Merge branch 'release-intune-2209' of https://github.com/microsoftdocs/memdocs-pr into erikre-wn2209-15468520

Author: Erikre

memdocs/configmgr/hotfix/2207/15498768.md

@@ -0,0 +1,77 @@
+---
+title: NTLM connection fallback update for Microsoft Endpoint Configuration Manager
+titleSuffix: Configuration Manager
+description: NTLM connection fallback update for Configuration Manager
+ms.date: 09/20/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 3c93a332-e818-46fe-860f-cbebf4dd9ab3
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+# NTLM connection fallback update for Microsoft Endpoint Configuration Manager
+
+*Applies to: Configuration Manager (current branch, versions 2103, 2107, 2111, 2203, 2207)*
+
+## Summary of KB15498768
+Disabling the **Allow connection fallback to NTLM** option in *Client Push Installation Properties* is not honored under either of the following conditions:
+- If there are Kerberos authentication failures the client push account will attempt an NTLM connection instead.
+- The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.
+
+This update prevents any attempt at NTLM authentication for client push installation when the **Allow connection fallback to NTLM** option is disabled.
+
+Installation of this update resolves the following security issue:
+- [CVE-2022-37972](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37972)
+
+Beginning with Configuration Manager current branch, version 2207, the **Allow connection fallback to NTLM** option is *disabled* by default on new site installations.
+
+It is recommended to disable this option in existing environments, where possible, to increase security.
+
+Refer to the following documents for more detail on client and NTLM security:
+- [Security and privacy for Configuration Manager clients](../../core/clients/deploy/plan/security-and-privacy-for-clients.md#security-guidance-for-clients)
+- [KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services](https://support.microsoft.com/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429)
+- [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](https://learn.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers)
+
+Environments using versions of Configuration Manager current branch prior to 2103 are encouraged to update to a later supported version. Administrators can also disable use of automatic and manual client push installation methods to remove the risk of exposure to this issue.
+For more information, see [Support for Configuration Manager current branch versions](../../core/servers/manage/current-branch-versions-supported.md).
+ 
+## Update information for Microsoft Endpoint Configuration Manager, versions 2103-2207
+An update to resolve this issue is available in the **Updates and Servicing** node of the Configuration Manager console for environments that have versions 2103-2207 installed. 
+
+#### Update replacement information
+This update does not replace any previously released updates.
+
+#### Restart information
+For Configuration Manager versions 2107 and later, this update does not require a computer restart or a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+Configuration Manager version 2103 will require a site reset after update installation.
+
+### Additional installation information
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+No major components are updated with this release.
+
+## File information
+File information is available in the following version-specific file lists (KB15498768_FileList.txt):
+- [Configuration Manager 2103](https://aka.ms/KB15498768_2103_FileList)
+- [Configuration Manager 2107](https://aka.ms/KB15498768_2107_FileList)
+- [Configuration Manager 2111](https://aka.ms/KB15498768_2111_FileList)
+- [Configuration Manager 2203](https://aka.ms/KB15498768_2203_FileList)
+- [Configuration Manager 2207](https://aka.ms/KB15498768_2207_FileList)
+
+## Release history
+- September 20, 2022: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/TOC.yml

@@ -9,6 +9,8 @@ items:
     href: 2207/14959905.md
   - name: KB 14978429  Connected cache update for Microsoft Endpoint Configuration Manager version 2207
     href: 2207/14978429.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2203
   items:
   - name: KB 13174460 Summary of changes in 2203
@@ -19,6 +21,8 @@ items:
     href: 2203/14480034.md
   - name: KB 14244456 Update rollup for Microsoft Endpoint Configuration Manager version 2203
     href: 2203/14244456.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2111
   items:
   - name: KB 10096997 Summary of changes in 2111
@@ -31,6 +35,8 @@ items:
     href: 2111/12819689.md
   - name: KB 12896009 Update rollup for Microsoft Endpoint Configuration Manager version 2111
     href: 2111/12896009.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2107
   items:
   - name: KB 10096997 Summary of changes in 2107
@@ -41,6 +47,8 @@ items:
     href: 2107/11121541.md
   - name: KB 12636660 Network access account update
     href: 2107/12636660.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2103
   items:
   - name: KB 9210721 Summary of changes in 2103
@@ -59,6 +67,8 @@ items:
     href: 2103/10589155.md
   - name: KB 10582136 Tenant attach update
     href: 2103/10582136.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2010
   items:
   - name: KB 4599442 Summary of changes in 2010

memdocs/configmgr/hotfix/index.yml

@@ -25,6 +25,8 @@ landingContent:
             url: 2207/14840616.md
           - text: KB 14959905 Early update ring
             url: 2207/14959905.md
+          - text: KB 15498768 NTLM connection fallback update
+            url: 2207/15498768.md
 
   - title: Configuration Manager 2203
     linkLists:

memdocs/intune/apps/mam-faq.yml

@@ -206,7 +206,7 @@ sections:
           
