Merge branch 'main' of https://github.com/MicrosoftDocs/memdocs-pr into in2205-model-14439211

Author: mestew

.openpublishing.redirection.json

@@ -1,5 +1,44 @@
 {
     "redirections": [
+        {
+            "source_path": "memdocs/intune/fundamentals/end-user-company-portal-messages.md",
+            "redirect_url": "/mem/intune/user-help/sign-in-to-the-company-portal",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/user-help/your-device-is-noncompliant-cant-evaluate.md",
+            "redirect_url": "/mem/intune/user-help/",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/user-help/you-need-to-update-your-company-portal-app-windows.md",
+            "redirect_url": "/mem/intune/user-help/install-a-new-version-of-the-company-portal-app",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/user-help/what-happens-if-you-install-the-Company-Portal-app-and-enroll-your-device-in-intune-ios.md",
+            "redirect_url": "/mem/intune/user-help/use-managed-devices-to-get-work-done",
+        }, 
+        {
+            "source_path": "memdocs/intune/user-help/how-to-set-the-period-before-your-android-device-is-locked.md",
+            "redirect_url": "/mem/intune/user-help/set-the-amount-of-time-before-your-device-is-locked-android",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/user-help/how-to-reconnect-a-compromised-android-device.md",
+            "redirect_url": "/mem/intune/user-help/your-device-is-rooted-and-you-cant-connect-android",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/user-help/how-to-encrypt-your-windows-device.md",
+            "redirect_url": "https://support.microsoft.com/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838",
+            "redirect_document_id": false
+        }, 
+        {
+            "source_path": "memdocs/intune/fundamentals/end-user-mam-apps-android.md",
+            "redirect_url": "/mem/intune/user-help/use-managed-apps-on-your-device-android",
+            "redirect_document_id": true
+        }, 
         {
             "source_path": "memdocs/intune/configuration/vpn-settings-windows-phone-8-1.md",
             "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",

memdocs/analytics/proactive-remediations.md

@@ -2,7 +2,7 @@
 title: Tutorial - Proactive remediations
 titleSuffix: Microsoft Endpoint Manager
 description: A tutorial on using Proactive remediations to enhance the user
-ms.date: 03/07/2022
+ms.date: 07/05/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-analytics
 ms.topic: tutorial
@@ -120,9 +120,24 @@ Proactive remediation scripts need to be encoded in UTF-8. Uploading these scrip
 
    For information about enforcing script signature checks, see [Script requirements](#bkmk_requirements).
 1. Click **Next** then assign any **Scope tags** you need.
-1. In the **Assignments** step, select the device groups to which you want to deploy the script package. When you're ready to deploy the packages to your users or devices, you can also use filters. For more information, see [Create filters in Microsoft Intune](../intune/fundamentals/filters.md).     
+1. In the **Assignments** step, select the device groups to which you want to deploy the script package. When you're ready to deploy the packages to your users or devices, you can also use filters. For more information, see [Create filters in Microsoft Intune](../intune/fundamentals/filters.md).
 1. Complete the **Review + Create** step for your deployment.
 
+## <a name="bkmk_prs_policy"></a> Client policy retrieval and client reporting
+
+The client retrieves policy for proactive remediations scripts at the following times:
+
+- After a restart of the device or Intune management extension service
+- After a user signs into the client
+- Once every 8 hours
+   - The 8 hour script retrieval schedule is fixed based on when the Intune management extension service starts. The schedule isn't altered by user sign ins.
+
+The client reports proactive remediation information at the following times:
+
+- When a script is set to run once, the results are reported after the script runs.
+- Recurring scripts follow a 7 day reporting cycle:
+  - Within the first 6 days, the client reports only if a change occurs. The first time the script runs would be considered a change.
+  - Every 7 days the client sends a report even if there wasn't a change.
 
 ## <a name="bkmk_prs_monitor"></a> Monitor your script packages
 

memdocs/analytics/startup-performance.md

@@ -29,7 +29,7 @@ For devices enrolled via Intune, Startup performance insights are only available
 For devices that do not meet the above criteria, you are able to [enroll via Configuration Manager](enroll-configmgr.md).
 
 > [!Important]
-> Client devices require a restart to fully enable all analytics. <!--7698085-->
+> Client devices require a restart to fully enable all analytics. <!--7698085--> The retention period for device boot and sign-in events is 29 days. If a device has not uploaded a boot or sign-in event in the past 29 days, it will not appear in the Startup performance report.
 ## <a name="bkmk_score"></a> Startup score
 
 [!INCLUDE [Endpoint analytics startup score](includes/startup-score.md)]
@@ -55,7 +55,7 @@ Startup performance provides an insight on the number of devices that have delay
 
 If you click through to a particular device, you can see its boot and sign-in history. The history helps you determine if the issue is a regression and when it might have occurred.
 
