Merge pull request #7665 from MicrosoftDocs/main

OOB Publish

Author: Thomas Raya

memdocs/configmgr/hotfix/2203/14480034.md

@@ -0,0 +1,66 @@
+---
+title: Client registration fails after updating to Configuration Manager current branch, version 2203
+titleSuffix: Configuration Manager
+description: Client registration fails in Configuration Manager 2203
+ms.date: 05/23/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 18919f4e-e479-484a-902f-6d49c58c1448
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+# Registration fails for PKI clients after updating to Configuration Manager current branch, version 2203
+
+*Applies to: Configuration Manager (current branch, version 2203)*
+
+## Summary of KB14480034
+After updating to Configuration Manager current branch, version 2203, the registration process fails for clients using public key infrastructure (PKI) for client authentication if they are unable to authenticate against the domain. This affects the following scenarios:
+
+ - Newly installed workgroup clients using PKI.
+ - Clients that are joining an AD or Azure AD domain for the first time, generating a new device identity.
+ - Existing clients that are trying to renew their client authentication certificate.
+ 
+When this issue happens, the following error is logged in the DDM.log file on the site server for each affected client.
+   ```textgit s
+   ClientIdentity is not a hex string
+   The registration record is not valid. Bad RDR
+   ```
+The .RDR file(s) will be moved to *..\auth\ddm.box\regreq\bad_ddrs* on the site server.
+
+## Update information for Microsoft Endpoint Configuration Manager, version 2203
+An update to resolve this issue is available in the **Updates and Servicing** node of the Configuration Manager console for environments that installed version 2203. 
+Customers using the early update ring version must first install the following update:
+- KB [13953025](../../hotfix/2203/13953025.md): Update for Microsoft Endpoint Configuration Manager version 2203, early update ring
+
+Members of the Technology Adoption Program (TAP) must first apply the private TAP rollup. 
+
+#### Update replacement information
+This update does not replace any previously released updates.
+
+#### Restart information
+This update does not require a computer restart or a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+### Additional installation information
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+No major components are updated with this release.
+
+## File information
+File information is available in the downloadable [KB14480034_FileList.txt](https://aka.ms/KB14480034_FileList) text file.
+
+## Release history
+- May 23, 2022: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/TOC.yml

@@ -7,6 +7,8 @@ items:
     href: 2203/13174460.md
   - name: KB 13953025 Early update ring
     href: 2203/13953025.md  
+  - name: KB 14480034 Client registration fails in Configuration Manager 2203
+    href: 2203/14480034.md
 - name: Version 2111
   items:
   - name: KB 10096997 Summary of changes in 2111

memdocs/intune/developer/app-sdk-ios.md

@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 02/28/2022
+ms.date: 05/23/2022
 ms.topic: reference
 ms.service: microsoft-intune
 ms.subservice: developer
@@ -172,26 +172,32 @@ In `- startProvidingItemAtURL:completionHandler:` check if you should encrypt fi
 
 In `- importDocumentAtURL:toParentItemIdentifier:completionHandler:` check whether the file is encrypted using `isFileEncrytped:` API in `IntuneMAMFileProtectionManager`. If it is then decrypt it using `decryptFile:toCopyPath:` API of `IntuneMAMFileProtectionManager`.
 
-## Configure MSAL
+## Setup MSAL
 
 The Intune App SDK uses the [Microsoft Authentication Library](https://github.com/AzureAD/microsoft-authentication-library-for-objc) for its authentication and conditional launch scenarios. It also relies on MSAL to register the user identity with the MAM service for management without device enrollment scenarios.
 
 ### Set up and configure an AAD app registration
 MSAL requires apps to [register](/azure/active-directory/develop/quickstart-register-app) with Azure Active Directory (AAD) and create a unique client ID and redirect URI, to guarantee the security of the tokens granted to the app. If your application already uses MSAL for its own authentication, then there should already be an AAD app registration/client ID/redirect URI associated with the app. 
 
-Developers should [grant their new or existing app registration access to the Intune MAM service](../developer/app-sdk-get-started.md#give-your-app-access-to-the-intune-app-protection-service-optional), to ensure the application is able to successfully acquire MAM policies.
+If your app does not already use MSAL, you will need to configure an app registration in AAD and specify the client ID and redirect URI that the Intune SDK should use.  
 
-### Link to MSAL binaries
+If your app currently uses ADAL to authenticate users, see [Migrate applications to MSAL for iOS and macOS](/azure/active-directory/develop/migrate-objc-adal-msal) for more information on migrating your app from ADAL to MSAL.
 
