Merge branch 'main' of https://github.com/microsoftdocs/memdocs-pr into erikre-oob2208-9740832

Author: Erikre

memdocs/autopilot/enrollment-autopilot.md

@@ -52,13 +52,12 @@ ms.collection:
 
     - **Group type**: Select **Security**.
     - **Group name** and **Group description**: Enter a name and description for your group.
-    - **Azure AD roles can be assigned to the group**: **Yes** allows Azure AD roles to be assigned to the group you're creating. Once set, the group is permanently and always allowed to be assigned Azure AD roles. When set to **No**, Azure AD roles aren't assigned to this group.
+    - **Azure AD roles can be assigned to the group**: Select **No**, Azure AD roles aren't assigned to this group.
 
       For more information, see [Use cloud groups to manage role assignments in Azure AD](/azure/active-directory/roles/groups-concept).
 
-    - **Membership type**: Choose how devices become members of this group. Select **Assigned**, **Dynamic user**, or **Dynamic Device**. For more information, see [Add groups to organize users and devices](../intune/fundamentals/groups-add.md).
+    - **Membership type**: Choose how devices become members of this group. Select **Dynamic Device**. For more information, see [Add groups to organize users and devices](../intune/fundamentals/groups-add.md).
     - **Owners**: Select users that own the group. Owners can also delete this group.
-    - **Members**: Select Autopilot devices that belong to this group. Autopilot devices that aren't enrolled show the serial number for the device name.
     - **Dynamic device members**: Select **Add dynamic query** > **Add expression**.
 
       Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group. Creating an expression using non-autopilot attributes doesn't guarantee that devices included in the group are registered to Autopilot.

memdocs/autopilot/existing-devices.md

@@ -85,7 +85,7 @@ If you want, you can set up an [enrollment status page](enrollment-status.md) (E
     Make sure the user account you specify has sufficient administrative rights.
 
     ```powershell
-    Connect-MSGraphApp
+    Connect-MSGraph
     ```
 
     Windows requests the user and password for your account with a standard Azure AD form. Type your username and password, and then select **Sign in**.

memdocs/autopilot/self-deploying.md

@@ -71,7 +71,7 @@ Optionally, you can use a [device-only subscription](https://techcommunity.micro
 Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure AD tenant. Therefore, devices without TPM 2.0 can't be used with this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning in [Networking requirements](networking-requirements.md#tpm). For Windows Autopilot software requirements, see [Windows Autopilot software requirements](./software-requirements.md).
 
 > [!IMPORTANT]
-> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
+> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. 
 >
 > See [Windows Autopilot known issues](known-issues.md) and [Troubleshoot Autopilot device import and enrollment](troubleshoot-device-enrollment.md) to review other known errors and solutions.
 

memdocs/configmgr/tenant-attach/breadcrumb/toc.yml

@@ -21,3 +21,24 @@ items:
         - name: Tenant attach
           tocHref: /mem/intune/protect/
           topicHref: /mem/configmgr/tenant-attach/index
+
+- name: Docs
+  tocHref: /
+  topicHref: /
+  items:
+  - name: Enterprise Mobility + Security
+    tocHref: /enterprise-mobility-security/
+    topicHref: /enterprise-mobility-security/
+    items:
+    - name: Microsoft Endpoint Manager
+      tocHref: /mem/
+      topicHref: /mem/
+      items:
+      - name: Configuration Manager
+        tocHref: /mem/configmgr/
+        topicHref: /mem/configmgr/index
+        items:
+        - name: Tenant attach
+          tocHref: /mem/configmgr/cloud-attach/
+          topicHref: /mem/configmgr/tenant-attach/index
+          

memdocs/intune/configuration/device-restrictions-windows-10.md

@@ -445,11 +445,9 @@ This device restrictions profile is directly related to the kiosk profile you cr
 - **Clear browsing data on exit** (desktop only): **Yes** clears the history, and browsing data when users exit Microsoft Edge. **No** (default) uses the OS default, which may cache the browsing data.
 - **Sync browser settings between user's devices**: Choose how you want to sync browser settings between devices. Your options:
   - **Allow**: Allow syncing of Microsoft Edge browser settings between user's devices
-  - **Block and enable user override**: Block syncing of Microsoft Edge browser settings between user's devices. Users can override this setting.
+  - **Block and enable user override**: Block syncing of Microsoft Edge browser settings between user's devices. Users can override this setting. When this option is selected, users can override the admin designation.
   - **Block**: Block syncing of Microsoft Edge browser setting between users devices. Users can't override this setting.
 
