Merge branch 'main' into patch-31

Author: ErikjeMS

.gitignore

@@ -6,7 +6,7 @@ _site/
 Tools/NuGet/
 .optemp/
 _themes/
-
+.ds_store
 
 # Visual Studio and VS Code files
 .vscode/*

memdocs/analytics/app-reliability.md

@@ -66,6 +66,8 @@ For each application in the report, the following data is provided:
 
 > [!NOTE]
 > A maximum of 10 application crash events per application, per device, per day is used. This prevents excessive data collections from devices with severe application issues and helps prevent outlier devices from having undue influence over the reliability scores for individual applications.
+> 
+> Applications with an insignificant amount of foreground usage (about 10 minutes or fewer) on a particular device may not be captured. 
 
 ### App performance details
 

memdocs/autopilot/autopilot-device-guidelines.md

@@ -12,7 +12,7 @@ author: greg-lindsay
 ms.author: greglin
 ms.reviewer: jubaptis
 manager: dougeby
-ms.date: 12/16/2020
+ms.date: 2/1/2022
 ms.collection: M365-modern-desktop
 ms.topic: troubleshooting
 ---
@@ -36,6 +36,7 @@ The following best practices ensure that devices can easily be provisioned as pa
 - Before shipping devices to an Autopilot customer or channel partner, the OEM should upload 4K Hardware Hashes to Microsoft by using the CBR report. The hashes should be collected using the OA3 Tool RS3+ run in Audit mode on full OS.
 - Microsoft requires that OEM shipping drivers get published to Windows Update within 30 days of the CBR submission date. System firmware and driver updates are published to Windows Update within 14 days.
 - The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel.
+- When using a VM for Autopilot testing, assign at least 2 processors and 4gb of memory. *Note: The [minimum system requirements](/windows/whats-new/windows-11-requirements#virtual-machine-support) for Windows 11 are 2 processors and 4gb memory.
 
 ## Software best practice guidelines for Windows Autopilot
 
@@ -47,4 +48,4 @@ The following best practices ensure that devices can easily be provisioned as pa
 ## Next steps
 
 [Windows Autopilot customer consent](registration-auth.md)<br>
-[Motherboard replacement scenario guidance](autopilot-mbr.md)<br>
+[Motherboard replacement scenario guidance](autopilot-mbr.md)<br>

memdocs/autopilot/windows-autopilot.md

@@ -75,7 +75,6 @@ Windows Autopilot enables you to:
 
 - Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). For more information about the differences between these two join options, see [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
 - Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription for configuration*](/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal)).
-- Restrict the Administrator account creation.
 - Create and auto-assign devices to configuration groups based on a device's profile.
 - Customize OOBE content specific to the organization.
 

memdocs/cloud-native-windows-endpoints.md

@@ -404,6 +404,7 @@ Use Endpoint Security in Microsoft Endpoint Manager to configure encryption with
 - Check out our blog series on BitLocker at [Enabling BitLocker with Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/enabling-bitlocker-with-microsoft-endpoint-manager-microsoft/ba-p/2149784).
 
 These settings can be enabled in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)  by going to **Endpoint Security** > **Disk encryption** > **Create Policy** > **Windows and later** > **Profile** = **BitLocker**.
+Configuring the BitLocker settings specified below will result in silenty enabling 128 bit encryption for standard users, which is one of the most common scenarios. However your organisation might have different security requirements, so consult the [BitLocker documentation](./intune/protect/encrypt-devices.md) for additional settings.
 
 **BitLocker – Base Settings**:
 
@@ -432,9 +433,9 @@ These settings can be enabled in the [Microsoft Endpoint Manager admin center](h
 - BitLocker system drive policy: **Configure**
   - Startup authentication required: **Yes**
   - Compatible TPM startup: **Required**
-  - Compatible TPM startup PIN: **Not configured**
-  - Compatible TPM startup key: **Not configured**
-  - Compatible TPM startup key and PIN: **Not configured**
+  - Compatible TPM startup PIN: **Block**
+  - Compatible TPM startup key: **Block**
+  - Compatible TPM startup key and PIN: **Block**
   - Disable BitLocker on devices where TPM is incompatible: **Not configured**
   - Enable preboot recovery message and url: **Not configured**
 - System drive recovery: **Configure**

memdocs/configmgr/apps/deploy-use/learn-script-security.md

@@ -32,9 +32,9 @@ The Configuration Manager scripts feature lets you visually review and approve s
 
 This collection of links was chosen to give Configuration Manager administrators a starting point for learning about PowerShell script security recommendations.
 
