Merge pull request #8268 from MicrosoftDocs/main

Angela Fleischmann · web-flow · commit c51eaee07f6a · 2022-08-16T16:40:16.000-06:00
Publish 08/16/2022 3:30 PM PT
diff --git a/memdocs/autopilot/enrollment-autopilot.md b/memdocs/autopilot/enrollment-autopilot.md
@@ -52,13 +52,12 @@ ms.collection:
 
     - **Group type**: Select **Security**.
     - **Group name** and **Group description**: Enter a name and description for your group.
-    - **Azure AD roles can be assigned to the group**: **Yes** allows Azure AD roles to be assigned to the group you're creating. Once set, the group is permanently and always allowed to be assigned Azure AD roles. When set to **No**, Azure AD roles aren't assigned to this group.
+    - **Azure AD roles can be assigned to the group**: Select **No**, Azure AD roles aren't assigned to this group.
 
       For more information, see [Use cloud groups to manage role assignments in Azure AD](/azure/active-directory/roles/groups-concept).
 
-    - **Membership type**: Choose how devices become members of this group. Select **Assigned**, **Dynamic user**, or **Dynamic Device**. For more information, see [Add groups to organize users and devices](../intune/fundamentals/groups-add.md).
+    - **Membership type**: Choose how devices become members of this group. Select **Dynamic Device**. For more information, see [Add groups to organize users and devices](../intune/fundamentals/groups-add.md).
     - **Owners**: Select users that own the group. Owners can also delete this group.
-    - **Members**: Select Autopilot devices that belong to this group. Autopilot devices that aren't enrolled show the serial number for the device name.
     - **Dynamic device members**: Select **Add dynamic query** > **Add expression**.
 
       Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group. Creating an expression using non-autopilot attributes doesn't guarantee that devices included in the group are registered to Autopilot.
diff --git a/memdocs/autopilot/existing-devices.md b/memdocs/autopilot/existing-devices.md
@@ -85,7 +85,7 @@ If you want, you can set up an [enrollment status page](enrollment-status.md) (E
     Make sure the user account you specify has sufficient administrative rights.
 
     ```powershell
-    Connect-MSGraphApp
+    Connect-MSGraph
     ```
 
     Windows requests the user and password for your account with a standard Azure AD form. Type your username and password, and then select **Sign in**.
diff --git a/memdocs/autopilot/self-deploying.md b/memdocs/autopilot/self-deploying.md
@@ -71,7 +71,7 @@ Optionally, you can use a [device-only subscription](https://techcommunity.micro
 Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure AD tenant. Therefore, devices without TPM 2.0 can't be used with this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning in [Networking requirements](networking-requirements.md#tpm). For Windows Autopilot software requirements, see [Windows Autopilot software requirements](./software-requirements.md).
 
 > [!IMPORTANT]
-> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
+> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. 
 >
 > See [Windows Autopilot known issues](known-issues.md) and [Troubleshoot Autopilot device import and enrollment](troubleshoot-device-enrollment.md) to review other known errors and solutions.
 
diff --git a/memdocs/configmgr/desktop-analytics/whats-new.md b/memdocs/configmgr/desktop-analytics/whats-new.md
@@ -20,7 +20,7 @@ ms.localizationpriority: medium
 >
 > To align investments with this shift, **Desktop Analytics will be retired on November 30, 2022**. Over the next year, the types of insights currently found in Desktop Analytics will be incorporated directly into the Microsoft Endpoint Manager admin center.<!-- 10946169 -->
 >
-> For more information, see [A data-driven approach to managing devices in your organization](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-data-driven-approach-to-managing-devices-in-your-organization/ba-p/2932082).
+> For more information, see [Preview app and driver compatibility insights in Endpoint Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136).
 
 ## July 2021
 
diff --git a/memdocs/intune/apps/app-protection-framework.md b/memdocs/intune/apps/app-protection-framework.md
@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 06/10/2022
+ms.date: 08/15/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -129,9 +129,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
 | Simple PIN  | Allow  | iOS/iPadOS, Android  |   |
 | Select Minimum PIN length  | 4  | iOS/iPadOS, Android  |   |
 | Touch ID instead of PIN for access (iOS 8+/iPadOS)  | Allow  | iOS/iPadOS  |   |
-| Fingerprint instead of PIN for access (Android 9.0+)  | Allow  | Android  |   |
-| Override biometrics with PIN after timeout  | Require  | iOS/iPadOS  |   |
-| Override fingerprint with PIN after timeout  | Require  | Android  |   |
+| Override biometrics with PIN after timeout  | Require  | iOS/iPadOS, Android  |   |
 | Timeout (minutes of activity)  | 720  | iOS/iPadOS, Android  |   |
 | Face ID instead of PIN for access (iOS 11+/iPadOS)  | Allow  | iOS/iPadOS  |   |
 | Biometric instead of PIN for access  | Allow  | iOS/iPadOS, Android  |   |
@@ -215,6 +213,8 @@ The policy settings enforced in level 3 include all the policy settings recommen
 |       Select   Minimum PIN length  |          6  |          iOS/iPadOS,   Android  |
 |       PIN reset   after number of days  |          Yes  |          iOS/iPadOS,   Android  |
 |       Number of   days  |          365  |          iOS/iPadOS,   Android  |
+|       Class 3 Biometrics (Android 9.0+)​   |          Require  |          Android  |
+|       Override Biometrics with PIN after biometric updates   |          Require  |          Android  |
 