-When "block and enable user override" is selected, user can override admin designation.
-
 - **Allow Password Manager**: **Yes** (default) allows Microsoft Edge to automatically use Password Manager, which allows users to save and manage passwords on the device. **No** prevents Microsoft Edge from using Password Manager.
 - **Cookies**: Choose how cookies are handled in the web browser. Your options:
   - **Allow**: Cookies are stored on the device.

memdocs/intune/protect/device-compliance-get-started.md

@@ -7,7 +7,7 @@ keywords:
 author: brenduns
 ms.author: brenduns
 manager: dougeby
-ms.date: 11/16/2021
+ms.date: 08/16/2022
 ms.topic: overview
 ms.service: microsoft-intune
 ms.subservice: protect
@@ -123,6 +123,7 @@ The following subjects link to dedicated articles for different aspects of devic
 
   - [Android device administrator](compliance-policy-create-android.md)
   - [Android Enterprise](compliance-policy-create-android-for-work.md)
+  - [Android Android Open Source Project (AOSP)](compliance-policy-create-android-aosp.md)
   - [iOS](compliance-policy-create-ios.md)
   - [macOS](compliance-policy-create-mac-os.md)
   - [Windows Holographic for Business](compliance-policy-create-windows.md#windows-holographic-for-business)

memdocs/intune/protect/encrypt-devices.md

@@ -187,7 +187,7 @@ To change the disk encryption type between full disk encryption and used space o
 
 #### TPM startup PIN or key
 
-A device **must not require** use of a startup PIN or startup key.
+A device **must not be set to require** a startup PIN or startup key.
 
 When a TPM startup PIN or startup key is required on a device, BitLocker can't silently enable on the device and instead requires interaction from the end user. Settings to configure the TPM startup PIN or key are available in both the endpoint protection template and the BitLocker policy. By default, these policies do not configure these settings.
 
@@ -289,4 +289,4 @@ For information about BitLocker deployments and requirements, see the [BitLocker
 - [Monitor disk encryption](../protect/encryption-monitor.md)
 - [Troubleshooting BitLocker policy](/troubleshoot/mem/intune/troubleshoot-bitlocker-policies)
 - [Known issues for Enforcing BitLocker policies with Intune](/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues)
-- [BitLocker management for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises), in the Windows security documentation
+- [BitLocker management for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises), in the Windows security documentation

memdocs/intune/protect/microsoft-tunnel-configure.md

@@ -365,7 +365,9 @@ For more information about *mst-cli*, see [Reference for Microsoft Tunnel](../pr
 
 ## Uninstall the Microsoft Tunnel
 
-To uninstall the product, run **./mst-cli uninstall** from the Linux server as root.
+To uninstall the product, run **./mst-cli uninstall** from the Linux server as root. 
+
+After the product is uninstalled, delete the corresponding server record in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) under **Tenant administration** > **Microsoft Tunnel Gateway** > **Servers**.
 
 ## Next steps
 

memdocs/intune/protect/windows-10-feature-updates.md

@@ -224,6 +224,9 @@ Selecting a profile from the list opens the profiles **Overview** pane where you
 - Select **Properties** to modify the deployment.  On the *Properties* pane, select **Edit** to open the *Deployment settings or Assignments*, where you can then modify the deployment.
 - Select **End user update status** to view information about the policy.
 
+> [!NOTE]
+> The End user update status Last Scanned Time value will return 'Not scanned yet' until an initial user logs on and Update Session Orchestrator (USO) scan is initiated. For more information on the Unified Update Platform (UUP) architecture and related components, see [Get started with Windows Update](/windows/deployment/update/windows-update-overview).
+
 ## Validation and reporting
 
 There are multiple options to get in-depth reporting for Windows 10/11 updates with Intune. Windows update reports show details about your Windows 10 and Windows 11 devices side by side in the same report.