 It is recommended that your app links to the latest release of [MSAL](https://github.com/AzureAD/microsoft-authentication-library-for-objc/releases).
 
-Follow [these instructions](https://github.com/AzureAD/microsoft-authentication-library-for-objc#installation) to link your app to the MSAL binaries.
+### Link MSAL to Your Project
 
-1. If your app does not have any keychain access groups defined, add the app's bundle ID as the first group.
+Follow the [installation](https://github.com/AzureAD/microsoft-authentication-library-for-objc#installation) section to put the MSAL binaries in your app.
 
-2. Enable MSAL single sign-on (SSO) by adding `com.microsoft.adalcache` to the keychain access groups.
+### Configure MSAL
 
-3. In the case you are explicitly setting the MSAL shared cache keychain group, make sure it is set to `<appidprefix>.com.microsoft.adalcache`. MSAL will set this for you unless you override it. If you want to specify a custom keychain group to replace `com.microsoft.adalcache`, specify that in the Info.plist file under IntuneMAMSettings, by using the key `ADALCacheKeychainGroupOverride`.
+Follow the [configuration](https://github.com/AzureAD/microsoft-authentication-library-for-objc#configuring-msal) section to configure MSAL. Make sure you follow all the steps in the configuration section. Disregard step one if your app is already registered in AAD. 
+
+The points below contain additional information to configure MSAL and link to it. Follow these if they apply to your application.
+
+* If your app does not have any keychain access groups defined, add the app's bundle ID as the first group.
+* Enable MSAL single sign-on (SSO) by adding `com.microsoft.adalcache` to the keychain access groups.
+* In the case you are explicitly setting the MSAL shared cache keychain group, make sure it is set to `<appidprefix>.com.microsoft.adalcache`. MSAL will set this for you unless you override it. If you want to specify a custom keychain group to replace `com.microsoft.adalcache`, specify that in the Info.plist file under IntuneMAMSettings, by using the key `ADALCacheKeychainGroupOverride`.
 
 
 ### Configure MSAL settings for the Intune App SDK

memdocs/intune/user-help/you-need-to-enable-secure-boot-windows.md

@@ -2,12 +2,12 @@
 # required metadata
 
 title: Enable Secure Boot on Windows devices - Microsoft Intune | Microsoft Docs
-description: Learn how to make your device compliant again by enabling Secure Boot.  
+description: Learn how to make your enrolled device compliant again by enabling Secure Boot.  
 keywords:
 author: lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 10/04/2021
+ms.date: 05/23/2022
 ms.topic: end-user-help
 ms.prod:
 ms.localizationpriority: high
@@ -31,18 +31,19 @@ ms.collection:
 ---
 
 
-# Enable Secure Boot on Windows device  
+# Enable Secure Boot on enrolled Windows device  
 
-Secure Boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the original equipment manufacturer (OEM). Your organization's device management policies might require you to enable it before you access their internal resources.      
+Secure Boot is a security standard developed by members of the PC industry to help ensure that a device boots using only software that's trusted by the original equipment manufacturer (OEM). Your organization's device management policies may require you to enable it on your enrolled Windows device. Devices that don't meet this requirement may be unable to access work or school resources.     
 
-If you're using a mobile device, contact your support person and they'll help enable Secure Boot for you.  
+## Enable Secure Boot  
+If your enrolled device is a mobile device, contact your support person and they'll help enable Secure Boot for you.  
 
-If you're using a PC, you can either:  
+If your enrolled device is a PC, you can either:  
 
 * Contact your support person for help.  
 * Enable Secure Boot from the PC BIOS menu. For step-by-step instructions, see [Re-enable Secure Boot](/windows-hardware/manufacture/desktop/disabling-secure-boot#re-enable-secure-boot).  
 
-### Check Secure Boot status  
+## Check Secure Boot status  
 To check the status of Secure Boot on your PC:  
 
 1. Go to Start.
@@ -53,5 +54,4 @@ To check the status of Secure Boot on your PC:
 ## Next steps  
 
 * For more detailed information about the Secure Boot feature, see the [Windows Developer Hardware docs](/windows-hardware/manufacture/desktop/secure-boot-landing).  
-
-* Still need help? Contact your support person. For contact information, check the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980).
+* Still need help? Contact your support person if you're having trouble enabling Secure Boot or if it appears enabled already. Sign in to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) to check for your support person's contact information.