Merge branch 'main' into release-intune-2206

Author: Erikre

.openpublishing.redirection.json

@@ -1,5 +1,10 @@
 {
     "redirections": [
+        {
+            "source_path": "memdocs/intune/fundamentals/end-user-mam-apps-android.md",
+            "redirect_url": "/mem/intune/user-help/use-managed-apps-on-your-device-android",
+            "redirect_document_id": true
+        }, 
         {
             "source_path": "memdocs/intune/configuration/vpn-settings-windows-phone-8-1.md",
             "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",

memdocs/autopilot/add-devices.md

@@ -43,6 +43,9 @@ This article provides step-by-step guidance for manual registration. For more in
 
 Device enrollment requires *Intune Administrator* or *Policy and Profile Manager* permissions. You can also create a custom Autopilot device manager role by using [role-based access control](../intune/fundamentals/role-based-access-control.md). Autopilot device management requires only that you enable all permissions under **Enrollment programs**, except for the four token management options.
 
+> [!NOTE]
+> In both Intune Administrator and role-based access control methods, the administrative user also requires consent to use the Microsoft Intune PowerShell enterprise application. 
+
 ## Collect the hardware hash
 
 The following methods are available to harvest a hardware hash from existing devices:

memdocs/autopilot/bitlocker.md

@@ -1,54 +1,73 @@
 ---
 title: Setting the BitLocker encryption algorithm for Autopilot devices
 description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows devices. 
-keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
 ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
 ms.localizationpriority: medium
-audience: itpro
 author: aczechowski
 ms.author: aaroncz
 ms.reviewer: jubaptis
 manager: dougeby
-ms.date: 12/16/2020
+ms.date: 06/15/2022
 ms.collection: M365-modern-desktop
 ms.topic: how-to
 ---
 
-
 # Setting the BitLocker encryption algorithm for Autopilot devices
 
 **Applies to**
 
 - Windows 11
 - Windows 10
 
-With Windows Autopilot, you can configure BitLocker encryption settings to get applied before automatic encryption starts. This configuration makes sure the default encryption algorithm isn't applied automatically. Other BitLocker policies can also be applied before automatic BitLocker encryption begins.
+BitLocker [automatically encrypts](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption) internal drives during the out of box experience (OOBE) for devices that support [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or meet the [Hardware Security Testability Specification (HSTI)](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). By default, BitLocker uses XTS-AES 128-bit used space only for automatic encryption.
+
+With Windows Autopilot, you can configure BitLocker encryption settings to apply before automatic encryption starts. This configuration makes sure the default encryption algorithm or type isn't applied automatically. A device that receives these settings after encrypting automatically will need to be decrypted before changing the encryption algorithm.
+
+## Encryption algorithm
+
+The BitLocker encryption algorithm is used when BitLocker is first enabled. During Autopilot, BitLocker will be enabled after the device setup portion of the [enrollment status page](enrollment-status.md). The following encryption algorithms are available:
 
-The BitLocker encryption algorithm is used when BitLocker is first enabled. The algorithm sets the strength  for full volume encryption. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
+- AES-CBC 128-bit
+- AES-CBC 256-bit
+- XTS-AES 128-bit (default)
+- XTS-AES 256-bit
+
+For more information about the recommended encryption algorithms to use, see [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
 
 To make sure the BitLocker encryption algorithm you want is set before automatic encryption occurs for Autopilot devices:
 
-1. Configure the [encryption method settings](../intune/protect/endpoint-protection-windows-10.md#windows-encryption) in the Windows Endpoint Protection profile to the encryption algorithm you want.
+1. Configure the [encryption method settings](../intune/protect/encrypt-devices.md#create-an-endpoint-security-policy-for-bitlocker) in the Endpoint Security disk encryption policy. The settings are available under **Endpoint Security** > **Disk encryption** > **Create policy** > **Platform** = Windows 10 and later, **Profile type** = BitLocker.
+
 2. [Assign the policy](../intune/configuration/device-profile-assign.md) to your Autopilot device group. The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](enrollment-status.md) (ESP) for these devices. If the ESP isn't enabled, the policy won't apply before encryption starts.
 
