Merging changes synced from https://github.com/MicrosoftDocs/memdocs-pr (branch live)

Author: dstrome

memdocs/configmgr/hotfix/2207/15498768.md

@@ -0,0 +1,77 @@
+---
+title: NTLM connection fallback update for Microsoft Endpoint Configuration Manager
+titleSuffix: Configuration Manager
+description: NTLM connection fallback update for Configuration Manager
+ms.date: 09/20/2022
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: reference
+ms.assetid: 3c93a332-e818-46fe-860f-cbebf4dd9ab3
+author: bhuney
+ms.author: brianhun
+manager: dougeby
+---
+# NTLM connection fallback update for Microsoft Endpoint Configuration Manager
+
+*Applies to: Configuration Manager (current branch, versions 2103, 2107, 2111, 2203, 2207)*
+
+## Summary of KB15498768
+Disabling the **Allow connection fallback to NTLM** option in *Client Push Installation Properties* is not honored under either of the following conditions:
+- If there are Kerberos authentication failures the client push account will attempt an NTLM connection instead.
+- The site server computer account will attempt a connection using NTLM if Kerberos authentication fails for all defined client push installation accounts.
+
+This update prevents any attempt at NTLM authentication for client push installation when the **Allow connection fallback to NTLM** option is disabled.
+
+Installation of this update resolves the following security issue:
+- [CVE-2022-37972](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37972)
+
+Beginning with Configuration Manager current branch, version 2207, the **Allow connection fallback to NTLM** option is *disabled* by default on new site installations.
+
+It is recommended to disable this option in existing environments, where possible, to increase security.
+
+Refer to the following documents for more detail on client and NTLM security:
+- [Security and privacy for Configuration Manager clients](../../core/clients/deploy/plan/security-and-privacy-for-clients.md#security-guidance-for-clients)
+- [KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services](https://support.microsoft.com/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429)
+- [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](https://learn.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers)
+
+Environments using versions of Configuration Manager current branch prior to 2103 are encouraged to update to a later supported version. Administrators can also disable use of automatic and manual client push installation methods to remove the risk of exposure to this issue.
+For more information, see [Support for Configuration Manager current branch versions](../../core/servers/manage/current-branch-versions-supported.md).
+ 
+## Update information for Microsoft Endpoint Configuration Manager, versions 2103-2207
+An update to resolve this issue is available in the **Updates and Servicing** node of the Configuration Manager console for environments that have versions 2103-2207 installed. 
+
+#### Update replacement information
+This update does not replace any previously released updates.
+
+#### Restart information
+For Configuration Manager versions 2107 and later, this update does not require a computer restart or a [site reset](../../core/servers/manage/modify-your-infrastructure.md#bkmk_reset) after installation.
+
+Configuration Manager version 2103 will require a site reset after update installation.
+
+### Additional installation information
+After you install this update on a primary site, pre-existing secondary sites must be manually updated. To update a secondary site in the Configuration Manager console, select **Administration** > **Site Configuration** > **Sites** >  **Recover Secondary Site**, and then select the secondary site. The primary site then reinstalls that secondary site by using the updated files. Configurations and settings for the secondary site are not affected by this reinstallation. The new, upgraded, and reinstalled secondary sites under that primary site automatically receive this update.
+
+Run the following SQL Server command on the site database to check whether the update version of a secondary site matches that of its parent primary site:
+   ```sql
+   select dbo.fnGetSecondarySiteCMUpdateStatus ('SiteCode_of_secondary_site')
+   ```
+If the value 1 is returned, the site is up to date, with all the hotfixes applied on its parent primary site.
+
+If the value 0 is returned, the site has not installed all the fixes that are applied to the primary site, and you should use the **Recover Secondary Site** option to update the secondary site.
+
+## Version information
+No major components are updated with this release.
+
+## File information
+File information is available in the following version-specific file lists (KB15498768_FileList.txt):
+- [Configuration Manager 2103](https://aka.ms/KB15498768_2103_FileList)
+- [Configuration Manager 2107](https://aka.ms/KB15498768_2107_FileList)
+- [Configuration Manager 2111](https://aka.ms/KB15498768_2111_FileList)
+- [Configuration Manager 2203](https://aka.ms/KB15498768_2203_FileList)
+- [Configuration Manager 2207](https://aka.ms/KB15498768_2207_FileList)
+
+## Release history
+- September 20, 2022: Initial hotfix release
+
+## References
+[Updates and servicing for Configuration Manager](../../core/servers/manage/updates.md)

