Merge pull request #6754 from MicrosoftDocs/main

Publish 02/09/2022, 10:30 AM

Author: v-dihans

memdocs/configmgr/comanage/index.yml

@@ -14,7 +14,7 @@ metadata:
   author: mestew
   ms.author: mstewart
   manager: dougeby
-  ms.date: 09/23/2021
+  ms.date: 02/08/2022
   ms.localizationpriority: high
   ms.collection: highpri
 
@@ -27,6 +27,8 @@ landingContent:
         links:
           - text: What is co-management?
             url: overview.md
+          - text: Understand co-management (step-by-step)
+            url: /learn/modules/understand-co-management/         
           - text: Paths to co-management
             url: quickstart-paths.md
 

memdocs/configmgr/tenant-attach/index.yml

@@ -14,7 +14,7 @@ metadata:
   author: mestew
   ms.author: mstewart
   manager: dougeby
-  ms.date: 09/23/2021
+  ms.date: 02/08/2022
   ms.localizationpriority: high
   ms.collection: highpri
 
@@ -27,6 +27,8 @@ landingContent:
         links:
           - text: Enable tenant attach
             url: device-sync-actions.md
+          - text: Set up tenant attach (step-by-step)
+            url: /learn/modules/setup-tenant-attach-using-configuration-manager/
       - linkListType: reference
         links:
           - text: Troubleshoot tenant attach and device actions

memdocs/intune/enrollment/terms-and-conditions-create.md

@@ -8,7 +8,7 @@ keywords:
 author: Lenewsad
 ms.author: lanewsad
 manager: dougeby
-ms.date: 10/20/2018
+ms.date: 02/08/2022
 ms.topic: how-to
 ms.service: microsoft-intune
 ms.subservice: enrollment
@@ -33,80 +33,104 @@ ms.collection: M365-identity-device-management
 
 [!INCLUDE [azure_portal](../includes/azure_portal.md)]
 
-As an Intune admin, you can require that users accept your company's terms and conditions before using the Company Portal to:
-- enroll devices
-- access resources like company apps and email.
+Use an Intune terms and conditions policy to present relevant disclaimers for legal or compliance requirements to device users. A terms and conditions policy requires targeted users to accept your terms in Company Portal before they can enroll devices or access protected resources. 
 
-Configuration of terms and conditions is optional.
+This article describes how to get started with terms and conditions in Intune.  
 
-You can create multiple sets of terms and assign them to different groups, such as to support different languages.
+## Create terms and conditions
+Complete these steps to create an Intune terms and conditions policy. 
 
-There are two ways to create your company terms and conditions:
-- by using Intune as described in this article.
-- by using the [Azure Active Directory terms of use feature](/azure/active-directory/governance/active-directory-tou)
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant administration** > **Terms and conditions**.
+2. Select **Create**.
+3. On the **Basics** page, enter the following information:
 
-To learn which method is best for you, check out the [Choosing the right Terms solution for your organization blog post](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409). 
+   - **Name**: Give your policy a name so that you can recognize it in Intune later. Device users don't see this name.  
+   - **Description**: Optionally, describe the purpose or intended use for this specific set of terms.   
 
-## Create terms and conditions
-Complete these steps to create terms and conditions. The display name and description are for administrative use while terms properties are displayed to users in the Company Portal.
+4. Select **Next**.
+5. On the **Terms** page, enter the following information:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Terms and Conditions**.
-2. Choose **Create**.
-3. On the **Basics** page, specify the following information:
+   - **Title**: The display name for your terms. Users see the title in the Company Portal app.  
+   - **Terms and conditions**: The terms and conditions that users see and must either accept or reject.
+   - **Summary of Terms**: Enter a brief, high-level explanation of what the user is agreeing to. This text is visible to device users.   
+   
+      Example message: *By enrolling your device, you're agreeing to the terms of use set out by Contoso. Read the terms carefully before proceeding.*  
 
-   - **Name**: The name for the terms in the Azure portal. Users don't see this name.
-   - **Description**: Optional details that help you identify this set of terms in the Azure portal.
+5. Select **Next**.
 
-    ![Screenshot of the Azure portal showing the Basics page for terms and conditions](./media/terms-and-conditions-create/terms-basics-page.png)
+6. On the **Select scope tags**, select a scope tag from the list to add it to the terms and conditions, or select the default scope tag. Then select **Next**. 
 
-4. Choose **Next** to go to the **Terms** page and provide the following information:
+7. On the **Assignments** page, choose who you want to assign the terms to. Your options:
+    - **Add all users**: Choose this option to assign these terms and conditions to all device users.
+    - **Add groups**: Choose this option to assign these terms and conditions to users in select groups.  
 
-   - **Title**: The name for your terms that users see in the Company Portal above the **Summary**.
-   - **Terms and Conditions**: The terms and conditions that users see and must either accept or reject.
-   - **Summary of Terms**: Text that explains what it means when users accept the terms. For example, "By enrolling your device, you're agreeing to the terms of use set out by Contoso. Read the terms carefully before proceeding."
+8. Select **Next**.
+9. Review the summary of your new terms and conditions, and then select **Create**.  
 