-An example of Microsoft Intune Windows Encryption settings is shown below.
+3. Enable the Autopilot [enrollment status page](enrollment-status.md) for these devices. If you don't enable this feature, the policy won't apply before encryption starts.
+
+The following image is an example of the Endpoint Security disk encryption settings.
 
-![BitLocker encryption settings.](images/bitlocker-encryption.png)
+:::image type="content" source="media/bitlocker/endpoint-security-disk-encryption-policy.png" alt-text="Screenshot example of the Endpoint Security disk encryption settings.":::
 
-A device that is encrypted automatically will need to be decrypted before changing the encryption algorithm.
+## Full disk or used space-only encryption
 
-The settings are available under **Device Configuration** > **Profiles** > **Create profile** > **Platform** = Windows 10 and later, Profile type = Endpoint protection > **Configure** > **Windows Encryption** > **BitLocker base settings**, Configure encryption methods = Enable.
+There are two types of encryption, full disk or used space-only. The type of encryption is automatically determined by configuration of [silent enablement](../intune/protect/encrypt-devices.md#silently-enable-bitlocker-on-devices) and hardware support for modern standby. You can enforce it by configuring the [SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp) setting. Like the encryption algorithm, the encryption type is used when BitLocker is first enabled. For more information on the expected encryption type behavior, see [Manage BitLocker policy](../intune/protect/encrypt-devices.md#full-disk-vs-used-space-only-encryption).
 
-It's also recommended to set **Windows Encryption** > **Windows Settings** > **Encrypt** = Require.
+To enforce the type of drive encryption used:
+
+1. Configure the **Enforce drive encryption type on operating system drives** setting within the [settings catalog](../intune/configuration/settings-catalog.md). This setting is available in the **Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives** category from the settings picker.
+
+2. [Assign the policy](../intune/configuration/device-profile-assign.md) to your Autopilot device group. The encryption policy must be assigned to **devices** in the group, not users.
+
+3. Enable the Autopilot [enrollment status page](enrollment-status.md) for these devices. If you don't enable this feature, the policy won't apply before encryption starts.
+
+The following image is an example of the settings catalog profile.
+
+:::image type="content" source="media/bitlocker/settings-catalog-drive-type.png" alt-text="Screenshot example of the BitLocker drive type configuration in the settings catalog.":::
 
 ## Requirements
 
-Windows 10, version 1809 or later.
+A supported version of Windows 11 or Windows 10.
 
 ## Next steps
 
 [BitLocker overview](/windows/security/information-protection/bitlocker/bitlocker-overview)
+
+[Manage BitLocker policy for Windows devices with Intune](../intune/protect/encrypt-devices.md)

memdocs/autopilot/index.yml

@@ -123,4 +123,4 @@ landingContent:
       - text: Windows Autopilot and Surface devices
         url: /surface/windows-autopilot-and-surface-devices
       - text: Windows Autopilot for HoloLens 2
-        url:  https://docs.microsoft.com/hololens/hololens2-autopilot
+        url: /hololens/hololens2-autopilot

memdocs/autopilot/known-issues.md

@@ -28,7 +28,11 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
-### `DefaultuserX` profile not deleted
+### Autopilot profile not being applied when assigned 
+
+In Windows 10 April (KB5011831) release, there is an issue where the Autopilot profile may fail to apply to the device. As a result, any settings made in the profile may not be configured for the user such as device renaming. To resolve this issue, the May (KB5015020) cumulative update needs to be applied to the device.
+
+### DefaultuserX profile not deleted
 
 When you use the [EnableWebSignIn CSP](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin), the `defaultuserX` profile may not be deleted. This CSP isn't currently supported. It's in preview mode only and not recommended for production purposes at this time.
 

memdocs/autopilot/media/bitlocker/endpoint-security-disk-encryption-policy.png

@@ -8,7 +8,7 @@ keywords:
 author: ErikjeMS
 ms.author: erikje
 manager: dougeby
-ms.date: 06/07/2021
+ms.date: 06/22/2021
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -113,12 +113,23 @@ The organizational unit that's granted the rights to create computers must match
 
 ## Install the Intune Connector
 
-The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later. The computer must also have access to the internet and your Active Directory. To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.
+### Before you begin
 