-[PowerShell Security Best Practices](https://devblogs.microsoft.com/powershell/powershell-security-best-practices/)
+<!-- [PowerShell Security Best Practices](https://devblogs.microsoft.com/powershell/powershell-security-best-practices/)
 
-> [!VIDEO https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2013-Sessions/PowerShell-Best-Practices/player]
+> [!VIDEO https://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2013-Sessions/PowerShell-Best-Practices/player] -->
 
 [Defending Against PowerShell Attacks](https://devblogs.microsoft.com/powershell/defending-against-powershell-attacks/)
 

memdocs/configmgr/comanage/faq.yml

@@ -7,7 +7,7 @@ metadata:
   ms.author: aaroncz
   ms.reviewer: crosorio
   manager: dougeby
-  ms.date: 01/10/2021
+  ms.date: 01/26/2022
   ms.topic: reference
   ms.prod: configuration-manager
   ms.technology: configmgr-comanage
@@ -122,6 +122,9 @@ sections:
 
           For more information, see [How to prepare internet-based devices for co-management](how-to-prepare-win10.md).
 
+          > [!NOTE]
+          > You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process.<!-- CMADO-10205503 --> For alternative options to install the client, see [Client installation methods in Configuration Manager](../core/clients/deploy/plan/client-installation-methods.md).
+
       - question: |
           How do I manage updates for Windows and Microsoft 365 apps?
         answer: |

memdocs/configmgr/comanage/index.yml

@@ -14,7 +14,7 @@ metadata:
   author: mestew
   ms.author: mstewart
   manager: dougeby
-  ms.date: 09/23/2021
+  ms.date: 02/08/2022
   ms.localizationpriority: high
   ms.collection: highpri
 
@@ -27,6 +27,8 @@ landingContent:
         links:
           - text: What is co-management?
             url: overview.md
+          - text: Understand co-management (step-by-step)
+            url: /learn/modules/understand-co-management/         
           - text: Paths to co-management
             url: quickstart-paths.md
 

memdocs/configmgr/core/TOC.yml

@@ -285,14 +285,14 @@ items:
     items:
     - name: Technical Preview overview
       href: get-started/technical-preview.md
+    - name: 2201 features
+      href: get-started/2022/technical-preview-2201.md       
     - name: 2112 features
       href: get-started/2021/technical-preview-2112.md      
     - name: 2111 features
       href: get-started/2021/technical-preview-2111.md
     - name: 2110 features
       href: get-started/2021/technical-preview-2110.md
-    - name: 2109 features
-      href: get-started/2021/technical-preview-2109.md
   - name: Migrate data between hierarchies
     items:
     - name: Migration overview

memdocs/configmgr/core/clients/deploy/deploy-clients-to-windows-computers.md

@@ -339,11 +339,13 @@ Preinstall the Configuration Manager client on a reference computer that you use
 
 2. At a command prompt, type `net stop ccmexec` to stop the SMS Agent Host service (CcmExec.exe) on the reference computer.  
 
-3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.  
+3. Delete the SMSCFG.INI file from the Windows folder on the reference computer.
 
-4. Remove any certificates that are stored in the local computer store on the reference computer. For example, if you use PKI certificates, before you image the computer, remove the certificates in the **Personal** store for **Computer** and **User**.  
+4. Remove the certificates from the local computer's **SMS** certificate store.   
 
-5. If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the reference computer, remove the trusted root key from the reference computer.  
+5. Remove any other valid client authentication certificates that are stored in the local computer store on the reference computer. For example, if you use PKI certificates, before you image the computer, remove the certificates in the **Personal** store for **Computer** and **User**.  
+
+6. If the clients are installed in a different Configuration Manager hierarchy than the hierarchy of the reference computer, remove the trusted root key from the reference computer.  
 
     > [!NOTE]  
     > If clients can't query Active Directory Domain Services to locate a management point, they use the trusted root key to determine trusted management points. If you deploy all imaged clients in the same hierarchy as that of the master computer, leave the trusted root key in place.