merge

Author: ErikjeMS

memdocs/autopilot/enrollment-autopilot.md

@@ -73,6 +73,9 @@ ms.collection:
 
 3. Select **Create**.
 
+> [!NOTE]
+> Anything assigned to these attributes will only be assigned if the device is Autopilot registered.
+
 ## Add devices
 
 For information about formatting and using a CSV file to manually add Windows Autopilot devices, see [Manually register devices with Windows Autopilot](add-devices.md).
@@ -131,4 +134,4 @@ You can group Windows devices by a correlator ID when enrolling using [Autopilot
 
 After you have created a device group, you can configure and apply a Windows Autopilot deployment profile to each device in the group. Deployment profiles determine the deployment mode, and customize the OOBE for your end users. For more information, see [Configure deployment profiles](profiles.md).
 
-For more information about managing your Windows Autopilot devices, see [What is Microsoft Intune device management?](../intune/remote-actions/device-management.md)
+For more information about managing your Windows Autopilot devices, see [What is Microsoft Intune device management?](../intune/remote-actions/device-management.md)

memdocs/autopilot/known-issues.md

@@ -28,6 +28,28 @@ This article describes known issues that can often be resolved by configuration
 
 ## Known issues
 
+### Device-based Conditional Access policies
+
+1. The Intune Enrollment app must be excluded from any Conditional Access policy requiring **Terms of Use** because it isn’t supported.  See [Per-device terms of use](/azure/active-directory/conditional-access/terms-of-use#per-device-terms-of-use).
+
+2. Exceptions to Conditional Access policies to exclude **Microsoft Intune Enrollment** and **Microsoft Intune** cloud apps are needed to complete Autopilot enrollment in cases where restrictive polices are present such as:
+    - Conditional Access policy 1: Block all apps except those on an exclusion list.
+    - Conditional Access policy 2: Require a compliant device for the apps on the exclusion list.
+ 
+    In this case, Microsoft Intune Enrollment and Microsoft Intune should be included in that exclusion list of policy 1.
+
+    If a policy is in place such that **all cloud apps** require a compliant device (there is no exclusion list), Microsoft Intune Enrollment will already be excluded by default, so that the device can register with Azure AD and enroll with Intune and avoid a circular dependency.
+
+3. **Hybrid Azure AD devices**: When Hybrid Azure AD devices are deployed with Autopilot, 2 device IDs are initially associated with the same device – one Azure AD and one hybrid.  The hybrid compliance state will display as **N/A** when viewed from the devices list in the Azure portal until a user signs in. Intune only syncs with the Hybrid device ID after a successful user sign-in. 
+
+    The temporary **N/A** compliance state can cause issues with device based Conditional Access polices that block access based on compliance. In this case, Conditional Access is behaving as intended. To resolve the conflict, a user must to sign in to the device, or the device-based policy must be modified. For more information, see [Conditional Access: Require compliant or hybrid Azure AD joined device](/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device).
+
+4. Conditional Access policies such as BitLocker compliance require a grace period for Autopilot devices, because until the device has been rebooted the status of BitLocker and Secure Boot have not been captured, and cannot be used as part of the Compliance Policy. The grace period can be as short as 0.25 days.
+
+### Device goes through Autopilot deployment without an assigned profile
+
+When a device is registered in Autopilot and no profile is assigned, it will take the default Autopilot profile. This is by design to ensure that all devices registered with Autopilot, goes through the Autopilot experience. If you do not want the device to go through an Autopilot deployment, you must remove the Autopilot registration. 
+
 ### White screen during HAADJ deployment
 
 There is a UI bug on Autopilot HAADJ deployments where the Enrollment Status page is displayed as a white screen. This issue is limited to the UI and should not impact the deployment process. 

memdocs/autopilot/profiles.md

@@ -103,6 +103,8 @@ After you've created an Autopilot deployment profile, you can edit certain parts
     > [!NOTE]
     > Changes to the profile are applied to devices assigned to that profile. However, the updated profile won't be applied to a device that has already enrolled in Intune until after the device is reset and reenrolled.
 
