Commit d1a745d

Merge branch 'MicrosoftDocs:main' into main
2 parents a76004e + 2ae62f8 commit d1a745d

157 files changed

Lines changed: 1110 additions & 525 deletions

memdocs/autopilot/enrollment-autopilot.md

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -52,13 +52,12 @@ ms.collection:
5252

5353
- **Group type**: Select **Security**.
5454
- **Group name** and **Group description**: Enter a name and description for your group.
55-
- **Azure AD roles can be assigned to the group**: **Yes** allows Azure AD roles to be assigned to the group you're creating. Once set, the group is permanently and always allowed to be assigned Azure AD roles. When set to **No**, Azure AD roles aren't assigned to this group.
55+
- **Azure AD roles can be assigned to the group**: Select **No**, Azure AD roles aren't assigned to this group.
5656

5757
For more information, see [Use cloud groups to manage role assignments in Azure AD](/azure/active-directory/roles/groups-concept).
5858

59-
- **Membership type**: Choose how devices become members of this group. Select **Assigned**, **Dynamic user**, or **Dynamic Device**. For more information, see [Add groups to organize users and devices](../intune/fundamentals/groups-add.md).
59+
- **Membership type**: Choose how devices become members of this group. Select **Dynamic Device**. For more information, see [Add groups to organize users and devices](../intune/fundamentals/groups-add.md).
6060
- **Owners**: Select users that own the group. Owners can also delete this group.
61-
- **Members**: Select Autopilot devices that belong to this group. Autopilot devices that aren't enrolled show the serial number for the device name.
6261
- **Dynamic device members**: Select **Add dynamic query** > **Add expression**.
6362

6463
Create rules using Autopilot device attributes. Autopilot devices that meet these rules are automatically added to the group. Creating an expression using non-autopilot attributes doesn't guarantee that devices included in the group are registered to Autopilot.
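
Review bot: The new line 55 joins an instruction and a statement with a comma ("Select **No**, Azure AD roles aren't assigned to this group") and drops the removed line's warning that choosing **Yes** is permanent. Suggest "Select **No**. Azure AD roles aren't assigned to this group." and keeping one sentence on why, since the link at line 57 is now the only pointer to that behaviour. At line 59, "Choose how devices become members of this group" still introduces a choice although only **Dynamic Device** is offered, so that lead sentence can go.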

memdocs/autopilot/existing-devices.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ If you want, you can set up an [enrollment status page](enrollment-status.md) (E
8585
Make sure the user account you specify has sufficient administrative rights.
8686
8787
```powershell
88-
Connect-MSGraphApp
88+
Connect-MSGraph
8989
```
9090
9191
Windows requests the user and password for your account with a standard Azure AD form. Type your username and password, and then select **Sign in**.
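
Review bot: Line 85 still says only that the account needs "sufficient administrative rights", and the corrected `Connect-MSGraph` call at line 88 signs in with that account's username and password (line 91). Name the minimum role or permission this procedure needs so readers don't default to a highly privileged account.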

memdocs/autopilot/networking-requirements.md

Lines changed: 2 additions & 2 deletions
@@ -13,7 +13,7 @@ author: aczechowski
1313
ms.author: aaroncz
1414
ms.reviewer: jubaptis
1515
manager: dougeby
16-
ms.date: 08/23/2021
16+
ms.date: 08/23/2022
1717
ms.collection:
1818
- M365-modern-desktop
1919
- highpri
@@ -132,7 +132,7 @@ Some of these services will also need to check certificate revocation lists (CRL
132132

133133
The device can be hybrid Azure AD joined. The computer should be on the internal network for hybrid Azure AD join to work. For more information, see [Windows Autopilot user-driven mode](user-driven.md#user-driven-mode-for-hybrid-azure-ad-join).
134134

135-
### <a name="tpm"></a> Autopilot self-Deploying mode and Autopilot pre-provisioning
135+
### <a name="tpm"></a> Autopilot self-deploying mode and Autopilot pre-provisioning
136136

137137
The TPM attestation process requires access to a set of HTTPS URLs, which are unique for each TPM provider. Ensure access to this URL pattern: `*.microsoftaik.azure.net`.
138138
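
Review bot: The heading at line 135 now reads "Autopilot self-deploying mode and Autopilot pre-provisioning", but self-deploying.md line 71 in this same commit still refers to "the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning". The `#tpm` anchor keeps the link working; update that sentence so the quoted entry name matches the heading.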

memdocs/autopilot/self-deploying.md

Lines changed: 1 addition & 1 deletion
@@ -71,7 +71,7 @@ Optionally, you can use a [device-only subscription](https://techcommunity.micro
7171
Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure AD tenant. Therefore, devices without TPM 2.0 can't be used with this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-Deploying mode and Autopilot pre-provisioning in [Networking requirements](networking-requirements.md#tpm). For Windows Autopilot software requirements, see [Windows Autopilot software requirements](./software-requirements.md).
7272

7373
> [!IMPORTANT]
74-
> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
74+
> If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10, version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10, version 1809.
7575
>
7676
> See [Windows Autopilot known issues](known-issues.md) and [Troubleshoot Autopilot device import and enrollment](troubleshoot-device-enrollment.md) to review other known errors and solutions.
7777
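
Review bot: Line 74 removes the sentence on Windows 10 Enterprise 2019 LTSC, yet the retained text still requires version 1903 or later, and the removed sentence itself says that LTSC release is based on version 1809. If LTSC 2019 is still unsupported, keep the explicit statement; if support changed, the 1903 requirement needs a matching edit. The kept text also still reads "does not have support TPM 2.0" and "an 0x800705B4", which could be fixed in the same pass ("does not support TPM 2.0", "a 0x800705B4").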

memdocs/autopilot/windows-autopilot-whats-new.md

Lines changed: 4 additions & 0 deletions
@@ -17,6 +17,10 @@ ms.topic: article
1717

1818
# Windows Autopilot: What's new
1919

20+
## Updates to Autopilot device targeting infrastructure
21+
22+
With Intune 2208 we are updating the Autopilot infrastructure to ensure that the profiles and applications assigned are consistently ready when the devices are deployed. This change reduces the amount of data that needs to be synchronized per-Autopilot device and leverages device lifecycle change events to reduce the amount of time that it takes to recover from device resets for Azure AD and Hybrid Azure AD joined devices. No action is needed to enable this change, it will be rolling out to all clients starting August 2022.
23+
2024
## Update Intune Connector for Active Directory for Hybrid Azure AD joined devices
2125
<!-- 2209 -->
2226
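
Review bot: The last sentence at line 22 is a comma splice ("No action is needed to enable this change, it will be rolling out to all clients starting August 2022"); split it into two sentences. The neighbouring section carries a `<!-- 2209 -->` marker at line 25 while this new section has none, so add the equivalent marker if that is the convention in this file.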

memdocs/configmgr/core/clients/manage/collections/collection-evaluation.md

Lines changed: 6 additions & 5 deletions
@@ -6,9 +6,9 @@ ms.date: 06/05/2020
66
ms.prod: configuration-manager
77
ms.technology: configmgr-client
88
ms.topic: conceptual
9-
author: aczechowski
10-
ms.author: aaroncz
11-
manager: dougeby
9+
author: gowdhamankarthikeyan
10+
ms.author: gokarthi
11+
manager: apoorvseth
1212
ms.localizationpriority: medium
1313
---
1414

@@ -30,12 +30,13 @@ At a high level, each individual collection evaluation and update follows these
3030

3131
1. Execute the collection query.
3232
1. Add any systems that are direct members.
33+
1. Add members specified in the *Include* collections.
3334
1. Perform a logical `AND` between the returned results and the limiting collection.
34-
1. Evaluate the *exclude* collections.
35+
1. Remove members specified in the *exclude* collections.
3536

3637
If the exclude collections also have query rules, or have include or exclude collections, evaluate them also. If these collections themselves are limiting collections, evaluate any collections below them. After fully evaluating the tree, return the results to the calling collection.
3738

38-
1. Compare the result set from evaluating the direct members and include collections with the results of evaluating the exclude collections.
39+
1. Compare the result set from evaluating the direct members and include collections with the results of the exclude collections.
3940
1. Write the changes to the database and perform updates.
4041
1. Trigger any dependent collections to update as well. Dependent collections are collections that the current collection limits, or that refer to the current collection using include or exclude rules.
4142
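
Review bot: Step 35 now says members of the exclude collections are removed, but step 39 still describes a comparison between the include results and "the results of the exclude collections", so the list describes exclusion twice in different terms. Reword step 39 or merge it into step 35 so the order of operations (query, direct members, include, `AND` with the limiting collection, exclude) reads unambiguously, since it decides which devices a collection ends up targeting. The new step 33 writes *Include* capitalised while step 35 keeps *exclude* in lower case; pick one.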


memdocs/configmgr/desktop-analytics/whats-new.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.localizationpriority: medium
2020
>
2121
> To align investments with this shift, **Desktop Analytics will be retired on November 30, 2022**. Over the next year, the types of insights currently found in Desktop Analytics will be incorporated directly into the Microsoft Endpoint Manager admin center.<!-- 10946169 -->
2222
>
23-
> For more information, see [A data-driven approach to managing devices in your organization](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-data-driven-approach-to-managing-devices-in-your-organization/ba-p/2932082).
23+
> For more information, see [Preview app and driver compatibility insights in Endpoint Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/preview-app-and-driver-compatibility-insights-in-endpoint/ba-p/3482136).
2424
2525
## July 2021
2626

memdocs/intune/apps/app-protection-framework.md

Lines changed: 4 additions & 4 deletions
@@ -8,7 +8,7 @@ keywords:
88
author: Erikre
99
ms.author: erikre
1010
manager: dougeby
11-
ms.date: 06/10/2022
11+
ms.date: 08/15/2022
1212
ms.topic: conceptual
1313
ms.service: microsoft-intune
1414
ms.subservice: apps
@@ -129,9 +129,7 @@ The policies in level 1 enforce a reasonable data access level while minimizing
129129
| Simple PIN | Allow | iOS/iPadOS, Android | |
130130
| Select Minimum PIN length | 4 | iOS/iPadOS, Android | |
131131
| Touch ID instead of PIN for access (iOS 8+/iPadOS) | Allow | iOS/iPadOS | |
132-
| Fingerprint instead of PIN for access (Android 9.0+) | Allow | Android | |
133-
| Override biometrics with PIN after timeout | Require | iOS/iPadOS | |
134-
| Override fingerprint with PIN after timeout | Require | Android | |
132+
| Override biometrics with PIN after timeout | Require | iOS/iPadOS, Android | |
135133
| Timeout (minutes of activity) | 720 | iOS/iPadOS, Android | |
136134
| Face ID instead of PIN for access (iOS 11+/iPadOS) | Allow | iOS/iPadOS | |
137135
| Biometric instead of PIN for access | Allow | iOS/iPadOS, Android | |
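
Review bot: After the Android fingerprint rows are folded into the generic biometric rows, the table still lists "Touch ID instead of PIN for access" (line 131) and "Face ID instead of PIN for access" (line 134) next to "Biometric instead of PIN for access" (line 135) for iOS/iPadOS. Either remove those two rows as well or note why iOS/iPadOS keeps per-sensor settings, so the level 1 table maps cleanly to the settings an admin sees.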
@@ -215,6 +213,8 @@ The policy settings enforced in level 3 include all the policy settings recommen
215213
| Select Minimum PIN length | 6 | iOS/iPadOS, Android |
216214
| PIN reset after number of days | Yes | iOS/iPadOS, Android |
217215
| Number of days | 365 | iOS/iPadOS, Android |
216+
| Class 3 Biometrics (Android 9.0+)​ | Require | Android |
217+
| Override Biometrics with PIN after biometric updates | Require | Android |
218218

219219
#### Conditional launch
220220
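
Review bot: The added row at line 217 capitalises "Biometrics" in "Override Biometrics with PIN after biometric updates", while the level 1 row uses "Override biometrics with PIN after timeout"; match the casing to the setting name. Also check the cell at line 216 for a stray non-printing character after "(Android 9.0+)" before the column separator.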