-5. Choose **Next** to go to the **Scope tags** page.
+## How it looks to users   
+Targeted users can see the terms and conditions in the Intune Company Portal app. The following image shows what the title and summary of terms look like in the app. Intune formats the title with bold font to make it stand out, with the summary of terms positioned directly under it.  
 
-6. Choose **Select scope tags**, select the scope tags that you want to assign to these terms and conditions, and then choose **Select**. 
+> [!div class="mx-imgBorder"]
+> ![Example image of the drafted terms in the Intune and then what it looks like in Company Portal.](./media/terms-and-conditions-create/terms-summary-terms.png)
 
-7. Choose **Next** to go to the **Assignments** page and choose one of the following options for **Assign to**:
-    - **All users**: Choose this option to assign these terms and conditions to all users.
-    - **Select groups**: Choose this option to assign these terms and conditions to everyone in the groups that you identify by choosing **Select groups to include**.
+Device users tap **Read terms** to expand the terms and conditions to full-view. The following image shows what the terms and conditions look like when expanded. 
 
-8. Choose **Next** > **Create**.
+> [!div class="mx-imgBorder"]
+> ![Example image of the drafted terms and conditions message in Intune and then what it looks like in Company Portal.](./media/terms-and-conditions-create/terms-properties-terms.png)  
 
-## See how terms are displayed to your users
-The following example shows the **Title** and **Summary of Terms** in the admin console and Company Portal.
+## Monitor acceptance of terms 
+An acceptance report provides the details of an individual's agreement to your terms and conditions. Intune reports the following details:  
 
-![Screenshot of the Title and Summary of Terms in the admin console and Company Portal.](./media/terms-and-conditions-create/terms-summary-terms.png)
+* User name: The name of the user who accepted the terms.
+* Accepted version: The version that was accepted. 
+* Accepted time: The date and time of acceptance.
+* Accepted latest: Shows whether device user accepted the latest terms and conditions available. 
+* UPN: The user principal name assigned to the device user.
 
-The following example shows the terms and conditions in the admin console and the Company Portal.
+To view and export acceptance reports: 
 
-![Screenshot of terms and conditions in the admin console and Company Portal.](./media/terms-and-conditions-create/terms-properties-terms.png)
+1. Go to **Tenant administration** > **Terms and conditions**.
+2. Select your terms from the table. 
+3. Select **Acceptance Reporting** to view available reports.  
+4. Select **Export** to save the reports to your device.  
 
+> [!NOTE]
+> Report data is updated every 24 hours and can take up to 12 hours to finish generating. Because of this, data in the report can have up to a 36 hour latency.  
 
-## Monitor terms and conditions
+## Provide localized terms and conditions  
+You can create multiple policies using localized text, and then target each policy to the appropriate groups of users.   
 
-To add *terms of use* compliance requirements, use the following steps:
+## Update terms and conditions  
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Terms and Conditions**.
-2. In the **Terms and conditions** pane, select **Create** to add and assign *terms of use* compliance requirements to your end users.
+Microsoft Intune provides a version control setting so that you can track versions and notify users of changes to your terms. As a best practice, every time you make a significant change to your terms and conditions, you should: 
 
-> [!NOTE]
-> Acceptance reporting data is updated every 24 hours and can take up to 12 hours to run. As such, data in the report can have up to a 36 hour latency.
+- Increase the version number in Intune.  
+- Require assigned users to review and reaccept the updated terms.  
 
+> [!TIP]
+> Do not change the version number for changes like typo and formatting fixes. 
 
-## Work with multiple versions of terms and conditions
-You can edit your terms and conditions and manage their versions. Each time you make a significant change to your terms and conditions, you should:
-- increase the version number
-- require users to accept the new terms and conditions
+To edit terms and conditions:  
 
-Keep the current version number if, for example, you're fixing typos or changing formatting.
+1. Select **Tenant administration** > **Terms and conditions**.
+2. From the table, choose the terms and conditions you want to edit.  
+3. Select **Properties** and then next to **Terms**, select **Edit.**
+4. Adjust the existing content as needed. 
+5. If you edit the meaning of the terms at all, select the checkbox next to **Require users to re-accept, and increment the version number to *next version*.** In place of *next step*, you'll see the actual version number. 
+3. Select **Review + save**.  
+4. Review the summary for your terms and conditions, and then select **Save**.  
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Terms and Conditions** > choose the terms and conditions you want to modify > **Properties**.
+Users only have to accept the updated terms and conditions once. This means that a user associated with multiple enrolled devices won't need to accept the terms and conditions on each device.  
 