+If a device is registered in Autopilot and a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration.
+
 ## Alerts for Windows Autopilot unassigned devices
 <!-- 163236 -->
 

memdocs/autopilot/registration-overview.md

@@ -44,6 +44,8 @@ Registration can also be performed within your organization by collecting the ha
 - [Automatic registration](automatic-registration.md)
 - [Manual registration](manual-registration.md)
 
+Once a device is registered in Autopilot if a profile is not assigned, it will receive the default Autopilot profile. If you do not want a device to go through Autopilot, you must remove the Autopilot registration. 
+
 ## Terms
 
 The following terms are used to refer to various steps in the registration process:

memdocs/autopilot/troubleshoot-oobe.md

@@ -28,7 +28,7 @@ ms.topic: troubleshooting
 When the out-of-box-experience (OOBE) includes unexpected Autopilot behavior, it's useful to check if the device received an Autopilot profile. If so, check the settings that the profile contained. Depending on the Windows client release, there are different mechanisms available to do that.
 
 > [!NOTE]
-> **[Preview]** With Windows 11, you can enable users to view additional detailed troubleshooting information about the Autopilot provisioning process. The [Windows Autopilot diagnostics page](windows-autopilot-whats-new.md#preview-windows-autopilot-diagnostics-page) provides IT admins and end users with a user-friendly view to troubleshoot Windows Autopilot failures. This feature can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md#available-settings) and selecting **Yes** to **Allow users to collect logs about installation errors**. This feature is currently supported for commercial OOBE, and Autopilot user-driven mode.
+> **[Preview]** With Windows 11, you can enable users to view additional detailed troubleshooting information about the Autopilot provisioning process. The [Windows Autopilot diagnostics page](windows-autopilot-whats-new.md#preview-windows-autopilot-diagnostics-page) provides IT admins and end users with a user-friendly view to troubleshoot Windows Autopilot failures. This feature can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md) and selecting **Yes** to **Allow users to collect logs about installation errors**. This feature is currently supported for commercial OOBE, and Autopilot user-driven mode.
 
 ## Can't connect to MDM terms of use error
 

memdocs/autopilot/windows-autopilot-whats-new.md

@@ -65,7 +65,7 @@ An example of the diagnostics page is shown below. In this example, **Configurat
 ![diagnostics page click](images/oobe-02.png)<br>
 ![diagnostics page expand](images/oobe-03.png)
 
-The diagnostics page can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md#available-settings) and selecting **Yes** to **Turn on log collection and diagnostics page for end users**. 
+The diagnostics page can be enabled by going to the [ESP profile](../intune/enrollment/windows-enrollment-status.md) and selecting **Yes** to **Turn on log collection and diagnostics page for end users**. 
 
 The diagnostics page is currently supported for commercial OOBE, and Autopilot user-driven mode. It is currently available on Windows 11. Windows 10 users can still collect and export diagnostic logs when this setting is enabled in Intune. 
 

memdocs/configmgr/core/TOC.yml

@@ -285,14 +285,14 @@ items:
     items:
     - name: Technical Preview overview
       href: get-started/technical-preview.md
+    - name: 2203 features
+      href: get-started/2022/technical-preview-2203.md 
     - name: 2202 features
       href: get-started/2022/technical-preview-2202.md 
     - name: 2201 features
       href: get-started/2022/technical-preview-2201.md       
     - name: 2112 features
       href: get-started/2021/technical-preview-2112.md      
-    - name: 2111 features
-      href: get-started/2021/technical-preview-2111.md
   - name: Migrate data between hierarchies
     items:
     - name: Migration overview

memdocs/configmgr/core/clients/deploy/about-client-installation-properties.md

@@ -2,7 +2,7 @@
 title: Client installation parameters and properties
 titleSuffix: Configuration Manager
 description: Learn about the ccmsetup command-line parameters and properties for installing the Configuration Manager client.
-ms.date: 02/16/2022
+ms.date: 03/03/2022
 ms.prod: configuration-manager
 ms.technology: configmgr-client
 ms.topic: reference
@@ -606,6 +606,12 @@ If you set this property to `TRUE`, the client installer doesn't check the minim
 
 Example: `CCMSetup.exe IGNOREAPPVVERSIONCHECK=TRUE`
 
+### `MANAGEDINSTALLER`
+
+If you set this property to `1` then ccmsetup.exe and client.msi are set as managed installers. For more information, see [Automatically allow apps deployed by a managed installer with Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer).
+
+Example: `CCMSetup.exe MANGEDINSTALLER=1`
+
 ### `NOTIFYONLY`
 
 When you enable this property, the client reports status, but doesn't remediate problems that it finds.