       - question: Intune App Protection Policies provide the capability for admins to require end user devices to pass Google's SafetyNet Attestation for Android devices. How often is a new SafetyNet Attestation result sent to the service?
         answer: |
-           A new Google Play service determination will be reported to the IT admin at an interval determined by the Intune service. How often the service call is made is throttled due to load, thus this value is maintained internally and is not configurable. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the time of conditional launch. If there is no data, access will be allowed depending on no other conditional launch checks failing, and Google Play Service "roundtrip" for determining attestation results will begin in the backend and prompt the user asynchronously if the device has failed. If there is stale data, access will be blocked or allowed depending on the last reported result, and similarly, a Google Play Service "roundtrip" for determining attestation results will begin and prompt the user asynchronously if the device has failed.
+           The Intune service will contact Google Play at a non-configurable interval determined by service load. Any IT admin configured action for the Google SafetyNet Attestation setting will be taken based on the last reported result to the Intune service at the time of conditional launch. If the Google SafetyNet Attestation result is compliant, no action is taken.  If the Google SafetyNet Attestation result is non-compliant, the IT admin configured action will be taken immediately. If the request to the Google SafetyNet Attestation fails for any reason, the cached result from the previous request will be used for up to 24 hours or the next device restart, which ever comes first. At that time Intune App Protection Policies will block access until a current result can be obtained.
           
       - question: Intune App Protection Policies provide the capability for admins to require end user devices to send signals via Google's Verify Apps API for Android devices. How can an end user turn on the app scan so that they are not blocked from access due to this?
         answer: |

memdocs/intune/apps/manage-microsoft-office.md

@@ -120,6 +120,7 @@ Office supports the following settings for configuration:
 
 - Manage the creation of Sticky Notes
 - Set add-ins preference
+- Manage Teams apps running on Office app for Android (in preview)
 
 ### Manage the creation of Sticky Notes
 
@@ -145,6 +146,22 @@ If you need to enable or disable the Office Store portion of the platform for iO
 
 For more information about adding configuration keys, see [Add app configuration policies for managed iOS/iPadOS devices](../apps/app-configuration-policies-use-ios.md).
 
+### Manage Teams apps running on Office app for Android (in preview)
+
+Teams personal tab apps are already in preview for Office.com and Outlook desktop in Target Release, and IT admins can manage access to Teams apps by creating [custom permission policies](/MicrosoftTeams/teams-app-permission-policies#create-a-custom-app-permission-policy) and [assigning these policies to users](/MicrosoftTeams/policy-assignment-overview) using Teams admin center. You can now also run Teams personal tab apps in Office app for Android, in preview. Teams personal tab apps built using [Microsoft Teams JavaScript client SDK v2](/microsoftteams/platform/tabs/how-to/using-teams-client-sdk?tabs=javascript%2Cmanifest-teams-toolkit) (version 2.0.0) and [Teams App manifest](/microsoftteams/platform/resources/schema/manifest-schema) (version 1.13) appear in Office app for Android under the “Apps” menu.
+
+There may be additional management requirements specific to Office app for Android. You may want to:
+- Only allow specific users in your organization to try enhanced Teams apps on Office app for Android, or
+- Block all users in your organization from using enhanced Teams apps on Office app for Android.
+
+To manage these, you can use the following key:
+
+|    Key    |    Value    |
+|-------------------------------------------------------------------|-------------|
+|    com.microsoft.office.officemobile.TeamsApps.IsAllowed    |    **true** (default) enables Teams apps on Office app for Android<br>**false** disables Teams apps on Office app for Android    |
+
+This key can be used both by managed devices and managed apps.
+
 ## Data protection app configuration scenarios
 
 Office for iOS and Android supports app configuration policies for the following data protection settings when the app is managed by Microsoft Endpoint Manager with an Intune App Protection Policy applied to the work or school account that is signed into the app and the policy settings are delivered only through a managed apps App Configuration Policy:

memdocs/intune/protect/microsoft-tunnel-prerequisites.md

@@ -236,7 +236,8 @@ When creating the Server configuration for the tunnel, you can specify a differe
   - `*.blob.storage.azure.net`
 
 
-- The Tunnel shares the same requirements as [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), with the addition of port TCP 22.
+
+- The Tunnel shares the same requirements as [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), with the addition of port TCP 22, and graph.microsoft.com.
 
 - Configure firewall rules to support the configurations detailed in  [Microsoft Container Registry (MCR) Client Firewall Rules Configuration](https://github.com/microsoft/containerregistry/blob/master/client-firewall-rules.md).
 