-While there are many articles on how to optimize Group Policies performance, you may choose to migrate to cloud-management instead. Migrating to cloud-management allows you to use [Intune security baselines](../intune/protect/security-baselines.md) and the soon-to-be-released Policy Analytics tool.
+While there are many articles on how to optimize Group Policies performance, you may choose to migrate to cloud-management instead. Migrating to cloud-management allows you to use [Intune security baselines](../intune/protect/security-baselines.md) and [Group Policy analytics](../intune/configuration/group-policy-analytics.md).
 
 ### <a name="bkmk_sb"></a> Slow boot and sign-in times
 

memdocs/analytics/troubleshoot.md

@@ -81,7 +81,7 @@ For Intune or co-managed devices configured with the Intune data collection poli
 
 For Configuration Manager-managed devices:
 1. Ensure all devices you want to see performance data are [enrolled](enroll-configmgr.md#bkmk_cm_enroll).
-1. Check if the data upload from Configuration Manager to the Gateway Service was successful by looking at the error messages on the **UXAnalyticsUploadWorker.log** file on the site server.
+1. Check if the data upload from Configuration Manager to the Gateway Service was successful by looking at the error messages on the **UXAnalyticsUploadWorker.log** file on the site system hosting Service Connection Point role.
 1. Check if an admin has custom overrides for client settings.  In the Configuration Manager console, go to the **Devices** workspace, find the target devices, and in the **Client settings** group, select the **Resultant client settings**. If endpoint analytics is disabled, there's an overriding client setting. Find the overriding client settings and enable endpoint analytics on it.  
 1. Check if missing client devices are sending data to the site server by reviewing the **SensorEndpoint.log** file located in `C:\Windows\CCM\Logs\` on client devices. Look for *Message sent* messages.
 1. Check and resolve any errors occurring during processing of the boot events by reviewing the **SensorManagedProvider.log** file located in `C:\Windows\CCM\Logs\` on client devices.

memdocs/autopilot/add-devices.md

@@ -43,6 +43,9 @@ This article provides step-by-step guidance for manual registration. For more in
 
 Device enrollment requires *Intune Administrator* or *Policy and Profile Manager* permissions. You can also create a custom Autopilot device manager role by using [role-based access control](../intune/fundamentals/role-based-access-control.md). Autopilot device management requires only that you enable all permissions under **Enrollment programs**, except for the four token management options.
 
+> [!NOTE]
+> In both Intune Administrator and role-based access control methods, the administrative user also requires consent to use the Microsoft Intune PowerShell enterprise application. 
+
 ## Collect the hardware hash
 
 The following methods are available to harvest a hardware hash from existing devices:

memdocs/autopilot/bitlocker.md

@@ -1,54 +1,73 @@
 ---
 title: Setting the BitLocker encryption algorithm for Autopilot devices
 description: Microsoft Intune provides a comprehensive set of configuration options to manage BitLocker on Windows devices. 
-keywords: Autopilot, BitLocker, encryption, 256-bit, Windows 10
 ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
 ms.localizationpriority: medium
-audience: itpro
 author: aczechowski
 ms.author: aaroncz
 ms.reviewer: jubaptis
 manager: dougeby
-ms.date: 12/16/2020
+ms.date: 06/15/2022
 ms.collection: M365-modern-desktop
 ms.topic: how-to
 ---
 
-
 # Setting the BitLocker encryption algorithm for Autopilot devices
 
 **Applies to**
 
 - Windows 11
 - Windows 10
 
-With Windows Autopilot, you can configure BitLocker encryption settings to get applied before automatic encryption starts. This configuration makes sure the default encryption algorithm isn't applied automatically. Other BitLocker policies can also be applied before automatic BitLocker encryption begins.
+BitLocker [automatically encrypts](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption) internal drives during the out of box experience (OOBE) for devices that support [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or meet the [Hardware Security Testability Specification (HSTI)](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). By default, BitLocker uses XTS-AES 128-bit used space only for automatic encryption.
+
+With Windows Autopilot, you can configure BitLocker encryption settings to apply before automatic encryption starts. This configuration makes sure the default encryption algorithm or type isn't applied automatically. A device that receives these settings after encrypting automatically will need to be decrypted before changing the encryption algorithm.
+
+## Encryption algorithm
+
+The BitLocker encryption algorithm is used when BitLocker is first enabled. During Autopilot, BitLocker will be enabled after the device setup portion of the [enrollment status page](enrollment-status.md). The following encryption algorithms are available:
 
-The BitLocker encryption algorithm is used when BitLocker is first enabled. The algorithm sets the strength  for full volume encryption. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
+- AES-CBC 128-bit
+- AES-CBC 256-bit
+- XTS-AES 128-bit (default)
+- XTS-AES 256-bit
+
+For more information about the recommended encryption algorithms to use, see [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
 
