Merge branch 'main' of https://github.com/microsoftdocs/memdocs-pr into 13209859-cp-intelligent-update-rollouts

Author: Brenduns

memdocs/autopilot/enrollment-autopilot.md

@@ -9,7 +9,7 @@ author: greg-lindsay
 ms.author: greglin
 ms.reviewer: jubaptis
 manager: dougeby
-ms.date: 03/16/2021
+ms.date: 02/09/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -80,8 +80,7 @@ For information about formatting and using a CSV file to manually add Windows Au
 ## Assign a user to a specific Autopilot device
 
 > [!NOTE]
-> This functionality has been removed as of September 30, 2021.
-> While the option to assign user to a device in Autopilot is still available in the GUI portal and PowerShell, it will be ignored by the device during provisioning.
+> Assigning a licensed user to a registered Autopilot device using Microsoft Endpoint Manager no longer pre-fills any user information as described below. Please see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452) for details on this change. This change does not impact user assigned policies and apps which are still deployed to the device when a licensed user is assigned. See [Windows Autopilot for pre-provisioned deployment](/mem/autopilot/pre-provision#preparation) for details on this.
 
 You can assign a licensed Intune user to a specific Autopilot device. This assignment:
 - Pre-fills a user from Azure Active Directory in the [company-branded](/azure/active-directory/fundamentals/customize-branding) sign-in page during Windows setup.

memdocs/autopilot/images/app-picker.png

@@ -28,6 +28,14 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
+### Reset button causes pre-provisioning to fail on retry
+
+When ESP fails during the pre-provisioning flow and the user selects the reset button, TPM attestation may fail during the retry. 
+
+### TPM attestation failure on Windows 11 error code 0x81039023
+
+Some devices may fail TPM attestation on Windows 11 during the pre-provisioning technician flow or self-deployment mode with the error code 0x81039023. There is no workaround currently for this error code, we are working to resolve this issue. 
+
 ### Duplicate device objects with hybrid Azure AD deployments 
 
 A device object is pre-created in Azure AD once a device is registered in Autopilot. If a device goes through a hybrid Azure AD deployment, by design, another device object is created resulting in duplicate entries. 
@@ -56,7 +64,7 @@ When [customizations are applied to the company branding settings](/azure/active
 
 ### TPM attestation is not working on Intel Tiger Lake platforms
 
-TPM attestation support for Intel firmware TPM Tiger Lake platforms are only supported on devices with Windows 10 version 21H2 or higher.
+TPM attestation support for Intel firmware TPM Tiger Lake platforms are only supported on devices with Windows 10 version 21H2 or higher. This issue should be resolved by applying the November 2021 LCU. 
 
 ### Blocking apps specified in a user-targeted Enrollment Status Profile are ignored during device ESP
 

memdocs/autopilot/known-issues.md

@@ -13,7 +13,7 @@ author: greg-lindsay
 ms.author: greglin
 ms.reviewer: jubaptis
 manager: dougeby
-ms.date: 12/17/2020
+ms.date: 02/09/2022
 ms.collection: M365-modern-desktop
 ms.topic: troubleshooting
 ---
@@ -32,6 +32,9 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy
 - How Windows Autopilot [device profiles](#profile-download) are downloaded
 - [Key activities](#key-troubleshooting-activities) to perform during troubleshooting
 
+## Windows Autopilot diagnostics page
+On Windows 11, you can open the Autopilot diagnostic page to view additional detailed troubleshooting information about the Autopilot provisioning process. The diagnostics page can be enabled by going to the ESP profile and selecting **Yes** to **Turn on log collection and diagnostics page for end users**. Once it is enabled you can select the **View Diagnostics button** or the keyboard shortcut Ctrl+Shift+D to access any diagnostic information. The diagnostics page is currently supported for commercial OOBE, and Autopilot user-driven mode.
+
 ## Windows Autopilot flow
 
 Whether you're performing user-driven or self-deploying device deployments, the troubleshooting process is about the same. It's useful to understand the flow for a specific device:

memdocs/autopilot/troubleshooting.md

@@ -13,7 +13,7 @@ author: greg-lindsay
 ms.author: greglin
 manager: dougeby
 ms.reviewer: jubaptis
-ms.date: 10/20/2021
+ms.date: 02/09/2022
 ms.collection:
   - M365-modern-desktop
   - highpri
@@ -28,6 +28,17 @@ ms.topic: article
 - Windows 10
 - Windows Holographic, version 2004
 
+## Enrollment Status Page
+
+With the 2022 Intune release, functionality has been added to the [Enrollment Status Page](enrollment-status.md) UI. The application picker for selecting blocking apps has additional improvements for admins:
+- A search box has been added for easier selection of apps
+- Fixes issue where store apps could not be differentiated between Online and Offline modes
+- A new column has been added for **Version** to see which version of the application is selected
+
+See the following example:
+
+![Application picker](images/app-picker.png)
+
 ## Autopilot agility rolling out
 
 Autopilot agility is a new feature that allows updates and bug fixes to the OOBE experience. These updates occur before device enrollment, after the AADJ login page and may result in an additional reboot and authentication prompt to the user. This feature is rolling out to Windows 10 1909 and 2004/20H2 with August cumulative update and is not yet available for Windows 11.

memdocs/autopilot/windows-autopilot-whats-new.md

@@ -75,7 +75,6 @@ Windows Autopilot enables you to:
 
 - Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). For more information about the differences between these two join options, see [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
 - Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription for configuration*](/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal)).
-- Restrict the Administrator account creation.
 - Create and auto-assign devices to configuration groups based on a device's profile.
 - Customize OOBE content specific to the organization.
 

memdocs/autopilot/windows-autopilot.md

@@ -404,6 +404,7 @@ Use Endpoint Security in Microsoft Endpoint Manager to configure encryption with
 - Check out our blog series on BitLocker at [Enabling BitLocker with Microsoft Endpoint Manager](https://techcommunity.microsoft.com/t5/intune-customer-success/enabling-bitlocker-with-microsoft-endpoint-manager-microsoft/ba-p/2149784).
 
