Commit f4d81b6

Merge branch 'main' into release-intune-2204
2 parents c727ee7 + 07311f6 commit f4d81b6

13 files changed

Lines changed: 74 additions & 37 deletions

memdocs/intune/fundamentals/review-logs-using-azure-monitor.md

Lines changed: 6 additions & 2 deletions
@@ -7,7 +7,7 @@ keywords:
77
author: MandiOhlinger
88
ms.author: mandia
99
manager: dougeby
10-
ms.date: 03/31/2022
10+
ms.date: 04/25/2022
1111
ms.topic: how-to
1212
ms.service: microsoft-intune
1313
ms.subservice: fundamentals
@@ -20,7 +20,7 @@ ms.assetid: 95191d64-9895-4f2e-8c5b-f0e85be086d8
2020
#ROBOTS:
2121
#audience:
2222

23-
ms.reviewer: shpate
23+
ms.reviewer: daviales
2424
ms.suite: ems
2525
search.appverid: MET150
2626
#ms.tgt_pltfrm:
@@ -106,6 +106,10 @@ Depending on where you want to route the audit log data, you need one of the fol
106106

107107
If you choose to use a storage account, then also enter how many days you want to keep the data (retention). To keep data forever, set **Retention (days)** to `0` (zero).
108108

109+
- **LOG** > **IntuneDevices**: The Intune Device log shows device inventory and status information for Intune enrolled and managed devices. Choose this option to send the IntuneDevices logs to your storage account, event hub, or log analytics.
110+
111+
If you choose to use a storage account, then also enter how many days you want to keep the data (retention). To keep data forever, set **Retention (days)** to `0` (zero).
112+
109113
When finished, your settings look similar to the following settings:
110114

111115
:::image type="content" source="./media/review-logs-using-azure-monitor/diagnostics-settings-example.png" alt-text="Sample image that sends Endpoint Manager and Microsoft Intune audit logs to an Azure storage account.":::
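
Review bot: The retention paragraph added at new line 111 repeats word for word the sentence already present at line 107, so the storage-account retention rule now appears twice in a row. If the sentence is meant to belong to each **LOG** option, indent it under its bullet so the association is visible; otherwise state it once after the last option. In the new bullet at line 109, "log analytics" is a product name and should read "Log Analytics". Since the IntuneDevices log carries device inventory and status, it is also worth saying next to the `0` setting that this inventory is then kept in the storage account indefinitely.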

memdocs/intune/protect/actions-for-noncompliance.md

Lines changed: 3 additions & 0 deletions
@@ -101,6 +101,9 @@ When you enable this action:
101101
- Windows 10/11
102102

103103
When this action applies to a device, that device is added to a list of devices in the admin console at **Devices** > **Compliance policies** > **Retire Noncompliant Devices**. The device isn't retired until an admin takes explicit action to retire the device.
104+
105+
> [!NOTE]
106+
> Only devices to which the **Retire the noncompliant device** action has been triggered appear in the **Retire Selected Devices** view. To see a list of all devices that are not compliant, see the **Noncompliant devices** report mentioned in [Monitor device compliance policy](../protect/compliance-policy-monitor.md#view-compliance-reports).
104107
105108
To retire one or more devices from the list, select devices to retire and then select **Retire Selected Devices**. When you choose an action that retires devices, you're then presented with a dialog box to confirm the action. It's only after confirming the intent to retire the devices that they are cleared of company data and removed from Intune management.
106109
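
Review bot: The note added at lines 105-106 names the list the **Retire Selected Devices** view, but the context at line 103 calls it **Retire Noncompliant Devices**, and line 108 uses **Retire Selected Devices** for the button that performs the retire; use one name for the list so admins do not confuse the list with the action. "Devices to which the ... action has been triggered" reads better as "devices for which the ... action has been triggered". The link target `../protect/compliance-policy-monitor.md` leaves and re-enters the `protect` folder this file already lives in, so `compliance-policy-monitor.md#view-compliance-reports` is enough.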

memdocs/intune/protect/compliance-policy-create-windows.md

Lines changed: 4 additions & 1 deletion
@@ -197,7 +197,10 @@ Applies only to co-managed devices running Windows 10/11. Intune-only devices re
197197
[Firewall CSP](/windows/client-management/mdm/firewall-csp)
198198

199199
> [!NOTE]
200-
> If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an **Error**. This scenario might not affect the overall device compliance status. To re-evaluate the compliance status, manually [sync the device](../user-help/sync-your-device-manually-windows.md).
200+
> - If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an **Error**. This scenario might not affect the overall device compliance status. To re-evaluate the compliance status, manually [sync the device](../user-help/sync-your-device-manually-windows.md).
201+
>
202+
> - If a group policy is applied to a device that configures Defender Firewall to allow all inbound traffic, or turns off the firewall, setting **Firewall** to **Require** will return **Not compliant**, even if Intune device configuration policy turns Firewall on. This is because the group policy object overrides the Intune policy. To fix this issue, we recommend that you remove any conflicting group policy settings, or that you migrate your Firewall-related group policy settings to Intune device configuration policy. In general, we recommend that you [keep default settings](/windows/security/threat-protection/windows-firewall/best-practices-configuring#keep-default-settings), including blocking inbound connections. For more information, see [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring).
203+
201204

202205
- **Trusted Platform Module (TPM)**:
203206
- **Not configured** (*default*) - Intune doesn't check the device for a TPM chip version.
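
Review bot: The second bullet added at line 202 mixes "Defender Firewall", "the firewall", "Firewall" and "Windows Defender Firewall" for the same component; pick one product name and reserve bold **Firewall** for the compliance setting. The bullet also links the same article twice (`best-practices-configuring#keep-default-settings` and `best-practices-configuring`), so the closing "For more information" sentence can be dropped. It would help to state explicitly that the compliance result reflects the effective firewall state on the device, which is why the group policy value wins over the Intune configuration policy. The empty added line 203 leaves two blank lines before the **Trusted Platform Module (TPM)** item and can be removed.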

memdocs/intune/protect/compliance-policy-monitor.md

Lines changed: 8 additions & 10 deletions
@@ -96,21 +96,19 @@ Descriptions of the different device compliance policy states:
9696
> [!IMPORTANT]
9797
> Devices that are enrolled into Intune, but not targeted by any device compliance policies are included in this report under the **Compliant** bucket.
9898
99-
#### Device behavior with a compliance status of Error
99+
#### Device behavior with a compliance settings in Error state
100100

101-
Devices keep a compliance status of **Error** for up to seven days to allow time for the compliance calculation to complete correctly. Within those seven days, its previous compliance status applies until the device evaluates as **Compliant** or **Not compliant**. If after seven days, the device still has a status of **Error**, it becomes **Not compliant**. Note that grace periods do not apply to devices with an Error status.
101+
When a setting for a compliance policy returns a value of **Error**, the existing compliance state on the device remains unaffected for up to seven days to allow time for the compliance calculation to complete correctly for that setting. Within those seven days, the device's existing compliance status continues to apply until the compliance policy setting evaluates as **Compliant** or **Not compliant**. If after seven days, the setting still has a status of **Error**, the device becomes **Not compliant** immediately. Note that grace periods do not apply to compliance policies with a setting in an **Error** state.
102102

103103
##### Examples:
104-
105-
- A device is initially marked **Compliant**, but then its status changes to **Error**. After three days, compliance evaluation completes successfully and the device is marked **Not compliant**. The user can continue to use the device to access Conditional Access-protected resources within the first three days after the status changes to **Error**. Once the device is marked **Not compliant**, this access is removed until the device becomes **Compliant** again.
106-
107-
- A device is initially marked **Compliant**, but then its status changes to **Error**. After three days, compliance evaluation completes successfully and the device is marked **Compliant**. The user is able to continue to access Conditional Access-protected resources without interruption.
108-
109104

110-
- A device is initially marked **Compliant**, but then its status changes to **Error**. The user is able to access Conditional Access-protected resources for seven days, but after seven days, the compliance status is still **Error**. At this point, the device becomes **Not compliant** and the user loses access to the protected resources until the device becomes **Compliant** – even if there is a grace period set for the applicable compliance policy.
111-
105+
- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. After three days, compliance evaluation completes successfully and the setting now reports **Not compliant**. The user can continue to use the device to access Conditional Access-protected resources within the first three days after the setting states changes to **Error**, but once the setting returns **Not compliant**, the device is marked **Not compliant** and this access is removed until the device becomes **Compliant** again.
106+
107+
- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is able to continue to access Conditional Access protected resources without interruption.
112108

113-
- A device is initially marked **Not compliant**, but then its status changes to **Error**. After three days, compliance evaluation completes successfully and the device is marked **Compliant**. The user is prevented from accessing Conditional Access-protected resources for the first three days. Once the device is marked **Compliant**, the user can begin to access protected resources on the device.
109+
- A device is initially marked **Compliant**, but then a setting in one of the compliance policies targeted to the device reports **Error**. The user is able to access Conditional Access protected resources for seven days, but after seven days, the compliance setting still returns **Error**. At this point, the device becomes Not compliant immediately and the user loses access to the protected resources until the device becomes **Compliant** – even if there is a grace period set for the applicable compliance policy.
110+
111+
- A device is initially marked **Not compliant**, but then a setting in one of the compliance policies targeted to the device reports Error. After three days, compliance evaluation completes successfully, the setting returns **Compliant**, and the device's compliance status becomes **Compliant**. The user is prevented from accessing Conditional Access protected resources for the first three days (while the setting returns **Error**). Once the setting returns **Compliant** and the device is marked **Compliant**, the user can begin to access protected resources on the device.
114112

115113
#### Drill down for more details
116114
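
Review bot: The new heading at line 99, "Device behavior with a compliance settings in Error state", is ungrammatical; "Device behavior with a compliance setting in Error state" matches the body text. Renaming the heading also changes its anchor, so any existing links to the old "compliance status of Error" heading need checking. In the examples, line 105 has "the setting states changes" (should be "the setting state changes"), line 109 leaves "Not compliant" unbolded and line 111 leaves "Error" unbolded while every other state value is bold, and lines 107, 109 and 111 drop the hyphen from "Conditional Access-protected" that line 105 keeps. In line 101, "becomes **Not compliant** immediately" together with the sentence that grace periods do not apply is the part that decides when access is lost, so it deserves the same [!IMPORTANT] treatment as the callout at line 96.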
