Merge branch 'main' into release-win365-2203

v-alje · v-alje · commit d9c2c43f514b · 2022-04-04T11:40:15.000-07:00
diff --git a/memdocs/analytics/app-reliability.md b/memdocs/analytics/app-reliability.md
@@ -2,7 +2,7 @@
 title: Application reliability in endpoint analytics
 description: Get details about application reliability in endpoint analytics
 titleSuffix: Microsoft Endpoint Manager
-ms.date: 03/01/2021
+ms.date: 03/31/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-analytics
 ms.topic: conceptual
@@ -89,6 +89,8 @@ Selecting a device name opens the **Application reliability** tab for that devic
 
 ## Known issues
 
+[!INCLUDE [Endpoint analytics export to csv value mapping known issue](includes/known-issue-csv-mapping.md)]
+
 ### Some eligible, enrolled devices aren't appearing in the report due to a client certificate issue
 
 **Scenario**: In certain uncommon situations, devices may be missing from the **Application reliability** report. You can determine how many devices are reporting application reliability data by looking at the number of records in the table on the **Device performance** tab of the **Application reliability** report.
diff --git a/memdocs/analytics/includes/known-issue-csv-mapping.md b/memdocs/analytics/includes/known-issue-csv-mapping.md
@@ -0,0 +1,47 @@
+---
+author: mestew
+ms.author: mstewart
+ms.prod: configuration-manager
+ms.technology: configmgr-comanage
+ms.topic: include
+ms.date: 03/31/2022
+ms.localizationpriority: high
+---
+<!--Don't apply H2 in this include file since they are context driven by article. Used in startup-performance.md, work-from-anywhere.md, app-reliability.md, and scores.md files -->
+### Exported csv files display numerical values
+
+When reporting data is exported to a `.csv` file, the exported data doesn't use the friendly names you're used to seeing in the online reports. Use the information below to map the data in the exported file into the meaning of the value: 
+
+**Application reliability report** </br>
+
+- The `TotalAppUsageDuration` and `MeanTimeToFailure` columns in the `.csv` file are integer values with a unit of **minutes**
+- A `MeanTimeToFailure` value of 2147483647 means `No crash events`
+
+**Per device score report** </br>
+
+- A value of `-1` or `-2` in the `EndpointAnalyticsScore`, `StartupPerformanceScore`, and `AppReliabilityScore` columns means the associated score is unavailable
+- Health status: </br>
+
+   |HealthStatus `.csv` value| Report value|
+   |---|---|
+   |0|Unknown|
+   |1|Insufficient data|
+   |2|Needs attention|
+   |3|Meeting goals|
+
+**Startup performance report** </br> 
+
+The `CoreBootTime`, `GPBootTime`, `CoreLogonTime`, `GPLogonTime`, `DesktopUsableTime`, `Median`, and `TimePerProcess` columns are integer values with a unit of **seconds**.
+
+**Work from anywhere report** </br>
+- Column name in `.csv` file: UpgradeEligibility </br>
+Report column name: Windows 11 readiness status </br>
+
+   |`.csv` value| Report value|
+   |---|---|
+   |0|Upgraded|
+   |1|Unknown|
+   |2|Not capable|
+   |3|Capable|
+
+- Column name in `.csv` file: GraphDeviceIsManaged </br> Report column name: Azure AD registered
diff --git a/memdocs/analytics/scores.md b/memdocs/analytics/scores.md
@@ -2,7 +2,7 @@
 title: Scores, baselines, and insights in Endpoint Analytics
 titleSuffix: Microsoft Endpoint Manager
 description: Learn about scores, baselines, and insights in Endpoint Analytics
-ms.date: 03/22/2022
+ms.date: 03/31/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-analytics
 ms.topic: conceptual
@@ -80,6 +80,10 @@ Use the **Add filter** option on tables to display items that match your criteri
 > - The **Disk type** filter doesn't support the value **Unknown**<!--12829141-->. 
 > - Filtering on **Startup performance score** from **Overview** > **Device Scores** returns devices with a score of "--". <!--12829158-->
 