 #### Conditional launch
 
diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md
@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 06/10/2022
+ms.date: 08/15/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -120,10 +120,11 @@ For more information, see [Data transfer policy exceptions for apps](app-protect
 |<ol><br>**PIN type** |Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter **or** at least 1 special character. <br><br> Default value = **Numeric**<br><br> **Note:** Special characters allowed include the special characters and symbols on the Android English language keyboard. |
 |<ul><b> **Simple PIN** |Select **Allow** to allow users to use simple PIN sequences like *1234*, *1111*, *abcd* or *aaaa*. Select **Blocks** to prevent them from using simple sequences. Simple sequences are checked in 3 character sliding windows. If **Block** is configured, 1235 or 1112 would not be accepted as PIN set by the end user, but 1122 would be allowed. <br><br>Default value = **Allow** <br><br>**Note:** If Passcode type PIN is configured, and Simple PIN is set to Allow, the user needs at least one letter **or** at least one special character in their PIN. If Passcode type PIN is configured, and Simple PIN is set to Block, the user needs at least one number **and** one letter **and** at least one special character in their PIN. </li> |
 |<ul><b> **Select minimum PIN length** |Specify the minimum number of digits in a PIN sequence. <br><br>Default value = **4** |
-|<ul><b> **Fingerprint instead of PIN for access (Android 9.0+)** |Select **Allow** to allow the user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN for app access. <br><br>Default value = **Allow** <br><br>**Note:** This feature supports generic controls for biometric on Android devices. OEM-specific biometric settings, like Samsung Pass, *are not supported.* <br><br>On Android, you can let the user prove their identity by using [Android fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN. When the user tries to use this app with their work or school account, they are prompted to provide their fingerprint identity instead of entering a PIN. <br><br> Android personally owned work profile enrolled devices require registering a separate fingerprint for the **Fingerprint instead of PIN for access** policy to be enforced. This policy takes effect only for policy-managed apps installed in the Android personally owned work profile. The separate fingerprint must be registered with the device after the Android personally owned work profile is created by enrolling in the Company Portal. For more information about personally owned work profile fingerprints using Android personally owned work profiles, see [Lock your work profile](https://support.google.com/work/android/answer/7029958). |
-|<ul><b>**Override fingerprint with PIN after timeout** |To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require** |
-|<ul><b><ul><b> **Timeout (minutes of inactivity)** |Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30** |
-|<ul><b>**Biometrics instead of PIN for access** |Select **Allow** to allow the user to use Face Unlock to authenticate users on Android devices. If allowed, Face Unlock is used to access the app on Android 10 or higher devices.    |
+|<ul><b>**Biometrics instead of PIN for access** |Select **Allow** to allow the user to use biometrics to authenticate users on Android devices. If allowed, biometrics is used to access the app on Android 10 or higher devices.    |
+|<ul><b>**Override biometric with PIN after timeout** |To use this setting, select **Require** and then configure an inactivity timeout. <br><br>Default value = **Require** |
+|<ul><b><ul><b> **Timeout (minutes of inactivity)** |Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a biometric. This timeout value should be greater than the value specified under 'Recheck the access requirements after (minutes of inactivity)'.<br><br>Default value = **30** |
+|<ul><b> **Class 3 biometrics (Android 9.0+)** | Select **Require** to require the user to sign in with class 3 biometrics. For more information on class 3 biometrics, see [Biometrics](https://source.android.com/docs/security/biometric) in Google's documentation.  |
+|<ul><b> **Override biometrics with PIN after biometric updates​** | Select **Require** to override the use of biometrics with PIN when a change in biometrics is detected.<p><p>**NOTE:**<br>Depending on the Android device manufacturer, not all forms of biometrics may be supported for cryptographic operations. Currently, cryptographic operations are supported for any biometric (e.g., fingerprint, iris, or face) on the device that meets or exceeds the requirements for Class 3 biometrics, as defined in the Android documentation. See the `BIOMETRIC_STRONG` constant of the [BiometricManager.Authenticators](https://developer.android.com/reference/android/hardware/biometrics/BiometricManager.Authenticators#BIOMETRIC_STRONG) interface and the `authenticate` method of the [BiometricPrompt](https://developer.android.com/reference/android/hardware/biometrics/BiometricPrompt#authenticate(android.hardware.biometrics.BiometricPrompt.CryptoObject,%20android.os.CancellationSignal,%20java.util.concurrent.Executor,%20android.hardware.biometrics.BiometricPrompt.AuthenticationCallback)) class. You may need to contact your device manufacturer to understand the device-specific limitations.  |
 |<ul><b>**PIN reset after number of days** |Select **Yes** to require users to change their app PIN after a set period of time, in days.  <br><br>When set to *Yes*, you then configure the number of days before the PIN reset is required. <br><br> Default value = **No**  |
 |<ul><b><ul><b> **Number of days** |Configure the number of days before the PIN reset is required. <br><br> Default value = **90**  |
 |<ul><b>**Select number of previous PIN values to maintain** |This setting specifies the number of previous PINs that Intune will maintain. Any new PINs must be different from those that Intune is maintaining. <br><br> Default value = **0** |
diff --git a/memdocs/intune/developer/app-sdk-android.md b/memdocs/intune/developer/app-sdk-android.md
@@ -155,7 +155,10 @@ integration points relevant to your app.
 