 To make sure the BitLocker encryption algorithm you want is set before automatic encryption occurs for Autopilot devices:
 
-1. Configure the [encryption method settings](../intune/protect/endpoint-protection-windows-10.md#windows-encryption) in the Windows Endpoint Protection profile to the encryption algorithm you want.
+1. Configure the [encryption method settings](../intune/protect/encrypt-devices.md#create-an-endpoint-security-policy-for-bitlocker) in the Endpoint Security disk encryption policy. The settings are available under **Endpoint Security** > **Disk encryption** > **Create policy** > **Platform** = Windows 10 and later, **Profile type** = BitLocker.
+
 2. [Assign the policy](../intune/configuration/device-profile-assign.md) to your Autopilot device group. The encryption policy must be assigned to **devices** in the group, not users.
-3. Enable the Autopilot [Enrollment Status Page](enrollment-status.md) (ESP) for these devices. If the ESP isn't enabled, the policy won't apply before encryption starts.
 
-An example of Microsoft Intune Windows Encryption settings is shown below.
+3. Enable the Autopilot [enrollment status page](enrollment-status.md) for these devices. If you don't enable this feature, the policy won't apply before encryption starts.
+
+The following image is an example of the Endpoint Security disk encryption settings.
 
-![BitLocker encryption settings.](images/bitlocker-encryption.png)
+:::image type="content" source="media/bitlocker/endpoint-security-disk-encryption-policy.png" alt-text="Screenshot example of the Endpoint Security disk encryption settings.":::
 
-A device that is encrypted automatically will need to be decrypted before changing the encryption algorithm.
+## Full disk or used space-only encryption
 
-The settings are available under **Device Configuration** > **Profiles** > **Create profile** > **Platform** = Windows 10 and later, Profile type = Endpoint protection > **Configure** > **Windows Encryption** > **BitLocker base settings**, Configure encryption methods = Enable.
+There are two types of encryption, full disk or used space-only. The type of encryption is automatically determined by configuration of [silent enablement](../intune/protect/encrypt-devices.md#silently-enable-bitlocker-on-devices) and hardware support for modern standby. You can enforce it by configuring the [SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp) setting. Like the encryption algorithm, the encryption type is used when BitLocker is first enabled. For more information on the expected encryption type behavior, see [Manage BitLocker policy](../intune/protect/encrypt-devices.md#full-disk-vs-used-space-only-encryption).
 
-It's also recommended to set **Windows Encryption** > **Windows Settings** > **Encrypt** = Require.
+To enforce the type of drive encryption used:
+
+1. Configure the **Enforce drive encryption type on operating system drives** setting within the [settings catalog](../intune/configuration/settings-catalog.md). This setting is available in the **Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives** category from the settings picker.
+
+2. [Assign the policy](../intune/configuration/device-profile-assign.md) to your Autopilot device group. The encryption policy must be assigned to **devices** in the group, not users.
+
+3. Enable the Autopilot [enrollment status page](enrollment-status.md) for these devices. If you don't enable this feature, the policy won't apply before encryption starts.
+
+The following image is an example of the settings catalog profile.
+
+:::image type="content" source="media/bitlocker/settings-catalog-drive-type.png" alt-text="Screenshot example of the BitLocker drive type configuration in the settings catalog.":::
 
 ## Requirements
 
-Windows 10, version 1809 or later.
+A supported version of Windows 11 or Windows 10.
 
 ## Next steps
 
 [BitLocker overview](/windows/security/information-protection/bitlocker/bitlocker-overview)
+
+[Manage BitLocker policy for Windows devices with Intune](../intune/protect/encrypt-devices.md)

memdocs/autopilot/index.yml

@@ -123,4 +123,4 @@ landingContent:
       - text: Windows Autopilot and Surface devices
         url: /surface/windows-autopilot-and-surface-devices
       - text: Windows Autopilot for HoloLens 2
-        url:  https://docs.microsoft.com/hololens/hololens2-autopilot
+        url: /hololens/hololens2-autopilot

memdocs/autopilot/known-issues.md

@@ -28,7 +28,11 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
-### `DefaultuserX` profile not deleted
+### Autopilot profile not being applied when assigned 
+
+In Windows 10 April (KB5011831) release, there is an issue where the Autopilot profile may fail to apply to the device. As a result, any settings made in the profile may not be configured for the user such as device renaming. To resolve this issue, the May (KB5015020) cumulative update needs to be applied to the device.
+
+### DefaultuserX profile not deleted
 
 When you use the [EnableWebSignIn CSP](/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin), the `defaultuserX` profile may not be deleted. This CSP isn't currently supported. It's in preview mode only and not recommended for production purposes at this time.