+## Known issues
+
+[!INCLUDE [Endpoint analytics export to csv value mapping known issue](includes/known-issue-csv-mapping.md)]
+
 ## Next steps
 
 - Use [Proactive remediations](proactive-remediations.md) to gather more data and take action on devices
diff --git a/memdocs/analytics/startup-performance.md b/memdocs/analytics/startup-performance.md
@@ -2,7 +2,7 @@
 title: Startup performance in Endpoint Analytics
 titleSuffix: Microsoft Endpoint Manager
 description: Get details about device startup performance in Endpoint Analytics
-ms.date: 11/15/2021
+ms.date: 03/31/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-analytics
 ms.topic: conceptual
@@ -47,7 +47,7 @@ The **Startup performance** page also provides a prioritized list of **Insights
 
 Startup performance provides an insight on the number of devices on which the boot drive is a hard disk. Hard disk drives typically result in boot times three to four times longer than solid-state drives. We also report the expected improvement to start up performance you would gain by moving to solid-state drives.
 
-Click though to see the list of devices that have hard disk drives. The recommended action is to upgrade these devices to solid-state drives.
+Click through to see the list of devices that have hard disk drives. The recommended action is to upgrade these devices to solid-state drives.
 
 ### <a name="bkmk_gp"></a> Group Policy
 
@@ -74,6 +74,10 @@ The **Startup performance** page has reporting tabs that provide support for the
    - **Median delay**: The median delay time of the process for the counted devices.
    - **Total delay**: The sum of the delays for all of the counted devices.
 
+## Known issues
+
+[!INCLUDE [Endpoint analytics export to csv value mapping known issue](includes/known-issue-csv-mapping.md)]
+
 ## Next steps
 
 - Use the [Work from anywhere report](work-from-anywhere.md).
diff --git a/memdocs/analytics/work-from-anywhere.md b/memdocs/analytics/work-from-anywhere.md
@@ -2,7 +2,7 @@
 title: Work from anywhere report in Endpoint analytics
 titleSuffix: Microsoft Endpoint Manager
 description: The Work from anywhere report in Endpoint analytics provides insights to help your end users be productive from anywhere.
-ms.date: 02/23/2022
+ms.date: 03/31/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-analytics
 ms.topic: conceptual
@@ -93,6 +93,9 @@ In the **Windows** tab, a device-by-device view of Windows 11 hardware readiness
 
 The built-in baseline of **All organizations (median)** doesn't currently have metrics for the subscore metrics listed in the sections above.
 
+## Known issues
+
+[!INCLUDE [Endpoint analytics export to csv value mapping known issue](includes/known-issue-csv-mapping.md)]
 ## Next steps
 