memdocs/intune/user-help/TOC.yml

@@ -26,8 +26,10 @@ items:
       href: enroll-device-android-company-portal.md
     - name: Enroll with Android work profile
       href: enroll-device-android-work-profile.md
-    - name: Enroll with Microsoft Intune app
-      href: enroll-device-android-microsoft-intune-app.md
+    - name: Enroll Android with Microsoft Intune app 
+      href: enroll-device-android-microsoft-intune-app.md 
+    - name: Enroll AOSP with Microsoft Intune app 
+      href: enroll-device-aosp.md
     - name: Enroll with derived credentials
       items:
       - name: Enroll with Entrust
@@ -50,7 +52,16 @@ items:
       href: use-verbose-logging-to-help-your-it-administrator-fix-device-issues-android.md
     - name: Turn off Microsoft data collection
       href: turn-off-microsoft-usage-data-collection-android.md
-
+  - name: Microsoft Intune app for AOSP 
+    items:
+    - name: Check device compliance 
+      href: check-compliance-aosp.md 
+    - name: Sync device 
+      href: sync-device-aosp.md 
+    - name: Configure logging settings 
+      href: intune-app-logs-aosp.md 
+    - name: Turn off Microsoft data collection 
+      href: turn-off-microsoft-usage-data-collection-aosp.md 
   - name: Update device settings
     items:
     - name: Move to new device management setup

memdocs/intune/user-help/check-compliance-aosp.md

@@ -0,0 +1,58 @@
+---
+# required metadata
+
+title: Check compliance on your AOSP device | Microsoft Docs
+description: Use the Intune app to check in and confirm that the settings on your device meet your organization's requirements. 
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+# Check compliance on your AOSP device  
+
+Manually start a device check-in from the Microsoft Intune app to:
+
+* Force the Intune app to check device compliance 
+* Update your device status 
+* Regain access to your work or school resources 
+
+## Purpose of check-in 
+
+During a check-in, the Intune app confirms that the settings on your device meet your organization's policy requirements. Your organization can limit or restrict access to work or school resources until you check in.  
+
+If you recently made changes to your device settings, you may need to manually check in to register these changes with Company Portal. 
+
+## Check compliance  
+Complete these steps to check device settings or refresh your compliance status. 
+
+1. Open the Microsoft Intune app for AOSP on your device.   
+
+2. Tap **Devices** and then select your device.  
+
+3. Under **Device Settings Status**, tap **Refresh**. 
+    
+    The Intune app will check your device to confirm that it's meeting your organization's setting requirements. 
+
+4. After the check, your device settings status will either read, **In Compliance** or **Not in Compliance**. 
+
+    If you're required to make any changes, a message will appear at the top of the screen. Tap it for more details. 

memdocs/intune/user-help/enroll-device-aosp.md

@@ -0,0 +1,64 @@
+---
+# required metadata
+
+title: Enroll AOSP device with Microsoft Intune app| Microsoft Docs
+description: Describes how to enroll a corporate-owned AOSP device in Intune.
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.prod:
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+
+# Enroll AOSP device with the Microsoft Intune app
+
+Enroll your corporate-owned AOSP device to get secure, mobile access to your organization's internal resources. This article describes the enrollment requirements and steps for AOSP devices. 
+
+## Prerequisites 
+
+AOSP devices must meet the following requirements to enroll:  
+
+* New or factory-reset 
+* Running Android 10.0 or later 
+* Corporate-owned (not a personal device) 
+* RealWear device, updated to Firmware 11.2 or later
+
+Additionally, you need the enrollment QR code that's provided by your organization.  
+
+## Enroll device  
+Complete these steps to set up and enroll your device.  
+
+1. Turn on your new or factory-reset device.  
+2. If prompted to, connect to Wi-Fi. Then tap **NEXT**. 
+3. Scan the QR code provided by your organization. 
+4. Follow the onscreen prompts to enroll your device. 
+5. If prompted to, review the device terms and conditions. Then select **ACCEPT & CONTINUE**. 
+6. The Microsoft Intune app opens. The next step depends on the type of device you're using. Complete the step that matches the screen shown on your device: 
+
+   - Tap **START** to begin enrollment.  
+   - Sign in with your work account. 
+      1. Enter your email, and then tap **NEXT**. 
+      2. Enter your password, and then tap **SIGN IN** to begin enrollment.   
+7. When you see the message that your device is ready, tap **DONE**. 
+
+If after enrolling you have trouble accessing your organization's resources, go to the Microsoft Intune app to verify that all of your device settings meet your organization's requirements. For more information about checking compliance, see [Check compliance on your AOSP device](check-compliance-aosp.md). 

memdocs/intune/user-help/intune-app-logs-aosp.md

@@ -0,0 +1,44 @@
+---
+# required metadata
+
+title: Configure logging settings for AOSP - Microsoft Intune| Microsoft Docs
+description: Learn how to adjust app logging levels in the Microsoft Intune app. 
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.prod:
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+
+# Configure logging settings for AOSP
+
+Logging enables the Microsoft Intune app to record actions that take place in the app. If you ever experience a problem in the app, and then report it, your support team will review the app logs. Verbose logging, which is the highest level of logging, is most helpful in these cases because it provides the most details about what happened in the app. 
+
+The log detail level defaults to **Important** in the Microsoft Intune app. To adjust the level:  
+
+1. Open the Microsoft Intune app.  
+2. Tap **Settings**.  
+3. Under **Log level detail**, select **Verbose** to increase the level of details recorded. Select **Off** to turn off logging.  
+
+> [!NOTE]
+> The logs that you send to your support team will include your email address.