-> [!NOTE]
-> If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that's able to create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these are untrusted domains, you must uninstall the connectors from domains in which you don't want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
+- The Intune Connector for Active Directory must be installed on a computer that's running Windows Server 2016 or later. 
+- The computer must have access to the internet and your Active Directory. 
+- To increase scale and availability, you can install multiple connectors in your environment. We recommend installing the Connector on a server that's not running any other Intune connectors. Each connector must be able to create computer objects in any domain that you want to support.
+
+- If your organization has multiple domains and you install multiple Intune Connectors, you must use a service account that can create computer objects in all domains, even if you plan to implement hybrid Azure AD join only for a specific domain. If these are untrusted domains, you must uninstall the connectors from domains in which you don't want to use Windows Autopilot. Otherwise, with multiple connectors across multiple domains, all connectors must be able to create computer objects in all domains.
+
+  This connector service account must have the following permissions:
+
+  - **[Log on as a service](/system-center/scsm/enable-service-log-on-sm)**
+  - Must be part of the **Domain user** group
+  - Must be a member of the local **Administrators** group on the Windows server that hosts the connector
+
+- The Intune Connector requires the [same endpoints as Intune](../intune/fundamentals/intune-endpoints.md).
 
-The Intune Connector requires the [same endpoints as Intune](../intune/fundamentals/intune-endpoints.md).
+### Install steps
 
 1. Turn off IE Enhanced Security Configuration. By default Windows Server has Internet Explorer Enhanced Security Configuration turned on. If you're unable to sign in to the Intune Connector for Active Directory, then turn off IE Enhanced Security Configuration for the Administrator. [How To Turn Off Internet Explorer Enhanced Security Configuration](/archive/blogs/chenley/how-to-turn-off-internet-explorer-enhanced-security-configuration). 
 2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory** > **Add**. 
@@ -131,13 +142,10 @@ The Intune Connector requires the [same endpoints as Intune](../intune/fundament
 8. Go to **Devices** > **Windows** > **Windows enrollment** > **Intune Connector for Active Directory**, and then confirm that the connection status is **Active**.
 
 > [!NOTE]
-> The Global administrator role is a temporary requirement at the time of installation.
-
-> [!NOTE]
-> After you sign in to the Connector, it might take a couple of minutes to appear in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). It appears only if it can successfully communicate with the Intune service.
-
-> [!NOTE]
-> Inactive Intune connectors will still appear in the Intune Connectors blade and will automatically be cleaned up after 30 days.
+> 
+> - The Global administrator role is a temporary requirement at the time of installation.
+> - After you sign in to the Connector, it can take several minutes to appear in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). It appears only if it can successfully communicate with the Intune service.
+> - Inactive Intune connectors still appear in the Intune Connectors blade and will automatically be cleaned up after 30 days.
 
 ### Configure web proxy settings
 

memdocs/autopilot/media/bitlocker/settings-catalog-drive-type.png

@@ -60,7 +60,7 @@ The endpoint is joined to Azure AD. It's not joined to an on-premises AD domain.
 
 To join Windows endpoints to Azure AD, you have some options:
 
-- **Use [Windows Autopilot](/mem/autopilot/)**. Windows Autopilot guides users through the Windows Out of Box Experience (OOBE). When users enter their work or school account, the endpoint joins Azure AD.
+- **Use [Windows Autopilot](./autopilot/index.yml)**. Windows Autopilot guides users through the Windows Out of Box Experience (OOBE). When users enter their work or school account, the endpoint joins Azure AD.
 
   All devices registered with Windows Autopilot are automatically considered organization owned devices. Windows Autopilot is one of the most adopted approaches to get organization devices joined to Azure AD and managed by IT.  
 
