
Commit 9bc8444

Merge pull request #6946 from MicrosoftDocs/main
Publish 03/03/2022, 10:30 AM
2 parents a399407 + 47f0c07 commit 9bc8444

35 files changed

Lines changed: 721 additions & 109 deletions

memdocs/autopilot/troubleshoot-oobe.md

Lines changed: 1 addition & 1 deletion
@@ -28,7 +28,7 @@ ms.topic: troubleshooting
2828
When the out-of-box-experience (OOBE) includes unexpected Autopilot behavior, it's useful to check if the device received an Autopilot profile. If so, check the settings that the profile contained. Depending on the Windows client release, there are different mechanisms available to do that.
2929

3030
> [!NOTE]
31-
> **[Preview]** With Windows 11, you can enable users to view additional detailed troubleshooting information about the Autopilot provisioning process. The [Windows Autopilot diagnostics page](windows-autopilot-whats-new.md#preview-windows-autopilot-diagnostics-page) provides IT admins and end users with a user-friendly view to troubleshoot Windows Autopilot failures. This feature can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md#available-settings) and selecting **Yes** to **Allow users to collect logs about installation errors**. This feature is currently supported for commercial OOBE, and Autopilot user-driven mode.
31+
> **[Preview]** With Windows 11, you can enable users to view additional detailed troubleshooting information about the Autopilot provisioning process. The [Windows Autopilot diagnostics page](windows-autopilot-whats-new.md#preview-windows-autopilot-diagnostics-page) provides IT admins and end users with a user-friendly view to troubleshoot Windows Autopilot failures. This feature can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md) and selecting **Yes** to **Allow users to collect logs about installation errors**. This feature is currently supported for commercial OOBE, and Autopilot user-driven mode.
3232
3333
## Can't connect to MDM terms of use error
3434
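
Review bot: The note on line 31 still names the setting **Allow users to collect logs about installation errors**, while windows-autopilot-whats-new.md in this same commit calls what appears to be the same ESP profile setting **Turn on log collection and diagnostics page for end users**. Use one label in both files, matching what the ESP profile shows, so an admin can still find the setting now that the link no longer jumps to `#available-settings`.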

memdocs/autopilot/windows-autopilot-whats-new.md

Lines changed: 1 addition & 1 deletion
@@ -65,7 +65,7 @@ An example of the diagnostics page is shown below. In this example, **Configurat
6565
![diagnostics page click](images/oobe-02.png)<br>
6666
![diagnostics page expand](images/oobe-03.png)
6767

68-
The diagnostics page can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md#available-settings) and selecting **Yes** to **Turn on log collection and diagnostics page for end users**.
68+
The diagnostics page can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md) and selecting **Yes** to **Turn on log collection and diagnostics page for end users**.
6969

7070
The diagnostics page is currently supported for commercial OOBE, and Autopilot user-driven mode. It is currently available on Windows 11. Windows 10 users can still collect and export diagnostic logs when this setting is enabled in Intune.
7171
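
Review bot: On line 68 the ESP profile link loses its `#available-settings` fragment, so it now opens the top of windows-enrollment-status.md and the sentence gives no other hint where the setting lives. If the target heading was renamed, link to the new anchor; if it was removed, name the section or pane in the sentence.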

memdocs/intune/developer/data-warehouse-app-only-auth.md

Lines changed: 4 additions & 4 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: Erikre
99
ms.author: erikre
1010
manager: dougeby
11-
ms.date: 01/10/2022
11+
ms.date: 03/03/2022
1212
ms.topic: reference
1313
ms.service: microsoft-intune
1414
ms.subservice: developer
@@ -102,9 +102,9 @@ Using Visual Studio, create a Console App (.NET Framework) project that supports
102102
var applicationId = ConfigurationManager.AppSettings["appId"].ToString();
103103
SecureString applicationSecret = ConvertToSecureStr(ConfigurationManager.AppSettings["appKey"].ToString()); // Load as SecureString from configuration file or secret store (i.e. Azure KeyVault)
104104
var tenantDomain = ConfigurationManager.AppSettings["tenantDomain"].ToString();
105-
var adalContext = new AuthenticationContext($"https://login.windows.net/" + tenantDomain + "/oauth2/token");
105+
var msalContext = new AuthenticationContext($"https://login.windows.net/" + tenantDomain + "/oauth2/token");
106106

107-
AuthenticationResult authResult = adalContext.AcquireTokenAsync(
107+
AuthenticationResult authResult = msalContext.AcquireTokenAsync(
108108
resource: "https://api.manage.microsoft.com/",
109109
clientCredential: new ClientCredential(
110110
applicationId,
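
Review bot: Lines 105 and 107 rename the variable to `msalContext`, but the object is still `new AuthenticationContext(...)` calling `AcquireTokenAsync(resource: ..., clientCredential: new ClientCredential(...))`, which are ADAL types, not MSAL. Anyone auditing the samples for deprecated ADAL usage will be misled by the name. Either keep `adalContext` until the sample is actually ported (MSAL builds a confidential client application and requests scopes rather than a resource), or port the sample in this change. Separately, the `$` prefix on line 105 is unnecessary because the string is built by concatenation.
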
@@ -166,4 +166,4 @@ Using Visual Studio, create a Console App (.NET Framework) project that supports
166166
> To see additional implementation code, see [Intune-Data-Warehouse code example](https://github.com/Microsoft/Intune-Data-Warehouse/tree/master/Samples/CSharp ).
167167
168168
## Next Steps
169-
Learn more about Azure Key Vault by reviewing [What is Azure Key Vault?](/azure/key-vault/key-vault-whatis)
169+
Learn more about Azure Key Vault by reviewing [What is Azure Key Vault?](/azure/key-vault/key-vault-whatis)

memdocs/intune/developer/reports-proc-data-rest.md

Lines changed: 3 additions & 3 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: Erikre
88
ms.author: erikre
99
manager: dougeby
10-
ms.date: 01/10/2022
10+
ms.date: 03/03/2022
1111
ms.topic: reference
1212
ms.service: microsoft-intune
1313
ms.subservice: developer
@@ -207,8 +207,8 @@ The following sample contains a simple REST client. The code uses the **httpClie
207207
var warehouseUrl = "https://fef.{yourinfo}.manage.microsoft.com/ReportingService/DataWarehouseFEService?api-version=v1.0";
208208
var collectionName = "dates";
209209

210-
var adalContext = new AuthenticationContext("https://login.windows.net/common/oauth2/token");
211-
AuthenticationResult authResult = adalContext.AcquireTokenAsync(
210+
var msalContext = new AuthenticationContext("https://login.windows.net/common/oauth2/token");
211+
AuthenticationResult authResult = msalContext.AcquireTokenAsync(
212212
resource: "https://api.manage.microsoft.com/",
213213
clientId: applicationId,
214214
userCredential: new UserPasswordCredential(emailAddress, password)).Result;
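
Review bot: Same concern at lines 210-211: `msalContext` is still an ADAL `AuthenticationContext`, so the rename changes the label and not the library. This sample also signs in with `new UserPasswordCredential(emailAddress, password)` and blocks on `.Result`, so the rename alone leaves the username/password flow in place. Either revert the name, or port the call and state in the surrounding text which flow the sample uses.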

memdocs/intune/enrollment/android-enroll.md

Lines changed: 2 additions & 2 deletions
@@ -31,7 +31,7 @@ ms.collection:
3131
- highpri
3232
---
3333

34-
# Enroll Android devices
34+
# Enroll Android devices
3535

3636
[!INCLUDE [azure_portal](../includes/azure_portal.md)]
3737

@@ -41,7 +41,7 @@ As an Intune administrator, you can enroll Android devices in the following ways
4141
- [**Android Enterprise dedicated**](android-kiosk-enroll.md): For corporate-owned, single use devices, such as digital signage, ticket printing, or inventory management. Admins lock down the usage of a device for a limited set of apps and web links. It also prevents users from adding other apps or taking other actions on the device.
4242
- [**Android Enterprise fully managed**](android-fully-managed-enroll.md): For corporate-owned, single user devices used exclusively for work and not personal use. Admins can manage the entire device and enforce policy controls unavailable to personally-owned/corporate-owned work profiles.
4343
- [**Android Enterprise corporate-owned with a work profile**](android-corporate-owned-work-profile-enroll.md): For corporate-owned, single user devices intended for corporate and personal use.
44-
- [**Android device administrator**](android-enroll-device-administrator.md), including Samsung Knox Standard devices and [Zebra devices](../configuration/android-zebra-mx-overview.md). In areas where Android Enterprise is available, Google is encouraging movement off device administrator (DA) management by decreasing its management support in new Android releases. However, where Android Enterprise or Google Mobile Services (GMS) are unavailable, you'll want to use device administrator and familiarize yourself with these changes. For more information, see [Is Android Enterprise available in my country](https://support.google.com/work/android/answer/6270910)?
44+
- [**Android device administrator**](android-enroll-device-administrator.md), including Samsung Knox Standard devices and [Zebra devices](../configuration/android-zebra-mx-overview.md). Device administrator should be used in areas where Android Enterprise or Google Mobile Services (GMS) is unavailable. Google has decreased support for device administrator (DA) management in areas where Android Enterprise is available, and encourages organizations to migrate to Android Enterprise device management. For a list of countries that support Android Enterprise, see [Is Android Enterprise available in my country](https://support.google.com/work/android/answer/6270910)?
4545
- Android (AOSP), currently in public preview, offers a set of enrollment options for devices that aren't integrated with Google Mobile services.
4646
- [Corporate-owned, user associated devices](android-aosp-corporate-owned-user-associated-enroll.md): For corporate-owned, single user devices intended exclusively for work and not personal use. Admins can manage the entire device.
4747
- [Corporate-owned, userless devices](android-aosp-corporate-owned-userless-enroll.md): For corporate-owned, shared devices. Admins can manage the entire device.
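
Review bot: The rewritten device administrator bullet on line 44 changes the meaning of the Google statement. The old text said Google is decreasing DA management support "in new Android releases"; the new sentence says support has decreased "in areas where Android Enterprise is available", which reads as a regional difference rather than a per-release one. Restore the release qualifier, for example "Google has decreased device administrator (DA) support in new Android releases and encourages organizations to migrate...". The `?` after the final link is also still outside the link text.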

memdocs/intune/enrollment/apple-mdm-push-certificate-get.md

Lines changed: 12 additions & 9 deletions
@@ -35,15 +35,14 @@ ms.collection:
3535

3636
[!INCLUDE [azure_portal](../includes/azure_portal.md)]
3737

38-
An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. After you add the certificate to Intune, your users can enroll their devices using:
38+
Upload and renew your Apple MDM push certificates in Microsoft Intune. An Apple MDM Push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune, and enables devices to enroll via:
3939

40-
- The Company Portal app.
40+
- The Intune Company Portal app.
41+
- Apple bulk enrollment methods, such as the Device Enrollment Program, Apple School Manager, and Apple Configurator.
4142

42-
- Apple's bulk enrollment methods like the Device Enrollment Program, Apple School Manager, or Apple Configurator.
43+
Certificates must be renewed annually.
4344

44-
For more information about enrollment options, see [Choose how to enroll iOS/iPadOS devices](ios-enroll.md).
45-
46-
When a push certificate expires, you must renew it. When renewing, make sure to use the same Apple ID that you used when you first created the push certificate.
45+
This article describes how to use Intune to create and renew an Apple MDM push certificate.
4746

4847

4948
## Steps to get your certificate
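
Review bot: The new intro on lines 38-45 states its purpose twice: it opens with "Upload and renew your Apple MDM push certificates in Microsoft Intune" and closes with "This article describes how to use Intune to create and renew an Apple MDM push certificate"; keep one. Line 41 also keeps the name "Device Enrollment Program" while backup-restore-ios.md in this commit uses "Automated Device Enrollment (ADE)", so pick one term across the enrollment docs.
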
@@ -73,18 +72,22 @@ Record this ID as a reminder for when you need to renew this certificate.
7372
Go to the certificate (.pem) file, choose **Open**, and then choose **Upload**. With the push certificate, Intune can enroll and manage Apple devices.
7473

7574
## Renew Apple MDM push certificate
76-
The Apple MDM push certificate is valid for one year and must be renewed annually to maintain iOS/iPadOS and macOS device management. If your certificate expires, enrolled Apple devices cannot be contacted.
75+
The Apple MDM push certificate is valid for one year. You must renew it annually to maintain iOS/iPadOS and macOS device management. Once the certificate expires, there is a 30-day grace period to renew it.
7776

78-
The certificate is associated with the Apple ID used to create it. Renew the MDM push certificate with the same Apple ID used to create it.
77+
Renew the MDM push certificate with the same Apple ID you used to create it.
7978

8079
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Enroll devices** > **Apple enrollment** > **Apple MDM Push Certificate**.
8180
2. Choose **Download your CSR** to download and save the request file locally. The file is used to request a trust relationship certificate from the Apple Push Certificates Portal.
8281
3. Select **Create your MDM push Certificate** to go to the Apple Push Certificates Portal. Find the certificate you want to renew and select **Renew**.
8382
4. On the **Renew Push Certificate** screen, provide notes to help you identify the certificate in the future, select **Choose File** to browse to the new request file you downloaded, and choose **Upload**.
8483
> [!TIP]
85-
> A Certificate can be identified by its UID. Examine the **Subject ID** in the certificate details to find the GUID portion of the UID. Or, on an enrolled iOS/iPadOS device, go to **Settings** > **General** > **Device** **Management** > **Management Profile** > **More Details** > **Management Profile**. The second line item, **Topic**, contains the unique GUID that you can match up to the certificate in the Apple Push Certificates portal.
84+
> A certificate can be identified by its UID. Examine the **Subject ID** in the certificate details to find the GUID portion of the UID. Or, on an enrolled iOS/iPadOS device, go to **Settings** > **General** > **Device** **Management** > **Management Profile** > **More Details** > **Management Profile**. The second line item, **Topic**, contains the unique GUID that you can match up to the certificate in the Apple Push Certificates portal.
8685
8786
6. On the **Confirmation** screen, select **Download** and save the .pem file locally.
8887
7. In [Intune](https://go.microsoft.com/fwlink/?linkid=2090973), select the **Apple MDM push certificate** browse icon, select the .pem file downloaded from Apple, and choose **Upload**.
8988

9089
Your Apple MDM push certificate appears **Active** and has 365 days until expiration.
90+
91+
## Next steps
92+
93+
For more information about enrollment options, see [Choose how to enroll iOS/iPadOS devices](ios-enroll.md).
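
Review bot: Line 75 replaces "If your certificate expires, enrolled Apple devices cannot be contacted" with a 30-day grace period, but no longer says what an admin should expect during that period or after it ends. State whether enrolled devices remain manageable during the grace period and what happens once it lapses, since that consequence is what drives renewal monitoring. Line 77 also drops the reason for using the same Apple ID (the certificate is associated with it); one clause restoring that would help. The numbered steps in this section still go from 4 to 6.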

memdocs/intune/enrollment/backup-restore-ios.md

Lines changed: 4 additions & 3 deletions
@@ -38,7 +38,7 @@ You might have to back up and restore an Intune Automated Device Enrollment (ADE
3838
To back up and restore an iOS/iPadOS device, you must follow the Apple instructions:
3939

4040
- To back up your device, see [How to back up your iPhone, iPad, and iPod touch](https://support.apple.com/HT203977).
41-
- To restore you device, see [Restore your iPhone, iPad, or iPod touch from a backup](https://support.apple.com/HT204184).
41+
- To restore your device, see [Restore your iPhone, iPad, or iPod touch from a backup](https://support.apple.com/HT204184).
4242
- To transfer data to a new device, see the following Apple support article:
4343
- [Use iCloud to transfer data from your previous iOS device to your new iPhone, iPad, or iPod touch](https://support.apple.com/HT210217)
4444

@@ -69,7 +69,8 @@ While it links files and documents, it doesn't typically restore any user data a
6969
### Specific to backup/restore
7070

7171
- In most cases, your MDM enrollment state (at the time of backup) isn't of any special significance. However, in a migration scenario where you are moving from one MDM vendor to another, it is important to be aware of.
72-
- When restoring a backup, taken while enrolled in MDM vendor A and restoring it on the same device but attempting to enroll in Intune, this will result in failure. The restore will be successful (no errors) as explained above, however since the management profile from MDM vendor A has been restored, the device isn't under management by Intune. Attempting to manually enroll the device using the Company Portal app will result in an error when trying to install the new Intune management profile "The new MDM payload doesn't match the old payload". To remediate this error, you would need to remove the existing management profile belonging to MDM vendor A and then re-enroll into Intune using Company Portal. Migrating from one Intune tenant to another Intune tenant would exhibit the same behavior.
72+
- When restoring a backup, taken while enrolled in MDM vendor A and restoring it on the same device but attempting to enroll in Intune, this will result in failure. The restore will be successful (no errors) as explained above, however since the management profile from MDM vendor A has been restored, the device isn't under management by Intune. Attempting to manually enroll the device using the Company Portal app will result in an error when trying to install the new Intune management profile "The new MDM payload doesn't match the old payload". To remediate this error, you would need to remove the existing management profile belonging to MDM vendor A and then re-enroll into Intune using Company Portal. Migrating from one Intune tenant to another Intune tenant would exhibit the same behavior.
73+
- To correctly and fully re-enroll an ADE device, a factory reset is required, and the device cannot be restored from its own backup (otherwise the ADE configuration and profiles in the backup will be applied).
7374

7475
### Migrating without wiping the device
7576
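
Review bot: In the bullet added at line 73, "the device cannot be restored from its own backup" reads as something the device is unable to do, while the parenthetical shows it is something the admin must avoid. Reword it as an instruction, for example "do not restore the device from its own backup", and say what data path is acceptable after the factory reset, because the heading that follows is "Migrating without wiping the device" and readers will look for how the two fit together.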

@@ -88,4 +89,4 @@ There is an additional migration scenario to consider, which should not be impac
8889
8990
## Next steps
9091

91-
[Learn more about Automated Device Enrollment](device-enrollment-program-enroll-ios.md).
92+
[Learn more about Automated Device Enrollment](device-enrollment-program-enroll-ios.md).