 These settings can be enabled in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com)  by going to **Endpoint Security** > **Disk encryption** > **Create Policy** > **Windows and later** > **Profile** = **BitLocker**.
+Configuring the BitLocker settings specified below will result in silenty enabling 128 bit encryption for standard users, which is one of the most common scenarios. However your organisation might have different security requirements, so consult the [BitLocker documentation](./intune/protect/encrypt-devices.md) for additional settings.
 
 **BitLocker – Base Settings**:
 
@@ -432,9 +433,9 @@ These settings can be enabled in the [Microsoft Endpoint Manager admin center](h
 - BitLocker system drive policy: **Configure**
   - Startup authentication required: **Yes**
   - Compatible TPM startup: **Required**
-  - Compatible TPM startup PIN: **Not configured**
-  - Compatible TPM startup key: **Not configured**
-  - Compatible TPM startup key and PIN: **Not configured**
+  - Compatible TPM startup PIN: **Block**
+  - Compatible TPM startup key: **Block**
+  - Compatible TPM startup key and PIN: **Block**
   - Disable BitLocker on devices where TPM is incompatible: **Not configured**
   - Enable preboot recovery message and url: **Not configured**
 - System drive recovery: **Configure**

memdocs/cloud-native-windows-endpoints.md

@@ -5,7 +5,7 @@ description: Learn how to prepare your Windows internet-based devices for co-man
 author: mestew
 ms.author: mstewart
 manager: dougeby
-ms.date: 10/05/2021
+ms.date: 02/16/2022
 ms.topic: how-to
 ms.prod: configuration-manager
 ms.technology: configmgr-comanage
@@ -77,26 +77,26 @@ Decide which command-line properties you require for your environment:
 
 - The following command-line properties are required in all scenarios:
 
-  - **CCMHOSTNAME**
+  - `CCMHOSTNAME`
 
-  - **SMSSITECODE**
+  - `SMSSITECODE`
 
 - If a device uses Azure AD for client authentication and also has a PKI-based client authentication certificate, specify the following properties to use Azure AD:<!-- MEMDocs#1483 -->
 
-  - **AADCLIENTAPPID**
+  - `AADCLIENTAPPID`
 
-  - **AADRESOURCEURI**
+  - `AADRESOURCEURI`
 
-- If the client roams back to the intranet, use the **SMSMP** property.
+- If the client roams back to the intranet, use the `SMSMP` property.
 
-- If you use your own PKI certificate, and your CRL isn't published to the internet, use the **/NoCRLCheck** parameter. For more information, see [About client installation properties: /NoCRLCheck](../core/clients/deploy/about-client-installation-properties.md#nocrlcheck).
+- If you use your own PKI certificate, and your CRL isn't published to the internet, use the `/NoCRLCheck` parameter. For more information, see [About client installation properties: /NoCRLCheck](../core/clients/deploy/about-client-installation-properties.md#nocrlcheck).
 
   > [!IMPORTANT]
   > Microsoft recommends publishing the CRL. For more information, see [Planning for CRLs](../core/plan-design/security/plan-for-certificates.md#pki-certificate-revocation).<!-- memdocs#1942 -->
 
-- To bootstrap a task sequence immediately after client registration, use the **PROVISIONTS** property. For more information, see [About client installation properties: PROVISIONTS](../core/clients/deploy/about-client-installation-properties.md#provisionts).
+- To bootstrap a task sequence immediately after client registration, use the `PROVISIONTS` property. For more information, see [About client installation properties: PROVISIONTS](../core/clients/deploy/about-client-installation-properties.md#provisionts).
 
-The site publishes other Azure AD information to the cloud management gateway (CMG). An Azure AD-joined client gets this information from the CMG during the ccmsetup process, using the same tenant to which it's joined. This behavior further simplifies enrolling devices to co-management in an environment with more than one Azure AD tenant. The only two required ccmsetup properties are **CCMHOSTNAME** and **SMSSITECODE**.<!--3607731-->
+The site publishes other Azure AD information to the cloud management gateway (CMG). An Azure AD-joined client gets this information from the CMG during the ccmsetup process, using the same tenant to which it's joined. This behavior further simplifies enrolling devices to co-management in an environment with more than one Azure AD tenant. The only two required ccmsetup properties are `CCMHOSTNAME` and `SMSSITECODE`.<!--3607731-->
 
 > [!NOTE]
 > If you're already deploying the Configuration Manager client from Intune, update the Intune app with a new command line and new MSI.<!-- SCCMDocs-pr issue 3084 -->

memdocs/configmgr/comanage/how-to-prepare-Win10.md

@@ -14,7 +14,7 @@ metadata:
   author: mestew
   ms.author: mstewart
   manager: dougeby
-  ms.date: 09/23/2021
+  ms.date: 02/08/2022
   ms.localizationpriority: high
   ms.collection: highpri
 
@@ -27,6 +27,8 @@ landingContent:
         links:
           - text: What is co-management?
             url: overview.md
+          - text: Understand co-management (step-by-step)
+            url: /learn/modules/understand-co-management/         
           - text: Paths to co-management
             url: quickstart-paths.md