 - View [Startup performance](startup-performance.md)
diff --git a/memdocs/intune/configuration/device-firmware-configuration-interface-windows.md b/memdocs/intune/configuration/device-firmware-configuration-interface-windows.md
@@ -7,7 +7,7 @@ keywords:
 author: MandiOhlinger
 ms.author: mandia
 manager: dougeby
-ms.date: 01/18/2022
+ms.date: 04/04/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: configuration
@@ -123,7 +123,10 @@ This profile includes the DFCI settings you configure.
     - **Boot from external media (USB, SD)**: Your options:
         - **Not configured**: Intune doesn't change or update this setting.
         - **Enabled**: UEFI (BIOS) allows booting from non-hard drive storage.
-        - **Disabled**: UEFI (BIOS) doesn't allow booting from non-hard drive storage.
+        - **Disabled**: UEFI (BIOS) doesn't allow booting from non-hard drive storage, which also disables booting from network adapters. 
+
+          When set to **Disabled**, don't set the **Boot from network adapters** setting to **Enabled**. It causes the **Boot from external media (USB, SD)** setting or **Boot from network adapters** setting to become not compliant.
+
     - **Boot from network adapters**: Your options:
         - **Not configured**: Intune doesn't change or update this setting.
         - **Enabled**: UEFI (BIOS) allows booting from built-in network interfaces.
diff --git a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md
@@ -43,10 +43,9 @@ DEM user accounts and devices that are enrolled with a DEM user account have the
 - Wipe can't be done from the Company Portal. Wiping a device enrolled by a DEM user account can be done from the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 - Only the local device appears in the Company Portal app or website.
 - DEM user accounts cannot use Apple Volume Purchase Program (VPP) apps with Apple VPP user licenses because of per-user Apple ID requirements for app management.
-- For all platforms, DEM accounts do not support conditional access because conditional access is intended for per-user scenarios. 
-- DEM accounts cannot be used when enrolling devices via Apple's Automated Device Enrollment (ADE).
+- Microsoft Intune does not support the use of DEM accounts when enrolling devices via Apple Automated Device Enrollment (ADE).  
+- DEM accounts cannot support conditional access because conditional access is intended for per-user scenarios. 
 - Devices can install VPP apps if they have Apple VPP device licenses.
-- On Windows 10 1709 and older, conditional access isn't available for Windows devices enrolled using bulk enrollment.
 - Every device enrolled with DEM accounts needs to be properly licensed to be managed by Intune. The license could be an Intune user license or an Intune device license.
 - If you're [enrolling Android Enterprise personally-owned devices with work profile](android-work-profile-enroll.md) using a DEM account, there is a limit of 10 devices that can be enrolled per account.
 - [Enrolling Android Enterprise fully managed devices](android-fully-managed-enroll.md) with DEM accounts isn't supported.
@@ -63,6 +62,7 @@ You can use the following methods to enroll devices using DEM accounts:
 - [Windows Autopilot](../../autopilot/enrollment-autopilot.md)
 - [Windows devices bulk enrollment](windows-bulk-enroll.md)
 - [DEM initiated via Company Portal](../user-help/use-managed-devices-to-get-work-done.md)
+- [DEM initiated via Azure AD join](/mem/intune/enrollment/device-enrollment-manager-enroll)
 
 ## Add a device enrollment manager
 
diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md
@@ -234,16 +234,7 @@ Now that you've installed your token, you can create an enrollment profile for A
         - Won’t be evaluated for device compliance.
         - Will be redirected to the Company Portal from other apps if the user tries to open any managed applications that are protected by conditional access.
 
-7. If you selected **Company Portal** for your authentication method, you can use a VPP token to automatically install Company Portal on the device. In this case, the user doesn't have to provide an Apple ID. To install Company Portal by using a VPP token, select a token in **Install Company Portal with VPP**. You need to have already added Company Portal to the VPP token. To ensure that Company Portal continues to be updated after enrollment, make sure that you've configured an app deployment in Intune (In Endpoint Manager select **Apps** > **All apps** > **Add**).
 
-   To ensure that user interaction isn't required, you'll probably want to make Company Portal an iOS/iPadOS VPP app, make it a required app, and use device licensing for the assignment. Make sure that the token doesn't expire and that you have enough device licenses for Company Portal. If the token expires or runs out of licenses, Intune installs the App Store Company Portal instead and prompts for an Apple ID.
-
-    > [!NOTE]
-    > If you set the authentication method to **Company Portal**, make sure that the device enrollment process is completed within the first 24 hours of the Company Portal download to the ADE device. Otherwise enrollment might fail, and a factory reset will be needed to enroll the device.
-
-    :::image type="content" source="./media/device-enrollment-program-enroll-ios/install-cp-with-vpp.png" alt-text="Screenshot that shows the options for installing the Company Portal app with VPP.":::
-
-   For more information about connecting Intune to Apple Volume Purchase Program (VPP), see [Manage Apple volume-purchased apps](../apps/vpp-apps-ios.md). After you've connected to VPP, you can add the Company Portal app to your Apple Business Manager/Apple School Manager inventory so it can be assigned through Intune.
 8. If you selected **Setup Assistant (legacy)** for the authentication method but you also want to use Conditional Access or deploy company apps on the devices, you need to install Company Portal on the devices and sign in to complete the Azure AD registration. To do so, select **Yes** for **Install Company Portal**. If you want users to receive Company Portal without having to authenticate in to the App Store, in **Install Company Portal with VPP**, select a VPP token. Make sure the token doesn't expire and that you have enough device licenses for the Company Portal app to deploy correctly.
 
