Commit e229c48

Merge pull request #6231 from MicrosoftDocs/main
11/29/2021 AM Publish
2 parents 65b89dc + e1960df commit e229c48

8 files changed

Lines changed: 61 additions & 10 deletions

memdocs/intune/fundamentals/create-custom-role.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,7 @@ The following permissions are available when creating custom roles.
7272
| Mobile apps/Update | Manage mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also manage books purchased through the Apple Volume Purchase Program or add eBook categories. You can manage iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection. |
7373
| Mobile apps/Delete | Delete mobile applications such as store apps, line-of-business apps, web-links or built-in apps. You can also delete books purchased through the Apple Volume Purchase Program or delete eBook categories. You can delete iOS VPP Tokens, Windows Symantec certificates, Windows side loading keys, app categories, or the Android for Work connection. |
7474
| Mobile apps/Assign | Assign mobile applications or eBooks to Azure AD security groups. |
75+
| Mobile apps/Relate | Create relationships with other managed apps using Dependencies and Supersedence features. Without this permission, IT admins are not able to add App dependency or supercedence relationships when creating or editing Win32 apps. |
7576
| Terms and conditions/Create | Create new terms and conditions. |
7677
| Terms and conditions/Read | View terms and conditions. |
7778
| Terms and conditions/Update | Manage existing terms and conditions but not assignments. |
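Review bot: In the added Mobile apps/Relate row, "supercedence" in the second sentence does not match "Supersedence" in the first; spell it "supersedence" in both places so the feature name is consistent and searchable. The same sentence capitalizes "App dependency" mid-sentence, which should be lowercase to match the rest of the table.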

memdocs/intune/protect/antivirus-microsoft-defender-settings-windows-tenant-attach.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ search.appverid: MET150
2424
#ms.tgt_pltfrm:
2525
ms.custom: intune-azure
2626
ms.collection: M365-identity-device-management
27-
ms.reviewer: mattsha
27+
ms.reviewer: mattcall
2828

2929
---
3030

@@ -118,7 +118,7 @@ For each setting in this group, you can expand the setting, select **Add**, and
118118
Configure Defender to allow or disallow Intrusion Prevention functionality.
119119

120120
- **Not configured** (*default*) - The setting is restored to the system default.
121-
- **No** - Intrusion Prevention Systme is not allowed.
121+
- **No** - Intrusion Prevention System is not allowed.
122122
- **Yes** - Intrusion Prevention System is allowed.
123123

124124
- **Scan all downloaded files and attachments**

memdocs/intune/protect/certificate-connector-install.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: brenduns
88
ms.author: brenduns
99
manager: dougeby
10-
ms.date: 08/13/2021
10+
ms.date: 11/29/2021
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: protect
@@ -101,7 +101,7 @@ Use the following procedure to both configure a new connector and modify a previ
101101
- **SYSTEM**
102102
- **Domain user account** – Use any domain user account that is an administrator on the Windows Server.
103103

104-
4. On the *Proxy* page, add details for your proxy server if you require a proxy for internet access.
104+
4. On the *Proxy* page, add details for your proxy server if you require a proxy for internet access. For example, *http://proxy.contoso.com*.
105105

106106
5. On the *Prerequisites* page, the wizard runs several checks on the server before the configuration can begin. Review and resolve any errors or warnings before you continue.
107107

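Review bot: The example added to step 4, *http://proxy.contoso.com*, shows a scheme and a host but no port, and the sentence does not say which format the *Proxy* page expects. State the expected format next to the example (for instance, whether a port must be included) so admins do not have to guess when the connector fails to reach the internet.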
memdocs/intune/protect/certificates-scep-configure.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ To support SCEP, the following on-premises infrastructure must run on servers th
7070
- We recommend you don’t use NDES that's installed on the server that hosts the Enterprise CA. While use of NDES that's installed on an Enterprise CA is supported, this configuration represents a security risk when the CA services internet requests.
7171
- Internet Explorer Enhanced Security Configuration [must be disabled on the server that hosts NDES](/previous-versions/windows/it-pro/windows-server-2003/cc775800(v=ws.10)) and the Microsoft Intune Connector.
7272

73-
To learn more about NDES, see [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)) in the Windows Server documentation, and [Using a Policy Module with the Network Device Enrollment Service](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn473016(v=ws.11)).
73+
To learn more about NDES, see [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)) in the Windows Server documentation, and [Using a Policy Module with the Network Device Enrollment Service](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn473016(v=ws.11)). To learn how to configure high availability for NDES, see [High Availability](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert#high-availability).
7474

7575
#### Support for NDES on the internet
7676

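Review bot: The link text "High Availability" in the added sentence is generic, and its target (/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert#high-availability) is a Windows Hello for Business article rather than NDES guidance. Name the destination in the link text or sentence so readers know they are leaving the SCEP content, and confirm that the anchored section applies to an NDES server used with the Intune connector.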
memdocs/intune/protect/includes/security-config-mgt-prerequisites.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: include file
44
author: brenduns
55
ms.service: microsoft-intune
66
ms.author: brenduns
7-
ms.date: 11/22/2021
7+
ms.date: 11/29/2021
88
ms.topic: include
99
---
1010

@@ -109,7 +109,10 @@ To support Microsoft Defender for Endpoint security configuration management thr
109109

110110
Microsoft Defender for Endpoint supports several options to onboard devices. For current guidance, see [Onboarding tools and methods for Windows devices](/microsoft-365/security/defender-endpoint/security-config-management) in the Defender for Endpoint documentation.
111111

112-
Devices that you manage with Intune or Configuration Manager are not supported for this scenario.
112+
> [!IMPORTANT]
113+
> After a device onboards with Microsoft Defender for Endpoint, it must and be tagged with **MDE-Management** before it can enroll with Security Management for Microsoft Defender for Endpoint. For more information on device tagging in MDE, see Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tag).
114+
115+
Devices that you manage with Intune are not supported for this scenario.
113116

114117
## Create Azure AD Groups
115118

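Review bot: The added [!IMPORTANT] note has a broken link: "see Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tag)" is missing the opening "[", so it will render as raw text. The same sentence reads "it must and be tagged", which has a stray "and" or a dropped word. Separately, the rewritten line removes "or Configuration Manager" from the unsupported statement; check that this matches the "Co-existence with Microsoft Endpoint Configuration Manager" guidance in mde-security-integration.md.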
memdocs/intune/protect/mde-security-integration.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,7 @@ When you select a policy, you'll see information about the device check-in statu
6262
## Known limitations and considerations
6363

6464
### Co-existence with Microsoft Endpoint Configuration Manager
65+
6566
When using Configuration Manager, the best path for management of security policy is using the [Configuration Manager tenant attach](/mem/configmgr/tenant-attach/endpoint-security-get-started). In some environments it may be desired to use Security Management for Microsoft Defender. When using Security Management for Microsoft Defender with Configuration Manager, endpoint security policy should be isolated to a single control plane. Controlling policy through both channels will create the opportunity for conflicts and undesired results.
6667

6768
### Active Directory joined devices

memdocs/intune/remote-actions/remote-help.md

Lines changed: 44 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ keywords:
77
author: brenduns
88
ms.author: brenduns
99
manager: dougeby
10-
ms.date: 11/24/2021
10+
ms.date: 11/29/2021
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: remote-actions
@@ -70,7 +70,6 @@ The Remote help app supports the following capabilities:
7070
- Windows 10/11
7171
- Devices must install the *remote help* app. Device users can download the app directly from the Microsoft. See [Install and update remote help](#install-and-update-remote-help)
7272

73-
7473
> [!NOTE]
7574
> Remote help has the following limitations:
7675
>
@@ -126,8 +125,50 @@ When an update to remote help that is required, users are prompted to install th
126125
- Intune admins can download and deploy the app to enrolled devices. For more information about app deployments, see [Install apps on Windows devices](../apps/apps-windows-10-app-deploy.md#install-apps-on-windows-10-devices).
127126
- Individual users who have permissions to install apps on their devices can also download and install remote help.
128127

129-
**Download remote help**: Download the latest version of remote help direct from Microsoft at [aka.ms/downloadremotehelp](https://aka.ms/downloadremotehelp).
128+
### Download remote help
129+
130+
Download the latest version of remote help direct from Microsoft at [aka.ms/downloadremotehelp](https://aka.ms/downloadremotehelp).
131+
132+
The most recent version of remote help is **10.0.100110.16384**
133+
134+
### Deploy remote help as a Win32 app
135+
136+
To deploy remote help with Intune, you can add the app as a Windows win32 app, and define a detection rule to identify devices that don’t have the most current version of remote help installed. Before you can add remote help as a Win32 app, you must repackage *remotehelp.exe* as a *.intunewin* file, which is a Win32 app file you can deploy with Intune. For information on how to repackage a file as a Wind32 app, see [Prepare the Win32 app content for upload](../apps/apps-win32-prepare.md).
137+
138+
After you repackage remote help as a *.intunewinfile*, use the procedures in [Add a Win32 app](../apps/apps-win32-add.md ) with the following details to upload and deploy remote help. In the following, the repackaged remotehelp.exe file is named *remotehelp.intunewin*.
139+
140+
1. On the App information page, click **Select app package file**, and locate the *remotehelp.intunewin* file you’ve previously prepared, and then select **OK**.
141+
142+
Add a *Publisher* and then select **Next**. The additional details on the App Information page are optional.
143+
144+
2. On the Program page, configure the following options:
145+
146+
- For *Install command line*, specify **remotehelp.exe /install /quiet acceptTerms=Yes**
147+
- For *Uninstall command line*, specify **remotehelp.exe/ uninstall /quiet acceptTerms=Yes**
148+
149+
> [!IMPORTANT]
150+
> The command line option *acceptTerms* is always case sensitive.
151+
152+
You can leave the remainder of the options at their default values and select **Next** to continue.
153+
154+
3. On the Requirements page, configure the following options to meet your environment, and then select **Next**:
155+
156+
- *Operating system architecture*
157+
- *Minimum operating system*
158+
159+
4. On the Detection rules page, for *Rules format*, select **Manually configure detection rules**, and then select **Add** to open the *Detection rule* pane. Configure the following options:
160+
161+
- For *Rule type*, select **File**
162+
- For *Path*, specify **C:\Program Files\Remote Help**
163+
- For *File or folder*, specify **RemoteHelp.exe**
164+
- For *Detection method*, select **String (version)**
165+
- For *Operator*, select **Greater than or equal to**
166+
- For *Value*, specify the [version of remote help](#download-remote-help) your deploying. For example, **10.0.10011.16384**
167+
- Leave *Associated with a 32-bit app on 64-bit clients* set to **No**
168+
169+
5. Proceed to the Assignments page, and then select an applicable device group or groups that should install the remote help app.
130170

171+
6. Complete creation of the Windows app to have Intune deploy and install remote help on applicable devices.
131172

132173
## Configure remote help for your tenant
133174

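Review bot: The version strings disagree: the Download section states **10.0.100110.16384**, while the detection rule example in step 4 uses **10.0.10011.16384**. Because the rule compares with *Greater than or equal to*, a wrong value changes which devices are detected as current, so make the two match. The uninstall line "remotehelp.exe/ uninstall /quiet acceptTerms=Yes" has the space on the wrong side of the slash; it should follow the pattern of the install line ("remotehelp.exe /install ..."). Smaller fixes in the same hunk: "Wind32", "*.intunewinfile*" (should be "*.intunewin* file"), "your deploying", and the trailing space inside "(../apps/apps-win32-add.md )".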
windows-365/enterprise/device-management-overview.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,11 @@ If a user has multiple Windows 365 SKUs assigned to them, they’ll get multiple
8181
If the grace period was triggered in error, you have seven days to resolve the breaking change to get the Cloud PC switched back to **Provisioned**.
8282

8383
You can manually end the grace period by using the [End grace period](end-grace-period.md) option.
84+
- **Pending**: If there are not enough available licenses in your tenant to process the provisioning request, new Cloud PCs are marked as **Pending**.
85+
86+
Your Windows 365 tenant can only have as many active Cloud PCs as the license allocation allows. An active Cloud PC can either be in a **Provisioned** or **In grace period** state.
87+
88+
To begin provisioning on Pending Cloud PCs, free up some Windows 365 licenses or end grace period on Cloud PCs in the grace period state.
8489

8590
**User**: The user assigned to the Cloud PC.
8691

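Review bot: In the added Pending text, "end grace period" in the last sentence is plain text, while the unchanged line just above links the same action as [End grace period](end-grace-period.md); reuse that link so readers can reach the procedure. "Can either be in a **Provisioned** or **In grace period** state" also reads more cleanly as "can be in either the ... or the ... state".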