Merge branch 'main' into release-win365-2209

Author: v-alje

memdocs/intune/fundamentals/multi-admin-approval.md

@@ -29,6 +29,9 @@ ms.collection:
 
 # Use Access policies to require multiple administrative approvals
 
+> [!NOTE]  
+> This feature is delayed and is not yet available. We'll remove this note when this feature begins to roll out to tenants.
+
 *This feature is in Public Preview*
 
 To help protect against a compromised administrative account, use Intune *access policies* to require that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA).

memdocs/intune/fundamentals/whats-new.md

@@ -141,7 +141,7 @@ Applies to:
 #### Device Firmware Configuration Interface (DFCI) now supports Acer devices<!-- 15240661 -->
 For Windows 10/11 devices, you can create a DFCI profile to manage UEFI (BIOS) settings (**Devices** > **Configuration profiles** > **Create profile** > **Windows 10 and later** for platform > **Templates** > **Device Firmware Configuration Interface** for profile type).
 
-New Acer devices running Windows 10/11 will be enabled for DFCI starting Fall 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices.
+New Acer devices running Windows 10/11 will be enabled for DFCI in later 2022. So, admins can create DFCI profiles to manage the BIOS and then deploy the profiles to these Acer devices.
 
 Contact your device vendor or device manufacturer to ensure you get eligible devices.
 
@@ -236,7 +236,10 @@ For more information about protected apps, see [Microsoft Intune protected apps]
 
 ### Tenant administration
 
-#### Access policies for Multiple Administrator Approval in public preview<!--9348867 -->
+#### Access policies for Multiple Administrator Approval in public preview<!--9348867 -->  
+> [!NOTE]  
+> This feature is delayed and is not yet available. We'll remove this note when this feature begins to roll out to tenants.
+
 In public preview, you can use Intune *access policies* to require that a second Administrator Approval account be used to approve a change before the change is applied.  This capability is known as multiple Administrator Approval (MAA).
 
 You create an access policy to protect a type of resource, like App deployments. Each access policy also includes a group of users who are *approvers* for the changes protected by the policy. When a resource like an app deployment configuration is protected by an access policy, any changes that are made to the deployment, including creating, deleting or modifying an existing deployment won't apply until a member of the approvers group for that access policy reviews and approves that change.

memdocs/intune/includes/intune-notices.md

@@ -9,7 +9,35 @@ ms.author: erikje
 ms.custom: include file
 ---
 
-These notices provide important information that can help you prepare for future Intune changes and features.  
+These notices provide important information that can help you prepare for future Intune changes and features.
+
+### Plan for Change: Ending support for Company Portal authentication method for iOS/iPadOS ADE enrollment
+
+As we continue to invest in Setup Assistant with modern authentication, which is the Apple supported path to require enrollment during Setup Assistant with optional multi-factor authentication, we plan to remove the Company Portal authentication method from new and existing iOS/iPadOS ADE enrollment profiles in Q1 2023. This will include removing the Run Company Portal in Single App Mode until authentication setting.
+
+### How does this affect you or your users?
+
+In November, new enrollments (new devices that are targeted with an existing enrollment profile or devices re-enrolling) that are targeted with an existing enrollment profile with the Company Portal authentication method, will not be able to enroll.
+
+This will not impact existing enrolled devices unless the device is re-enrolled after this change. The device will not be able to re-enroll until the authentication method is switched in the enrollment profile to Setup Assistant with modern authentication.
+
+New iOS/iPadOS enrollment profiles will not have the option to select Company Portal as the authentication method.
+
+If you have not already, you will need to move to use Setup Assistant with modern authentication. Within the Microsoft Endpoint Manager admin center, you will want to either create a new ADE enrollment profile, or edit your existing enrollment profile to use the “Setup assistant with modern authentication.”
+
+**User experience:** The Setup Assistant with modern authentication enrollment flow does change the enrollment screen order where authentication will occur prior to accessing the home screen. If you have user guides that share screenshots, you will want to update those so the guides match the experience of Setup Assistant with modern authentication.
+
+### How can you prepare?
+
+To enroll new devices (or re-enroll) after this change, you will either need to update existing profiles to move to Setup Assistant with modern authentication or create a new enrollment profile with this method.
+
+For related information, see:
+
+- [Move to Setup Assistant with Modern Authentication for Automated Device Enrollment](https://techcommunity.microsoft.com/t5/intune-customer-success/move-to-setup-assistant-with-modern-authentication-for-automated/ba-p/2556536)
+- [Setup Assistant with Modern Auth for ADE (iOS/iPadOS 13+ and macOS 10.15+)](https://aka.ms/MEM-ADEModernAuth-Blog)
+- [Using filters with Setup Assistant with modern auth for ADE for corporate iOS/iPadOS/macOS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/using-filters-with-setup-assistant-with-modern-auth-for-ade-for/ba-p/2670379)
+- [Enroll iOS/iPadOS devices by using ADE](../enrollment/device-enrollment-program-enroll-ios.md#create-an-apple-enrollment-profile)
+- [Upcoming changes to iOS/iPadOS Company Portal app deployment for Setup Assistant with modern auth](https://aka.ms/ADE-CP-auto-deploy)
 