 ### Gradle Build Plugin
 If your app does not build with gradle, skip to [Integrating with the
-Command Line Tool](#command-line-build-tool). 
+Command Line Tool](#command-line-build-tool).
+
+> [!NOTE]
+> Android Gradle Plugin 4.2 introduced a number of resources optimizations in order to reduce the size of the APK package. One of these optimizations is the obfuscation/shortening of filenames. For now, the workaround is to add android.enableResourceOptimizations=false in the app's gradle.properties. This will prevent the optimization from happening thus allowing the detection of the Intune SDK when uploading the app into the Portal.
 
 The App SDK plugin is distributed as part of the SDK as
 **GradlePlugin/com.microsoft.intune.mam.build.jar**. For Gradle to be
diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md
@@ -7,7 +7,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 08/03/2022
+ms.date: 08/15/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: fundamentals
@@ -59,6 +59,12 @@ You can use RSS to be notified when this page is updated. For more information,
 ### Role-based access control
 ### Scripts
 -->
+## Week of August 15, 2022
+
+### App management
+
+#### Android strong biometric change detection<!-- 9740832 -->
+The Android **Fingerprint instead of PIN for access** setting in Intune, which allows the end-user to use [fingerprint authentication](https://developer.android.com/about/versions/marshmallow/android-6.0.html#fingerprint-authentication) instead of a PIN, is being modified. This change will allow you to require end-users to set strong biometrics, as well as require end-users to confirm their app protection policy (APP) PIN if a change in strong biometrics is detected. You can find Android app protection polices in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Apps** > **App protection policies** > **Create policy** > **Android**. For more information, see [Android app protection policy settings in Microsoft Intune](../apps/app-protection-policy-settings-android.md#access-requirements).
 
 ## Week of August 1, 2022
 
diff --git a/memdocs/intune/protect/encrypt-devices.md b/memdocs/intune/protect/encrypt-devices.md
@@ -187,7 +187,7 @@ To change the disk encryption type between full disk encryption and used space o
 
 #### TPM startup PIN or key
 
-A device **must not require** use of a startup PIN or startup key.
+A device **must not be set to require** a startup PIN or startup key.
 
 When a TPM startup PIN or startup key is required on a device, BitLocker can't silently enable on the device and instead requires interaction from the end user. Settings to configure the TPM startup PIN or key are available in both the endpoint protection template and the BitLocker policy. By default, these policies do not configure these settings.
 
@@ -289,4 +289,4 @@ For information about BitLocker deployments and requirements, see the [BitLocker
 - [Monitor disk encryption](../protect/encryption-monitor.md)
 - [Troubleshooting BitLocker policy](/troubleshoot/mem/intune/troubleshoot-bitlocker-policies)
 - [Known issues for Enforcing BitLocker policies with Intune](/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues)
-- [BitLocker management for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises), in the Windows security documentation
+- [BitLocker management for enterprises](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises), in the Windows security documentation
diff --git a/memdocs/intune/protect/microsoft-tunnel-configure.md b/memdocs/intune/protect/microsoft-tunnel-configure.md
@@ -365,7 +365,9 @@ For more information about *mst-cli*, see [Reference for Microsoft Tunnel](../pr
 
 ## Uninstall the Microsoft Tunnel
 
-To uninstall the product, run **./mst-cli uninstall** from the Linux server as root.
+To uninstall the product, run **./mst-cli uninstall** from the Linux server as root. 
+
+After the product is uninstalled, delete the corresponding server record in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) under **Tenant administration** > **Microsoft Tunnel Gateway** > **Servers**.
 
