Commit a662f66

author
Angela Fleischmann
authored
Merge pull request #8003 from MicrosoftDocs/main
Publish 07/13/2022 3:30 PM PT
2 parents 14e9f61 + e17ef29 commit a662f66

11 files changed

Lines changed: 78 additions & 28 deletions

memdocs/configmgr/hotfix/2203/14244456.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,10 @@ For more information on changes in Configuration Manager version 2203, see:
6767
~RDC:Failed to set access security on \\<SiteServerFQDN>\SMSSIG$\<PkgID>.1.tar for package <PkgID> signature file
6868
```
6969

70+
<!-- 14628373 -->
71+
- The issue described in the following Knowledge Base article is resolved with the 2203 update rollup.
72+
[Mismatch certificate subject name error when running client action for Configuration Manager device](/troubleshoot/mem/configmgr/tenant-attach-component-not-connect-to-gateway)
73+
7074
## Hotfixes that are included in this update
7175
- KB [13953025](../../hotfix/2203/13953025.md)Update for Microsoft Endpoint Configuration Manager version 2203, early update ring
7276
- KB [14480034](../../hotfix/2203/14480034.md)Registration fails for PKI clients after updating to Configuration Manager current branch, version 2203
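Review bot: the link added at line 72 has the text "Mismatch certificate subject name error when running client action for Configuration Manager device" but targets /troubleshoot/mem/configmgr/tenant-attach-component-not-connect-to-gateway, so the title and the slug describe different symptoms; confirm the target is the intended article. The new bullet also refers to "the following Knowledge Base article" without a KB number, while the entries under "Hotfixes that are included in this update" give one (KB 13953025, KB 14480034). Adding the number and folding the link into the bullet sentence would make the entry searchable.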

memdocs/intune/apps/apps-win32-add.md

Lines changed: 19 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ keywords:
66
author: Erikre
77
ms.author: erikre
88
manager: dougeby
9-
ms.date: 03/29/2022
9+
ms.date: 07/11/2022
1010
ms.topic: how-to
1111
ms.service: microsoft-intune
1212
ms.subservice: apps
@@ -242,15 +242,15 @@ After you've added your rules, select **Next** to display the **Dependencies** p
242242

243243
App dependencies are applications that must be installed before your Win32 app can be installed. You can require that other apps are installed as dependencies.
244244

245-
Specifically, the device must install the dependent apps before it installs the Win32 app. There is a maximum of 100 dependencies, which includes the dependencies of any included dependencies, as well as the app itself.
245+
Specifically, the device must install the dependent apps before it installs the Win32 app. There is a maximum of 100 dependencies, which includes the dependencies of any included dependencies, as well as the app itself.
246246

247247
You can add Win32 app dependencies only after your Win32 app has been added and uploaded to Intune. After your Win32 app has been added, you'll see the **Dependencies** option on the pane for your Win32 app.
248248

249249
Any Win32 app dependency needs to also be a Win32 app. It does not support depending on other app types, such as single MSI LOB apps or Microsoft Store apps.
250250

251251
When you're adding an app dependency, you can search based on the app name and publisher. Additionally, you can sort your added dependencies based on app name and publisher. Previously added app dependencies can't be selected in the list of added app dependencies.
252252

253-
You can choose whether or not to install each dependent app automatically. By default, the **Automatically install** option is set to **Yes** for each dependency. By automatically installing a dependent app, even if the dependent app is not targeted to the user or device, Intune will install the app on the device to satisfy the dependency before installing your Win32 app.
253+
You can choose whether or not to install each dependent app automatically. By default, the **Automatically install** option is set to **Yes** for each dependency. By automatically installing a dependent app, even if the dependent app is not targeted to the user or device, Intune will install the app on the device to satisfy the dependency before installing your Win32 app.
254254

255255
It's important to note that a dependency can have recursive sub-dependencies, and each sub-dependency will be installed before the main dependency is installed. Additionally, installation of dependencies does not follow a specific order at a dependency level.
256256

@@ -267,14 +267,25 @@ After you've selected dependencies, select **Next** to display the **Scope tags*
267267

268268
### Understand additional dependency details
269269

270-
The user will see Windows notifications indicating that dependent apps are being downloaded and installed as part of the Win32 app installation process. Additionally, when a dependent app is not installed, the user will commonly see one of the following notifications:
271-
- One or more dependent apps failed to be install​ed.
272-
- One or more dependent app requirements are not met​.
270+
The user will see Windows notifications indicating that dependent apps are being downloaded and installed as part of the Win32 app installation process.
271+
272+
#### Dependency limitations
273+
274+
The following bulleted list provides additional clarity about dependency limitations:
275+
- If an app has 100 dependencies, then the app graph has a total size of 101 (100 dependency apps + 1 parent app).
276+
- If an app has 3 dependencies, and one of the dependency apps has 2 dependencies, then the app graph has a total size of 6 (1 parent app + 3 dependency app + 2 dependency app that are from another dependency app).
277+
- If an app is a dependency for multiple app “graphs”, meaning that the dependency is somewhere in the dependency chain for some app graph, then all apps from all the separate graphs are summed to calculate the dependency size. For example, if graph A has 23 apps, graph B has 62 apps, and graph C has 20 apps, and app X exist as a dependency app somewhere in the dependency chain in all 3 graphs, then the total size of the graph is 103 (app X is only counted once), which surpasses the 100 limit restriction.
278+
279+
#### Dependency failures
280+
281+
When a dependent app is not installed, the user will commonly see one of the following notifications:
282+
- One or more dependent apps failed to be installed.
283+
- One or more dependent app requirements are not met.
273284
- One or more dependent apps are pending a device reboot.
274285

275-
If you choose not to put a dependency in the **Automatically install** column, the Win32 app installation won't be attempted. Additionally, app reporting will show that the dependency was flagged as `failed` and provide a failure reason. You can view the dependency installation failure by selecting a failure (or warning) provided in the Win32 app [installation details](/troubleshoot/mem/intune/troubleshoot-app-install#win32-app-installation-troubleshooting).
286+
If you choose not to put a dependency in the **Automatically install** column, the Win32 app installation won't be attempted. Additionally, app reporting will show that the dependency was flagged as `failed` and provide a failure reason. You can view the dependency installation failure by selecting a failure (or warning) provided in the Win32 app [installation details](/troubleshoot/mem/intune/troubleshoot-app-install#win32-app-installation-troubleshooting).
276287

277-
Each dependency will adhere to Intune Win32 app retry logic (try to install three times after waiting for five minutes) and the global re-evaluation schedule. Also, dependencies are applicable only at the time of installing the Win32 app on the device. Dependencies are not applicable for uninstalling a Win32 app. To delete a dependency, you must select the ellipsis (three dots) to the left of the dependent app located at the end of the row of the dependency list.
288+
Each dependency will adhere to Intune Win32 app retry logic (try to install three times after waiting for five minutes) and the global re-evaluation schedule. Also, dependencies are applicable only at the time of installing the Win32 app on the device. Dependencies are not applicable for uninstalling a Win32 app. To delete a dependency, you must select the ellipsis (three dots) to the left of the dependent app located at the end of the row of the dependency list.
278289

279290
## Step 6: Supersedence
280291
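Review bot: the first bullet under "Dependency limitations" (line 275) gives a graph size of 101 for an app with 100 dependencies but does not say whether that is within the limit, and it reads differently from line 245, which says the maximum of 100 counts the dependencies "as well as the app itself". State explicitly whether the limit applies to the dependency count or to the total graph size, so that the 103 example in the third bullet is judged against the same number. Minor wording in the same list: "3 dependency app + 2 dependency app" should be plural, and "app X exist" should be "app X exists".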

memdocs/intune/configuration/administrative-templates-windows.md

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 03/30/2022
10+
ms.date: 07/13/2022
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: configuration
@@ -40,11 +40,11 @@ This feature applies to:
4040

4141
The Intune templates are 100% cloud-based, are built in to Intune (no downloading), and don't require any customizations, including using OMA-URI. They offer a straight-forward way to configure the settings, and find the settings you want:
4242

43-
- The **Windows settings** are similar to group policy (GPO) settings in Active Directory (AD). These settings are built in to Windows, and are [ADMX-backed settings](/windows/client-management/mdm/understanding-admx-backed-policies) that use XML. Know Issue Rollback (KIR) policy definition that is installed in the Administrative Template can activate a KIR on managed devices. In a hybrid Azure AD or Active Directory Domain Services (AD DS) domain, you can [apply a KIR to devices by using GPO](/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback#apply-a-kir-to-devices-in-a-hybrid-azure-ad-or-ad-ds-domain-using-group-policy).
43+
- The **Windows settings** are similar to group policy (GPO) settings in Active Directory (AD). These settings are built in to Windows, and are [ADMX-backed settings](/windows/client-management/mdm/understanding-admx-backed-policies) that use XML.
4444

4545
- The **Office and Microsoft Edge** settings are ADMX-ingested, and use the same Office administrative template files and Microsoft Edge administrative template files that you would download in on-premises environments.
4646

47-
When managing devices in your organization, you want to create groups of settings that apply to different device groups. You also want a simple view of the settings you can configure. You can complete this task using **Administrative Templates** in Microsoft Intune. You can also use [Intune custom settings](custom-settings-windows-10.md) for ADMX ingestion and [configure ADMX-backed MDM policies to perform a KIR activation](/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback#deploy-a-kir-activation-using-microsoft-intune-admx-policy-ingestion-to-the-managed-devices) without requiring a GPO.
47+
When managing devices in your organization, you want to create groups of settings that apply to different device groups. You also want a simple view of the settings you can configure. You can complete this task using **Administrative Templates** in Microsoft Intune.
4848

4949
As part of your mobile device management (MDM) solution, use these template settings as a one-stop shop to manage your Windows client devices.
5050
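Review bot: the sentence removed from line 47 carried two things, the KIR activation link and the pointer to [Intune custom settings](custom-settings-windows-10.md) for ADMX ingestion; the KIR link reappears in the new section further down, but the custom settings pointer is not re-added anywhere in this diff. If ADMX ingestion through custom settings is still a supported path, keep that part of the sentence. The hybrid Azure AD or AD DS GPO anchor dropped from line 43 is likewise reachable afterwards only through the article-level link in the new section.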

@@ -150,6 +150,15 @@ There are thousands of settings available in these templates. To make it easier
150150

151151
:::image type="content" source="./media/administrative-templates-windows/show-all-internet-explorer-settings-user-configuration.png" alt-text="In the ADMX template, select user configuration, and search or filter for Internet Explorer in Microsoft Intune.":::
152152

153+
## Create a Known Issue Rollback (KIR) policy
154+
155+
On your enrolled devices, you can use administrative templates to create a Known Issue Rollback (KIR) policy, and deploy this policy to your Windows devices. For the specific steps, go to [Deploy a KIR activation using Microsoft Intune ADMX policy ingestion to managed devices](/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback#deploy-a-kir-activation-using-microsoft-intune-admx-policy-ingestion-to-the-managed-devices).
156+
157+
For more information on KIR, and what it is, go to:
158+
159+
- [Known Issue Rollback: Helping you keep Windows devices protected and productive](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831)
160+
- [How to use on-premises Group Policy or Intune to deploy a Known Issue Rollback](/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback)
161+
153162
## Next steps
154163

155164
- The template is created, but may not be doing anything yet. Be sure to [assign the template (also called a profile)](device-profile-assign.md) and [monitor the policy status](device-profile-monitor.md).
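Review bot: the new section at line 155 says the KIR policy is created with administrative templates, yet the link it sends readers to is titled "Deploy a KIR activation using Microsoft Intune ADMX policy ingestion", and the text removed from line 47 described that path as using Intune custom settings. Line 41 of this article says the templates do not require OMA-URI, so say which profile type the reader should create. "For more information on KIR, and what it is, go to:" can be shortened to "For more information on KIR, go to:".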

memdocs/intune/configuration/group-policy-analytics-migrate.md

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ author: MandiOhlinger
88

99
ms.author: mandia
1010
manager: dougeby
11-
ms.date: 06/21/2022
11+
ms.date: 07/13/2022
1212
ms.topic: how-to
1313
ms.service: microsoft-intune
1414
ms.subservice: configuration
@@ -126,6 +126,18 @@ The **Migrate** feature takes the parsed data from the imported Group Policy obj
126126

127127
When you create the Settings Catalog profile, any settings that can be included in the profile will be included. There can be some differences with the imported settings and the settings in Settings Catalog.
128128

129+
- **Some settings have a better configuration experience in Endpoint Security**
130+
131+
If you import AppLocker settings or Firewall rule settings, then the **Migrate** option is disabled and grayed out. Instead, configure these settings using the Endpoint Security workload in the Endpoint Manager admin center.
132+
133+
For more information, go to:
134+
135+
- [Firewall policy in Endpoint Security](../protect/endpoint-security-firewall-policy.md)
136+
- [Endpoint security firewall rule migration tool overview](../protect/endpoint-security-firewall-rule-tool.md)
137+
- [Application control policy in Endpoint Security](../protect/endpoint-security-asr-policy.md).
138+
139+
If you have GPOs that focus on endpoint security, then you should look at the features available in [Endpoint Security](../protect/endpoint-security.md), including Security Baselines and mobile threat defense.
140+
129141
- **Some settings don't migrate exactly, and may use a different setting**
130142

131143
In some scenarios, some GPO settings won't migrate to the exact same setting in the Settings Catalog. Intune will show an alternate setting that has a similar effect.
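Review bot: line 131 says the **Migrate** option is disabled when AppLocker or Firewall rule settings are imported, but not whether that blocks the whole GPO or only those settings; a reader with a GPO that mixes firewall rules and other settings cannot tell whether the rest still migrates, or whether the firewall and AppLocker rules have to be recreated by hand before the GPO is retired. Also, the link text "Application control policy in Endpoint Security" points to endpoint-security-asr-policy.md, so check that the target matches the title, and drop the trailing period after that list item, since the other two links have none.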

memdocs/intune/enrollment/tutorial-use-autopilot-enroll-devices.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ keywords:
88
author: Lenewsad
99
ms.author: lanewsad
1010
manager: dougeby
11-
ms.date: 10/19/2018
11+
ms.date: 07/13/2022
1212
ms.topic: tutorial
1313
ms.service: microsoft-intune
1414
ms.subservice: enrollment
@@ -66,7 +66,7 @@ The first step in setting up Windows Autopilot is to add the Windows devices to
6666

6767
2. Save the CSV file.
6868

69-
3. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Windows** > **Devices** (under **Windows Autopilot Deployment Program** > **Import**.
69+
3. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Devices** > **Windows** > **Windows Enrollment** > **Devices** (under **Windows Autopilot Deployment Program**) > **Import**.
7070

7171
![Screenshot of Windows Autopilot devices](./media/enrollment-autopilot/autopilot-import-device.png)
7272
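Review bot: in step 3 (line 69) the parenthetical "(under **Windows Autopilot Deployment Program**)" follows **Devices** although it names the section the reader has to find first, which makes the click path hard to follow. Consider "**Devices** > **Windows** > **Windows Enrollment**, then under **Windows Autopilot Deployment Program** select **Devices** > **Import**".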

memdocs/intune/fundamentals/filters-reports-troubleshoot.md

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 01/25/2022
10+
ms.date: 07/13/2022
1111
ms.topic: conceptual
1212
ms.service: microsoft-intune
1313
ms.subservice: fundamentals
@@ -45,12 +45,14 @@ The Endpoint Manager admin center has per-device and per-app reporting informati
4545
You can use the following reports to get more information on your filters:
4646

4747
- [Filter evaluation report for devices](#filter-evaluation-report-for-devices) (in this article)
48-
- [App filter evaluation report](#app-filter-evaluation-report) (in this article)
48+
- [Workload filter evaluation reports](#workload-filter-evaluation-reports) (in this article)
4949

5050
### Filter evaluation report for devices
5151

5252
This report shows every app or policy with a filter that's been applied. For each evaluated app or policy, you can see the applied filters, and get more detailed information.
5353

54+
To see this report, use the following steps:
55+
5456
1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
5557
2. Select **Devices** > **All Devices** > select a device > **Filter evaluation**. The following information is shown:
5658
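Review bot: line 48 renames the in-page anchor from #app-filter-evaluation-report to #workload-filter-evaluation-reports, so any link from another article to the old anchor will stop resolving to the section. Search the repo for the old anchor and update those links in the same PR.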

@@ -68,9 +70,11 @@ In the following example, you can see this information for the **TestDevice**:
6870

6971
:::image type="content" source="./media/filters-reports-troubleshoot/filter-properties-single-device.png" alt-text="See the date, time, evaluation results, and other device filter assignment properties in Microsoft Endpoint Manager and Microsoft Intune.":::
7072

71-
### App filter evaluation report
73+
### Workload filter evaluation reports
74+
75+
These reports show filter information for each device that's evaluated in an app or policy assignment. For each device, you can see the device's overall applicability for a workload, and get more detailed information about the filter evaluation.
7276

73-
This report shows filter information for each device that was evaluated in an app assignment. For each device, you can see the device's overall applicability for an app, and get more detailed information about the filter evaluation.
77+
To see these reports, use the following steps:
7478

7579
1. Sign in to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
7680
2. Select **Apps** > **All apps** > select an app > **Device install status**.
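Review bot: the renamed section (line 73) and its new intro (line 75) promise filter information for "an app or policy assignment", but the steps visible at lines 79-80 are still only the app path, **Apps** > **All apps** > select an app > **Device install status**. Add the equivalent steps for a policy, or say that the app path is shown as one example.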
@@ -88,7 +92,10 @@ In the following example, you can see this information for the **Microsoft Word*
8892
:::image type="content" source="./media/filters-reports-troubleshoot/filter-properties-single-app.png" alt-text="See the date, time, evaluation results, and other app filter properties in Microsoft Endpoint Manager and Microsoft Intune.":::
8993

9094
> [!IMPORTANT]
91-
> In the **Device install status** report, apps deployed as "Available" aren't shown. To troubleshoot if a user/device is filtered in or out of an Available assignment, use the **Filter evaluation report for devices**. To generate filter evaluation results, the end user must go to the list of apps in the Company portal app or website.
95+
>
96+
> - In the **Device install status** report, apps deployed as "Available" aren't shown. To troubleshoot if a user/device is filtered in or out of an Available assignment, use the **Filter evaluation report for devices**. To generate filter evaluation results, the end user must go to the list of apps in the Company portal app or website.
97+
> - When assigning a policy, you can add devices to the "Excluded groups". These excluded devices aren't shown in the workload device status reports.
98+
> - In the **Apps** and **Settings Catalog** device status reports, there's a column that shows any filter evaluation. Currently, the filter evaluation information isn't available for all Intune workloads.
9299
93100
## Include vs. Exclude
94101
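Review bot: the second bullet in the [!IMPORTANT] block (line 97) says devices in "Excluded groups" are not shown in the workload device status reports, but gives the reader no way to confirm that a device was excluded rather than missed; point to where that can be checked, as the first bullet does for "Available" apps. The third bullet (line 98) says filter evaluation is not available for all Intune workloads without saying whether **Apps** and **Settings Catalog** are the complete list today; if they are, say so.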

memdocs/intune/protect/data-leak-prevention.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -67,8 +67,8 @@ For Windows 10/11 devices:
6767
As appropriate, share the following links to provide additional information:
6868

6969
* [What to expect when your iOS/iPadOS app is managed by app protection policies](../fundamentals/end-user-mam-apps-ios.md)
70-
* [What to expect when your Android app is managed by app protection policies](../fundamentals/end-user-mam-apps-android.md)
70+
* [What to expect when your Android app is managed by app protection policies](../user-help/use-managed-apps-on-your-device-android.md)
7171

7272
## Next steps
7373

74-
Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least 150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory Premium, use your [FastTrack benefits](/enterprise-mobility-security/solutions/enterprise-mobility-fasttrack-program).
74+
Want help enabling this or other EMS or Microsoft 365 scenarios? If you have at least 150 licenses for Microsoft 365, Enterprise Mobility + Security, or Azure Active Directory Premium, use your [FastTrack benefits](/enterprise-mobility-security/solutions/enterprise-mobility-fasttrack-program).
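Review bot: line 70 moves the Android link to ../user-help/use-managed-apps-on-your-device-android.md while the iOS/iPadOS link on line 69 still points to ../fundamentals/end-user-mam-apps-ios.md; check whether the iOS article moved as well so both links stay valid. The change to line 74 shows no visible text difference, so it looks like a whitespace-only edit.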

windows-365/end-user-access-cloud-pc.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ To transfer files from the Cloud PC to the local device, copy the files to the D
9696

9797
#### Restrict users from transferring files to and from Cloud PCs
9898

99-
You can restrict users from transferring files by using RDP drive redirection. For more information, see [Manage RDP device redirections for Cloud PCs](manage-rdp-device-redirections.md).
99+
You can restrict users from transferring files by using RDP drive redirection. For more information, see [Manage RDP device redirections for Cloud PCs](./enterprise/manage-rdp-device-redirections.md).
100100

101101
### User feedback
102102
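Review bot: line 99 says transfers are restricted "by using RDP drive redirection", which reads as if turning redirection on is the control; under a heading about restricting file transfer, say that the restriction comes from disabling or limiting drive redirection. The link path fix to ./enterprise/manage-rdp-device-redirections.md matches the ./enterprise/ prefix already used for requirements-network.md at line 131.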

@@ -128,4 +128,4 @@ To set up their Remote Desktop client, users follow these steps:
128128
<!-- ########################## -->
129129
## Next steps
130130

131-
For information about the different protocol network requirements per scenario, see [Network requirements](./enterprise/requirements-network.md).
131+
For information about the different protocol network requirements per scenario, see [Network requirements](./enterprise/requirements-network.md).