memdocs/configmgr/hotfix/TOC.yml

@@ -9,6 +9,8 @@ items:
     href: 2207/14959905.md
   - name: KB 14978429  Connected cache update for Microsoft Endpoint Configuration Manager version 2207
     href: 2207/14978429.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2203
   items:
   - name: KB 13174460 Summary of changes in 2203
@@ -19,6 +21,8 @@ items:
     href: 2203/14480034.md
   - name: KB 14244456 Update rollup for Microsoft Endpoint Configuration Manager version 2203
     href: 2203/14244456.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2111
   items:
   - name: KB 10096997 Summary of changes in 2111
@@ -31,6 +35,8 @@ items:
     href: 2111/12819689.md
   - name: KB 12896009 Update rollup for Microsoft Endpoint Configuration Manager version 2111
     href: 2111/12896009.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2107
   items:
   - name: KB 10096997 Summary of changes in 2107
@@ -41,6 +47,8 @@ items:
     href: 2107/11121541.md
   - name: KB 12636660 Network access account update
     href: 2107/12636660.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2103
   items:
   - name: KB 9210721 Summary of changes in 2103
@@ -59,6 +67,8 @@ items:
     href: 2103/10589155.md
   - name: KB 10582136 Tenant attach update
     href: 2103/10582136.md
+  - name: KB 15498768 NTLM connection fallback update
+    href: 2207/15498768.md
 - name: Version 2010
   items:
   - name: KB 4599442 Summary of changes in 2010

memdocs/configmgr/hotfix/index.yml

@@ -25,6 +25,8 @@ landingContent:
             url: 2207/14840616.md
           - text: KB 14959905 Early update ring
             url: 2207/14959905.md
+          - text: KB 15498768 NTLM connection fallback update
+            url: 2207/15498768.md
 
   - title: Configuration Manager 2203
     linkLists:

memdocs/intune/protect/microsoft-tunnel-prerequisites.md

@@ -236,7 +236,8 @@ When creating the Server configuration for the tunnel, you can specify a differe
   - `*.blob.storage.azure.net`
 
 
-- The Tunnel shares the same requirements as [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), with the addition of port TCP 22.
+
+- The Tunnel shares the same requirements as [Network endpoints for Microsoft Intune](../fundamentals/intune-endpoints.md), with the addition of port TCP 22, and graph.microsoft.com.
 
 - Configure firewall rules to support the configurations detailed in  [Microsoft Container Registry (MCR) Client Firewall Rules Configuration](https://github.com/microsoft/containerregistry/blob/master/client-firewall-rules.md).
 

memdocs/intune/user-help/TOC.yml

@@ -26,8 +26,10 @@ items:
       href: enroll-device-android-company-portal.md
     - name: Enroll with Android work profile
       href: enroll-device-android-work-profile.md
-    - name: Enroll with Microsoft Intune app
-      href: enroll-device-android-microsoft-intune-app.md
+    - name: Enroll Android with Microsoft Intune app 
+      href: enroll-device-android-microsoft-intune-app.md 
+    - name: Enroll AOSP with Microsoft Intune app 
+      href: enroll-device-aosp.md
     - name: Enroll with derived credentials
       items:
       - name: Enroll with Entrust
@@ -50,7 +52,16 @@ items:
       href: use-verbose-logging-to-help-your-it-administrator-fix-device-issues-android.md
     - name: Turn off Microsoft data collection
       href: turn-off-microsoft-usage-data-collection-android.md
-
+  - name: Microsoft Intune app for AOSP 
+    items:
+    - name: Check device compliance 
+      href: check-compliance-aosp.md 
+    - name: Sync device 
+      href: sync-device-aosp.md 
+    - name: Configure logging settings 
+      href: intune-app-logs-aosp.md 
+    - name: Turn off Microsoft data collection 
+      href: turn-off-microsoft-usage-data-collection-aosp.md 
   - name: Update device settings
     items:
     - name: Move to new device management setup

memdocs/intune/user-help/check-compliance-aosp.md

@@ -0,0 +1,58 @@
+---
+# required metadata
+
+title: Check compliance on your AOSP device | Microsoft Docs
+description: Use the Intune app to check in and confirm that the settings on your device meet your organization's requirements. 
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+# Check compliance on your AOSP device  
+
+Manually start a device check-in from the Microsoft Intune app to:
+
+* Force the Intune app to check device compliance 
+* Update your device status 
+* Regain access to your work or school resources 
+
+## Purpose of check-in 
+
+During a check-in, the Intune app confirms that the settings on your device meet your organization's policy requirements. Your organization can limit or restrict access to work or school resources until you check in.  
+
+If you recently made changes to your device settings, you may need to manually check in to register these changes with Company Portal. 
+
+## Check compliance  
+Complete these steps to check device settings or refresh your compliance status. 
+
+1. Open the Microsoft Intune app for AOSP on your device.   
+
+2. Tap **Devices** and then select your device.  
+
+3. Under **Device Settings Status**, tap **Refresh**. 
+    
+    The Intune app will check your device to confirm that it's meeting your organization's setting requirements. 
+
+4. After the check, your device settings status will either read, **In Compliance** or **Not in Compliance**. 
+
+    If you're required to make any changes, a message will appear at the top of the screen. Tap it for more details. 