 9. If you select a token for **Install Company Portal with VPP**, you can lock the device in Single App Mode (specifically, the Company Portal app) right after the Setup Assistant completes. Select **Yes** for **Run Company Portal in Single App Mode until authentication** to set this option. To use the device, the user must first authenticate by signing in with Company Portal.
diff --git a/memdocs/intune/enrollment/device-limit-intune-azure.md b/memdocs/intune/enrollment/device-limit-intune-azure.md
@@ -58,25 +58,24 @@ Azure device limit restrictions set the maximum number of devices that either Az
 
 If you have both Intune and Azure device limit restrictions set, the following table shows you what is applied based on your user affinity setting.
 
-| Device platform | User affinity | Azure applies | Intune applies |
-| ----- | ----- | ----- | ----- | ----- |
-| Android Enterprise personally-owned work profile | Yes | Yes | Yes|
-| Android Enterprise dedicated device | No | No | No |
-| Android Enterprise fully managed | Yes | Yes | Yes |
-| Android Enterprise corporate-owned work profile | Yes | Yes | Yes |
-| Android device administrator | Yes | Yes | Yes |
+| Device platform | User affinity | Azure applies | Intune applies |  
+| ----- | ----- | ----- | ----- |
+| Android Enterprise personally-owned work profile | Yes | Yes | Yes|  
+| Android Enterprise dedicated device | No | No | No |  
+| Android Enterprise fully managed | Yes | Yes | Yes |  
+| Android Enterprise corporate-owned work profile | Yes | Yes | Yes |  
+| Android device administrator | Yes | Yes | Yes |  
 | Android device administrator DEM | No | | No | 
-| iOS/macOS BYOD | Yes | Yes | Yes |
-| iOS/macOS Automated Device Enrollment (ADE) | Yes | Yes | Yes |
-| iOS/macOS ADE | No | Yes | No |
-| Windows BYOD | Yes | Yes | Yes |
-| Windows MD-only | | Yes | Yes |
-| Windows Azure AD joined| Yes | Yes | No |
-| Windows Autopilot | Yes | Yes | No |
-| Windows hybrid Azure AD joined | No | No | Yes |
-| Windows co-management | No | Yes | No |
-| Windows DEM | No | Yes | No |
-| Windows bulk enrollment | No | Yes | No |
+| iOS/macOS BYOD | Yes | Yes | Yes |  
+| iOS/macOS Automated Device Enrollment (ADE) | Yes | Yes | Yes |  
+| Windows BYOD | Yes | Yes | Yes |  
+| Windows MD-only | | Yes | Yes |  
+| Windows Azure AD joined| Yes | Yes | No |  
+| Windows Autopilot | Yes | Yes | No |  
+| Windows hybrid Azure AD joined | No | No | Yes |  
+| Windows co-management | No | Yes | No |  
+| Windows DEM | No | Yes | No |  
+| Windows bulk enrollment | No | Yes | No |  
 
 
 ## Android and iOS devices
@@ -130,4 +129,4 @@ For the device limit restriction in Azure, the **Maximum number of devices per u
 
 - [Create a device limit restriction in Azure.](/azure/active-directory/devices/device-management-azure-portal#configure-device-settings)
 - [Configure device settings in Azure.](enrollment-restrictions-set.md#create-a-device-limit-restriction)
-- [Learn more about registration and domain joined.](/azure/active-directory/devices/overview#getting-devices-in-azure-ad)
+- [Learn more about registration and domain joined.](/azure/active-directory/devices/overview#getting-devices-in-azure-ad)
diff --git a/memdocs/intune/enrollment/ios-user-enrollment.md b/memdocs/intune/enrollment/ios-user-enrollment.md
@@ -54,6 +54,9 @@ For more information about the options available with User Enrollment, see [User
 
 ## Create a User Enrollment profile in Intune
 
+> [!NOTE]
+> An iOS User Enrollment profile overrides an enrollment restriction policy.
+
 An enrollment profile defines the settings applied to a group of devices during enrollment. 
 