 ## Next steps
 
diff --git a/memdocs/intune/protect/windows-10-feature-updates.md b/memdocs/intune/protect/windows-10-feature-updates.md
@@ -224,6 +224,9 @@ Selecting a profile from the list opens the profiles **Overview** pane where you
 - Select **Properties** to modify the deployment.  On the *Properties* pane, select **Edit** to open the *Deployment settings or Assignments*, where you can then modify the deployment.
 - Select **End user update status** to view information about the policy.
 
+> [!NOTE]
+> The End user update status Last Scanned Time value will return 'Not scanned yet' until an initial user logs on and Update Session Orchestrator (USO) scan is initiated. For more information on the Unified Update Platform (UUP) architecture and related components, see [Get started with Windows Update](/windows/deployment/update/windows-update-overview).
+
 ## Validation and reporting
 
 There are multiple options to get in-depth reporting for Windows 10/11 updates with Intune. Windows update reports show details about your Windows 10 and Windows 11 devices side by side in the same report.
diff --git a/windows-365/enterprise/media/report-remoting-connection/device-performance-tab.png b/windows-365/enterprise/media/report-remoting-connection/device-performance-tab.png
diff --git a/windows-365/enterprise/media/report-remoting-connection/model-performance-tab.png b/windows-365/enterprise/media/report-remoting-connection/model-performance-tab.png
diff --git a/windows-365/enterprise/media/report-remoting-connection/remoting-connection-report.png b/windows-365/enterprise/media/report-remoting-connection/remoting-connection-report.png
diff --git a/windows-365/enterprise/media/report-remoting-connection/remoting-connection-tab.png b/windows-365/enterprise/media/report-remoting-connection/remoting-connection-tab.png
diff --git a/windows-365/enterprise/report-resource-performance.md b/windows-365/enterprise/report-resource-performance.md
@@ -7,7 +7,7 @@ keywords:
 author: ErikjeMS  
 ms.author: erikje
 manager: dougeby
-ms.date: 08/30/2021
+ms.date: 08/16/2022
 ms.topic: overview
 ms.service: cloudpc
 ms.subservice:
@@ -53,8 +53,8 @@ To get to the **Resource performance** report, sign in to [Microsoft Endpoint Ma
 
 The **Resource performance score** is an overall performance rating (from 0 to 100) for all the Cloud PCs that you manage. This score is a weighted average of **CPU spike time score** and **RAM Spike time score**.
 
-- **CPU spike time score**:
-- **RAM Spike time score**:
+- **CPU spike time %**: The daily metric trends graph plots the ratio of CPU spike times to total usage time. This CPU spike % data is averaged over a 14-day period ending on the date at the bottom of the graph. Usage over 50% is considered a spike.
+- **RAM Spike time %**: The daily metric trends graph plots the ratio of RAM spike times to total usage time. This RAM spike % data is averaged over a 14-day period ending on the date at the bottom of the graph. Usage over 50% is considered a spike.
 
 **Baseline** helps you see if you're meeting goals. You can set the baseline to the organizational median or a custom value.
 
diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ Optionally, you can use a [device-only subscription](https://techcommunity.micro`
`71`	`71`	Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure AD tenant. Therefore, devices without TPM 2.0 can't be used with this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning in [Networking requirements](networking-requirements.md#tpm). For Windows Autopilot software requirements, see [Windows Autopilot software requirements](./software-requirements.md).
`72`	`72`
`73`	`73`	`> [!IMPORTANT]`
`74`		-> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
	`74`	`+> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.`
`75`	`75`	`>`
`76`	`76`	`> See [Windows Autopilot known issues](known-issues.md) and [Troubleshoot Autopilot device import and enrollment](troubleshoot-device-enrollment.md) to review other known errors and solutions.`
`77`	`77`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ ms.localizationpriority: medium`
`20`	`20`	`>`
`21`	`21`	`> To align investments with this shift, Desktop Analytics will be retired on November 30, 2022. Over the next year, the types of insights currently found in Desktop Analytics will be incorporated directly into the Microsoft Endpoint Manager admin center.<!-- 10946169 -->`
`22`	`22`	`>`
`23`		`-> For more information, see [A data-driven approach to managing devices in your organization](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-data-driven-approach-to-managing-devices-in-your-organization/ba-p/2932082).`
	`23`	`+> For more information, see [Preview app and driver compatibility insights in Endpoint Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136).`
`24`	`24`
`25`	`25`	`## July 2021`
`26`	`26`