memdocs/intune/user-help/enroll-device-aosp.md

@@ -0,0 +1,64 @@
+---
+# required metadata
+
+title: Enroll AOSP device with Microsoft Intune app| Microsoft Docs
+description: Describes how to enroll a corporate-owned AOSP device in Intune.
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.prod:
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+
+# Enroll AOSP device with the Microsoft Intune app
+
+Enroll your corporate-owned AOSP device to get secure, mobile access to your organization's internal resources. This article describes the enrollment requirements and steps for AOSP devices. 
+
+## Prerequisites 
+
+AOSP devices must meet the following requirements to enroll:  
+
+* New or factory-reset 
+* Running Android 10.0 or later 
+* Corporate-owned (not a personal device) 
+* RealWear device, updated to Firmware 11.2 or later
+
+Additionally, you need the enrollment QR code that's provided by your organization.  
+
+## Enroll device  
+Complete these steps to set up and enroll your device.  
+
+1. Turn on your new or factory-reset device.  
+2. If prompted to, connect to Wi-Fi. Then tap **NEXT**. 
+3. Scan the QR code provided by your organization. 
+4. Follow the onscreen prompts to enroll your device. 
+5. If prompted to, review the device terms and conditions. Then select **ACCEPT & CONTINUE**. 
+6. The Microsoft Intune app opens. The next step depends on the type of device you're using. Complete the step that matches the screen shown on your device: 
+
+   - Tap **START** to begin enrollment.  
+   - Sign in with your work account. 
+      1. Enter your email, and then tap **NEXT**. 
+      2. Enter your password, and then tap **SIGN IN** to begin enrollment.   
+7. When you see the message that your device is ready, tap **DONE**. 
+
+If after enrolling you have trouble accessing your organization's resources, go to the Microsoft Intune app to verify that all of your device settings meet your organization's requirements. For more information about checking compliance, see [Check compliance on your AOSP device](check-compliance-aosp.md). 

memdocs/intune/user-help/intune-app-logs-aosp.md

@@ -0,0 +1,44 @@
+---
+# required metadata
+
+title: Configure logging settings for AOSP - Microsoft Intune| Microsoft Docs
+description: Learn how to adjust app logging levels in the Microsoft Intune app. 
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.prod:
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+
+# Configure logging settings for AOSP
+
+Logging enables the Microsoft Intune app to record actions that take place in the app. If you ever experience a problem in the app, and then report it, your support team will review the app logs. Verbose logging, which is the highest level of logging, is most helpful in these cases because it provides the most details about what happened in the app. 
+
+The log detail level defaults to **Important** in the Microsoft Intune app. To adjust the level:  
+
+1. Open the Microsoft Intune app.  
+2. Tap **Settings**.  
+3. Under **Log level detail**, select **Verbose** to increase the level of details recorded. Select **Off** to turn off logging.  
+
+> [!NOTE]
+> The logs that you send to your support team will include your email address.  

memdocs/intune/user-help/sync-device-aosp.md

@@ -0,0 +1,53 @@
+---
+# required metadata
+
+title: Sync AOSP device with Intune 
+description: If you've been disconnected from Wi-Fi for an extended period of time, sync your device to get Intune policies and updates you may have missed. 
+keywords:
+author: lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/19/2022
+ms.topic: end-user-help
+ms.prod:
+ms.service: microsoft-intune
+ms.subservice: end-user
+ms.technology:
+ms.assetid: 
+searchScope:
+ - User help
+
+# optional metadata
+
+ROBOTS:  
+#audience:
+
+ms.reviewer: 
+ms.suite: ems
+#ms.tgt_pltfrm:
+ms.custom: intune-enduser
+ms.collection: 
+---
+
+
+# Sync AOSP device with Intune  
+
+ A manual sync forces your device to connect with Intune to get the latest updates, requirements, and communications from your organization. The Microsoft Intune app regularly syncs devices as long as you're connected to Wi-Fi. If you've been disconnected from Wi-Fi for an extended period of time, you can use the manual sync feature to get any policies and updates you missed.    
+ 
+Syncing can also help resolve work-related downloads or other processes that are in progress or stalled. If you're experiencing slow or unusual behavior while installing or using a work app, or if you're missing a work app that you know you're supposed to have, try syncing your device.   
+
+## Sync device  
+To force a sync:    
+
+1. Sign in to the Intune app. 
+2. Tap the menu. 
+3. Tap **Settings**.  
+4. Go to **Security policy sync** and tap **Sync**. 
+
+## Sync versus Refresh
+
+The Company Portal **Sync** feature is different from the **Refresh** feature. *Refresh* your device to check device compliance and verify that your settings meet your organization's requirements. For more information, see [Check device compliance for AOSP](check-compliance-aosp.md).   
+
+
+
+