Merge pull request #16897 from MicrosoftDocs/main
Publish main to live, 12/10, 11:00 AM IST
aditisrivastava07 authored Dec 10, 2024
2 parents c7da95e + 7e78722 commit 306dd23
Showing 24 changed files with 198 additions and 56 deletions.
3 changes: 3 additions & 0 deletions memdocs/intune/apps/apps-add.md
Expand Up @@ -202,6 +202,9 @@ When you add an app to Intune, you're given the option to select the category yo
- To edit a category, select the ellipsis (**...**) next to the category, and then select **Pin to dashboard** or **Delete**.
4. Select **Create**.

> [!NOTE]
> The maximum number of App Categories you can create is 200.
## Apps that are added automatically by Intune

Previously, Intune contained a number of built-in apps that you could quickly assign. Based on Intune customer feedback, we removed this list, and the built-in apps are no longer displayed. However, if you have already assigned any built-in apps, the apps remain visible in the list of apps. You can continue to assign the apps as required.
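Review bot: the new `> [!NOTE]` block on the 200-category limit runs straight into the `## Apps that are added automatically by Intune` heading with no blank line between them; add a blank line after `> The maximum number of App Categories you can create is 200.` so the callout is closed before the heading. Consider lowercase `app categories`, matching the casing the preceding list items use.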
101 changes: 101 additions & 0 deletions memdocs/intune/fundamentals/compliance-in-intune.md
@@ -0,0 +1,101 @@
---
title: Compliance in Microsoft Intune
titleSuffix:
description: Learn about compliance, dependencies, and features in Microsoft Intune supporting data protection and regulatory requirements.
keywords:
author: Erikre
ms.author: erikre
manager: dougeby
ms.date: 12/03/2024
ms.topic: overview
ms.service: microsoft-intune
ms.subservice: fundamentals
ms.localizationpriority: high
ms.collection:
- tier1
- highpri
- essentials-compliance

---

# Compliance in Microsoft Intune

Intune supports compliance features to help organizations meet national, regional, and industry-specific regulations. Intune aligns with Microsoft's commitment to data protection, privacy, and compliance by offering tools to help secure and manage data effectively.

## Shared responsibility model

Microsoft ensures that Intune complies with various industry standards and regulatory frameworks. However, customers are responsible for implementing their data protection and compliance strategies to align with their specific organizational requirements.

## Compliance certifications

Intune is covered under several compliance certifications, and regulatory standards. The following table provides a sample of the key certifications that are covered:

| Certification or Standard | Description | Applicability |
|---------------------------|-------------|---------------|
| [GDPR](/compliance/regulatory/gdpr) | EU General Data Protection Regulation for data privacy | European Union |
| [ISO 27001](/compliance/regulatory/offering-iso-27001) | International standard for information security management | Global |
| [HIPAA](/compliance/regulatory/offering-hipaa-hitech) | U.S. Health Insurance Portability and Accountability Act | United States |
| [SOC 2 Type 2](/compliance/regulatory/offering-soc-2) | Service Organization Controls for data security | Global |

> [!NOTE]
> Microsoft Intune helps your organization meet regulatory compliance standards. Intune supports additional certifications, such as [ISO 22301](/compliance/regulatory/offering-iso-22301), [ISO/IEC 27017](/compliance/regulatory/offering-iso-27017), [ISO/IEC 27018](/compliance/regulatory/offering-iso-27018), [ISO/IEC 27701](/compliance/regulatory/offering-iso-27701), [SOC 1 Type 2](/compliance/regulatory/offering-soc-1), [SOC 3](/compliance/regulatory/offering-soc-3), and [WCAG](/compliance/regulatory/offering-wcag-2-1).
For a complete list, see [Microsoft compliance offerings](/compliance/regulatory/offering-home).

## Compliance dependencies

Intune leverages other Microsoft services for compliance, including:

- [Microsoft Purview](/purview/purview): A suite of data governance and compliance tools.
- [Microsoft Entra ID](/entra/fundamentals/whatis): Identity and access management, formerly known as Azure Active Directory (Azure AD).
- [Microsoft Purview Compliance Manager](/purview/compliance-manager): Tools for managing compliance across your organization.
- [Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md): An enterprise endpoint security platform.

## Microsoft Intune capabilities for compliance

Microsoft Intune helps enforce compliance policies and protect organizational data specifically for Intune:

- **Conditional Access**: Ensures only compliant devices and apps managed by Intune can access sensitive data. See [Conditional Access](/mem/intune/protect/conditional-access).
- **Device Compliance Enforcement**: Enforces device compliance policies to meet organizational security requirements. See [Device Compliance Policies](/mem/intune/protect/device-compliance-get-started).

For more information about Intune compliance capabilities, visit the [Microsoft Intune documentation](/mem/intune).

## Data residency and protection

Intune supports compliance with data residency requirements by supporting Microsoft Cloud's regional and global data storage policies. These policies include:

- **Data location**: Data is stored in Microsoft-managed data centers. For more information, see [Data storage and processing in Intune](../protect/privacy-data-store-process.md).
- **EU Data Boundary**: Ensures that data belonging to EU customers is stored and processed within the EU. For more information, see [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn) and [Configure Microsoft Tunnel for Intune](../protect/microsoft-tunnel-configure.md).
- **Encryption**: Data is encrypted at rest and in transit. For more information, see [Access requirements policy mapping from Basic Mobility and Security to Intune](../fundamentals/policy-map-access-requirements.md).

## Compliance features

Intune includes several compliance features that help organizations meet regulatory requirements, manage data lifecycles, and protect sensitive information. These features are designed to ensure your organization can effectively monitor, classify, and safeguard its data while maintaining compliance with industry standards.

### Data lifecycle management

> [!IMPORTANT]
> Microsoft Intune doesn't use any personal data collected as part of providing the service for profiling, advertising, or marketing purposes.
Intune supports data lifecycle management through retention policies and labels. These features help organizations retain or delete data based on compliance requirements. For more information, see [Privacy and personal data in Intune](../fundamentals/intune-service-servicing-information.md#privacy-and-personal-data-in-intune).

### Auditing and reporting

Microsoft Purview (included in the **Microsoft 365 E5** license) supports auditing and reporting for Intune. IT administrators can monitor data usage and ensure adherence to organizational compliance policies. Features include:

- eDiscovery: Enables organizations to locate data for legal or regulatory needs.
- Data Retention Policies: Helps organizations manage data lifecycles.

For more information, see the [Protect your sensitive data with Microsoft Purview](/purview/information-protection).

### Privacy controls

Intune includes privacy controls to manage data collection, storage, and sharing:

For details about privacy, see [Privacy and personal data in Intune](../protect/privacy-personal-data.md).

## Related articles

- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
- [Microsoft Trust Center](https://www.microsoft.com/trust-center)
- [Microsoft Purview compliance portal](https://compliance.microsoft.com/)
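Review bot: under `### Data lifecycle management`, the paragraph `Intune supports data lifecycle management through retention policies and labels...` directly follows the `> Microsoft Intune doesn't use any personal data...` line with no blank line, so Markdown treats it as a lazy continuation and renders it inside the `[!IMPORTANT]` callout; insert a blank line after the callout. The `> [!NOTE]` in the certifications section has the same problem in reverse: `For a complete list, see [Microsoft compliance offerings]...` is unprefixed, so it renders inside the note by continuation; either prefix it with `>` or separate it with a blank line. Under `### Privacy controls`, the sentence ending `...storage, and sharing:` introduces a list that was never added; add the bullets or end the sentence with a period. Two link targets do not match their bullets: the **EU Data Boundary** bullet points to the Microsoft Tunnel configuration article, and the **Encryption** bullet points to the Basic Mobility and Security policy-mapping article, neither of which covers the topic named. The two `Privacy and personal data in Intune` links resolve to different files (`../fundamentals/intune-service-servicing-information.md#...` and `../protect/privacy-personal-data.md`); pick one. Minor: `certifications, and regulatory standards` has a stray comma, and `see the [Protect your sensitive data with Microsoft Purview]` has an extra `the`.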
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 07/22/2024
ms.date: 11/04/2024
ms.topic: conceptual
ms.service: microsoft-intune
ms.subservice: fundamentals
Expand Down Expand Up @@ -77,7 +77,7 @@ You can enforce device compliance policies based on Linux distribution type, ver

Enrollment is supported on Linux desktops running:

* Ubuntu LTS, version 22.04 or 20.04.
* Ubuntu LTS, version 24.04, 22.04 or 20.04.
* RedHat Enterprise Linux 8
* RedHat Enterprise Linux 9
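Review bot: `version 24.04, 22.04 or 20.04` drops the serial comma used elsewhere in these docs (`Wi-Fi, VPN, or web service`); write `24.04, 22.04, or 20.04`. The wording also differs from the `mdm-supported-devices.md` include changed in this same commit (`Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment`), so the two lists should be reconciled. While this list is being touched, `RedHat` in the two following bullets is the vendor's `Red Hat`.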

19 changes: 17 additions & 2 deletions memdocs/intune/fundamentals/whats-new.md
Expand Up @@ -75,6 +75,23 @@ You can use RSS to be notified when this page is updated. For more information,
### Tenant administration
-->
## Week of December 9, 2024

### Tenant administration

#### Intune now supports Ubuntu 24.04 LTS for Linux management.<!--28363586 -->

We're now supporting device management for Ubuntu 24.04 LTS. You can enroll and manage Linux devices running Ubuntu 24.04, and assign standard compliance policies, custom configuration scripts, and compliance scripts.

For more information, see the following in Intune documentation:

- [Deployment guide: Manage Linux devices in Microsoft Intune](../fundamentals/deployment-guide-platform-linux.md)
- [Enrollment guide: Enroll Linux desktop devices in Microsoft Intune](../fundamentals/deployment-guide-enrollment-linux.md). To enroll Linux devices, ensure that they are running Ubuntu 20.04 LTS or higher.

Applies to:

- Linux Ubuntu Desktops

## Week of December 2, 2024

### Device enrollment
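Review bot: the new `#### Intune now supports Ubuntu 24.04 LTS for Linux management.` heading ends with a period, unlike the other headings on this page; drop it. The enrollment bullet's `ensure that they are running Ubuntu 20.04 LTS or higher` overstates support: the `mdm-supported-devices.md` include changed in this same commit lists specific LTS releases (20.04, 22.04, 24.04), so `or higher` reads as if interim releases qualify; say `a supported Ubuntu LTS release (20.04, 22.04, or 24.04)` instead. The entry also sits under `### Tenant administration`, whereas the week of December 2 files its enrollment item under `### Device enrollment`; check that the category is intended.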
Expand Down Expand Up @@ -104,8 +121,6 @@ Applies to:

- Windows 10 and later (Corporate owned devices managed by Intune)



## Week of November 18, 2024 (Service release 2411)

### App management
5 changes: 4 additions & 1 deletion memdocs/intune/includes/mdm-supported-devices.md
Expand Up @@ -4,7 +4,7 @@ ms.author: erikje
ms.service: microsoft-intune
ms.subservice: fundamentals
ms.topic: include
ms.date: 10/10/2024
ms.date: 11/04/2024
ms.localizationpriority: high
---

Expand Down Expand Up @@ -41,6 +41,9 @@ ms.localizationpriority: high

- Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment
- Ubuntu Desktop 20.04 LTS with a GNOME graphical desktop environment
- Ubuntu LTS, version 24.04
- RedHat Enterprise Linux 8
- RedHat Enterprise Linux 9

> [!NOTE]
> Ubuntu Desktop already has a GNOME graphical desktop environment installed.
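Review bot: the added `- Ubuntu LTS, version 24.04` line does not match the wording of the two existing Ubuntu entries (`Ubuntu Desktop 22.04 LTS with a GNOME graphical desktop environment`) and breaks the descending version order; rewrite it as `- Ubuntu Desktop 24.04 LTS with a GNOME graphical desktop environment` and place it above the 22.04 entry. As written it also omits the GNOME requirement that the following note assumes applies to every listed Ubuntu release.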
2 changes: 1 addition & 1 deletion memdocs/intune/protect/microsoft-cloud-pki-audit-logs.md
Expand Up @@ -6,7 +6,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 02/26/2024
ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 06/13/2024
ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
2 changes: 1 addition & 1 deletion memdocs/intune/protect/microsoft-cloud-pki-configure-ca.md
Expand Up @@ -5,7 +5,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 06/12/2024
ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
2 changes: 1 addition & 1 deletion memdocs/intune/protect/microsoft-cloud-pki-delete.md
Expand Up @@ -6,7 +6,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 07/30/2024
ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
24 changes: 13 additions & 11 deletions memdocs/intune/protect/microsoft-cloud-pki-deployment.md
Expand Up @@ -6,7 +6,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 02/26/2024
ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
Expand Down Expand Up @@ -55,7 +55,7 @@ Identify your relying parties. The relying party is a user or system that consum

- A Wi-Fi access point using radius certificate-based authentication.
- A VPN server authenticating a remote user.
- A user visiting an SSL protected web site in a web browser.
- A user visiting an TLS/LLS protected web site in a web browser.

### Determine location for trust anchor
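Review bot: the changed bullet reads `an TLS/LLS protected web site`; `LLS` is a typo for `SSL`, and the article should be `a` before `TLS`. The rest of this file and `microsoft-cloud-pki-fundamentals.md` use `TLS/SSL`, so the line should be `- A user visiting a TLS/SSL protected web site in a web browser.`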

Expand All @@ -71,13 +71,13 @@ When using certificates to perform certificate-based authentication, ensure that
If the issuing CA certificate is missing, a relying party can request it via the Authority Information Access (AIA) property in the certificate by using the native OS platform certificate chaining engine.

> [!NOTE]
> When connecting to a relying party such as a Wi-Fi access point or VPN server, an SSL/TLS connection is first established by the managed Intune device when attempting to connect. Microsoft Cloud PKI doesn't provide these TLS/SSL certificates. You must obtain these certificates through another PKI or CA service. As a result, when you create a Wi-Fi or VPN profile, you also have to create a trusted certificate profile and assign it to managed devices to trust the TLS/SSL connection. The trusted certificate profile must contain the public keys for the root and issuing CAs responsible for issuing the TLS/SSL certificate.
> When connecting to a relying party such as a Wi-Fi access point or VPN server, an TLS/SSL connection is first established by the managed Intune device when attempting to connect. Microsoft Cloud PKI doesn't provide these TLS/SSL certificates. You must obtain these certificates through another PKI or CA service. As a result, when you create a Wi-Fi or VPN profile, you also have to create a trusted certificate profile and assign it to managed devices to trust the TLS/SSL connection. The trusted certificate profile must contain the public keys for the root and issuing CAs responsible for issuing the TLS/SSL certificate.
## Deployment options

This section describes the Microsoft Intune-supported deployment options for Microsoft Cloud PKI.

There are methods for deploying CA certificates to relying parties not managed by Intune, such as radius servers, Wi-Fi access points, VPN servers, and web app servers supporting certificate-based authentication.
There are methods for deploying CA certificates to relying parties not managed by Intune. Relying parties such as radius servers, Wi-Fi access points, VPN servers, and web app servers supporting certificate-based authentication.

If the relying party is a member of an Active Directory Domain, then use Group Policy to deploy CA certificates. For more information, see:

Expand All @@ -86,7 +86,7 @@ If the relying party is a member of an Active Directory Domain, then use Group P

If the relying party isn't a member of Active Directory Domain, ensure the CA certificate trust chain for the Microsoft Cloud PKI root and issuing CA is installed in the security store of the relying party. The appropriate security store varies depending on the OS platform and the hosting application providing the service.

Also consider the relying party software configuration needed to support additional certification authorities.
Also consider the relying party software configuration needed to support other certification authorities.

### Option 1: Microsoft Cloud PKI root CA
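Review bot: `an TLS/SSL connection` in the rewritten note should be `a TLS/SSL connection`; the edit swapped the acronym order but kept the article that suited `SSL`. The `> [!NOTE]` block is still followed immediately by `## Deployment options` with no blank line. The new sentence `Relying parties such as radius servers, Wi-Fi access points, VPN servers, and web app servers supporting certificate-based authentication.` has no main verb; the original single sentence (`...not managed by Intune, such as radius servers, ...`) was grammatical, or rephrase as `Examples of such relying parties are radius servers, ...`. `RADIUS` is an acronym and is normally capitalized.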

Expand All @@ -109,15 +109,16 @@ Relying parties require the following CA certificate trust chain.
|Cloud PKI CA certificate| Root CA certificate required, issuing CA optional but recommended | If the relying party's server or service is a member server in Active Directory (AD) domain, use Group Policy to deploy CA certificates. If it's not in AD domain, a manual installation method might be required. |
|Private CA certificate| Root CA certificate required, issuing CA certificate optional but recommended | If the relying party's server or service is a member server in Active Directory (AD) domain, use Group Policy to deploy CA certificates. If it's not in AD domain, a manual installation method might be required. |

<!-- The following diagram shows certificates in action for both client and relying parties.
The following diagram shows certificates in action for both client and relying parties.

> [!div class="mx-imgBorder"]
> ![Diagram showing the certificate flow for client and relying parties.](./media/microsoft-cloud-pki/)
> ![Diagram of the certificate flow for client and relying parties.](./media/microsoft-cloud-pki-deployment/certs-in-play-for-CBA.png)
The following diagram shows the respective CA certificate trust chains that must be deployed to both managed devices and relying parties to ensure Cloud PKI certificates issued to Intune managed devices are trusted and can be used to authenticate to relying parties.
The following diagram shows the respective CA certificate trust chains that must be deployed to both managed devices and relying parties. The CA trust chains ensure Cloud PKI certificates issued to Intune-managed devices are trusted and can be used to authenticate to relying parties.

> [!div class="mx-imgBorder"]
> ![Diagram of Microsoft Cloud PKI, root CA deployment flow.](./media/microsoft-cloud-pki/) -->
> ![Diagram of the Microsoft Cloud PKI root CA deployment flow.](./media/microsoft-cloud-pki-deployment/root-ca-deployment.png)

### Option 2: Bring your own CA (BYOCA)
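Review bot: the un-commented image line `> ![Diagram of the certificate flow for client and relying parties.](./media/microsoft-cloud-pki-deployment/certs-in-play-for-CBA.png)` is followed directly by `The following diagram shows the respective CA certificate trust chains...` with no blank line, so that paragraph becomes a lazy continuation of the `[!div class="mx-imgBorder"]` blockquote and renders inside the bordered image block; add a blank line after the image line. The second image block ends on a blank line, which is the pattern the first one should follow.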

Expand All @@ -142,10 +143,11 @@ The relying party should already have the private CA certificate chain. However,
Relying parties trust the Cloud PKI BYOCA issued SCEP certificate to the managed device, because it chains up to the private CA trust chain already present on the relying party.

<!-- The following diagram illustrates how the respective CA certificate trust chains are deployed to Intune managed devices.
The following diagram illustrates how the respective CA certificate trust chains are deployed to Intune managed devices.

> [!div class="mx-imgBorder"]
> ![Diagram showing the respective CA certificate trust chains that must be deployed to Intune managed devices.] -->
> ![Diagram of the CA certificate trust chains that must be deployed to Intune managed devices.](./media/microsoft-cloud-pki-deployment/byoca-ca-deployment.png)
`*` In this diagram, *private* refers to the Active Directory Certificate Service or a non-Microsoft service.

## Summary
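Review bot: the footnote line `` `*` In this diagram, *private* refers to the Active Directory Certificate Service or a non-Microsoft service. `` follows `> ![Diagram of the CA certificate trust chains...](./media/microsoft-cloud-pki-deployment/byoca-ca-deployment.png)` with no blank line, so it renders as part of the blockquote; add a blank line. Nothing in the surrounding text carries the `*` marker the footnote explains, so either reference it in the preceding paragraph or confirm the asterisk appears in the image itself.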

18 changes: 11 additions & 7 deletions memdocs/intune/protect/microsoft-cloud-pki-fundamentals.md
Expand Up @@ -6,7 +6,7 @@ keywords:
author: lenewsad
ms.author: lanewsad
manager: dougeby
ms.date: 02/26/2024
ms.date: 12/06/2024
ms.topic: how-to
ms.service: microsoft-intune
ms.subservice: protect
Expand Down Expand Up @@ -113,19 +113,23 @@ After the chain is built, the following checks are performed on each certificate

The certificate and its chain are considered valid after all checks are complete, and come back successful.

<!-- The following diagram illustrates the *name matching* chain validation flow.
A certificate chain with an ordered list of certificates enables the relying party to verify a sender is trustworthy. It works both ways, from client-to-server and server-to-client.

needs redesign to meet MS standards> [!div class="mx-imgBorder"]
> ![Diagram of the chain validation process using the name match method.](./media/microsoft-cloud-pki/chain-validation.png) -->
The following diagram illustrates the *name matching* chain validation flow.

> [!div class="mx-imgBorder"]
> ![Diagram of the chain validation process using the name match method.](./media/microsoft-cloud-pki-fundamentals/chain-validation.png)
### Ensure a chain of trust

When you use certificates to perform certificate-based authentication, you must ensure that both relying parties have the CA certificate (public keys) trust chain. In this case, the *relying parties* are the Intune managed device and the authentication access point, such as Wi-Fi, VPN, or web service.

The root CA must be present. If the issuing CA certificate isn't present, then it can be requested by the relying party using the native certificate chain engine for the intended OS platform. The relying party can request the issuing CA certificate using the leaf certificate's *authority information access* property.

## Certificate-based authentication
> [!div class="mx-imgBorder"]
> ![Diagram of the chain of validation process.](./media/microsoft-cloud-pki-fundamentals/chain-of-trust.png)
## Certificate-based authentication
This section provides a basic understanding of the various certificates being used when a client or device performs certificate-based authentication.

The following steps describe the handshake that takes place between a client and a relying party service during certificate-based authentication.
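Review bot: the second new image block `> ![Diagram of the chain of validation process.](./media/microsoft-cloud-pki-fundamentals/chain-of-trust.png)` has alt text that describes chain validation, but the file name and the section it sits in are about the chain of trust; change it to `Diagram of the chain of trust.` Both new image blocks run straight into the following heading (`### Ensure a chain of trust`, `## Certificate-based authentication`) with no blank line, and `## Certificate-based authentication` is itself followed by `This section provides...` with no blank line; add the blank lines. In the new sentence `It works both ways, from client-to-server and server-to-client.`, say what `It` refers to (chain validation), and note that the client-to-server direction only occurs when the relying party requests a client certificate, as step 3 of the handshake below describes.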
Expand All @@ -135,7 +139,7 @@ The following steps describe the handshake that takes place between a client and
3. The relying party requests a certificate to be used for client authentication.
4. The client presents its client authentication certificate to the relying party to authenticate.

<!-- diagram needs redesign > [!div class="mx-imgBorder"]
> ![Drawing of a handshake between a client and relying party service.](./media/microsoft-cloud-pki/png) -->
> [!div class="mx-imgBorder"]
> ![Diagram of a handshake between a client and relying party service.](./media/microsoft-cloud-pki-fundamentals/certificate-handshake.png)
In an environment without Microsoft Cloud PKI, a private CA is responsible for issuing both the TLS/SSL certificate used by the relying party, and the device client authentication certificate. Microsoft Cloud PKI can be used to issue the device client authentication certificate, effectively replacing the private CA for this specific task.
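Review bot: the new `> ![Diagram of a handshake between a client and relying party service.](./media/microsoft-cloud-pki-fundamentals/certificate-handshake.png)` line is immediately followed by `In an environment without Microsoft Cloud PKI, ...` with no blank line, so that paragraph is pulled into the `[!div]` blockquote and rendered inside the bordered image block; add a blank line after the image line.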