 1. Federate your Azure AD instance with Apple Business Manager or Apple School Manager. For more information, see [Intro to federated authentication with Apple Business Manager](https://support.apple.com/en-euro/guide/apple-business-manager/welcome/web).
diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md
@@ -73,7 +73,7 @@ To require MFA when a device is enrolled, follow these steps:
 8. Choose **Done**.
 9. In the **Assignments** section, for **Conditions** you don't need to configure any settings for MFA.
 10. In the **Access controls** section, choose **Grant**.
-11. In **Grant**, choose **Grant access**, and then select **Require multi-factor authentication**. Don't select **Require device to be marked as compliant** because a device can't be evaluated for compliance until it's enrolled. Then choose **Select**.
+11. In **Grant**, choose **Grant access**, and then select **Require multi-factor authentication** and **Require device to be marked as compliant**. Then choose **Select**.
 12. In **New policy**, choose **Enable policy** > **On**, and then choose **Create**.
 
 > [!NOTE]
diff --git a/memdocs/intune/protect/network-access-control-integrate.md b/memdocs/intune/protect/network-access-control-integrate.md
@@ -36,6 +36,8 @@ Intune integrates with network access control (NAC) partners to help organizatio
 > A new NAC service was released in July 2021 and many of our NAC partners are transitioning to this new service. Currently, the following NAC partner product supports the new NAC service:
 > 
 > - Cisco ISE 3.1 and later
+> - Citrix Gateway 13.0-84.11 and later
+> - Citrix Gateway 13.1-12.50 and later
 >
 > Contact your NAC partner if you have questions on the impact of this transition. For more information, see our [blog post on the new compliance retrieval service](https://aka.ms/new-compliance-retrieval-api/).
 
diff --git a/memdocs/intune/user-help/enroll-your-device-in-intune-ios.md b/memdocs/intune/user-help/enroll-your-device-in-intune-ios.md
@@ -63,7 +63,7 @@ To learn more about enrollment, see [What happens when I install the Company Por
 
 ## Prerequisites    
 
-* Device running iOS 11.0 and later.   
+* Device running iOS 13.0 and later.   
 * Install Company Portal app [from App Store](https://go.microsoft.com/fwlink/?linkid=2141414).
 * Maintain a Wi-Fi connection until all steps are complete.
 * Have access to Safari web browser on your device.
diff --git a/memdocs/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md b/memdocs/intune/user-help/what-info-can-your-company-see-when-you-enroll-your-device-in-intune.md
@@ -44,7 +44,7 @@ Your organization cannot see your personal information when you enroll a device
 - Passwords
 - Pictures, including what's in the photos app or camera roll
 - Files
-- Additionally, for corporate-owned devices with a work profile:  
+- Additionally, for corporate-owned Android devices with a work profile:
   - Apps and data in your personal profile
   - Phone number 
 
@@ -53,7 +53,7 @@ Your organization cannot see your personal information when you enroll a device
 - Device model, like Google Pixel
 - Device manufacturer, like Microsoft
 - Operating system and version, like iOS 12.0.1
-- App inventory and app names, like Microsoft Word. On personal devices, your organization can only see your managed app inventory. For corporate-owned fully managed and dedicated devices, your organization can see all of your app inventory. For corporate-owned devices with a work profile, your organization can only see the app inventory in your work profile.
+- App inventory and app names, like Microsoft Word. On personal devices, your organization can only see your managed app inventory. For corporate devices, your organization can see all of your app inventory. For corporate-owned Android devices with a work profile, your organization can only see the app inventory in your work profile.
 - Device owner
 - Device name
 - Device serial number