 ### Plan for Change: Ending support for Windows Information Protection
 
@@ -31,7 +59,7 @@ Microsoft strongly recommends that you move to a supported version of Windows 10
 
 ### How does this affect you or your users?
 
-If you are managing Windows 8.1 devices those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and polices, however, you will not be able to enroll new devices if they are running Windows 8.1.
+If you are managing Windows 8.1 devices those devices should be upgraded to a supported version of Windows 10 or Windows 11. There is no impact to existing devices and policies, however, you will not be able to enroll new devices if they are running Windows 8.1.
 
 ### How can you prepare?
 
@@ -52,7 +80,7 @@ If you're impacted by this change, see MC393815 in the Message center.
 
 Download, install, and configure the latest certificate connector. For more information see, [Install the Certificate Connector for Microsoft Intune](../protect/certificate-connector-install.md).
 
-To check which version of the certificate connector you are using follow these steps:
+To check which version of the certificate connector you are using, follow these steps:
 
 1. On a Windows Server running the Intune Certificate Connector, launch "Add or Remove programs".
 2. A list of installed programs and applications will be displayed.

memdocs/intune/protect/microsoft-tunnel-conditional-access.md

@@ -39,14 +39,14 @@ Before you can configure Conditional Access policies for the tunnel, you must en
 
 2. Download the PowerShell script named **mst-ca-provisioning.ps1** from aka.ms/mst-ca-provisioning.
 
-3. Using credentials that have the Azure Role permissions [equivalent to **Application Administrator**](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator-permissions), run the script from any location in your environment, to provision your tenant.
+3. Using credentials that have the Azure Role permissions [equivalent to **Global Administrator**](/azure/active-directory/roles/permissions-reference#global-administrator), run the script from any location in your environment, to provision your tenant.
 
-   The script modifies your tenant by creating a service principle with the following details:
+   The script modifies your tenant by creating a service principal with the following details:
 
    - App ID: 3678c9e9-9681-447a-974d-d19f668fcd88
    - Name: Microsoft Tunnel Gateway
 
-   The addition of this service principle is required so you can select the tunnel cloud app while configuring Conditional Access policies. It's also possible to use Graph to add the service principle information to your tenant.
+   The addition of this service principal is required so you can select the tunnel cloud app while configuring Conditional Access policies. It's also possible to use Graph to add the service principal information to your tenant.
 