memdocs/configmgr/core/get-started/2022/includes/2203/10454717.md

@@ -0,0 +1,42 @@
+---
+author: aczechowski
+ms.author: aaroncz
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: include
+ms.date: 03/02/2022
+ms.localizationpriority: medium
+---
+
+## <a name="bkmk_blmts"></a> Escrow BitLocker recovery password to the site during a task sequence
+
+<!--10454717-->
+
+You can now configure the **Enable BitLocker** step of a task sequence to escrow the BitLocker recovery information for the OS volume to Configuration Manager. Previously, you had to escrow to Active Directory, or wait for the Configuration Manager client to receive BitLocker management policy after the task sequence. This new option makes sure that the device is fully protected by BitLocker when the task sequence completes, and that you can recover the OS volume immediately.
+
+For more general information, see [Plan for BitLocker management](../../../../../protect/plan-design/bitlocker-management.md).
+
+### Prerequisites for escrowing BitLocker recovery password during a task sequence
+
+The client will only escrow its key to the Configuration Manager site if you configure one of the following options:
+
+- Create and use a certificate to encrypt the site database for BitLocker management.
+
+- Enable the BitLocker client management policy option to **Allow recovery information to be stored in plain text**.
+
+For more information, see [Encrypt recovery data in the database](../../../../../protect/deploy-use/bitlocker/encrypt-recovery-data.md).
+
+### Try it out!
+
+Try to complete the tasks. Then send [Feedback](../../../../understand/product-feedback.md) with your thoughts on the feature.
+
+1. If needed, first [create a task sequence to deploy an OS](../../../../../osd/deploy-use/manage-task-sequences-to-automate-tasks.md).
+
+1. [Use the task sequence editor](../../../../../osd/understand/task-sequence-editor.md) to edit the task sequence.
+
+1. If the task sequence doesn't already include the **Enable BitLocker** step, add it. For more information, see [About task sequence steps: Enable BitLocker](../../../../../osd/understand/task-sequence-steps.md#BKMK_EnableBitLocker).
+
+1. On the properties of the **Enable BitLocker** step, select the option to **Automatically store the recovery key**, and then select **The Configuration Manager database**.
+
+    > [!NOTE]
+    > If Configuration Manager can't escrow the key, by default this task sequence step fails.

memdocs/configmgr/core/get-started/2022/includes/2203/13395691.md

@@ -0,0 +1,49 @@
+---
+author: aczechowski
+ms.author: aaroncz
+ms.prod: configuration-manager
+ms.technology: configmgr-core
+ms.topic: include
+ms.date: 03/02/2022
+ms.localizationpriority: medium
+---
+
+## <a name="bkmk_powershell"></a> PowerShell release notes preview
+
+<!--13395691-->
+
+These release notes summarize changes to the Configuration Manager PowerShell cmdlets in this technical preview release.
+
+For more information about PowerShell for Configuration Manager, see [Get started with Configuration Manager cmdlets](/powershell/sccm/overview).
+
+### Module changes
+
+The following folder-related cmdlets now support software update groups and deployment packages:
+
+- [Get-CMFolder](/powershell/module/configurationmanager/get-cmfolder)
+- [New-CMFolder](/powershell/module/configurationmanager/new-cmfolder)
+- [Remove-CMFolder](/powershell/module/configurationmanager/remove-cmfolder)
+- [Set-CMFolder](/powershell/module/configurationmanager/set-cmfolder)
+- [Move-CMObject](/powershell/module/configurationmanager/move-cmobject)
+- [Add-CMObjectSecurityScope](/powershell/module/configurationmanager/Add-CMObjectSecurityScope)
+- [Remove-CMObjectSecurityScope](/powershell/module/configurationmanager/Remove-CMObjectSecurityScope)
+
+For more general information, see [Added folder support for nodes in the Software Library](../../technical-preview-2202.md#bkmk_folder).
+
+### Modified cmdlets
+
+#### New-CMSoftwareUpdateDeployment
+
+For more information, see [New-CMSoftwareUpdateDeployment](/powershell/module/configurationmanager/New-CMSoftwareUpdateDeployment).
+
+**Non-breaking changes**
+
+Added parameter **PreDownloadUpdateContent** to support [pre-download for available software updates](../../technical-preview-2202.md#bkmk_pre-download).
+
+#### Set-CMSoftwareUpdateDeployment
+
+For more information, see [Set-CMSoftwareUpdateDeployment](/powershell/module/configurationmanager/Set-CMSoftwareUpdateDeployment).
+
+**Non-breaking changes**
+
+Added parameter **PreDownloadUpdateContent** to support [pre-download for available software updates](../../technical-preview-2202.md#bkmk_pre-download).