-2. On the **Properties** pane, choose **Terms and Conditions** and then modify the **Title**, **Summary of Terms**, and **Terms and Conditions** as needed. If your changes make it necessary for users to reaccept the new terms, choose **Require users to re-accept, and increment the version number to**
+## Use Azure AD Terms of use feature  
+You can use the [Azure Active Directory terms of use](/azure/active-directory/conditional-access/terms-of-use) feature to configure stricter compliance requirements. Capabilities include: 
 
-3. Choose **OK** > **Save**.
+* Attach multiple localized versions to a single policy  
+* Render terms in PDF format for a richer experience that allows for branding, images, and hyperlinks
+* Require users to expand the terms of use  
+* Require users to consent on every device  
+* Expire consents  
+* Require users to reaccept terms after a certain period of time  
+* Provide terms for non-enrollment scenarios  
 
-Users only have to accept updated terms and conditions once. Users with multiple devices don't have to accept terms and conditions on each device.
+These terms are shown to users when they sign in to targeted apps and resources. If you configure both Azure AD terms of use and Intune terms and conditions, users will be required to accept both. For a comparison of both solutions, see [Choosing the right Terms solution for your organization](https://go.microsoft.com/fwlink/?linkid=2010506&clcid=0x409). 

memdocs/intune/protect/encrypt-devices.md

@@ -146,6 +146,45 @@ Depending on the type of policy that you use to silently enable BitLocker, confi
 > [!TIP]  
 > While the setting labels and options in the following two policy types are different from each other, they both apply the same configuration to Windows encryption CSPs that manage BitLocker on Windows devices.
 
+### Full disk vs Used Space only encryption 
+
+Three settings determine whether an OS drive will be encrypted using used space only or full disk encryption:
+- Whether the hardware of the device is [modern standby](/windows-hardware/design/device-experiences/modern-standby) capable
+- Whether silent enablement has been configured for BitLocker 
+  - ('Warning for other disk encryption' = Block or 'Hide prompt about third-party encryption' = Yes)
+- Configuration of the [SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp) 
+  - (Enforce drive encryption type on operating system drives)
+
+Assuming that SystemDrivesEncryptionType has not been configured, the following is the expected behaviour. When silent enablement is configured on a modern standby device, the OS drive will be encrypted using used space only encryption. When silent enablement is configured on a device which is not capable of modern standby, the OS drive will be encrypted using full disk encryption. The result is the same whether you are using an [Endpoint Security disk encryption policy for BitLocker](/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker) or a [Device Configuration profile for endpoint protection for BitLocker](/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker). If a different end state is required, the encryption type can be controlled by configuring the SystemDrivesEncryptionType using settings catalog as shown below.
+
+To verify whether the hardware is modern standby capable, run the following command from a command prompt:
+
+```console
+powercfg /a
+```
+If the device supports modern standby, it will show that Standby (S0 Low Power Idle) Network Connected is available
+
+:::image type="content" source="./media/encrypt-devices/docs_bl_powercfg_surface_s0_possible.png" alt-text="Screenshot of command prompt displaying output of powercfg command with Standby state S0 available.":::
+
+If the device does not support modern standby, such as a virtual machine, it will show that Standby (S0 Low Power Idle) Network Connected is not supported
+
+:::image type="content" source="./media/encrypt-devices/docs_bl_powercfg_surface_nos0possible.png" alt-text="Screenshot of command prompt displaying output of powercfg command with Standby state S0 un-available.":::
+
+To verify the encryption type, run the following command from an elevated (admin) command prompt:
+
+```console
+manage-bde -status c:
+```
+The 'Conversion Status' field will reflect the encryption type as either Used Space Only encrypted or Fully Encrypted.
+
+:::image type="content" source="./media/encrypt-devices/docs_bl_usedspaceonly.png" alt-text="Screenshot of administrative command prompt showing output of manage-bde with conversion status reflecting fully encrypted.":::
+
+:::image type="content" source="./media/encrypt-devices/docs_bl_fullyencrypted.png" alt-text="Screenshot of administrative command prompt showing output of manage-bde with conversion status reflecting used space only encryption.":::
+
+To change the disk encryption type between full disk encryption and used space only encryption, leverage the'Enforce drive encryption type on operating system drives' setting within settings catalog.
+
+:::image type="content" source="./media/encrypt-devices/docs_bl_settingscatalog_control_encryption.png" alt-text="Screenshot of Intune settings catalog displaying Enforce drive encryption type on operating system drives setting and drop-down list to select from full or used space only encryption types.":::
+
 #### TPM startup PIN or key
 
 A device **must not require** use of a startup PIN or startup key.

windows-365/enterprise/create-on-premises-network-connection.md

@@ -45,7 +45,8 @@ As part of the connection process, the Windows 365 service is granted the follow
 To create an OPNC, you must:
 
 - Be an [Intune Administrator in Azure AD](/azure/active-directory/roles/permissions-reference).
-- Have [Owner permissions on the Azure subscription](/azure/cost-management-billing/manage/add-change-subscription-administrator) that contains the virtual network.
+- Have [Owner permissions on the Azure subscription](/azure/cost-management-billing/manage/add-change-subscription-administrator) that contains the virtual network with connectivity to your on-premises domain controller and network.
+- Make sure that your PowerShell execution policy is configured to allow RemoteSigned scripts. If you use Group Policy to set execution policy, make sure that the Group Policy Object (GPO) targeted at the Organizational Unit (OU) defined in the OPNC is configured to allow RemoteSigned scripts. For more information, see [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy).
 
 ## Create an OPNC