@@ -132,7 +132,7 @@ Consider the following scenarios:
 | You want to manage endpoints using MDM policies | ✔️ Azure AD join <br/><br/> Microsoft Intune, which is a 100% cloud solution, can manage Windows client devices. Intune has many built-in features and settings that can manage settings, control device features, help secure your endpoints, and more. <br/><br/>The [High level planning guide to move to cloud-native endpoints: Intune features you should know](cloud-native-endpoints-planning-guide.md#intune-features-you-should-know) lists some of these features. [What is Intune](./intune/fundamentals/what-is-intune.md) is also a good resource. <br/><br/>❌ Hybrid Azure AD join<br/><br/> On HAADJ endpoints, you must use group policies objects (GPO) to control policy settings. If you enable [co-management](./configmgr/comanage/overview.md) (Intune (cloud) + Configuration Manager (on-premises)), then you can use some Azure AD features, such as conditional access. <br/><br/>For some guidance, go to [Deployment guide: Setup or move to Microsoft Intune](./intune/fundamentals/deployment-guide-intune-setup.md). |
 | You want to eliminate on-premises AD for authentication and sign-on  | ✔️ Azure AD join <br/><br/> User identities are created and stored in Azure AD. Users can sign in to their endpoints from anywhere and at any time. If you use [passwordless authentication](/azure/active-directory/authentication/concept-authentication-passwordless), then users might not need internet access to sign in. <br/><br/> AADJ endpoints can also use modern authentication, including multifactor authentication (MFA), smart card authentication, and certificate-based authentication.<br/><br/> ❌ Hybrid Azure AD join<br/><br/> HAADJ endpoints require a line-of-sight to the on-premises AD domain controller for initial sign-in and to change passwords. If the domain is down, or there isn't any internet access, then users could be blocked from signing in to their endpoints. <br/><br/> If you use [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-faqs), then users need internet access and line of sight to the DCs. HAADJ endpoints can use kerberos and NTLM to authenticate. |
 | You need to access on-premises resources | ✔️ Azure AD join <br/><br/> AADJ endpoints can access on-premises resources, and can use single sign-on (SSO). For more specific information, go to [Cloud-native endpoints and on-premises resources](cloud-native-endpoints-on-premises.md).<br/><br/>✔️ Hybrid Azure AD join<br/><br/> HAADJ endpoints can use single sign-on (SSO) across your cloud and on-premises resources. For more specific information, go to [Configure hybrid Azure AD join](/azure/active-directory/devices/howto-hybrid-azure-ad-join). |
-| You want device compliance and/or conditional access | ✔️ Azure AD join <br/><br/> With Microsoft Intune or [co-management](/configmgr/comanage/overview) (Intune (cloud) + Configuration Manager (on-premises)), you can create [compliance policies](/mem/intune/protect/device-compliance-get-started). When combined with [conditional access](/mem/intune/protect/conditional-access), you can enforce your compliance policies on AADJ endpoints. <br/><br/>✔️ Hybrid Azure AD join<br/><br/> With Microsoft Intune or [co-management](/configmgr/comanage/overview) (Intune (cloud) + Configuration Manager (on-premises)), you can create [compliance policies](/mem/intune/protect/device-compliance-get-started). When combined with [conditional access](/mem/intune/protect/conditional-access), you can enforce your compliance policies on HAADJ endpoints. |
+| You want device compliance and/or conditional access | ✔️ Azure AD join <br/><br/> With Microsoft Intune or [co-management](/configmgr/comanage/overview) (Intune (cloud) + Configuration Manager (on-premises)), you can create [compliance policies](./intune/protect/device-compliance-get-started.md). When combined with [conditional access](./intune/protect/conditional-access.md), you can enforce your compliance policies on AADJ endpoints. <br/><br/>✔️ Hybrid Azure AD join<br/><br/> With Microsoft Intune or [co-management](/configmgr/comanage/overview) (Intune (cloud) + Configuration Manager (on-premises)), you can create [compliance policies](./intune/protect/device-compliance-get-started.md). When combined with [conditional access](./intune/protect/conditional-access.md), you can enforce your compliance policies on HAADJ endpoints. |
 
 ## Follow the cloud-native endpoints guidance
 
@@ -141,4 +141,4 @@ Consider the following scenarios:
 3. 🡺 **Concept: Azure AD joined vs. Hybrid Azure AD joined** (*You are here*)
 4. [Concept: Cloud-native endpoints and on-premises resources](cloud-native-endpoints-on-premises.md)
 5. [High level planning guide](cloud-native-endpoints-planning-guide.md)
-6. [Known issues and important information](cloud-native-endpoints-known-issues.md)
+6. [Known issues and important information](cloud-native-endpoints-known-issues.md)