This feature allows cloud management gateway (CMG) to segment the admin privileges between a management point, and the administration service. This enables CMG to restrict access to the administration service. This feature gives admins granular access controls through which users can have access to the administration service and to enforce MFA if necessary.

memdocs/configmgr/core/servers/deploy/install/release-notes.md

@@ -2,7 +2,7 @@
 title: Release notes
 titleSuffix: Configuration Manager
 description: Learn about urgent issues that aren't yet fixed in the product or covered in a Microsoft Support knowledge base article.
-ms.date: 08/12/2022
+ms.date: 08/24/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-core
 ms.topic: troubleshooting
@@ -183,11 +183,13 @@ For more information, see [Create custom security roles](../configure/configure-
 
 ## Configuration Manager console
 
-### Intune RBAC for Tenant Attached devices
+### Intune RBAC for tenant attached devices
 <!--13058986-->
 *Applies to: version 2207*
 
-You'll now see a checkbox for a role-based access control (RBAC) setting in the cloud attach configuration wizard in the console. By default, Configuration Manager RBAC is enforced along with Intune RBAC when you're uploading your Configuration Manager devices to the cloud service. This checkbox is checked by default. If you want to enforce only Intune RBAC, you can uncheck the box. However, the enforcement of Intune RBAC only won't apply at this time. This release note and the [What's New in Intune](../../../../../intune/fundamentals/whats-new.md) will be updated when you're able to enforce Intune RBAC only. For more information, see, [Enable Microsoft Endpoint Manager tenant attach](../../../../../configmgr/tenant-attach/device-sync-actions.md)
+***[Updated]***: There is a checkbox for a role-based access control (RBAC) setting in the [cloud attach configuration wizard](../../../../../cloud-attach/enable.md) in the console. By default, Configuration Manager RBAC is enforced along with Intune RBAC when you're uploading your Configuration Manager devices to the cloud service. This checkbox is selected by default.
+
+You can now configure Intune role-based access control (RBAC) when interacting with [tenant attached devices](../../../../../tenant-attach/client-details.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json) from the Microsoft Endpoint Manager admin center. For more information, see [Intune role-based access control for tenant-attached clients](../../../../../cloud-attach/use-intune-rbac.md).
 
 ### Unable to open console because extension installation loops
 <!--12868458-->

memdocs/intune/fundamentals/whats-new.md

@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/15/2022
+ms.date: 08/24/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -59,6 +59,15 @@ You can use RSS to be notified when this page is updated. For more information,
 ### Role-based access control
 ### Scripts
 -->
+
+## Week of August 22, 2022
+
+### Device management
+
+#### Use Intune role-based access control (RBAC) for tenant attached devices <!-- 14996522 -->
+
+You can now use Intune role-based access control (RBAC) when interacting with tenant attached devices from the Microsoft Endpoint Manager admin center. For example, when using Intune as the role-based access control authority, a user with Intune's [Help Desk Operator role](role-based-access-control.md#built-in-roles) doesn't need an assigned security role or additional permissions from Configuration Manager. For more information, see [Intune role-based access control for tenant attached clients](../../configmgr/cloud-attach/use-intune-rbac.md).
+
 ## Week of August 15, 2022
 
 ### App management