 4. After the script completes, you can use your normal process to create Conditional Access policies.
 

windows-365/enterprise/create-provisioning-policy.md

@@ -58,7 +58,7 @@ A few things to keep in mind:
 6. Select **Next**.
 7. On the **Configuration** page, under **Windows settings**, choose a **Language & Region**. The selected language pack will be installed on Cloud PCs provisioned with this policy.
 8. Optionally, under **Additional services**, choose a service to be installed on Cloud PCs provisioned with this policy:
-    - **Windows Autopatch (preview)** is a cloud service that automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams on both physical and virtual devices. For more information, see [What is What is Windows Autopatch?](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) and the [Windows Autopatch FAQ](https://go.microsoft.com/fwlink/?linkid=2200228).
+    - **Windows Autopatch** is a cloud service that automates updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams on both physical and virtual devices. For more information, see [What is What is Windows Autopatch?](/windows/deployment/windows-autopatch/overview/windows-autopatch-overview) and the [Windows Autopatch FAQ](https://go.microsoft.com/fwlink/?linkid=2200228).
     - **Microsoft Managed Desktop** is a cloud service that helps with device deployment, service management and operations, and security. For more information, see [What is Microsoft Managed Desktop?](/managed-desktop/intro/)
 9. Select **Next**.
 10. On the **Assignments** page, choose **Select groups** > choose the groups you want this policy assigned to > **Select** > **Next**. Nested groups aren't currently supported.

windows-365/enterprise/customer-permissions.md

@@ -39,21 +39,24 @@ Windows 365 uses the Azure role-based access control (RBAC) permissions required
 
 ## Create Azure network connections
 
-You create ANCs to define the connection between your network and the Windows 365 system so that Cloud PCs can be successfully provisioned. When you create an ANC, the Windows 365 service requires the following permissions:
+You create ANCs to define the connection between your network and the Windows 365 system so that Cloud PCs can be successfully provisioned. When you create an ANC, the Windows 365 [service principal](/azure/active-directory/fundamentals/service-accounts-introduction-azure.md#service-principals) requires the following permissions:
 
 - **Reader permission on the Azure subscription**: This permission is used to simplify the flow when adding a custom image.
 - **Network contributor on the specified resource group**: This permission is used to create network interface cards in the selected resource group.
 - **Network contributor on the virtual network**: This permission is used to attach the created network interface cards to the selected virtual network. 
 
-When you create an ANC, you must be signed in with an account that is an Owner of the subscription.
+When you create an ANC, you must be signed in with an account that is an Owner of the subscription. 
+
+> [!TIP]
+> When you use [Microsoft hosted network option](architecture.md#virtual-network-connectivity) with a gallery image, you do not need to grant the Windows 365 service principal these permissions.
 
 For more information, see [Create Azure network connection](create-azure-network-connection.md).
 
 ## Add a custom image
 
 If you’ve already created an ANC for the image's associated Azure subscription, no new permissions are needed.
 
-When you use a subscription without an ANC, the Windows 365 service requires the following permission to upload a custom image:
+When you use Windows 365 with a Microsoft hosted network and a custom image, the Windows 365 service principal requires the following permission to upload a custom image:
 
 - Reader of the subscription
 

windows-365/enterprise/resize-cloud-pc.md

@@ -49,6 +49,7 @@ To resize a Cloud PC, the admin must have any of the following built in Azure Ac
 
 - Global Admin
 - Intune Service Admin
+- Intune Reader + Cloud PC Admin roles
 
 Alternatively, you can assign a custom role that includes the permissions of the built-in roles above.
 
@@ -58,6 +59,8 @@ The **Resize** remote action is supported for paid, preview, and trial licenses.
 
 Resizing isn’t supported for Cloud PCs provisioned through group-based licenses.
 
+Resizing is only supported for Gen 2 Cloud PCs. If you try resizing a Gen 1 Cloud PC, the resize will no start and you will be notified that this happened due to the user having a Gen 1 Cloud PC. Reprovision the Gen 1 Cloud PC to convert it to a Gen 2 Cloud PC
+
 ## Resize a Cloud PC
 
 1. Contact your end users and have them save their work and sign out. Resizing automatically disconnects the user from their session and any unsaved work might be lost. Therefore, it's best to coordinate any resizing with the user before you begin.